* [PATCH 6.6 01/93] ALSA: seq: Skip event type filtering for UMP events
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
@ 2024-09-01 16:15 ` Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 02/93] LoongArch: Remove the unused dma-direct.h Greg Kroah-Hartman
` (97 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 32108c22ac619c32dd6db594319e259b63bfb387 upstream.
UMP events don't use the event type field, hence it's invalid to apply
the filter, which may drop the events unexpectedly.
Skip the event filtering for UMP events, instead.
Fixes: 46397622a3fa ("ALSA: seq: Add UMP support")
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20240819084156.10286-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/seq/seq_clientmgr.c | 3 +++
1 file changed, 3 insertions(+)
--- a/sound/core/seq/seq_clientmgr.c
+++ b/sound/core/seq/seq_clientmgr.c
@@ -537,6 +537,9 @@ static struct snd_seq_client *get_event_
return NULL;
if (! dest->accept_input)
goto __not_avail;
+ if (snd_seq_ev_is_ump(event))
+ return dest; /* ok - no filter checks */
+
if ((dest->filter & SNDRV_SEQ_FILTER_USE_EVENT) &&
! test_bit(event->type, dest->event_filter))
goto __not_avail;
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 02/93] LoongArch: Remove the unused dma-direct.h
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 01/93] ALSA: seq: Skip event type filtering for UMP events Greg Kroah-Hartman
@ 2024-09-01 16:15 ` Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 03/93] btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk() Greg Kroah-Hartman
` (96 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Miao Wang, Huacai Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miao Wang <shankerwangmiao@gmail.com>
commit 58aec91efb93338d1cc7acc0a93242613a2a4e5f upstream.
dma-direct.h is introduced in commit d4b6f1562a3c3284 ("LoongArch: Add
Non-Uniform Memory Access (NUMA) support"). In commit c78c43fe7d42524c
("LoongArch: Use acpi_arch_dma_setup() and remove ARCH_HAS_PHYS_TO_DMA"),
ARCH_HAS_PHYS_TO_DMA was deselected and the coresponding phys_to_dma()/
dma_to_phys() functions were removed. However, the unused dma-direct.h
was left behind, which is removed by this patch.
Cc: <stable@vger.kernel.org>
Fixes: c78c43fe7d42 ("LoongArch: Use acpi_arch_dma_setup() and remove ARCH_HAS_PHYS_TO_DMA")
Signed-off-by: Miao Wang <shankerwangmiao@gmail.com>
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/loongarch/include/asm/dma-direct.h | 11 -----------
1 file changed, 11 deletions(-)
delete mode 100644 arch/loongarch/include/asm/dma-direct.h
--- a/arch/loongarch/include/asm/dma-direct.h
+++ /dev/null
@@ -1,11 +0,0 @@
-/* SPDX-License-Identifier: GPL-2.0 */
-/*
- * Copyright (C) 2020-2022 Loongson Technology Corporation Limited
- */
-#ifndef _LOONGARCH_DMA_DIRECT_H
-#define _LOONGARCH_DMA_DIRECT_H
-
-dma_addr_t phys_to_dma(struct device *dev, phys_addr_t paddr);
-phys_addr_t dma_to_phys(struct device *dev, dma_addr_t daddr);
-
-#endif /* _LOONGARCH_DMA_DIRECT_H */
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 03/93] btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk()
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 01/93] ALSA: seq: Skip event type filtering for UMP events Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 02/93] LoongArch: Remove the unused dma-direct.h Greg Kroah-Hartman
@ 2024-09-01 16:15 ` Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 04/93] btrfs: run delayed iputs when flushing delalloc Greg Kroah-Hartman
` (95 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Sterba, Josef Bacik, Qu Wenruo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit 10d9d8c3512f16cad47b2ff81ec6fc4b27d8ee10 upstream.
[BUG]
There is an internal report that KASAN is reporting use-after-free, with
the following backtrace:
BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs]
Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45
CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
Call Trace:
dump_stack_lvl+0x61/0x80
print_address_description.constprop.0+0x5e/0x2f0
print_report+0x118/0x216
kasan_report+0x11d/0x1f0
btrfs_check_read_bio+0xa68/0xb70 [btrfs]
process_one_work+0xce0/0x12a0
worker_thread+0x717/0x1250
kthread+0x2e3/0x3c0
ret_from_fork+0x2d/0x70
ret_from_fork_asm+0x11/0x20
Allocated by task 20917:
kasan_save_stack+0x37/0x60
kasan_save_track+0x10/0x30
__kasan_slab_alloc+0x7d/0x80
kmem_cache_alloc_noprof+0x16e/0x3e0
mempool_alloc_noprof+0x12e/0x310
bio_alloc_bioset+0x3f0/0x7a0
btrfs_bio_alloc+0x2e/0x50 [btrfs]
submit_extent_page+0x4d1/0xdb0 [btrfs]
btrfs_do_readpage+0x8b4/0x12a0 [btrfs]
btrfs_readahead+0x29a/0x430 [btrfs]
read_pages+0x1a7/0xc60
page_cache_ra_unbounded+0x2ad/0x560
filemap_get_pages+0x629/0xa20
filemap_read+0x335/0xbf0
vfs_read+0x790/0xcb0
ksys_read+0xfd/0x1d0
do_syscall_64+0x6d/0x140
entry_SYSCALL_64_after_hwframe+0x4b/0x53
Freed by task 20917:
kasan_save_stack+0x37/0x60
kasan_save_track+0x10/0x30
kasan_save_free_info+0x37/0x50
__kasan_slab_free+0x4b/0x60
kmem_cache_free+0x214/0x5d0
bio_free+0xed/0x180
end_bbio_data_read+0x1cc/0x580 [btrfs]
btrfs_submit_chunk+0x98d/0x1880 [btrfs]
btrfs_submit_bio+0x33/0x70 [btrfs]
submit_one_bio+0xd4/0x130 [btrfs]
submit_extent_page+0x3ea/0xdb0 [btrfs]
btrfs_do_readpage+0x8b4/0x12a0 [btrfs]
btrfs_readahead+0x29a/0x430 [btrfs]
read_pages+0x1a7/0xc60
page_cache_ra_unbounded+0x2ad/0x560
filemap_get_pages+0x629/0xa20
filemap_read+0x335/0xbf0
vfs_read+0x790/0xcb0
ksys_read+0xfd/0x1d0
do_syscall_64+0x6d/0x140
entry_SYSCALL_64_after_hwframe+0x4b/0x53
[CAUSE]
Although I cannot reproduce the error, the report itself is good enough
to pin down the cause.
The call trace is the regular endio workqueue context, but the
free-by-task trace is showing that during btrfs_submit_chunk() we
already hit a critical error, and is calling btrfs_bio_end_io() to error
out. And the original endio function called bio_put() to free the whole
bio.
This means a double freeing thus causing use-after-free, e.g.:
1. Enter btrfs_submit_bio() with a read bio
The read bio length is 128K, crossing two 64K stripes.
2. The first run of btrfs_submit_chunk()
2.1 Call btrfs_map_block(), which returns 64K
2.2 Call btrfs_split_bio()
Now there are two bios, one referring to the first 64K, the other
referring to the second 64K.
2.3 The first half is submitted.
3. The second run of btrfs_submit_chunk()
3.1 Call btrfs_map_block(), which by somehow failed
Now we call btrfs_bio_end_io() to handle the error
3.2 btrfs_bio_end_io() calls the original endio function
Which is end_bbio_data_read(), and it calls bio_put() for the
original bio.
Now the original bio is freed.
4. The submitted first 64K bio finished
Now we call into btrfs_check_read_bio() and tries to advance the bio
iter.
But since the original bio (thus its iter) is already freed, we
trigger the above use-after free.
And even if the memory is not poisoned/corrupted, we will later call
the original endio function, causing a double freeing.
[FIX]
Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(),
which has the extra check on split bios and do the proper refcounting
for cloned bios.
Furthermore there is already one extra btrfs_cleanup_bio() call, but
that is duplicated to btrfs_orig_bbio_end_io() call, so remove that
label completely.
Reported-by: David Sterba <dsterba@suse.com>
Fixes: 852eee62d31a ("btrfs: allow btrfs_submit_bio to split bios")
CC: stable@vger.kernel.org # 6.6+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/bio.c | 26 ++++++++++++++++++--------
1 file changed, 18 insertions(+), 8 deletions(-)
--- a/fs/btrfs/bio.c
+++ b/fs/btrfs/bio.c
@@ -646,7 +646,6 @@ static bool btrfs_submit_chunk(struct bt
{
struct btrfs_inode *inode = bbio->inode;
struct btrfs_fs_info *fs_info = bbio->fs_info;
- struct btrfs_bio *orig_bbio = bbio;
struct bio *bio = &bbio->bio;
u64 logical = bio->bi_iter.bi_sector << SECTOR_SHIFT;
u64 length = bio->bi_iter.bi_size;
@@ -682,7 +681,7 @@ static bool btrfs_submit_chunk(struct bt
bbio->saved_iter = bio->bi_iter;
ret = btrfs_lookup_bio_sums(bbio);
if (ret)
- goto fail_put_bio;
+ goto fail;
}
if (btrfs_op(bio) == BTRFS_MAP_WRITE) {
@@ -704,13 +703,13 @@ static bool btrfs_submit_chunk(struct bt
ret = btrfs_bio_csum(bbio);
if (ret)
- goto fail_put_bio;
+ goto fail;
} else if (use_append ||
(btrfs_is_zoned(fs_info) && inode &&
inode->flags & BTRFS_INODE_NODATASUM)) {
ret = btrfs_alloc_dummy_sum(bbio);
if (ret)
- goto fail_put_bio;
+ goto fail;
}
}
@@ -718,12 +717,23 @@ static bool btrfs_submit_chunk(struct bt
done:
return map_length == length;
-fail_put_bio:
- if (map_length < length)
- btrfs_cleanup_bio(bbio);
fail:
btrfs_bio_counter_dec(fs_info);
- btrfs_bio_end_io(orig_bbio, ret);
+ /*
+ * We have split the original bbio, now we have to end both the current
+ * @bbio and remaining one, as the remaining one will never be submitted.
+ */
+ if (map_length < length) {
+ struct btrfs_bio *remaining = bbio->private;
+
+ ASSERT(bbio->bio.bi_pool == &btrfs_clone_bioset);
+ ASSERT(remaining);
+
+ remaining->bio.bi_status = ret;
+ btrfs_orig_bbio_end_io(remaining);
+ }
+ bbio->bio.bi_status = ret;
+ btrfs_orig_bbio_end_io(bbio);
/* Do not submit another chunk */
return true;
}
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 04/93] btrfs: run delayed iputs when flushing delalloc
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2024-09-01 16:15 ` [PATCH 6.6 03/93] btrfs: fix a use-after-free when hitting errors inside btrfs_submit_chunk() Greg Kroah-Hartman
@ 2024-09-01 16:15 ` Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 05/93] smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() Greg Kroah-Hartman
` (94 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Josef Bacik, David Sterba
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
commit 2d3447261031503b181dacc549fe65ffe2d93d65 upstream.
We have transient failures with btrfs/301, specifically in the part
where we do
for i in $(seq 0 10); do
write 50m to file
rm -f file
done
Sometimes this will result in a transient quota error, and it's because
sometimes we start writeback on the file which results in a delayed
iput, and thus the rm doesn't actually clean the file up. When we're
flushing the quota space we need to run the delayed iputs to make sure
all the unlinks that we think have completed have actually completed.
This removes the small window where we could fail to find enough space
in our quota.
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/qgroup.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -3762,6 +3762,8 @@ static int try_flush_qgroup(struct btrfs
return 0;
}
+ btrfs_run_delayed_iputs(root->fs_info);
+ btrfs_wait_on_delayed_iputs(root->fs_info);
ret = btrfs_start_delalloc_snapshot(root, true);
if (ret < 0)
goto out;
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 05/93] smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req()
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2024-09-01 16:15 ` [PATCH 6.6 04/93] btrfs: run delayed iputs when flushing delalloc Greg Kroah-Hartman
@ 2024-09-01 16:15 ` Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 06/93] pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins Greg Kroah-Hartman
` (93 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Stefan Metzmacher,
Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Metzmacher <metze@samba.org>
commit c724b2ab6a46435b4e7d58ad2fbbdb7a318823cf upstream.
This happens when called from SMB2_read() while using rdma
and reaching the rdma_readwrite_threshold.
Cc: stable@vger.kernel.org
Fixes: a6559cc1d35d ("cifs: split out smb3_use_rdma_offload() helper")
Reviewed-by: David Howells <dhowells@redhat.com>
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/smb2pdu.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/smb/client/smb2pdu.c
+++ b/fs/smb/client/smb2pdu.c
@@ -4431,7 +4431,7 @@ smb2_new_read_req(void **buf, unsigned i
* If we want to do a RDMA write, fill in and append
* smbd_buffer_descriptor_v1 to the end of read request
*/
- if (smb3_use_rdma_offload(io_parms)) {
+ if (rdata && smb3_use_rdma_offload(io_parms)) {
struct smbd_buffer_descriptor_v1 *v1;
bool need_invalidate = server->dialect == SMB30_PROT_ID;
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 06/93] pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2024-09-01 16:15 ` [PATCH 6.6 05/93] smb/client: avoid dereferencing rdata=NULL in smb2_new_read_req() Greg Kroah-Hartman
@ 2024-09-01 16:15 ` Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 07/93] pinctrl: single: fix potential NULL dereference in pcs_get_function() Greg Kroah-Hartman
` (92 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Kojedzinszky,
Huang-Huang Bao, Heiko Stuebner, Daniel Golle, Trevor Woerner,
Linus Walleij
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huang-Huang Bao <i@eh5.me>
commit 128f71fe014fc91efa1407ce549f94a9a9f1072c upstream.
The base iomux offsets for each GPIO pin line are accumulatively
calculated based off iomux width flag in rockchip_pinctrl_get_soc_data.
If the iomux width flag is one of IOMUX_WIDTH_4BIT, IOMUX_WIDTH_3BIT or
IOMUX_WIDTH_2BIT, the base offset for next pin line would increase by 8
bytes, otherwise it would increase by 4 bytes.
Despite most of GPIO2-B iomux have 2-bit data width, which can be fit
into 4 bytes space with write mask, it actually take 8 bytes width for
whole GPIO2-B line.
Commit e8448a6c817c ("pinctrl: rockchip: fix pinmux bits for RK3328
GPIO2-B pins") wrongly set iomux width flag to 0, causing all base
iomux offset for line after GPIO2-B to be calculated wrong. Fix the
iomux width flag to IOMUX_WIDTH_2BIT so the offset after GPIO2-B is
correctly increased by 8, matching the actual width of GPIO2-B iomux.
Fixes: e8448a6c817c ("pinctrl: rockchip: fix pinmux bits for RK3328 GPIO2-B pins")
Cc: stable@vger.kernel.org
Reported-by: Richard Kojedzinszky <richard@kojedz.in>
Closes: https://lore.kernel.org/linux-rockchip/4f29b743202397d60edfb3c725537415@kojedz.in/
Tested-by: Richard Kojedzinszky <richard@kojedz.in>
Signed-off-by: Huang-Huang Bao <i@eh5.me>
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Tested-by: Daniel Golle <daniel@makrotopia.org>
Tested-by: Trevor Woerner <twoerner@gmail.com>
Link: https://lore.kernel.org/20240709105428.1176375-1-i@eh5.me
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/pinctrl-rockchip.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/pinctrl/pinctrl-rockchip.c
+++ b/drivers/pinctrl/pinctrl-rockchip.c
@@ -3802,7 +3802,7 @@ static struct rockchip_pin_bank rk3328_p
PIN_BANK_IOMUX_FLAGS(0, 32, "gpio0", 0, 0, 0, 0),
PIN_BANK_IOMUX_FLAGS(1, 32, "gpio1", 0, 0, 0, 0),
PIN_BANK_IOMUX_FLAGS(2, 32, "gpio2", 0,
- 0,
+ IOMUX_WIDTH_2BIT,
IOMUX_WIDTH_3BIT,
0),
PIN_BANK_IOMUX_FLAGS(3, 32, "gpio3",
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 07/93] pinctrl: single: fix potential NULL dereference in pcs_get_function()
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2024-09-01 16:15 ` [PATCH 6.6 06/93] pinctrl: rockchip: correct RK3328 iomux width flag for GPIO2-B pins Greg Kroah-Hartman
@ 2024-09-01 16:15 ` Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 08/93] of: Add cleanup.h based auto release via __free(device_node) markings Greg Kroah-Hartman
` (91 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Linus Walleij
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit 1c38a62f15e595346a1106025722869e87ffe044 upstream.
pinmux_generic_get_function() can return NULL and the pointer 'function'
was dereferenced without checking against NULL. Add checking of pointer
'function' in pcs_get_function().
Found by code review.
Cc: stable@vger.kernel.org
Fixes: 571aec4df5b7 ("pinctrl: single: Use generic pinmux helpers for managing functions")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Link: https://lore.kernel.org/20240808041355.2766009-1-make24@iscas.ac.cn
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/pinctrl-single.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/pinctrl/pinctrl-single.c
+++ b/drivers/pinctrl/pinctrl-single.c
@@ -349,6 +349,8 @@ static int pcs_get_function(struct pinct
return -ENOTSUPP;
fselector = setting->func;
function = pinmux_generic_get_function(pctldev, fselector);
+ if (!function)
+ return -EINVAL;
*func = function->data;
if (!(*func)) {
dev_err(pcs->dev, "%s could not find function%i\n",
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 08/93] of: Add cleanup.h based auto release via __free(device_node) markings
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2024-09-01 16:15 ` [PATCH 6.6 07/93] pinctrl: single: fix potential NULL dereference in pcs_get_function() Greg Kroah-Hartman
@ 2024-09-01 16:15 ` Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 09/93] wifi: wfx: repair open network AP mode Greg Kroah-Hartman
` (90 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jonathan Cameron, Rob Herring
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
commit 9448e55d032d99af8e23487f51a542d51b2f1a48 upstream.
The recent addition of scope based cleanup support to the kernel
provides a convenient tool to reduce the chances of leaking reference
counts where of_node_put() should have been called in an error path.
This enables
struct device_node *child __free(device_node) = NULL;
for_each_child_of_node(np, child) {
if (test)
return test;
}
with no need for a manual call of of_node_put().
A following patch will reduce the scope of the child variable to the
for loop, to avoid an issues with ordering of autocleanup, and make it
obvious when this assigned a non NULL value.
In this simple example the gains are small but there are some very
complex error handling cases buried in these loops that will be
greatly simplified by enabling early returns with out the need
for this manual of_node_put() call.
Note that there are coccinelle checks in
scripts/coccinelle/iterators/for_each_child.cocci to detect a failure
to call of_node_put(). This new approach does not cause false positives.
Longer term we may want to add scripting to check this new approach is
done correctly with no double of_node_put() calls being introduced due
to the auto cleanup. It may also be useful to script finding places
this new approach is useful.
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Rob Herring <robh@kernel.org>
Link: https://lore.kernel.org/r/20240225142714.286440-2-jic23@kernel.org
Signed-off-by: Rob Herring <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/of.h | 2 ++
1 file changed, 2 insertions(+)
--- a/include/linux/of.h
+++ b/include/linux/of.h
@@ -13,6 +13,7 @@
*/
#include <linux/types.h>
#include <linux/bitops.h>
+#include <linux/cleanup.h>
#include <linux/errno.h>
#include <linux/kobject.h>
#include <linux/mod_devicetable.h>
@@ -134,6 +135,7 @@ static inline struct device_node *of_nod
}
static inline void of_node_put(struct device_node *node) { }
#endif /* !CONFIG_OF_DYNAMIC */
+DEFINE_FREE(device_node, struct device_node *, if (_T) of_node_put(_T))
/* Pointer for first entry in chain of all nodes. */
extern struct device_node *of_root;
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 09/93] wifi: wfx: repair open network AP mode
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2024-09-01 16:15 ` [PATCH 6.6 08/93] of: Add cleanup.h based auto release via __free(device_node) markings Greg Kroah-Hartman
@ 2024-09-01 16:15 ` Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 10/93] wifi: mwifiex: duplicate static structs used in driver instances Greg Kroah-Hartman
` (89 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Sverdlin,
Jérôme Pouiller, Kalle Valo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Sverdlin <alexander.sverdlin@siemens.com>
commit 6d30bb88f623526197c0e18a366e68a4254a2c83 upstream.
RSN IE missing in beacon is normal in open networks.
Avoid returning -EINVAL in this case.
Steps to reproduce:
$ cat /etc/wpa_supplicant.conf
network={
ssid="testNet"
mode=2
key_mgmt=NONE
}
$ wpa_supplicant -iwlan0 -c /etc/wpa_supplicant.conf
nl80211: Beacon set failed: -22 (Invalid argument)
Failed to set beacon parameters
Interface initialization failed
wlan0: interface state UNINITIALIZED->DISABLED
wlan0: AP-DISABLED
wlan0: Unable to setup interface.
Failed to initialize AP interface
After the change:
$ wpa_supplicant -iwlan0 -c /etc/wpa_supplicant.conf
Successfully initialized wpa_supplicant
wlan0: interface state UNINITIALIZED->ENABLED
wlan0: AP-ENABLED
Cc: stable@vger.kernel.org
Fixes: fe0a7776d4d1 ("wifi: wfx: fix possible NULL pointer dereference in wfx_set_mfp_ap()")
Signed-off-by: Alexander Sverdlin <alexander.sverdlin@siemens.com>
Reviewed-by: Jérôme Pouiller <jerome.pouiller@silabs.com>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/20240823131521.3309073-1-alexander.sverdlin@siemens.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/silabs/wfx/sta.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/net/wireless/silabs/wfx/sta.c
+++ b/drivers/net/wireless/silabs/wfx/sta.c
@@ -370,8 +370,11 @@ static int wfx_set_mfp_ap(struct wfx_vif
ptr = (u16 *)cfg80211_find_ie(WLAN_EID_RSN, skb->data + ieoffset,
skb->len - ieoffset);
- if (unlikely(!ptr))
+ if (!ptr) {
+ /* No RSN IE is fine in open networks */
+ ret = 0;
goto free_skb;
+ }
ptr += pairwise_cipher_suite_count_offset;
if (WARN_ON(ptr > (u16 *)skb_tail_pointer(skb)))
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 10/93] wifi: mwifiex: duplicate static structs used in driver instances
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2024-09-01 16:15 ` [PATCH 6.6 09/93] wifi: wfx: repair open network AP mode Greg Kroah-Hartman
@ 2024-09-01 16:15 ` Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 11/93] net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response Greg Kroah-Hartman
` (88 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sascha Hauer, Francesco Dolcini,
Brian Norris, Kalle Valo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sascha Hauer <s.hauer@pengutronix.de>
commit 27ec3c57fcadb43c79ed05b2ea31bc18c72d798a upstream.
mwifiex_band_2ghz and mwifiex_band_5ghz are statically allocated, but
used and modified in driver instances. Duplicate them before using
them in driver instances so that different driver instances do not
influence each other.
This was observed on a board which has one PCIe and one SDIO mwifiex
adapter. It blew up in mwifiex_setup_ht_caps(). This was called with
the statically allocated struct which is modified in this function.
Cc: stable@vger.kernel.org
Fixes: d6bffe8bb520 ("mwifiex: support for creation of AP interface")
Signed-off-by: Sascha Hauer <s.hauer@pengutronix.de>
Reviewed-by: Francesco Dolcini <francesco.dolcini@toradex.com>
Acked-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/20240809-mwifiex-duplicate-static-structs-v1-1-6837b903b1a4@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wireless/marvell/mwifiex/cfg80211.c | 32 +++++++++++++++++++-----
1 file changed, 26 insertions(+), 6 deletions(-)
--- a/drivers/net/wireless/marvell/mwifiex/cfg80211.c
+++ b/drivers/net/wireless/marvell/mwifiex/cfg80211.c
@@ -4362,11 +4362,27 @@ int mwifiex_register_cfg80211(struct mwi
if (ISSUPP_ADHOC_ENABLED(adapter->fw_cap_info))
wiphy->interface_modes |= BIT(NL80211_IFTYPE_ADHOC);
- wiphy->bands[NL80211_BAND_2GHZ] = &mwifiex_band_2ghz;
- if (adapter->config_bands & BAND_A)
- wiphy->bands[NL80211_BAND_5GHZ] = &mwifiex_band_5ghz;
- else
+ wiphy->bands[NL80211_BAND_2GHZ] = devm_kmemdup(adapter->dev,
+ &mwifiex_band_2ghz,
+ sizeof(mwifiex_band_2ghz),
+ GFP_KERNEL);
+ if (!wiphy->bands[NL80211_BAND_2GHZ]) {
+ ret = -ENOMEM;
+ goto err;
+ }
+
+ if (adapter->config_bands & BAND_A) {
+ wiphy->bands[NL80211_BAND_5GHZ] = devm_kmemdup(adapter->dev,
+ &mwifiex_band_5ghz,
+ sizeof(mwifiex_band_5ghz),
+ GFP_KERNEL);
+ if (!wiphy->bands[NL80211_BAND_5GHZ]) {
+ ret = -ENOMEM;
+ goto err;
+ }
+ } else {
wiphy->bands[NL80211_BAND_5GHZ] = NULL;
+ }
if (adapter->drcs_enabled && ISSUPP_DRCS_ENABLED(adapter->fw_cap_info))
wiphy->iface_combinations = &mwifiex_iface_comb_ap_sta_drcs;
@@ -4460,8 +4476,7 @@ int mwifiex_register_cfg80211(struct mwi
if (ret < 0) {
mwifiex_dbg(adapter, ERROR,
"%s: wiphy_register failed: %d\n", __func__, ret);
- wiphy_free(wiphy);
- return ret;
+ goto err;
}
if (!adapter->regd) {
@@ -4503,4 +4518,9 @@ int mwifiex_register_cfg80211(struct mwi
adapter->wiphy = wiphy;
return ret;
+
+err:
+ wiphy_free(wiphy);
+
+ return ret;
}
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 11/93] net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2024-09-01 16:15 ` [PATCH 6.6 10/93] wifi: mwifiex: duplicate static structs used in driver instances Greg Kroah-Hartman
@ 2024-09-01 16:15 ` Greg Kroah-Hartman
2024-09-01 16:15 ` [PATCH 6.6 12/93] mptcp: close subflow when receiving TCP+FIN Greg Kroah-Hartman
` (87 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:15 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Long Li,
David S. Miller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haiyang Zhang <haiyangz@microsoft.com>
commit 8af174ea863c72f25ce31cee3baad8a301c0cf0f upstream.
The mana_hwc_rx_event_handler() / mana_hwc_handle_resp() calls
complete(&ctx->comp_event) before posting the wqe back. It's
possible that other callers, like mana_create_txq(), start the
next round of mana_hwc_send_request() before the posting of wqe.
And if the HW is fast enough to respond, it can hit no_wqe error
on the HW channel, then the response message is lost. The mana
driver may fail to create queues and open, because of waiting for
the HW response and timed out.
Sample dmesg:
[ 528.610840] mana 39d4:00:02.0: HWC: Request timed out!
[ 528.614452] mana 39d4:00:02.0: Failed to send mana message: -110, 0x0
[ 528.618326] mana 39d4:00:02.0 enP14804s2: Failed to create WQ object: -110
To fix it, move posting of rx wqe before complete(&ctx->comp_event).
Cc: stable@vger.kernel.org
Fixes: ca9c54d2d6a5 ("net: mana: Add a driver for Microsoft Azure Network Adapter (MANA)")
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Long Li <longli@microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/microsoft/mana/hw_channel.c | 62 ++++++++++++-----------
1 file changed, 34 insertions(+), 28 deletions(-)
--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
+++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
@@ -51,9 +51,33 @@ static int mana_hwc_verify_resp_msg(cons
return 0;
}
+static int mana_hwc_post_rx_wqe(const struct hwc_wq *hwc_rxq,
+ struct hwc_work_request *req)
+{
+ struct device *dev = hwc_rxq->hwc->dev;
+ struct gdma_sge *sge;
+ int err;
+
+ sge = &req->sge;
+ sge->address = (u64)req->buf_sge_addr;
+ sge->mem_key = hwc_rxq->msg_buf->gpa_mkey;
+ sge->size = req->buf_len;
+
+ memset(&req->wqe_req, 0, sizeof(struct gdma_wqe_request));
+ req->wqe_req.sgl = sge;
+ req->wqe_req.num_sge = 1;
+ req->wqe_req.client_data_unit = 0;
+
+ err = mana_gd_post_and_ring(hwc_rxq->gdma_wq, &req->wqe_req, NULL);
+ if (err)
+ dev_err(dev, "Failed to post WQE on HWC RQ: %d\n", err);
+ return err;
+}
+
static void mana_hwc_handle_resp(struct hw_channel_context *hwc, u32 resp_len,
- const struct gdma_resp_hdr *resp_msg)
+ struct hwc_work_request *rx_req)
{
+ const struct gdma_resp_hdr *resp_msg = rx_req->buf_va;
struct hwc_caller_ctx *ctx;
int err;
@@ -61,6 +85,7 @@ static void mana_hwc_handle_resp(struct
hwc->inflight_msg_res.map)) {
dev_err(hwc->dev, "hwc_rx: invalid msg_id = %u\n",
resp_msg->response.hwc_msg_id);
+ mana_hwc_post_rx_wqe(hwc->rxq, rx_req);
return;
}
@@ -74,30 +99,13 @@ static void mana_hwc_handle_resp(struct
memcpy(ctx->output_buf, resp_msg, resp_len);
out:
ctx->error = err;
- complete(&ctx->comp_event);
-}
-
-static int mana_hwc_post_rx_wqe(const struct hwc_wq *hwc_rxq,
- struct hwc_work_request *req)
-{
- struct device *dev = hwc_rxq->hwc->dev;
- struct gdma_sge *sge;
- int err;
-
- sge = &req->sge;
- sge->address = (u64)req->buf_sge_addr;
- sge->mem_key = hwc_rxq->msg_buf->gpa_mkey;
- sge->size = req->buf_len;
- memset(&req->wqe_req, 0, sizeof(struct gdma_wqe_request));
- req->wqe_req.sgl = sge;
- req->wqe_req.num_sge = 1;
- req->wqe_req.client_data_unit = 0;
+ /* Must post rx wqe before complete(), otherwise the next rx may
+ * hit no_wqe error.
+ */
+ mana_hwc_post_rx_wqe(hwc->rxq, rx_req);
- err = mana_gd_post_and_ring(hwc_rxq->gdma_wq, &req->wqe_req, NULL);
- if (err)
- dev_err(dev, "Failed to post WQE on HWC RQ: %d\n", err);
- return err;
+ complete(&ctx->comp_event);
}
static void mana_hwc_init_event_handler(void *ctx, struct gdma_queue *q_self,
@@ -234,14 +242,12 @@ static void mana_hwc_rx_event_handler(vo
return;
}
- mana_hwc_handle_resp(hwc, rx_oob->tx_oob_data_size, resp);
+ mana_hwc_handle_resp(hwc, rx_oob->tx_oob_data_size, rx_req);
- /* Do no longer use 'resp', because the buffer is posted to the HW
- * in the below mana_hwc_post_rx_wqe().
+ /* Can no longer use 'resp', because the buffer is posted to the HW
+ * in mana_hwc_handle_resp() above.
*/
resp = NULL;
-
- mana_hwc_post_rx_wqe(hwc_rxq, rx_req);
}
static void mana_hwc_tx_event_handler(void *ctx, u32 gdma_txq_id,
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 12/93] mptcp: close subflow when receiving TCP+FIN
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2024-09-01 16:15 ` [PATCH 6.6 11/93] net: mana: Fix race of mana_hwc_post_rx_wqe and new hwc response Greg Kroah-Hartman
@ 2024-09-01 16:15 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 13/93] mptcp: sched: check both backup in retrans Greg Kroah-Hartman
` (86 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:15 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit f09b0ad55a1196f5891663f8888463c0541059cb upstream.
When a peer decides to close one subflow in the middle of a connection
having multiple subflows, the receiver of the first FIN should accept
that, and close the subflow on its side as well. If not, the subflow
will stay half closed, and would even continue to be used until the end
of the MPTCP connection or a reset from the network.
The issue has not been seen before, probably because the in-kernel
path-manager always sends a RM_ADDR before closing the subflow. Upon the
reception of this RM_ADDR, the other peer will initiate the closure on
its side as well. On the other hand, if the RM_ADDR is lost, or if the
path-manager of the other peer only closes the subflow without sending a
RM_ADDR, the subflow would switch to TCP_CLOSE_WAIT, but that's it,
leaving the subflow half-closed.
So now, when the subflow switches to the TCP_CLOSE_WAIT state, and if
the MPTCP connection has not been closed before with a DATA_FIN, the
kernel owning the subflow schedules its worker to initiate the closure
on its side as well.
This issue can be easily reproduced with packetdrill, as visible in [1],
by creating an additional subflow, injecting a FIN+ACK before sending
the DATA_FIN, and expecting a FIN+ACK in return.
Fixes: 40947e13997a ("mptcp: schedule worker when subflow is closed")
Cc: stable@vger.kernel.org
Link: https://github.com/multipath-tcp/packetdrill/pull/154 [1]
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240826-net-mptcp-close-extra-sf-fin-v1-1-905199fe1172@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 5 ++++-
net/mptcp/subflow.c | 8 ++++++--
2 files changed, 10 insertions(+), 3 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2496,8 +2496,11 @@ static void __mptcp_close_subflow(struct
mptcp_for_each_subflow_safe(msk, subflow, tmp) {
struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
+ int ssk_state = inet_sk_state_load(ssk);
- if (inet_sk_state_load(ssk) != TCP_CLOSE)
+ if (ssk_state != TCP_CLOSE &&
+ (ssk_state != TCP_CLOSE_WAIT ||
+ inet_sk_state_load(sk) != TCP_ESTABLISHED))
continue;
/* 'subflow_data_ready' will re-sched once rx queue is empty */
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -1226,12 +1226,16 @@ out:
/* sched mptcp worker to remove the subflow if no more data is pending */
static void subflow_sched_work_if_closed(struct mptcp_sock *msk, struct sock *ssk)
{
- if (likely(ssk->sk_state != TCP_CLOSE))
+ struct sock *sk = (struct sock *)msk;
+
+ if (likely(ssk->sk_state != TCP_CLOSE &&
+ (ssk->sk_state != TCP_CLOSE_WAIT ||
+ inet_sk_state_load(sk) != TCP_ESTABLISHED)))
return;
if (skb_queue_empty(&ssk->sk_receive_queue) &&
!test_and_set_bit(MPTCP_WORK_CLOSE_SUBFLOW, &msk->flags))
- mptcp_schedule_work((struct sock *)msk);
+ mptcp_schedule_work(sk);
}
static bool subflow_can_fallback(struct mptcp_subflow_context *subflow)
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 13/93] mptcp: sched: check both backup in retrans
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2024-09-01 16:15 ` [PATCH 6.6 12/93] mptcp: close subflow when receiving TCP+FIN Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 14/93] mptcp: pm: reuse ID 0 after delete and re-add Greg Kroah-Hartman
` (85 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 2a1f596ebb23eadc0f9b95a8012e18ef76295fc8 upstream.
The 'mptcp_subflow_context' structure has two items related to the
backup flags:
- 'backup': the subflow has been marked as backup by the other peer
- 'request_bkup': the backup flag has been set by the host
Looking only at the 'backup' flag can make sense in some cases, but it
is not the behaviour of the default packet scheduler when selecting
paths.
As explained in the commit b6a66e521a20 ("mptcp: sched: check both
directions for backup"), the packet scheduler should look at both flags,
because that was the behaviour from the beginning: the 'backup' flag was
set by accident instead of the 'request_bkup' one. Now that the latter
has been fixed, get_retrans() needs to be adapted as well.
Fixes: b6a66e521a20 ("mptcp: sched: check both directions for backup")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20240826-net-mptcp-close-extra-sf-fin-v1-3-905199fe1172@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2289,7 +2289,7 @@ struct sock *mptcp_subflow_get_retrans(s
continue;
}
- if (subflow->backup) {
+ if (subflow->backup || subflow->request_bkup) {
if (!backup)
backup = ssk;
continue;
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 14/93] mptcp: pm: reuse ID 0 after delete and re-add
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 13/93] mptcp: sched: check both backup in retrans Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 15/93] mptcp: pm: skip connecting to already established sf Greg Kroah-Hartman
` (84 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 8b8ed1b429f8fa7ebd5632555e7b047bc0620075 upstream.
When the endpoint used by the initial subflow is removed and re-added
later, the PM has to force the ID 0, it is a special case imposed by the
MPTCP specs.
Note that the endpoint should then need to be re-added reusing the same
ID.
Fixes: 3ad14f54bd74 ("mptcp: more accurate MPC endpoint tracking")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -593,6 +593,11 @@ static void mptcp_pm_create_subflow_or_s
__clear_bit(local.addr.id, msk->pm.id_avail_bitmap);
msk->pm.add_addr_signaled++;
+
+ /* Special case for ID0: set the correct ID */
+ if (local.addr.id == msk->mpc_endpoint_id)
+ local.addr.id = 0;
+
mptcp_pm_announce_addr(msk, &local.addr, false);
mptcp_pm_nl_addr_send_ack(msk);
@@ -617,6 +622,11 @@ subflow:
msk->pm.local_addr_used++;
__clear_bit(local.addr.id, msk->pm.id_avail_bitmap);
+
+ /* Special case for ID0: set the correct ID */
+ if (local.addr.id == msk->mpc_endpoint_id)
+ local.addr.id = 0;
+
nr = fill_remote_addresses_vec(msk, &local.addr, fullmesh, addrs);
if (nr == 0)
continue;
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 15/93] mptcp: pm: skip connecting to already established sf
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 14/93] mptcp: pm: reuse ID 0 after delete and re-add Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 16/93] mptcp: pm: reset MPC endp ID when re-added Greg Kroah-Hartman
` (83 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit bc19ff57637ff563d2bdf2b385b48c41e6509e0d upstream.
The lookup_subflow_by_daddr() helper checks if there is already a
subflow connected to this address. But there could be a subflow that is
closing, but taking time due to some reasons: latency, losses, data to
process, etc.
If an ADD_ADDR is received while the endpoint is being closed, it is
better to try connecting to it, instead of rejecting it: the peer which
has sent the ADD_ADDR will not be notified that the ADD_ADDR has been
rejected for this reason, and the expected subflow will not be created
at the end.
This helper should then only look for subflows that are established, or
going to be, but not the ones being closed.
Fixes: d84ad04941c3 ("mptcp: skip connecting the connected address")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -135,12 +135,15 @@ static bool lookup_subflow_by_daddr(cons
{
struct mptcp_subflow_context *subflow;
struct mptcp_addr_info cur;
- struct sock_common *skc;
list_for_each_entry(subflow, list, node) {
- skc = (struct sock_common *)mptcp_subflow_tcp_sock(subflow);
+ struct sock *ssk = mptcp_subflow_tcp_sock(subflow);
- remote_address(skc, &cur);
+ if (!((1 << inet_sk_state_load(ssk)) &
+ (TCPF_ESTABLISHED | TCPF_SYN_SENT | TCPF_SYN_RECV)))
+ continue;
+
+ remote_address((struct sock_common *)ssk, &cur);
if (mptcp_addresses_equal(&cur, daddr, daddr->port))
return true;
}
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 16/93] mptcp: pm: reset MPC endp ID when re-added
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 15/93] mptcp: pm: skip connecting to already established sf Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 17/93] mptcp: pm: send ACK on an active subflow Greg Kroah-Hartman
` (82 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit dce1c6d1e92535f165219695a826caedcca4e9b9 upstream.
The initial subflow has a special local ID: 0. It is specific per
connection.
When a global endpoint is deleted and re-added later, it can have a
different ID -- most services managing the endpoints automatically don't
force the ID to be the same as before. It is then important to track
these modifications to be consistent with the ID being used for the
address used by the initial subflow, not to confuse the other peer or to
send the ID 0 for the wrong address.
Now when removing an endpoint, msk->mpc_endpoint_id is reset if it
corresponds to this endpoint. When adding a new endpoint, the same
variable is updated if the address match the one of the initial subflow.
Fixes: 3ad14f54bd74 ("mptcp: more accurate MPC endpoint tracking")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -1351,20 +1351,27 @@ static struct pm_nl_pernet *genl_info_pm
return pm_nl_get_pernet(genl_info_net(info));
}
-static int mptcp_nl_add_subflow_or_signal_addr(struct net *net)
+static int mptcp_nl_add_subflow_or_signal_addr(struct net *net,
+ struct mptcp_addr_info *addr)
{
struct mptcp_sock *msk;
long s_slot = 0, s_num = 0;
while ((msk = mptcp_token_iter_next(net, &s_slot, &s_num)) != NULL) {
struct sock *sk = (struct sock *)msk;
+ struct mptcp_addr_info mpc_addr;
if (!READ_ONCE(msk->fully_established) ||
mptcp_pm_is_userspace(msk))
goto next;
+ /* if the endp linked to the init sf is re-added with a != ID */
+ mptcp_local_address((struct sock_common *)msk, &mpc_addr);
+
lock_sock(sk);
spin_lock_bh(&msk->pm.lock);
+ if (mptcp_addresses_equal(addr, &mpc_addr, addr->port))
+ msk->mpc_endpoint_id = addr->id;
mptcp_pm_create_subflow_or_signal_addr(msk);
spin_unlock_bh(&msk->pm.lock);
release_sock(sk);
@@ -1437,7 +1444,7 @@ static int mptcp_nl_cmd_add_addr(struct
goto out_free;
}
- mptcp_nl_add_subflow_or_signal_addr(sock_net(skb->sk));
+ mptcp_nl_add_subflow_or_signal_addr(sock_net(skb->sk), &entry->addr);
return 0;
out_free:
@@ -1553,6 +1560,8 @@ static int mptcp_nl_remove_subflow_and_s
spin_unlock_bh(&msk->pm.lock);
}
+ if (msk->mpc_endpoint_id == entry->addr.id)
+ msk->mpc_endpoint_id = 0;
release_sock(sk);
next:
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 17/93] mptcp: pm: send ACK on an active subflow
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 16/93] mptcp: pm: reset MPC endp ID when re-added Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 18/93] mptcp: pm: do not remove already closed subflows Greg Kroah-Hartman
` (81 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit c07cc3ed895f9bfe0c53b5ed6be710c133b4271c upstream.
Taking the first one on the list doesn't work in some cases, e.g. if the
initial subflow is being removed. Pick another one instead of not
sending anything.
Fixes: 84dfe3677a6f ("mptcp: send out dedicated ADD_ADDR packet")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -776,9 +776,12 @@ void mptcp_pm_nl_addr_send_ack(struct mp
!mptcp_pm_should_rm_signal(msk))
return;
- subflow = list_first_entry_or_null(&msk->conn_list, typeof(*subflow), node);
- if (subflow)
- mptcp_pm_send_ack(msk, subflow, false, false);
+ mptcp_for_each_subflow(msk, subflow) {
+ if (__mptcp_subflow_active(subflow)) {
+ mptcp_pm_send_ack(msk, subflow, false, false);
+ break;
+ }
+ }
}
int mptcp_pm_nl_mp_prio_send_ack(struct mptcp_sock *msk,
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 18/93] mptcp: pm: do not remove already closed subflows
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 17/93] mptcp: pm: send ACK on an active subflow Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 19/93] mptcp: pm: fix ID 0 endp usage after multiple re-creations Greg Kroah-Hartman
` (80 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 58e1b66b4e4b8a602d3f2843e8eba00a969ecce2 upstream.
It is possible to have in the list already closed subflows, e.g. the
initial subflow has been already closed, but still in the list. No need
to try to close it again, and increments the related counters again.
Fixes: 0ee4261a3681 ("mptcp: implement mptcp_pm_remove_subflow")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -851,6 +851,8 @@ static void mptcp_pm_nl_rm_addr_or_subfl
int how = RCV_SHUTDOWN | SEND_SHUTDOWN;
u8 id = subflow_get_local_id(subflow);
+ if (inet_sk_state_load(ssk) == TCP_CLOSE)
+ continue;
if (rm_type == MPTCP_MIB_RMADDR && remote_id != rm_id)
continue;
if (rm_type == MPTCP_MIB_RMSUBFLOW && !mptcp_local_id_match(msk, id, rm_id))
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 19/93] mptcp: pm: fix ID 0 endp usage after multiple re-creations
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 18/93] mptcp: pm: do not remove already closed subflows Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 20/93] mptcp: pm: ADD_ADDR 0 is not a new address Greg Kroah-Hartman
` (79 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arınç ÜNAL,
syzbot+455d38ecd5f655fc45cf, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 9366922adc6a71378ca01f898c41be295309f044 upstream.
'local_addr_used' and 'add_addr_accepted' are decremented for addresses
not related to the initial subflow (ID0), because the source and
destination addresses of the initial subflows are known from the
beginning: they don't count as "additional local address being used" or
"ADD_ADDR being accepted".
It is then required not to increment them when the entrypoint used by
the initial subflow is removed and re-added during a connection. Without
this modification, this entrypoint cannot be removed and re-added more
than once.
Reported-by: Arınç ÜNAL <arinc.unal@arinc9.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/512
Fixes: 3ad14f54bd74 ("mptcp: more accurate MPC endpoint tracking")
Reported-by: syzbot+455d38ecd5f655fc45cf@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/00000000000049861306209237f4@google.com
Cc: stable@vger.kernel.org
Tested-by: Arınç ÜNAL <arinc.unal@arinc9.com>
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm_netlink.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -623,12 +623,13 @@ subflow:
fullmesh = !!(local.flags & MPTCP_PM_ADDR_FLAG_FULLMESH);
- msk->pm.local_addr_used++;
__clear_bit(local.addr.id, msk->pm.id_avail_bitmap);
/* Special case for ID0: set the correct ID */
if (local.addr.id == msk->mpc_endpoint_id)
local.addr.id = 0;
+ else /* local_addr_used is not decr for ID 0 */
+ msk->pm.local_addr_used++;
nr = fill_remote_addresses_vec(msk, &local.addr, fullmesh, addrs);
if (nr == 0)
@@ -758,7 +759,9 @@ static void mptcp_pm_nl_add_addr_receive
spin_lock_bh(&msk->pm.lock);
if (sf_created) {
- msk->pm.add_addr_accepted++;
+ /* add_addr_accepted is not decr for ID 0 */
+ if (remote.id)
+ msk->pm.add_addr_accepted++;
if (msk->pm.add_addr_accepted >= add_addr_accept_max ||
msk->pm.subflows >= subflows_max)
WRITE_ONCE(msk->pm.accept_addr, false);
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 20/93] mptcp: pm: ADD_ADDR 0 is not a new address
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 19/93] mptcp: pm: fix ID 0 endp usage after multiple re-creations Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 21/93] selftests: mptcp: join: check removing ID 0 endpoint Greg Kroah-Hartman
` (78 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 57f86203b41c98b322119dfdbb1ec54ce5e3369b upstream.
The ADD_ADDR 0 with the address from the initial subflow should not be
considered as a new address: this is not something new. If the host
receives it, it simply means that the address is available again.
When receiving an ADD_ADDR for the ID 0, the PM already doesn't consider
it as new by not incrementing the 'add_addr_accepted' counter. But the
'accept_addr' might not be set if the limit has already been reached:
this can be bypassed in this case. But before, it is important to check
that this ADD_ADDR for the ID 0 is for the same address as the initial
subflow. If not, it is not something that should happen, and the
ADD_ADDR can be ignored.
Note that if an ADD_ADDR is received while there is already a subflow
opened using the same address, this ADD_ADDR is ignored as well. It
means that if multiple ADD_ADDR for ID 0 are received, there will not be
any duplicated subflows created by the client.
Fixes: d0876b2284cf ("mptcp: add the incoming RM_ADDR support")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/pm.c | 4 +++-
net/mptcp/pm_netlink.c | 9 +++++++++
net/mptcp/protocol.h | 2 ++
3 files changed, 14 insertions(+), 1 deletion(-)
--- a/net/mptcp/pm.c
+++ b/net/mptcp/pm.c
@@ -227,7 +227,9 @@ void mptcp_pm_add_addr_received(const st
} else {
__MPTCP_INC_STATS(sock_net((struct sock *)msk), MPTCP_MIB_ADDADDRDROP);
}
- } else if (!READ_ONCE(pm->accept_addr)) {
+ /* id0 should not have a different address */
+ } else if ((addr->id == 0 && !mptcp_pm_nl_is_init_remote_addr(msk, addr)) ||
+ (addr->id > 0 && !READ_ONCE(pm->accept_addr))) {
mptcp_pm_announce_addr(msk, addr, true);
mptcp_pm_add_addr_send_ack(msk);
} else if (mptcp_pm_schedule_work(msk, MPTCP_PM_ADD_ADDR_RECEIVED)) {
--- a/net/mptcp/pm_netlink.c
+++ b/net/mptcp/pm_netlink.c
@@ -768,6 +768,15 @@ static void mptcp_pm_nl_add_addr_receive
}
}
+bool mptcp_pm_nl_is_init_remote_addr(struct mptcp_sock *msk,
+ const struct mptcp_addr_info *remote)
+{
+ struct mptcp_addr_info mpc_remote;
+
+ remote_address((struct sock_common *)msk, &mpc_remote);
+ return mptcp_addresses_equal(&mpc_remote, remote, remote->port);
+}
+
void mptcp_pm_nl_addr_send_ack(struct mptcp_sock *msk)
{
struct mptcp_subflow_context *subflow;
--- a/net/mptcp/protocol.h
+++ b/net/mptcp/protocol.h
@@ -907,6 +907,8 @@ void mptcp_pm_add_addr_received(const st
void mptcp_pm_add_addr_echoed(struct mptcp_sock *msk,
const struct mptcp_addr_info *addr);
void mptcp_pm_add_addr_send_ack(struct mptcp_sock *msk);
+bool mptcp_pm_nl_is_init_remote_addr(struct mptcp_sock *msk,
+ const struct mptcp_addr_info *remote);
void mptcp_pm_nl_addr_send_ack(struct mptcp_sock *msk);
void mptcp_pm_rm_addr_received(struct mptcp_sock *msk,
const struct mptcp_rm_list *rm_list);
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 21/93] selftests: mptcp: join: check removing ID 0 endpoint
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 20/93] mptcp: pm: ADD_ADDR 0 is not a new address Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 22/93] selftests: mptcp: join: no extra msg if no counter Greg Kroah-Hartman
` (77 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 5f94b08c001290acda94d9d8868075590931c198 upstream.
Removing the endpoint linked to the initial subflow should trigger a
RM_ADDR for the right ID, and the removal of the subflow. That's what is
now being verified in the "delete and re-add" test.
Note that removing the initial subflow will not decrement the 'subflows'
counters, which corresponds to the *additional* subflows. On the other
hand, when the same endpoint is re-added, it will increment this
counter, as it will be seen as an additional subflow this time.
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it validates the previous fix for an issue introduced by this commit
ID.
Fixes: 3ad14f54bd74 ("mptcp: more accurate MPC endpoint tracking")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 25 +++++++++++++++++-------
1 file changed, 18 insertions(+), 7 deletions(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -3578,8 +3578,9 @@ endpoint_tests()
if reset_with_tcp_filter "delete and re-add" ns2 10.0.3.2 REJECT OUTPUT &&
mptcp_lib_kallsyms_has "subflow_rebuild_header$"; then
- pm_nl_set_limits $ns1 0 2
- pm_nl_set_limits $ns2 0 2
+ pm_nl_set_limits $ns1 0 3
+ pm_nl_set_limits $ns2 0 3
+ pm_nl_add_endpoint $ns2 10.0.1.2 id 1 dev ns2eth1 flags subflow
pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow
test_linkfail=4 speed=20 \
run_tests $ns1 $ns2 10.0.1.1 &
@@ -3588,17 +3589,17 @@ endpoint_tests()
wait_mpj $ns2
pm_nl_check_endpoint "creation" \
$ns2 10.0.2.2 id 2 flags subflow dev ns2eth2
- chk_subflow_nr "before delete" 2
+ chk_subflow_nr "before delete id 2" 2
chk_mptcp_info subflows 1 subflows 1
pm_nl_del_endpoint $ns2 2 10.0.2.2
sleep 0.5
- chk_subflow_nr "after delete" 1
+ chk_subflow_nr "after delete id 2" 1
chk_mptcp_info subflows 0 subflows 0
pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow
wait_mpj $ns2
- chk_subflow_nr "after re-add" 2
+ chk_subflow_nr "after re-add id 2" 2
chk_mptcp_info subflows 1 subflows 1
pm_nl_add_endpoint $ns2 10.0.3.2 id 3 flags subflow
@@ -3613,10 +3614,20 @@ endpoint_tests()
chk_subflow_nr "after no reject" 3
chk_mptcp_info subflows 2 subflows 2
+ pm_nl_del_endpoint $ns2 1 10.0.1.2
+ sleep 0.5
+ chk_subflow_nr "after delete id 0" 2
+ chk_mptcp_info subflows 2 subflows 2 # only decr for additional sf
+
+ pm_nl_add_endpoint $ns2 10.0.1.2 id 1 dev ns2eth1 flags subflow
+ wait_mpj $ns2
+ chk_subflow_nr "after re-add id 0" 3
+ chk_mptcp_info subflows 3 subflows 3
+
mptcp_lib_kill_wait $tests_pid
- chk_join_nr 3 3 3
- chk_rm_nr 1 1
+ chk_join_nr 4 4 4
+ chk_rm_nr 2 2
fi
}
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 22/93] selftests: mptcp: join: no extra msg if no counter
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 21/93] selftests: mptcp: join: check removing ID 0 endpoint Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 23/93] selftests: mptcp: join: check re-re-adding ID 0 endp Greg Kroah-Hartman
` (76 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geliang Tang, Matthieu Baerts (NGI0),
Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit 76a2d8394cc183df872adf04bf636eaf42746449 upstream.
The checksum and fail counters might not be available. Then no need to
display an extra message with missing info.
While at it, fix the indentation around, which is wrong since the same
commit.
Fixes: 47867f0a7e83 ("selftests: mptcp: join: skip check if MIB counter not supported")
Cc: stable@vger.kernel.org
Reviewed-by: Geliang Tang <geliang@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -1256,26 +1256,26 @@ chk_csum_nr()
print_check "sum"
count=$(mptcp_lib_get_counter ${ns1} "MPTcpExtDataCsumErr")
- if [ "$count" != "$csum_ns1" ]; then
+ if [ -n "$count" ] && [ "$count" != "$csum_ns1" ]; then
extra_msg+=" ns1=$count"
fi
if [ -z "$count" ]; then
print_skip
elif { [ "$count" != $csum_ns1 ] && [ $allow_multi_errors_ns1 -eq 0 ]; } ||
- { [ "$count" -lt $csum_ns1 ] && [ $allow_multi_errors_ns1 -eq 1 ]; }; then
+ { [ "$count" -lt $csum_ns1 ] && [ $allow_multi_errors_ns1 -eq 1 ]; }; then
fail_test "got $count data checksum error[s] expected $csum_ns1"
else
print_ok
fi
print_check "csum"
count=$(mptcp_lib_get_counter ${ns2} "MPTcpExtDataCsumErr")
- if [ "$count" != "$csum_ns2" ]; then
+ if [ -n "$count" ] && [ "$count" != "$csum_ns2" ]; then
extra_msg+=" ns2=$count"
fi
if [ -z "$count" ]; then
print_skip
elif { [ "$count" != $csum_ns2 ] && [ $allow_multi_errors_ns2 -eq 0 ]; } ||
- { [ "$count" -lt $csum_ns2 ] && [ $allow_multi_errors_ns2 -eq 1 ]; }; then
+ { [ "$count" -lt $csum_ns2 ] && [ $allow_multi_errors_ns2 -eq 1 ]; }; then
fail_test "got $count data checksum error[s] expected $csum_ns2"
else
print_ok
@@ -1313,13 +1313,13 @@ chk_fail_nr()
print_check "ftx"
count=$(mptcp_lib_get_counter ${ns_tx} "MPTcpExtMPFailTx")
- if [ "$count" != "$fail_tx" ]; then
+ if [ -n "$count" ] && [ "$count" != "$fail_tx" ]; then
extra_msg+=",tx=$count"
fi
if [ -z "$count" ]; then
print_skip
elif { [ "$count" != "$fail_tx" ] && [ $allow_tx_lost -eq 0 ]; } ||
- { [ "$count" -gt "$fail_tx" ] && [ $allow_tx_lost -eq 1 ]; }; then
+ { [ "$count" -gt "$fail_tx" ] && [ $allow_tx_lost -eq 1 ]; }; then
fail_test "got $count MP_FAIL[s] TX expected $fail_tx"
else
print_ok
@@ -1327,13 +1327,13 @@ chk_fail_nr()
print_check "failrx"
count=$(mptcp_lib_get_counter ${ns_rx} "MPTcpExtMPFailRx")
- if [ "$count" != "$fail_rx" ]; then
+ if [ -n "$count" ] && [ "$count" != "$fail_rx" ]; then
extra_msg+=",rx=$count"
fi
if [ -z "$count" ]; then
print_skip
elif { [ "$count" != "$fail_rx" ] && [ $allow_rx_lost -eq 0 ]; } ||
- { [ "$count" -gt "$fail_rx" ] && [ $allow_rx_lost -eq 1 ]; }; then
+ { [ "$count" -gt "$fail_rx" ] && [ $allow_rx_lost -eq 1 ]; }; then
fail_test "got $count MP_FAIL[s] RX expected $fail_rx"
else
print_ok
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 23/93] selftests: mptcp: join: check re-re-adding ID 0 endp
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 22/93] selftests: mptcp: join: no extra msg if no counter Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 24/93] drm/amdgpu: align pp_power_profile_mode with kernel docs Greg Kroah-Hartman
` (75 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau,
Matthieu Baerts (NGI0), Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit d397d7246c11ca36c33c932bc36d38e3a79e9aa0 upstream.
This test extends "delete and re-add" to validate the previous commit:
when the endpoint linked to the initial subflow (ID 0) is re-added
multiple times, it was no longer being used, because the internal linked
counters are not decremented for this special endpoint: it is not an
additional endpoint.
Here, the "del/add id 0" steps are done 3 times to unsure this case is
validated.
The 'Fixes' tag here below is the same as the one from the previous
commit: this patch here is not fixing anything wrong in the selftests,
but it validates the previous fix for an issue introduced by this commit
ID.
Fixes: 3ad14f54bd74 ("mptcp: more accurate MPC endpoint tracking")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 27 +++++++++++++-----------
1 file changed, 15 insertions(+), 12 deletions(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -3582,7 +3582,7 @@ endpoint_tests()
pm_nl_set_limits $ns2 0 3
pm_nl_add_endpoint $ns2 10.0.1.2 id 1 dev ns2eth1 flags subflow
pm_nl_add_endpoint $ns2 10.0.2.2 id 2 dev ns2eth2 flags subflow
- test_linkfail=4 speed=20 \
+ test_linkfail=4 speed=5 \
run_tests $ns1 $ns2 10.0.1.1 &
local tests_pid=$!
@@ -3614,20 +3614,23 @@ endpoint_tests()
chk_subflow_nr "after no reject" 3
chk_mptcp_info subflows 2 subflows 2
- pm_nl_del_endpoint $ns2 1 10.0.1.2
- sleep 0.5
- chk_subflow_nr "after delete id 0" 2
- chk_mptcp_info subflows 2 subflows 2 # only decr for additional sf
-
- pm_nl_add_endpoint $ns2 10.0.1.2 id 1 dev ns2eth1 flags subflow
- wait_mpj $ns2
- chk_subflow_nr "after re-add id 0" 3
- chk_mptcp_info subflows 3 subflows 3
+ local i
+ for i in $(seq 3); do
+ pm_nl_del_endpoint $ns2 1 10.0.1.2
+ sleep 0.5
+ chk_subflow_nr "after delete id 0 ($i)" 2
+ chk_mptcp_info subflows 2 subflows 2 # only decr for additional sf
+
+ pm_nl_add_endpoint $ns2 10.0.1.2 id 1 dev ns2eth1 flags subflow
+ wait_mpj $ns2
+ chk_subflow_nr "after re-add id 0 ($i)" 3
+ chk_mptcp_info subflows 3 subflows 3
+ done
mptcp_lib_kill_wait $tests_pid
- chk_join_nr 4 4 4
- chk_rm_nr 2 2
+ chk_join_nr 6 6 6
+ chk_rm_nr 4 4
fi
}
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 24/93] drm/amdgpu: align pp_power_profile_mode with kernel docs
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 23/93] selftests: mptcp: join: check re-re-adding ID 0 endp Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 25/93] drm/amdgpu/swsmu: always force a state reprogram on init Greg Kroah-Hartman
` (74 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kenneth Feng, Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit 8f614469de248a4bc55fb07e55d5f4c340c75b11 upstream.
The kernel doc says you need to select manual mode to
adjust this, but the code only allows you to adjust it when
manual mode is not selected. Remove the manual mode check.
Reviewed-by: Kenneth Feng <kenneth.feng@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit bbb05f8a9cd87f5046d05a0c596fddfb714ee457)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
@@ -1882,8 +1882,7 @@ static int smu_adjust_power_state_dynami
smu_dpm_ctx->dpm_level = level;
}
- if (smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_MANUAL &&
- smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_PERF_DETERMINISM) {
+ if (smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_PERF_DETERMINISM) {
index = fls(smu->workload_mask);
index = index > 0 && index <= WORKLOAD_POLICY_MAX ? index - 1 : 0;
workload[0] = smu->workload_setting[index];
@@ -1960,8 +1959,7 @@ static int smu_switch_power_profile(void
workload[0] = smu->workload_setting[index];
}
- if (smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_MANUAL &&
- smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_PERF_DETERMINISM)
+ if (smu_dpm_ctx->dpm_level != AMD_DPM_FORCED_LEVEL_PERF_DETERMINISM)
smu_bump_power_profile_mode(smu, workload, 0);
return 0;
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 25/93] drm/amdgpu/swsmu: always force a state reprogram on init
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 24/93] drm/amdgpu: align pp_power_profile_mode with kernel docs Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 26/93] drm/vmwgfx: Fix prime with external buffers Greg Kroah-Hartman
` (73 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kenneth Feng, Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
commit d420c857d85777663e8d16adfc24463f5d5c2dbc upstream.
Always reprogram the hardware state on init. This ensures
the PMFW state is explicitly programmed and we are not relying
on the default PMFW state.
Closes: https://gitlab.freedesktop.org/drm/amd/-/issues/3131
Reviewed-by: Kenneth Feng <kenneth.feng@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit c50fe289ed7207f71df3b5f1720512a9620e84fb)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
+++ b/drivers/gpu/drm/amd/pm/swsmu/amdgpu_smu.c
@@ -1841,8 +1841,9 @@ static int smu_bump_power_profile_mode(s
}
static int smu_adjust_power_state_dynamic(struct smu_context *smu,
- enum amd_dpm_forced_level level,
- bool skip_display_settings)
+ enum amd_dpm_forced_level level,
+ bool skip_display_settings,
+ bool force_update)
{
int ret = 0;
int index = 0;
@@ -1871,7 +1872,7 @@ static int smu_adjust_power_state_dynami
}
}
- if (smu_dpm_ctx->dpm_level != level) {
+ if (force_update || smu_dpm_ctx->dpm_level != level) {
ret = smu_asic_set_performance_level(smu, level);
if (ret) {
dev_err(smu->adev->dev, "Failed to set performance level!");
@@ -1887,7 +1888,7 @@ static int smu_adjust_power_state_dynami
index = index > 0 && index <= WORKLOAD_POLICY_MAX ? index - 1 : 0;
workload[0] = smu->workload_setting[index];
- if (smu->power_profile_mode != workload[0])
+ if (force_update || smu->power_profile_mode != workload[0])
smu_bump_power_profile_mode(smu, workload, 0);
}
@@ -1908,11 +1909,13 @@ static int smu_handle_task(struct smu_co
ret = smu_pre_display_config_changed(smu);
if (ret)
return ret;
- ret = smu_adjust_power_state_dynamic(smu, level, false);
+ ret = smu_adjust_power_state_dynamic(smu, level, false, false);
break;
case AMD_PP_TASK_COMPLETE_INIT:
+ ret = smu_adjust_power_state_dynamic(smu, level, true, true);
+ break;
case AMD_PP_TASK_READJUST_POWER_STATE:
- ret = smu_adjust_power_state_dynamic(smu, level, true);
+ ret = smu_adjust_power_state_dynamic(smu, level, true, false);
break;
default:
break;
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 26/93] drm/vmwgfx: Fix prime with external buffers
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 25/93] drm/amdgpu/swsmu: always force a state reprogram on init Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 27/93] tracing: Have format file honor EVENT_FILE_FL_FREED Greg Kroah-Hartman
` (72 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zack Rusin,
Broadcom internal kernel review list, dri-devel, Martin Krastev,
Maaz Mombasawala
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zack Rusin <zack.rusin@broadcom.com>
commit 50f1199250912568606b3778dc56646c10cb7b04 upstream.
Make sure that for external buffers mapping goes through the dma_buf
interface instead of trying to access pages directly.
External buffers might not provide direct access to readable/writable
pages so to make sure the bo's created from external dma_bufs can be
read dma_buf interface has to be used.
Fixes crashes in IGT's kms_prime with vgem. Regular desktop usage won't
trigger this due to the fact that virtual machines will not have
multiple GPUs but it enables better test coverage in IGT.
Signed-off-by: Zack Rusin <zack.rusin@broadcom.com>
Fixes: b32233acceff ("drm/vmwgfx: Fix prime import/export")
Cc: <stable@vger.kernel.org> # v6.6+
Cc: Broadcom internal kernel review list <bcm-kernel-feedback-list@broadcom.com>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v6.9+
Link: https://patchwork.freedesktop.org/patch/msgid/20240816183332.31961-3-zack.rusin@broadcom.com
Reviewed-by: Martin Krastev <martin.krastev@broadcom.com>
Reviewed-by: Maaz Mombasawala <maaz.mombasawala@broadcom.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/vmwgfx/vmwgfx_blit.c | 114 +++++++++++++++++++++++++++++++++--
drivers/gpu/drm/vmwgfx/vmwgfx_drv.h | 4 -
drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c | 12 +--
3 files changed, 118 insertions(+), 12 deletions(-)
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_blit.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_blit.c
@@ -27,6 +27,8 @@
**************************************************************************/
#include "vmwgfx_drv.h"
+
+#include "vmwgfx_bo.h"
#include <linux/highmem.h>
/*
@@ -420,13 +422,105 @@ static int vmw_bo_cpu_blit_line(struct v
return 0;
}
+static void *map_external(struct vmw_bo *bo, struct iosys_map *map)
+{
+ struct vmw_private *vmw =
+ container_of(bo->tbo.bdev, struct vmw_private, bdev);
+ void *ptr = NULL;
+ int ret;
+
+ if (bo->tbo.base.import_attach) {
+ ret = dma_buf_vmap(bo->tbo.base.dma_buf, map);
+ if (ret) {
+ drm_dbg_driver(&vmw->drm,
+ "Wasn't able to map external bo!\n");
+ goto out;
+ }
+ ptr = map->vaddr;
+ } else {
+ ptr = vmw_bo_map_and_cache(bo);
+ }
+
+out:
+ return ptr;
+}
+
+static void unmap_external(struct vmw_bo *bo, struct iosys_map *map)
+{
+ if (bo->tbo.base.import_attach)
+ dma_buf_vunmap(bo->tbo.base.dma_buf, map);
+ else
+ vmw_bo_unmap(bo);
+}
+
+static int vmw_external_bo_copy(struct vmw_bo *dst, u32 dst_offset,
+ u32 dst_stride, struct vmw_bo *src,
+ u32 src_offset, u32 src_stride,
+ u32 width_in_bytes, u32 height,
+ struct vmw_diff_cpy *diff)
+{
+ struct vmw_private *vmw =
+ container_of(dst->tbo.bdev, struct vmw_private, bdev);
+ size_t dst_size = dst->tbo.resource->size;
+ size_t src_size = src->tbo.resource->size;
+ struct iosys_map dst_map = {0};
+ struct iosys_map src_map = {0};
+ int ret, i;
+ int x_in_bytes;
+ u8 *vsrc;
+ u8 *vdst;
+
+ vsrc = map_external(src, &src_map);
+ if (!vsrc) {
+ drm_dbg_driver(&vmw->drm, "Wasn't able to map src\n");
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ vdst = map_external(dst, &dst_map);
+ if (!vdst) {
+ drm_dbg_driver(&vmw->drm, "Wasn't able to map dst\n");
+ ret = -ENOMEM;
+ goto out;
+ }
+
+ vsrc += src_offset;
+ vdst += dst_offset;
+ if (src_stride == dst_stride) {
+ dst_size -= dst_offset;
+ src_size -= src_offset;
+ memcpy(vdst, vsrc,
+ min(dst_stride * height, min(dst_size, src_size)));
+ } else {
+ WARN_ON(dst_stride < width_in_bytes);
+ for (i = 0; i < height; ++i) {
+ memcpy(vdst, vsrc, width_in_bytes);
+ vsrc += src_stride;
+ vdst += dst_stride;
+ }
+ }
+
+ x_in_bytes = (dst_offset % dst_stride);
+ diff->rect.x1 = x_in_bytes / diff->cpp;
+ diff->rect.y1 = ((dst_offset - x_in_bytes) / dst_stride);
+ diff->rect.x2 = diff->rect.x1 + width_in_bytes / diff->cpp;
+ diff->rect.y2 = diff->rect.y1 + height;
+
+ ret = 0;
+out:
+ unmap_external(src, &src_map);
+ unmap_external(dst, &dst_map);
+
+ return ret;
+}
+
/**
* vmw_bo_cpu_blit - in-kernel cpu blit.
*
- * @dst: Destination buffer object.
+ * @vmw_dst: Destination buffer object.
* @dst_offset: Destination offset of blit start in bytes.
* @dst_stride: Destination stride in bytes.
- * @src: Source buffer object.
+ * @vmw_src: Source buffer object.
* @src_offset: Source offset of blit start in bytes.
* @src_stride: Source stride in bytes.
* @w: Width of blit.
@@ -444,13 +538,15 @@ static int vmw_bo_cpu_blit_line(struct v
* Neither of the buffer objects may be placed in PCI memory
* (Fixed memory in TTM terminology) when using this function.
*/
-int vmw_bo_cpu_blit(struct ttm_buffer_object *dst,
+int vmw_bo_cpu_blit(struct vmw_bo *vmw_dst,
u32 dst_offset, u32 dst_stride,
- struct ttm_buffer_object *src,
+ struct vmw_bo *vmw_src,
u32 src_offset, u32 src_stride,
u32 w, u32 h,
struct vmw_diff_cpy *diff)
{
+ struct ttm_buffer_object *src = &vmw_src->tbo;
+ struct ttm_buffer_object *dst = &vmw_dst->tbo;
struct ttm_operation_ctx ctx = {
.interruptible = false,
.no_wait_gpu = false
@@ -460,6 +556,11 @@ int vmw_bo_cpu_blit(struct ttm_buffer_ob
int ret = 0;
struct page **dst_pages = NULL;
struct page **src_pages = NULL;
+ bool src_external = (src->ttm->page_flags & TTM_TT_FLAG_EXTERNAL) != 0;
+ bool dst_external = (dst->ttm->page_flags & TTM_TT_FLAG_EXTERNAL) != 0;
+
+ if (WARN_ON(dst == src))
+ return -EINVAL;
/* Buffer objects need to be either pinned or reserved: */
if (!(dst->pin_count))
@@ -479,6 +580,11 @@ int vmw_bo_cpu_blit(struct ttm_buffer_ob
return ret;
}
+ if (src_external || dst_external)
+ return vmw_external_bo_copy(vmw_dst, dst_offset, dst_stride,
+ vmw_src, src_offset, src_stride,
+ w, h, diff);
+
if (!src->ttm->pages && src->ttm->sg) {
src_pages = kvmalloc_array(src->ttm->num_pages,
sizeof(struct page *), GFP_KERNEL);
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_drv.h
@@ -1355,9 +1355,9 @@ void vmw_diff_memcpy(struct vmw_diff_cpy
void vmw_memcpy(struct vmw_diff_cpy *diff, u8 *dest, const u8 *src, size_t n);
-int vmw_bo_cpu_blit(struct ttm_buffer_object *dst,
+int vmw_bo_cpu_blit(struct vmw_bo *dst,
u32 dst_offset, u32 dst_stride,
- struct ttm_buffer_object *src,
+ struct vmw_bo *src,
u32 src_offset, u32 src_stride,
u32 w, u32 h,
struct vmw_diff_cpy *diff);
--- a/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
+++ b/drivers/gpu/drm/vmwgfx/vmwgfx_stdu.c
@@ -497,7 +497,7 @@ static void vmw_stdu_bo_cpu_commit(struc
container_of(dirty->unit, typeof(*stdu), base);
s32 width, height;
s32 src_pitch, dst_pitch;
- struct ttm_buffer_object *src_bo, *dst_bo;
+ struct vmw_bo *src_bo, *dst_bo;
u32 src_offset, dst_offset;
struct vmw_diff_cpy diff = VMW_CPU_BLIT_DIFF_INITIALIZER(stdu->cpp);
@@ -512,11 +512,11 @@ static void vmw_stdu_bo_cpu_commit(struc
/* Assume we are blitting from Guest (bo) to Host (display_srf) */
src_pitch = stdu->display_srf->metadata.base_size.width * stdu->cpp;
- src_bo = &stdu->display_srf->res.guest_memory_bo->tbo;
+ src_bo = stdu->display_srf->res.guest_memory_bo;
src_offset = ddirty->top * src_pitch + ddirty->left * stdu->cpp;
dst_pitch = ddirty->pitch;
- dst_bo = &ddirty->buf->tbo;
+ dst_bo = ddirty->buf;
dst_offset = ddirty->fb_top * dst_pitch + ddirty->fb_left * stdu->cpp;
(void) vmw_bo_cpu_blit(dst_bo, dst_offset, dst_pitch,
@@ -1136,7 +1136,7 @@ vmw_stdu_bo_populate_update_cpu(struct v
struct vmw_diff_cpy diff = VMW_CPU_BLIT_DIFF_INITIALIZER(0);
struct vmw_stdu_update_gb_image *cmd_img = cmd;
struct vmw_stdu_update *cmd_update;
- struct ttm_buffer_object *src_bo, *dst_bo;
+ struct vmw_bo *src_bo, *dst_bo;
u32 src_offset, dst_offset;
s32 src_pitch, dst_pitch;
s32 width, height;
@@ -1150,11 +1150,11 @@ vmw_stdu_bo_populate_update_cpu(struct v
diff.cpp = stdu->cpp;
- dst_bo = &stdu->display_srf->res.guest_memory_bo->tbo;
+ dst_bo = stdu->display_srf->res.guest_memory_bo;
dst_pitch = stdu->display_srf->metadata.base_size.width * stdu->cpp;
dst_offset = bb->y1 * dst_pitch + bb->x1 * stdu->cpp;
- src_bo = &vfbbo->buffer->tbo;
+ src_bo = vfbbo->buffer;
src_pitch = update->vfb->base.pitches[0];
src_offset = bo_update->fb_top * src_pitch + bo_update->fb_left *
stdu->cpp;
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 27/93] tracing: Have format file honor EVENT_FILE_FL_FREED
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 26/93] drm/vmwgfx: Fix prime with external buffers Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 28/93] usb: typec: fix up incorrectly backported "usb: typec: tcpm: unregister existing source caps before re-registration" Greg Kroah-Hartman
` (71 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Ajay Kaher, Ilkka Naulapää, Linus Torvalds, Al Viro,
Dan Carpenter, Beau Belgrave, Florian Fainelli, Alexey Makhalov,
Vasavi Sirnapalli, Mathias Krause, Steven Rostedt (Google),
Zheng Yejian
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steven Rostedt <rostedt@goodmis.org>
commit b1560408692cd0ab0370cfbe9deb03ce97ab3f6d upstream.
When eventfs was introduced, special care had to be done to coordinate the
freeing of the file meta data with the files that are exposed to user
space. The file meta data would have a ref count that is set when the file
is created and would be decremented and freed after the last user that
opened the file closed it. When the file meta data was to be freed, it
would set a flag (EVENT_FILE_FL_FREED) to denote that the file is freed,
and any new references made (like new opens or reads) would fail as it is
marked freed. This allowed other meta data to be freed after this flag was
set (under the event_mutex).
All the files that were dynamically created in the events directory had a
pointer to the file meta data and would call event_release() when the last
reference to the user space file was closed. This would be the time that it
is safe to free the file meta data.
A shortcut was made for the "format" file. It's i_private would point to
the "call" entry directly and not point to the file's meta data. This is
because all format files are the same for the same "call", so it was
thought there was no reason to differentiate them. The other files
maintain state (like the "enable", "trigger", etc). But this meant if the
file were to disappear, the "format" file would be unaware of it.
This caused a race that could be trigger via the user_events test (that
would create dynamic events and free them), and running a loop that would
read the user_events format files:
In one console run:
# cd tools/testing/selftests/user_events
# while true; do ./ftrace_test; done
And in another console run:
# cd /sys/kernel/tracing/
# while true; do cat events/user_events/__test_event/format; done 2>/dev/null
With KASAN memory checking, it would trigger a use-after-free bug report
(which was a real bug). This was because the format file was not checking
the file's meta data flag "EVENT_FILE_FL_FREED", so it would access the
event that the file meta data pointed to after the event was freed.
After inspection, there are other locations that were found to not check
the EVENT_FILE_FL_FREED flag when accessing the trace_event_file. Add a
new helper function: event_file_file() that will make sure that the
event_mutex is held, and will return NULL if the trace_event_file has the
EVENT_FILE_FL_FREED flag set. Have the first reference of the struct file
pointer use event_file_file() and check for NULL. Later uses can still use
the event_file_data() helper function if the event_mutex is still held and
was not released since the event_file_file() call.
Link: https://lore.kernel.org/all/20240719204701.1605950-1-minipli@grsecurity.net/
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Cc: Ajay Kaher <ajay.kaher@broadcom.com>
Cc: Ilkka Naulapää <digirigawa@gmail.com>
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dan Carpenter <dan.carpenter@linaro.org>
Cc: Beau Belgrave <beaub@linux.microsoft.com>
Cc: Florian Fainelli <florian.fainelli@broadcom.com>
Cc: Alexey Makhalov <alexey.makhalov@broadcom.com>
Cc: Vasavi Sirnapalli <vasavi.sirnapalli@broadcom.com>
Link: https://lore.kernel.org/20240730110657.3b69d3c1@gandalf.local.home
Fixes: b63db58e2fa5d ("eventfs/tracing: Add callback for release of an eventfs_inode")
Reported-by: Mathias Krause <minipli@grsecurity.net>
Tested-by: Mathias Krause <minipli@grsecurity.net>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
[Resolve conflict due to lack of commit a1f157c7a3bb ("tracing: Expand all
ring buffers individually") which add tracing_update_buffers() in
event_enable_write(), that commit is more of a feature than a bugfix
and is not related to the problem fixed by this patch]
Signed-off-by: Zheng Yejian <zhengyejian@huaweicloud.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.h | 23 +++++++++++++++++++++++
kernel/trace/trace_events.c | 33 ++++++++++++++++++++-------------
kernel/trace/trace_events_hist.c | 4 ++--
kernel/trace/trace_events_inject.c | 2 +-
kernel/trace/trace_events_trigger.c | 6 +++---
5 files changed, 49 insertions(+), 19 deletions(-)
--- a/kernel/trace/trace.h
+++ b/kernel/trace/trace.h
@@ -1555,6 +1555,29 @@ static inline void *event_file_data(stru
extern struct mutex event_mutex;
extern struct list_head ftrace_events;
+/*
+ * When the trace_event_file is the filp->i_private pointer,
+ * it must be taken under the event_mutex lock, and then checked
+ * if the EVENT_FILE_FL_FREED flag is set. If it is, then the
+ * data pointed to by the trace_event_file can not be trusted.
+ *
+ * Use the event_file_file() to access the trace_event_file from
+ * the filp the first time under the event_mutex and check for
+ * NULL. If it is needed to be retrieved again and the event_mutex
+ * is still held, then the event_file_data() can be used and it
+ * is guaranteed to be valid.
+ */
+static inline struct trace_event_file *event_file_file(struct file *filp)
+{
+ struct trace_event_file *file;
+
+ lockdep_assert_held(&event_mutex);
+ file = READ_ONCE(file_inode(filp)->i_private);
+ if (!file || file->flags & EVENT_FILE_FL_FREED)
+ return NULL;
+ return file;
+}
+
extern const struct file_operations event_trigger_fops;
extern const struct file_operations event_hist_fops;
extern const struct file_operations event_hist_debug_fops;
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -1386,12 +1386,12 @@ event_enable_read(struct file *filp, cha
char buf[4] = "0";
mutex_lock(&event_mutex);
- file = event_file_data(filp);
+ file = event_file_file(filp);
if (likely(file))
flags = file->flags;
mutex_unlock(&event_mutex);
- if (!file || flags & EVENT_FILE_FL_FREED)
+ if (!file)
return -ENODEV;
if (flags & EVENT_FILE_FL_ENABLED &&
@@ -1428,8 +1428,8 @@ event_enable_write(struct file *filp, co
case 1:
ret = -ENODEV;
mutex_lock(&event_mutex);
- file = event_file_data(filp);
- if (likely(file && !(file->flags & EVENT_FILE_FL_FREED)))
+ file = event_file_file(filp);
+ if (likely(file))
ret = ftrace_event_enable_disable(file, val);
mutex_unlock(&event_mutex);
break;
@@ -1538,7 +1538,8 @@ enum {
static void *f_next(struct seq_file *m, void *v, loff_t *pos)
{
- struct trace_event_call *call = event_file_data(m->private);
+ struct trace_event_file *file = event_file_data(m->private);
+ struct trace_event_call *call = file->event_call;
struct list_head *common_head = &ftrace_common_fields;
struct list_head *head = trace_get_fields(call);
struct list_head *node = v;
@@ -1570,7 +1571,8 @@ static void *f_next(struct seq_file *m,
static int f_show(struct seq_file *m, void *v)
{
- struct trace_event_call *call = event_file_data(m->private);
+ struct trace_event_file *file = event_file_data(m->private);
+ struct trace_event_call *call = file->event_call;
struct ftrace_event_field *field;
const char *array_descriptor;
@@ -1625,12 +1627,14 @@ static int f_show(struct seq_file *m, vo
static void *f_start(struct seq_file *m, loff_t *pos)
{
+ struct trace_event_file *file;
void *p = (void *)FORMAT_HEADER;
loff_t l = 0;
/* ->stop() is called even if ->start() fails */
mutex_lock(&event_mutex);
- if (!event_file_data(m->private))
+ file = event_file_file(m->private);
+ if (!file)
return ERR_PTR(-ENODEV);
while (l < *pos && p)
@@ -1704,8 +1708,8 @@ event_filter_read(struct file *filp, cha
trace_seq_init(s);
mutex_lock(&event_mutex);
- file = event_file_data(filp);
- if (file && !(file->flags & EVENT_FILE_FL_FREED))
+ file = event_file_file(filp);
+ if (file)
print_event_filter(file, s);
mutex_unlock(&event_mutex);
@@ -1734,9 +1738,13 @@ event_filter_write(struct file *filp, co
return PTR_ERR(buf);
mutex_lock(&event_mutex);
- file = event_file_data(filp);
- if (file)
- err = apply_event_filter(file, buf);
+ file = event_file_file(filp);
+ if (file) {
+ if (file->flags & EVENT_FILE_FL_FREED)
+ err = -ENODEV;
+ else
+ err = apply_event_filter(file, buf);
+ }
mutex_unlock(&event_mutex);
kfree(buf);
@@ -2451,7 +2459,6 @@ static int event_callback(const char *na
if (strcmp(name, "format") == 0) {
*mode = TRACE_MODE_READ;
*fops = &ftrace_event_format_fops;
- *data = call;
return 1;
}
--- a/kernel/trace/trace_events_hist.c
+++ b/kernel/trace/trace_events_hist.c
@@ -5609,7 +5609,7 @@ static int hist_show(struct seq_file *m,
mutex_lock(&event_mutex);
- event_file = event_file_data(m->private);
+ event_file = event_file_file(m->private);
if (unlikely(!event_file)) {
ret = -ENODEV;
goto out_unlock;
@@ -5888,7 +5888,7 @@ static int hist_debug_show(struct seq_fi
mutex_lock(&event_mutex);
- event_file = event_file_data(m->private);
+ event_file = event_file_file(m->private);
if (unlikely(!event_file)) {
ret = -ENODEV;
goto out_unlock;
--- a/kernel/trace/trace_events_inject.c
+++ b/kernel/trace/trace_events_inject.c
@@ -299,7 +299,7 @@ event_inject_write(struct file *filp, co
strim(buf);
mutex_lock(&event_mutex);
- file = event_file_data(filp);
+ file = event_file_file(filp);
if (file) {
call = file->event_call;
size = parse_entry(buf, call, &entry);
--- a/kernel/trace/trace_events_trigger.c
+++ b/kernel/trace/trace_events_trigger.c
@@ -159,7 +159,7 @@ static void *trigger_start(struct seq_fi
/* ->stop() is called even if ->start() fails */
mutex_lock(&event_mutex);
- event_file = event_file_data(m->private);
+ event_file = event_file_file(m->private);
if (unlikely(!event_file))
return ERR_PTR(-ENODEV);
@@ -213,7 +213,7 @@ static int event_trigger_regex_open(stru
mutex_lock(&event_mutex);
- if (unlikely(!event_file_data(file))) {
+ if (unlikely(!event_file_file(file))) {
mutex_unlock(&event_mutex);
return -ENODEV;
}
@@ -293,7 +293,7 @@ static ssize_t event_trigger_regex_write
strim(buf);
mutex_lock(&event_mutex);
- event_file = event_file_data(file);
+ event_file = event_file_file(file);
if (unlikely(!event_file)) {
mutex_unlock(&event_mutex);
kfree(buf);
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 28/93] usb: typec: fix up incorrectly backported "usb: typec: tcpm: unregister existing source caps before re-registration"
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 27/93] tracing: Have format file honor EVENT_FILE_FL_FREED Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 29/93] of: Introduce for_each_*_child_of_node_scoped() to automate of_node_put() handling Greg Kroah-Hartman
` (70 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Charles Yo, Kyle Tso,
Amit Sunil Dhamne, Ondrej Jirman, Heikki Krogerus,
Dmitry Baryshkov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
In commit b16abab1fb64 ("usb: typec: tcpm: unregister existing source
caps before re-registration"), quilt, and git, applied the diff to the
incorrect function, which would cause bad problems if exercised in a
device with these capabilities.
Fix this all up (including the follow-up fix in commit 04c05d50fa79
("usb: typec: tcpm: fix use-after-free case in
tcpm_register_source_caps") to be in the correct function.
Fixes: 04c05d50fa79 ("usb: typec: tcpm: fix use-after-free case in tcpm_register_source_caps")
Fixes: b16abab1fb64 ("usb: typec: tcpm: unregister existing source caps before re-registration")
Reported-by: Charles Yo <charlesyo@google.com>
Cc: Kyle Tso <kyletso@google.com>
Cc: Amit Sunil Dhamne <amitsd@google.com>
Cc: Ondrej Jirman <megi@xff.cz>
Cc: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Cc: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/typec/tcpm/tcpm.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -2403,7 +2403,7 @@ static int tcpm_register_source_caps(str
{
struct usb_power_delivery_desc desc = { port->negotiated_rev };
struct usb_power_delivery_capabilities_desc caps = { };
- struct usb_power_delivery_capabilities *cap;
+ struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
if (!port->partner_pd)
port->partner_pd = usb_power_delivery_register(NULL, &desc);
@@ -2413,6 +2413,11 @@ static int tcpm_register_source_caps(str
memcpy(caps.pdo, port->source_caps, sizeof(u32) * port->nr_source_caps);
caps.role = TYPEC_SOURCE;
+ if (cap) {
+ usb_power_delivery_unregister_capabilities(cap);
+ port->partner_source_caps = NULL;
+ }
+
cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps);
if (IS_ERR(cap))
return PTR_ERR(cap);
@@ -2426,7 +2431,7 @@ static int tcpm_register_sink_caps(struc
{
struct usb_power_delivery_desc desc = { port->negotiated_rev };
struct usb_power_delivery_capabilities_desc caps = { };
- struct usb_power_delivery_capabilities *cap = port->partner_source_caps;
+ struct usb_power_delivery_capabilities *cap;
if (!port->partner_pd)
port->partner_pd = usb_power_delivery_register(NULL, &desc);
@@ -2436,11 +2441,6 @@ static int tcpm_register_sink_caps(struc
memcpy(caps.pdo, port->sink_caps, sizeof(u32) * port->nr_sink_caps);
caps.role = TYPEC_SINK;
- if (cap) {
- usb_power_delivery_unregister_capabilities(cap);
- port->partner_source_caps = NULL;
- }
-
cap = usb_power_delivery_register_capabilities(port->partner_pd, &caps);
if (IS_ERR(cap))
return PTR_ERR(cap);
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 29/93] of: Introduce for_each_*_child_of_node_scoped() to automate of_node_put() handling
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 28/93] usb: typec: fix up incorrectly backported "usb: typec: tcpm: unregister existing source caps before re-registration" Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 30/93] thermal: of: Fix OF node leak in thermal_of_trips_init() error path Greg Kroah-Hartman
` (69 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Cameron, Rob Herring,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Cameron <Jonathan.Cameron@huawei.com>
[ Upstream commit 34af4554fb0ce164e2c4876683619eb1e23848d4 ]
To avoid issues with out of order cleanup, or ambiguity about when the
auto freed data is first instantiated, do it within the for loop definition.
The disadvantage is that the struct device_node *child variable creation
is not immediately obvious where this is used.
However, in many cases, if there is another definition of
struct device_node *child; the compiler / static analysers will notify us
that it is unused, or uninitialized.
Note that, in the vast majority of cases, the _available_ form should be
used and as code is converted to these scoped handers, we should confirm
that any cases that do not check for available have a good reason not
to.
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Reviewed-by: Rob Herring <robh@kernel.org>
Link: https://lore.kernel.org/r/20240225142714.286440-3-jic23@kernel.org
Signed-off-by: Rob Herring <robh@kernel.org>
Stable-dep-of: afc954fd223d ("thermal: of: Fix OF node leak in thermal_of_trips_init() error path")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/of.h | 13 +++++++++++++
1 file changed, 13 insertions(+)
diff --git a/include/linux/of.h b/include/linux/of.h
index 50e882ee91da7..024dda54b9c77 100644
--- a/include/linux/of.h
+++ b/include/linux/of.h
@@ -1430,10 +1430,23 @@ static inline int of_property_read_s32(const struct device_node *np,
#define for_each_child_of_node(parent, child) \
for (child = of_get_next_child(parent, NULL); child != NULL; \
child = of_get_next_child(parent, child))
+
+#define for_each_child_of_node_scoped(parent, child) \
+ for (struct device_node *child __free(device_node) = \
+ of_get_next_child(parent, NULL); \
+ child != NULL; \
+ child = of_get_next_child(parent, child))
+
#define for_each_available_child_of_node(parent, child) \
for (child = of_get_next_available_child(parent, NULL); child != NULL; \
child = of_get_next_available_child(parent, child))
+#define for_each_available_child_of_node_scoped(parent, child) \
+ for (struct device_node *child __free(device_node) = \
+ of_get_next_available_child(parent, NULL); \
+ child != NULL; \
+ child = of_get_next_available_child(parent, child))
+
#define for_each_of_cpu_node(cpu) \
for (cpu = of_get_next_cpu_node(NULL); cpu != NULL; \
cpu = of_get_next_cpu_node(cpu))
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 30/93] thermal: of: Fix OF node leak in thermal_of_trips_init() error path
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 29/93] of: Introduce for_each_*_child_of_node_scoped() to automate of_node_put() handling Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 31/93] thermal: of: Fix OF node leak in of_thermal_zone_find() error paths Greg Kroah-Hartman
` (68 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Chen-Yu Tsai,
Daniel Lezcano, Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit afc954fd223ded70b1fa000767e2531db55cce58 ]
Terminating for_each_child_of_node() loop requires dropping OF node
reference, so bailing out after thermal_of_populate_trip() error misses
this. Solve the OF node reference leak with scoped
for_each_child_of_node_scoped().
Fixes: d0c75fa2c17f ("thermal/of: Initialize trip points separately")
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://patch.msgid.link/20240814195823.437597-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/thermal_of.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c
index d5174f11b91c2..e7d25e70fb93e 100644
--- a/drivers/thermal/thermal_of.c
+++ b/drivers/thermal/thermal_of.c
@@ -123,7 +123,7 @@ static int thermal_of_populate_trip(struct device_node *np,
static struct thermal_trip *thermal_of_trips_init(struct device_node *np, int *ntrips)
{
struct thermal_trip *tt;
- struct device_node *trips, *trip;
+ struct device_node *trips;
int ret, count;
trips = of_get_child_by_name(np, "trips");
@@ -148,7 +148,7 @@ static struct thermal_trip *thermal_of_trips_init(struct device_node *np, int *n
*ntrips = count;
count = 0;
- for_each_child_of_node(trips, trip) {
+ for_each_child_of_node_scoped(trips, trip) {
ret = thermal_of_populate_trip(trip, &tt[count++]);
if (ret)
goto out_kfree;
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 31/93] thermal: of: Fix OF node leak in of_thermal_zone_find() error paths
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 30/93] thermal: of: Fix OF node leak in thermal_of_trips_init() error path Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 32/93] ASoC: amd: acp: fix module autoloading Greg Kroah-Hartman
` (67 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Chen-Yu Tsai,
Daniel Lezcano, Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit c0a1ef9c5be72ff28a5413deb1b3e1a066593c13 ]
Terminating for_each_available_child_of_node() loop requires dropping OF
node reference, so bailing out on errors misses this. Solve the OF node
reference leak with scoped for_each_available_child_of_node_scoped().
Fixes: 3fd6d6e2b4e8 ("thermal/of: Rework the thermal device tree initialization")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Link: https://patch.msgid.link/20240814195823.437597-3-krzysztof.kozlowski@linaro.org
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/thermal/thermal_of.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
diff --git a/drivers/thermal/thermal_of.c b/drivers/thermal/thermal_of.c
index e7d25e70fb93e..d8dfcd49695d3 100644
--- a/drivers/thermal/thermal_of.c
+++ b/drivers/thermal/thermal_of.c
@@ -182,14 +182,14 @@ static struct device_node *of_thermal_zone_find(struct device_node *sensor, int
* Search for each thermal zone, a defined sensor
* corresponding to the one passed as parameter
*/
- for_each_available_child_of_node(np, tz) {
+ for_each_available_child_of_node_scoped(np, child) {
int count, i;
- count = of_count_phandle_with_args(tz, "thermal-sensors",
+ count = of_count_phandle_with_args(child, "thermal-sensors",
"#thermal-sensor-cells");
if (count <= 0) {
- pr_err("%pOFn: missing thermal sensor\n", tz);
+ pr_err("%pOFn: missing thermal sensor\n", child);
tz = ERR_PTR(-EINVAL);
goto out;
}
@@ -198,18 +198,19 @@ static struct device_node *of_thermal_zone_find(struct device_node *sensor, int
int ret;
- ret = of_parse_phandle_with_args(tz, "thermal-sensors",
+ ret = of_parse_phandle_with_args(child, "thermal-sensors",
"#thermal-sensor-cells",
i, &sensor_specs);
if (ret < 0) {
- pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", tz, ret);
+ pr_err("%pOFn: Failed to read thermal-sensors cells: %d\n", child, ret);
tz = ERR_PTR(ret);
goto out;
}
if ((sensor == sensor_specs.np) && id == (sensor_specs.args_count ?
sensor_specs.args[0] : 0)) {
- pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, tz);
+ pr_debug("sensor %pOFn id=%d belongs to %pOFn\n", sensor, id, child);
+ tz = no_free_ptr(child);
goto out;
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 32/93] ASoC: amd: acp: fix module autoloading
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 31/93] thermal: of: Fix OF node leak in of_thermal_zone_find() error paths Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 33/93] ASoC: SOF: amd: Fix for acp init sequence Greg Kroah-Hartman
` (66 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuntao Liu, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuntao Liu <liuyuntao12@huawei.com>
[ Upstream commit 164199615ae230ace4519141285f06766d6d8036 ]
Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
based on the alias from platform_device_id table.
Fixes: 9d8a7be88b336 ("ASoC: amd: acp: Add legacy sound card support for Chrome audio")
Signed-off-by: Yuntao Liu <liuyuntao12@huawei.com>
Link: https://patch.msgid.link/20240815084923.756476-1-liuyuntao12@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/amd/acp/acp-legacy-mach.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/sound/soc/amd/acp/acp-legacy-mach.c b/sound/soc/amd/acp/acp-legacy-mach.c
index 6d57d17ddfd77..6e820c2edd1d8 100644
--- a/sound/soc/amd/acp/acp-legacy-mach.c
+++ b/sound/soc/amd/acp/acp-legacy-mach.c
@@ -137,6 +137,8 @@ static const struct platform_device_id board_ids[] = {
},
{ }
};
+MODULE_DEVICE_TABLE(platform, board_ids);
+
static struct platform_driver acp_asoc_audio = {
.driver = {
.pm = &snd_soc_pm_ops,
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 33/93] ASoC: SOF: amd: Fix for acp init sequence
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 32/93] ASoC: amd: acp: fix module autoloading Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 34/93] pinctrl: mediatek: common-v2: Fix broken bias-disable for PULL_PU_PD_RSEL_TYPE Greg Kroah-Hartman
` (65 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vijendar Mukunda, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
[ Upstream commit a42db293e5983aa1508d12644f23d73f0553b32c ]
When ACP is not powered on by default, acp power on sequence explicitly
invoked by programming pgfsm control mask. The existing implementation
checks the same PGFSM status mask and programs the same PGFSM control mask
in all ACP variants which breaks acp power on sequence for ACP6.0 and
ACP6.3 variants. So to fix this issue, update ACP pgfsm control mask and
status mask based on acp descriptor rev field, which will vary based on
acp variant.
Fixes: 846aef1d7cc0 ("ASoC: SOF: amd: Add Renoir ACP HW support")
Signed-off-by: Vijendar Mukunda <Vijendar.Mukunda@amd.com>
Link: https://patch.msgid.link/20240816070328.610360-1-Vijendar.Mukunda@amd.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/sof/amd/acp.c | 19 +++++++++++++++++--
sound/soc/sof/amd/acp.h | 7 +++++--
2 files changed, 22 insertions(+), 4 deletions(-)
diff --git a/sound/soc/sof/amd/acp.c b/sound/soc/sof/amd/acp.c
index add386f749ae9..bfed848de77c8 100644
--- a/sound/soc/sof/amd/acp.c
+++ b/sound/soc/sof/amd/acp.c
@@ -380,6 +380,7 @@ static int acp_power_on(struct snd_sof_dev *sdev)
const struct sof_amd_acp_desc *desc = get_chip_info(sdev->pdata);
unsigned int base = desc->pgfsm_base;
unsigned int val;
+ unsigned int acp_pgfsm_status_mask, acp_pgfsm_cntl_mask;
int ret;
val = snd_sof_dsp_read(sdev, ACP_DSP_BAR, base + PGFSM_STATUS_OFFSET);
@@ -387,9 +388,23 @@ static int acp_power_on(struct snd_sof_dev *sdev)
if (val == ACP_POWERED_ON)
return 0;
- if (val & ACP_PGFSM_STATUS_MASK)
+ switch (desc->rev) {
+ case 3:
+ case 5:
+ acp_pgfsm_status_mask = ACP3X_PGFSM_STATUS_MASK;
+ acp_pgfsm_cntl_mask = ACP3X_PGFSM_CNTL_POWER_ON_MASK;
+ break;
+ case 6:
+ acp_pgfsm_status_mask = ACP6X_PGFSM_STATUS_MASK;
+ acp_pgfsm_cntl_mask = ACP6X_PGFSM_CNTL_POWER_ON_MASK;
+ break;
+ default:
+ return -EINVAL;
+ }
+
+ if (val & acp_pgfsm_status_mask)
snd_sof_dsp_write(sdev, ACP_DSP_BAR, base + PGFSM_CONTROL_OFFSET,
- ACP_PGFSM_CNTL_POWER_ON_MASK);
+ acp_pgfsm_cntl_mask);
ret = snd_sof_dsp_read_poll_timeout(sdev, ACP_DSP_BAR, base + PGFSM_STATUS_OFFSET, val,
!val, ACP_REG_POLL_INTERVAL, ACP_REG_POLL_TIMEOUT_US);
diff --git a/sound/soc/sof/amd/acp.h b/sound/soc/sof/amd/acp.h
index 4dcceb7647694..133abed74f015 100644
--- a/sound/soc/sof/amd/acp.h
+++ b/sound/soc/sof/amd/acp.h
@@ -25,8 +25,11 @@
#define ACP_REG_POLL_TIMEOUT_US 2000
#define ACP_DMA_COMPLETE_TIMEOUT_US 5000
-#define ACP_PGFSM_CNTL_POWER_ON_MASK 0x01
-#define ACP_PGFSM_STATUS_MASK 0x03
+#define ACP3X_PGFSM_CNTL_POWER_ON_MASK 0x01
+#define ACP3X_PGFSM_STATUS_MASK 0x03
+#define ACP6X_PGFSM_CNTL_POWER_ON_MASK 0x07
+#define ACP6X_PGFSM_STATUS_MASK 0x0F
+
#define ACP_POWERED_ON 0x00
#define ACP_ASSERT_RESET 0x01
#define ACP_RELEASE_RESET 0x00
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 34/93] pinctrl: mediatek: common-v2: Fix broken bias-disable for PULL_PU_PD_RSEL_TYPE
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 33/93] ASoC: SOF: amd: Fix for acp init sequence Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 35/93] pinctrl: starfive: jh7110: Correct the level trigger configuration of iev register Greg Kroah-Hartman
` (64 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nícolas F . R . A . Prado,
Linus Walleij, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nícolas F. R. A. Prado <nfraprado@collabora.com>
[ Upstream commit 166bf8af91225576f85208a31eaedbadd182d1ea ]
Despite its name, commit fed74d75277d ("pinctrl: mediatek: common-v2:
Fix bias-disable for PULL_PU_PD_RSEL_TYPE") actually broke bias-disable
for PULL_PU_PD_RSEL_TYPE.
mtk_pinconf_bias_set_combo() tries every bias method supported by the
pin until one succeeds. For PULL_PU_PD_RSEL_TYPE pins, before the
breaking commit, mtk_pinconf_bias_set_rsel() would be called first to
try and set the RSEL value (as well as PU and PD), and if that failed,
the only other valid option was that bias-disable was specified, which
would then be handled by calling mtk_pinconf_bias_set_pu_pd() and
disabling both PU and PD.
The breaking commit misunderstood this logic and added an early "return
0" in mtk_pinconf_bias_set_rsel(). The result was that in the
bias-disable case, the bias was left unchanged, since by returning
success, mtk_pinconf_bias_set_combo() no longer tried calling
mtk_pinconf_bias_set_pu_pd() to disable the bias.
Since the logic for configuring bias-disable on PULL_PU_PD_RSEL_TYPE
pins required mtk_pinconf_bias_set_rsel() to fail first, in that case,
an error was printed to the log, eg:
mt8195-pinctrl 10005000.pinctrl: Not support rsel value 0 Ohm for pin = 29 (GPIO29)
This is what the breaking commit actually got rid of, and likely part of
the reason why that commit was thought to be fixing functionality, while
in reality it was breaking it.
Instead of simply reverting that commit, restore the functionality but
in a way that avoids the error from being printed and makes the code
less confusing:
* Return 0 explicitly if a bias method was successful
* Introduce an extra function mtk_pinconf_bias_set_pu_pd_rsel() that
calls both mtk_pinconf_bias_set_rsel() (only if needed) and
mtk_pinconf_bias_set_pu_pd()
* And analogously for the corresponding getters
Fixes: fed74d75277d ("pinctrl: mediatek: common-v2: Fix bias-disable for PULL_PU_PD_RSEL_TYPE")
Signed-off-by: Nícolas F. R. A. Prado <nfraprado@collabora.com>
Link: https://lore.kernel.org/20240808-mtk-rsel-bias-disable-fix-v1-1-1b4e85bf596c@collabora.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../pinctrl/mediatek/pinctrl-mtk-common-v2.c | 55 ++++++++++---------
1 file changed, 29 insertions(+), 26 deletions(-)
diff --git a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
index b7921b59eb7b1..54301fbba524a 100644
--- a/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
+++ b/drivers/pinctrl/mediatek/pinctrl-mtk-common-v2.c
@@ -709,32 +709,35 @@ static int mtk_pinconf_bias_set_rsel(struct mtk_pinctrl *hw,
{
int err, rsel_val;
- if (!pullup && arg == MTK_DISABLE)
- return 0;
-
if (hw->rsel_si_unit) {
/* find pin rsel_index from pin_rsel array*/
err = mtk_hw_pin_rsel_lookup(hw, desc, pullup, arg, &rsel_val);
if (err)
- goto out;
+ return err;
} else {
- if (arg < MTK_PULL_SET_RSEL_000 ||
- arg > MTK_PULL_SET_RSEL_111) {
- err = -EINVAL;
- goto out;
- }
+ if (arg < MTK_PULL_SET_RSEL_000 || arg > MTK_PULL_SET_RSEL_111)
+ return -EINVAL;
rsel_val = arg - MTK_PULL_SET_RSEL_000;
}
- err = mtk_hw_set_value(hw, desc, PINCTRL_PIN_REG_RSEL, rsel_val);
- if (err)
- goto out;
+ return mtk_hw_set_value(hw, desc, PINCTRL_PIN_REG_RSEL, rsel_val);
+}
- err = mtk_pinconf_bias_set_pu_pd(hw, desc, pullup, MTK_ENABLE);
+static int mtk_pinconf_bias_set_pu_pd_rsel(struct mtk_pinctrl *hw,
+ const struct mtk_pin_desc *desc,
+ u32 pullup, u32 arg)
+{
+ u32 enable = arg == MTK_DISABLE ? MTK_DISABLE : MTK_ENABLE;
+ int err;
-out:
- return err;
+ if (arg != MTK_DISABLE) {
+ err = mtk_pinconf_bias_set_rsel(hw, desc, pullup, arg);
+ if (err)
+ return err;
+ }
+
+ return mtk_pinconf_bias_set_pu_pd(hw, desc, pullup, enable);
}
int mtk_pinconf_bias_set_combo(struct mtk_pinctrl *hw,
@@ -750,22 +753,22 @@ int mtk_pinconf_bias_set_combo(struct mtk_pinctrl *hw,
try_all_type = MTK_PULL_TYPE_MASK;
if (try_all_type & MTK_PULL_RSEL_TYPE) {
- err = mtk_pinconf_bias_set_rsel(hw, desc, pullup, arg);
+ err = mtk_pinconf_bias_set_pu_pd_rsel(hw, desc, pullup, arg);
if (!err)
- return err;
+ return 0;
}
if (try_all_type & MTK_PULL_PU_PD_TYPE) {
err = mtk_pinconf_bias_set_pu_pd(hw, desc, pullup, arg);
if (!err)
- return err;
+ return 0;
}
if (try_all_type & MTK_PULL_PULLSEL_TYPE) {
err = mtk_pinconf_bias_set_pullsel_pullen(hw, desc,
pullup, arg);
if (!err)
- return err;
+ return 0;
}
if (try_all_type & MTK_PULL_PUPD_R1R0_TYPE)
@@ -803,9 +806,9 @@ static int mtk_rsel_get_si_unit(struct mtk_pinctrl *hw,
return 0;
}
-static int mtk_pinconf_bias_get_rsel(struct mtk_pinctrl *hw,
- const struct mtk_pin_desc *desc,
- u32 *pullup, u32 *enable)
+static int mtk_pinconf_bias_get_pu_pd_rsel(struct mtk_pinctrl *hw,
+ const struct mtk_pin_desc *desc,
+ u32 *pullup, u32 *enable)
{
int pu, pd, rsel, err;
@@ -939,22 +942,22 @@ int mtk_pinconf_bias_get_combo(struct mtk_pinctrl *hw,
try_all_type = MTK_PULL_TYPE_MASK;
if (try_all_type & MTK_PULL_RSEL_TYPE) {
- err = mtk_pinconf_bias_get_rsel(hw, desc, pullup, enable);
+ err = mtk_pinconf_bias_get_pu_pd_rsel(hw, desc, pullup, enable);
if (!err)
- return err;
+ return 0;
}
if (try_all_type & MTK_PULL_PU_PD_TYPE) {
err = mtk_pinconf_bias_get_pu_pd(hw, desc, pullup, enable);
if (!err)
- return err;
+ return 0;
}
if (try_all_type & MTK_PULL_PULLSEL_TYPE) {
err = mtk_pinconf_bias_get_pullsel_pullen(hw, desc,
pullup, enable);
if (!err)
- return err;
+ return 0;
}
if (try_all_type & MTK_PULL_PUPD_R1R0_TYPE)
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 35/93] pinctrl: starfive: jh7110: Correct the level trigger configuration of iev register
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 34/93] pinctrl: mediatek: common-v2: Fix broken bias-disable for PULL_PU_PD_RSEL_TYPE Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 36/93] ovl: pass string to ovl_parse_layer() Greg Kroah-Hartman
` (63 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hal Feng, Linus Walleij, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hal Feng <hal.feng@starfivetech.com>
[ Upstream commit 639766ca10d1e218e257ae7eabe76814bae6ab89 ]
A mistake was made in level trigger register configuration. Correct it.
Fixes: 447976ab62c5 ("pinctrl: starfive: Add StarFive JH7110 sys controller driver")
Signed-off-by: Hal Feng <hal.feng@starfivetech.com>
Link: https://lore.kernel.org/20240812070108.100923-1-hal.feng@starfivetech.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/pinctrl/starfive/pinctrl-starfive-jh7110.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/pinctrl/starfive/pinctrl-starfive-jh7110.c b/drivers/pinctrl/starfive/pinctrl-starfive-jh7110.c
index b4f7995726894..a3fee55479d20 100644
--- a/drivers/pinctrl/starfive/pinctrl-starfive-jh7110.c
+++ b/drivers/pinctrl/starfive/pinctrl-starfive-jh7110.c
@@ -805,12 +805,12 @@ static int jh7110_irq_set_type(struct irq_data *d, unsigned int trigger)
case IRQ_TYPE_LEVEL_HIGH:
irq_type = 0; /* 0: level triggered */
edge_both = 0; /* 0: ignored */
- polarity = mask; /* 1: high level */
+ polarity = 0; /* 0: high level */
break;
case IRQ_TYPE_LEVEL_LOW:
irq_type = 0; /* 0: level triggered */
edge_both = 0; /* 0: ignored */
- polarity = 0; /* 0: low level */
+ polarity = mask; /* 1: low level */
break;
default:
return -EINVAL;
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 36/93] ovl: pass string to ovl_parse_layer()
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 35/93] pinctrl: starfive: jh7110: Correct the level trigger configuration of iev register Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 37/93] ovl: fix wrong lowerdir number check for parameter Opt_lowerdir Greg Kroah-Hartman
` (62 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Christian Brauner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christian Brauner <brauner@kernel.org>
[ Upstream commit 7eff3453cbd7e0bfc7524d59694119b5ca844778 ]
So it can be used for parsing the Opt_lowerdir.
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://lore.kernel.org/r/20240705011510.794025-2-chengzhihao1@huawei.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Stable-dep-of: ca76ac36bb60 ("ovl: fix wrong lowerdir number check for parameter Opt_lowerdir")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/overlayfs/params.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
diff --git a/fs/overlayfs/params.c b/fs/overlayfs/params.c
index 488f920f79d28..17b9c1838182d 100644
--- a/fs/overlayfs/params.c
+++ b/fs/overlayfs/params.c
@@ -369,10 +369,9 @@ static void ovl_add_layer(struct fs_context *fc, enum ovl_opt layer,
}
}
-static int ovl_parse_layer(struct fs_context *fc, struct fs_parameter *param,
- enum ovl_opt layer)
+static int ovl_parse_layer(struct fs_context *fc, const char *layer_name, enum ovl_opt layer)
{
- char *name = kstrdup(param->string, GFP_KERNEL);
+ char *name = kstrdup(layer_name, GFP_KERNEL);
bool upper = (layer == Opt_upperdir || layer == Opt_workdir);
struct path path;
int err;
@@ -586,7 +585,7 @@ static int ovl_parse_param(struct fs_context *fc, struct fs_parameter *param)
case Opt_datadir_add:
case Opt_upperdir:
case Opt_workdir:
- err = ovl_parse_layer(fc, param, opt);
+ err = ovl_parse_layer(fc, param->string, opt);
break;
case Opt_default_permissions:
config->default_permissions = true;
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 37/93] ovl: fix wrong lowerdir number check for parameter Opt_lowerdir
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 36/93] ovl: pass string to ovl_parse_layer() Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 38/93] ovl: ovl_parse_param_lowerdir: Add missed \n for pr_err Greg Kroah-Hartman
` (61 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Amir Goldstein,
Christian Brauner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhihao Cheng <chengzhihao1@huawei.com>
[ Upstream commit ca76ac36bb6068866feca185045e7edf2a8f392f ]
The max count of lowerdir is OVL_MAX_STACK[500], which is broken by
commit 37f32f526438("ovl: fix memory leak in ovl_parse_param()") for
parameter Opt_lowerdir. Since commit 819829f0319a("ovl: refactor layer
parsing helpers") and commit 24e16e385f22("ovl: add support for
appending lowerdirs one by one") added check ovl_mount_dir_check() in
function ovl_parse_param_lowerdir(), the 'ctx->nr' should be smaller
than OVL_MAX_STACK, after commit 37f32f526438("ovl: fix memory leak in
ovl_parse_param()") is applied, the 'ctx->nr' is updated before the
check ovl_mount_dir_check(), which leads the max count of lowerdir
to become 499 for parameter Opt_lowerdir.
Fix it by replacing lower layers parsing code with the existing helper
function ovl_parse_layer().
Fixes: 37f32f526438 ("ovl: fix memory leak in ovl_parse_param()")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://lore.kernel.org/r/20240705011510.794025-3-chengzhihao1@huawei.com
Reviewed-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/overlayfs/params.c | 40 +++++++---------------------------------
1 file changed, 7 insertions(+), 33 deletions(-)
diff --git a/fs/overlayfs/params.c b/fs/overlayfs/params.c
index 17b9c1838182d..39919a10ce1c9 100644
--- a/fs/overlayfs/params.c
+++ b/fs/overlayfs/params.c
@@ -357,6 +357,8 @@ static void ovl_add_layer(struct fs_context *fc, enum ovl_opt layer,
case Opt_datadir_add:
ctx->nr_data++;
fallthrough;
+ case Opt_lowerdir:
+ fallthrough;
case Opt_lowerdir_add:
WARN_ON(ctx->nr >= ctx->capacity);
l = &ctx->lower[ctx->nr++];
@@ -379,7 +381,7 @@ static int ovl_parse_layer(struct fs_context *fc, const char *layer_name, enum o
if (!name)
return -ENOMEM;
- if (upper)
+ if (upper || layer == Opt_lowerdir)
err = ovl_mount_dir(name, &path);
else
err = ovl_mount_dir_noesc(name, &path);
@@ -435,7 +437,6 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc)
{
int err;
struct ovl_fs_context *ctx = fc->fs_private;
- struct ovl_fs_context_layer *l;
char *dup = NULL, *iter;
ssize_t nr_lower, nr;
bool data_layer = false;
@@ -475,35 +476,11 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc)
goto out_err;
}
- if (nr_lower > ctx->capacity) {
- err = -ENOMEM;
- l = krealloc_array(ctx->lower, nr_lower, sizeof(*ctx->lower),
- GFP_KERNEL_ACCOUNT);
- if (!l)
- goto out_err;
-
- ctx->lower = l;
- ctx->capacity = nr_lower;
- }
-
iter = dup;
- l = ctx->lower;
- for (nr = 0; nr < nr_lower; nr++, l++) {
- ctx->nr++;
- memset(l, 0, sizeof(*l));
-
- err = ovl_mount_dir(iter, &l->path);
+ for (nr = 0; nr < nr_lower; nr++) {
+ err = ovl_parse_layer(fc, iter, Opt_lowerdir);
if (err)
- goto out_put;
-
- err = ovl_mount_dir_check(fc, &l->path, Opt_lowerdir, iter, false);
- if (err)
- goto out_put;
-
- err = -ENOMEM;
- l->name = kstrdup(iter, GFP_KERNEL_ACCOUNT);
- if (!l->name)
- goto out_put;
+ goto out_err;
if (data_layer)
ctx->nr_data++;
@@ -521,7 +498,7 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc)
*/
if (ctx->nr_data > 0) {
pr_err("regular lower layers cannot follow data lower layers");
- goto out_put;
+ goto out_err;
}
data_layer = false;
@@ -535,9 +512,6 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc)
kfree(dup);
return 0;
-out_put:
- ovl_reset_lowerdirs(ctx);
-
out_err:
kfree(dup);
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 38/93] ovl: ovl_parse_param_lowerdir: Add missed \n for pr_err
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 37/93] ovl: fix wrong lowerdir number check for parameter Opt_lowerdir Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 39/93] mm: Fix missing folio invalidation calls during truncation Greg Kroah-Hartman
` (60 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Christian Brauner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhihao Cheng <chengzhihao1@huawei.com>
[ Upstream commit 441e36ef5b347d9ab4f54f7b54853266be687556 ]
Add '\n' for pr_err in function ovl_parse_param_lowerdir(), which
ensures that error message is displayed at once.
Fixes: b36a5780cb44 ("ovl: modify layer parameter parsing")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://lore.kernel.org/r/20240705011510.794025-4-chengzhihao1@huawei.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/overlayfs/params.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/overlayfs/params.c b/fs/overlayfs/params.c
index 39919a10ce1c9..0f3768cf9e871 100644
--- a/fs/overlayfs/params.c
+++ b/fs/overlayfs/params.c
@@ -453,7 +453,7 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc)
return 0;
if (*name == ':') {
- pr_err("cannot append lower layer");
+ pr_err("cannot append lower layer\n");
return -EINVAL;
}
@@ -497,7 +497,7 @@ static int ovl_parse_param_lowerdir(const char *name, struct fs_context *fc)
* there are no data layers.
*/
if (ctx->nr_data > 0) {
- pr_err("regular lower layers cannot follow data lower layers");
+ pr_err("regular lower layers cannot follow data lower layers\n");
goto out_err;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 39/93] mm: Fix missing folio invalidation calls during truncation
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 38/93] ovl: ovl_parse_param_lowerdir: Add missed \n for pr_err Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 40/93] cifs: Fix FALLOC_FL_PUNCH_HOLE support Greg Kroah-Hartman
` (59 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells,
Matthew Wilcox (Oracle), Pankaj Raghav, Jeff Layton, Marc Dionne,
linux-afs, netfs, linux-mm, linux-fsdevel, Christian Brauner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 0aa2e1b2fb7a75aa4b5b4347055ccfea6f091769 ]
When AS_RELEASE_ALWAYS is set on a mapping, the ->release_folio() and
->invalidate_folio() calls should be invoked even if PG_private and
PG_private_2 aren't set. This is used by netfslib to keep track of the
point above which reads can be skipped in favour of just zeroing pagecache
locally.
There are a couple of places in truncation in which invalidation is only
called when folio_has_private() is true. Fix these to check
folio_needs_release() instead.
Without this, the generic/075 and generic/112 xfstests (both fsx-based
tests) fail with minimum folio size patches applied[1].
Fixes: b4fa966f03b7 ("mm, netfs, fscache: stop read optimisation when folio removed from pagecache")
Signed-off-by: David Howells <dhowells@redhat.com>
Link: https://lore.kernel.org/r/20240815090849.972355-1-kernel@pankajraghav.com/ [1]
Link: https://lore.kernel.org/r/20240823200819.532106-2-dhowells@redhat.com
Reviewed-by: Matthew Wilcox (Oracle) <willy@infradead.org>
cc: Matthew Wilcox (Oracle) <willy@infradead.org>
cc: Pankaj Raghav <p.raghav@samsung.com>
cc: Jeff Layton <jlayton@kernel.org>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: linux-afs@lists.infradead.org
cc: netfs@lists.linux.dev
cc: linux-mm@kvack.org
cc: linux-fsdevel@vger.kernel.org
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
mm/truncate.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/mm/truncate.c b/mm/truncate.c
index 8e3aa9e8618ed..70c09213bb920 100644
--- a/mm/truncate.c
+++ b/mm/truncate.c
@@ -174,7 +174,7 @@ static void truncate_cleanup_folio(struct folio *folio)
if (folio_mapped(folio))
unmap_mapping_folio(folio);
- if (folio_has_private(folio))
+ if (folio_needs_release(folio))
folio_invalidate(folio, 0, folio_size(folio));
/*
@@ -235,7 +235,7 @@ bool truncate_inode_partial_folio(struct folio *folio, loff_t start, loff_t end)
*/
folio_zero_range(folio, offset, length);
- if (folio_has_private(folio))
+ if (folio_needs_release(folio))
folio_invalidate(folio, offset, length);
if (!folio_test_large(folio))
return true;
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 40/93] cifs: Fix FALLOC_FL_PUNCH_HOLE support
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 39/93] mm: Fix missing folio invalidation calls during truncation Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 41/93] Revert "change alloc_pages name in dma_map_ops to avoid name conflicts" Greg Kroah-Hartman
` (58 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, Steve French,
Paulo Alcantara, Shyam Prasad N, Jeff Layton, linux-cifs, netfs,
Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
[ Upstream commit 416871f4fb84bc96822562e654941d5625a25bf8 ]
The cifs filesystem doesn't quite emulate FALLOC_FL_PUNCH_HOLE correctly
(note that due to lack of protocol support, it can't actually implement it
directly). Whilst it will (partially) invalidate dirty folios in the
pagecache, it doesn't write them back first, and so the EOF marker on the
server may be lower than inode->i_size.
This presents a problem, however, as if the punched hole invalidates the
tail of the locally cached dirty data, writeback won't know it needs to
move the EOF over to account for the hole punch (which isn't supposed to
move the EOF). We could just write zeroes over the punched out region of
the pagecache and write that back - but this is supposed to be a
deallocatory operation.
Fix this by manually moving the EOF over on the server after the operation
if the hole punched would corrupt it.
Note that the FSCTL_SET_ZERO_DATA RPC and the setting of the EOF should
probably be compounded to stop a third party interfering (or, at least,
massively reduce the chance).
This was reproducible occasionally by using fsx with the following script:
truncate 0x0 0x375e2 0x0
punch_hole 0x2f6d3 0x6ab5 0x375e2
truncate 0x0 0x3a71f 0x375e2
mapread 0xee05 0xcf12 0x3a71f
write 0x2078e 0x5604 0x3a71f
write 0x3ebdf 0x1421 0x3a71f *
punch_hole 0x379d0 0x8630 0x40000 *
mapread 0x2aaa2 0x85b 0x40000
fallocate 0x1b401 0x9ada 0x40000
read 0x15f2 0x7d32 0x40000
read 0x32f37 0x7a3b 0x40000 *
The second "write" should extend the EOF to 0x40000, and the "punch_hole"
should operate inside of that - but that depends on whether the VM gets in
and writes back the data first. If it doesn't, the file ends up 0x3a71f in
size, not 0x40000.
Fixes: 31742c5a3317 ("enable fallocate punch hole ("fallocate -p") for SMB3")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: Steve French <sfrench@samba.org>
cc: Paulo Alcantara <pc@manguebit.com>
cc: Shyam Prasad N <nspmangalore@gmail.com>
cc: Jeff Layton <jlayton@kernel.org>
cc: linux-cifs@vger.kernel.org
cc: netfs@lists.linux.dev
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/smb2ops.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/fs/smb/client/smb2ops.c b/fs/smb/client/smb2ops.c
index 66cfce456263b..012d6ec12a691 100644
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -3251,6 +3251,7 @@ static long smb3_punch_hole(struct file *file, struct cifs_tcon *tcon,
struct inode *inode = file_inode(file);
struct cifsFileInfo *cfile = file->private_data;
struct file_zero_data_information fsctl_buf;
+ unsigned long long end = offset + len, i_size, remote_i_size;
long rc;
unsigned int xid;
__u8 set_sparse = 1;
@@ -3282,6 +3283,27 @@ static long smb3_punch_hole(struct file *file, struct cifs_tcon *tcon,
(char *)&fsctl_buf,
sizeof(struct file_zero_data_information),
CIFSMaxBufSize, NULL, NULL);
+
+ if (rc)
+ goto unlock;
+
+ /* If there's dirty data in the buffer that would extend the EOF if it
+ * were written, then we need to move the EOF marker over to the lower
+ * of the high end of the hole and the proposed EOF. The problem is
+ * that we locally hole-punch the tail of the dirty data, the proposed
+ * EOF update will end up in the wrong place.
+ */
+ i_size = i_size_read(inode);
+ remote_i_size = netfs_inode(inode)->remote_i_size;
+ if (end > remote_i_size && i_size > remote_i_size) {
+ unsigned long long extend_to = umin(end, i_size);
+ rc = SMB2_set_eof(xid, tcon, cfile->fid.persistent_fid,
+ cfile->fid.volatile_fid, cfile->pid, extend_to);
+ if (rc >= 0)
+ netfs_inode(inode)->remote_i_size = extend_to;
+ }
+
+unlock:
filemap_invalidate_unlock(inode->i_mapping);
out:
inode_unlock(inode);
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 41/93] Revert "change alloc_pages name in dma_map_ops to avoid name conflicts"
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 40/93] cifs: Fix FALLOC_FL_PUNCH_HOLE support Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-02 10:58 ` Frank Scheiner
2024-09-01 16:16 ` [PATCH 6.6 42/93] selinux,smack: dont bypass permissions check in inode_setsecctx hook Greg Kroah-Hartman
` (57 subsequent siblings)
98 siblings, 1 reply; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor,
Suren Baghdasaryan, Kees Cook, Alexander Viro, Alex Gaynor,
Alice Ryhl, Andreas Hindborg, Benno Lossin, Björn Roy Baron,
Boqun Feng, Christoph Lameter, Dennis Zhou, Gary Guo,
Kent Overstreet, Miguel Ojeda, Pasha Tatashin, Peter Zijlstra,
Tejun Heo, Vlastimil Babka, Wedson Almeida Filho, Andrew Morton,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
This reverts commit 983e6b2636f0099dbac1874c9e885bbe1cf2df05 which is
commit 8a2f11878771da65b8ac135c73b47dae13afbd62 upstream.
It wasn't needed and caused a build break on s390, so just revert it
entirely.
Reported-by: Nathan Chancellor <nathan@kernel.org>
Link: https://lore.kernel.org/r/20240830221217.GA3837758@thelio-3990X
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: Kees Cook <keescook@chromium.org>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: Alex Gaynor <alex.gaynor@gmail.com>
Cc: Alice Ryhl <aliceryhl@google.com>
Cc: Andreas Hindborg <a.hindborg@samsung.com>
Cc: Benno Lossin <benno.lossin@proton.me>
Cc: "Björn Roy Baron" <bjorn3_gh@protonmail.com>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Dennis Zhou <dennis@kernel.org>
Cc: Gary Guo <gary@garyguo.net>
Cc: Kent Overstreet <kent.overstreet@linux.dev>
Cc: Miguel Ojeda <ojeda@kernel.org>
Cc: Pasha Tatashin <pasha.tatashin@soleen.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Tejun Heo <tj@kernel.org>
Cc: Vlastimil Babka <vbabka@suse.cz>
Cc: Wedson Almeida Filho <wedsonaf@gmail.com>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Sasha Levin <sashal@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/alpha/kernel/pci_iommu.c | 2 +-
arch/mips/jazz/jazzdma.c | 2 +-
arch/powerpc/kernel/dma-iommu.c | 2 +-
arch/powerpc/platforms/ps3/system-bus.c | 4 ++--
arch/powerpc/platforms/pseries/vio.c | 2 +-
arch/x86/kernel/amd_gart_64.c | 2 +-
drivers/iommu/dma-iommu.c | 2 +-
drivers/parisc/ccio-dma.c | 2 +-
drivers/parisc/sba_iommu.c | 2 +-
drivers/xen/grant-dma-ops.c | 2 +-
drivers/xen/swiotlb-xen.c | 2 +-
include/linux/dma-map-ops.h | 2 +-
kernel/dma/mapping.c | 4 ++--
13 files changed, 15 insertions(+), 15 deletions(-)
--- a/arch/alpha/kernel/pci_iommu.c
+++ b/arch/alpha/kernel/pci_iommu.c
@@ -929,7 +929,7 @@ const struct dma_map_ops alpha_pci_ops =
.dma_supported = alpha_pci_supported,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages_op = dma_common_alloc_pages,
+ .alloc_pages = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
EXPORT_SYMBOL(alpha_pci_ops);
--- a/arch/mips/jazz/jazzdma.c
+++ b/arch/mips/jazz/jazzdma.c
@@ -617,7 +617,7 @@ const struct dma_map_ops jazz_dma_ops =
.sync_sg_for_device = jazz_dma_sync_sg_for_device,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages_op = dma_common_alloc_pages,
+ .alloc_pages = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
EXPORT_SYMBOL(jazz_dma_ops);
--- a/arch/powerpc/kernel/dma-iommu.c
+++ b/arch/powerpc/kernel/dma-iommu.c
@@ -216,6 +216,6 @@ const struct dma_map_ops dma_iommu_ops =
.get_required_mask = dma_iommu_get_required_mask,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages_op = dma_common_alloc_pages,
+ .alloc_pages = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
--- a/arch/powerpc/platforms/ps3/system-bus.c
+++ b/arch/powerpc/platforms/ps3/system-bus.c
@@ -695,7 +695,7 @@ static const struct dma_map_ops ps3_sb_d
.unmap_page = ps3_unmap_page,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages_op = dma_common_alloc_pages,
+ .alloc_pages = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
@@ -709,7 +709,7 @@ static const struct dma_map_ops ps3_ioc0
.unmap_page = ps3_unmap_page,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages_op = dma_common_alloc_pages,
+ .alloc_pages = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
--- a/arch/powerpc/platforms/pseries/vio.c
+++ b/arch/powerpc/platforms/pseries/vio.c
@@ -611,7 +611,7 @@ static const struct dma_map_ops vio_dma_
.get_required_mask = dma_iommu_get_required_mask,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages_op = dma_common_alloc_pages,
+ .alloc_pages = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
--- a/arch/x86/kernel/amd_gart_64.c
+++ b/arch/x86/kernel/amd_gart_64.c
@@ -676,7 +676,7 @@ static const struct dma_map_ops gart_dma
.get_sgtable = dma_common_get_sgtable,
.dma_supported = dma_direct_supported,
.get_required_mask = dma_direct_get_required_mask,
- .alloc_pages_op = dma_direct_alloc_pages,
+ .alloc_pages = dma_direct_alloc_pages,
.free_pages = dma_direct_free_pages,
};
--- a/drivers/iommu/dma-iommu.c
+++ b/drivers/iommu/dma-iommu.c
@@ -1614,7 +1614,7 @@ static const struct dma_map_ops iommu_dm
.flags = DMA_F_PCI_P2PDMA_SUPPORTED,
.alloc = iommu_dma_alloc,
.free = iommu_dma_free,
- .alloc_pages_op = dma_common_alloc_pages,
+ .alloc_pages = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
.alloc_noncontiguous = iommu_dma_alloc_noncontiguous,
.free_noncontiguous = iommu_dma_free_noncontiguous,
--- a/drivers/parisc/ccio-dma.c
+++ b/drivers/parisc/ccio-dma.c
@@ -1022,7 +1022,7 @@ static const struct dma_map_ops ccio_ops
.map_sg = ccio_map_sg,
.unmap_sg = ccio_unmap_sg,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages_op = dma_common_alloc_pages,
+ .alloc_pages = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
--- a/drivers/parisc/sba_iommu.c
+++ b/drivers/parisc/sba_iommu.c
@@ -1090,7 +1090,7 @@ static const struct dma_map_ops sba_ops
.map_sg = sba_map_sg,
.unmap_sg = sba_unmap_sg,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages_op = dma_common_alloc_pages,
+ .alloc_pages = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
};
--- a/drivers/xen/grant-dma-ops.c
+++ b/drivers/xen/grant-dma-ops.c
@@ -282,7 +282,7 @@ static int xen_grant_dma_supported(struc
static const struct dma_map_ops xen_grant_dma_ops = {
.alloc = xen_grant_dma_alloc,
.free = xen_grant_dma_free,
- .alloc_pages_op = xen_grant_dma_alloc_pages,
+ .alloc_pages = xen_grant_dma_alloc_pages,
.free_pages = xen_grant_dma_free_pages,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
--- a/drivers/xen/swiotlb-xen.c
+++ b/drivers/xen/swiotlb-xen.c
@@ -403,7 +403,7 @@ const struct dma_map_ops xen_swiotlb_dma
.dma_supported = xen_swiotlb_dma_supported,
.mmap = dma_common_mmap,
.get_sgtable = dma_common_get_sgtable,
- .alloc_pages_op = dma_common_alloc_pages,
+ .alloc_pages = dma_common_alloc_pages,
.free_pages = dma_common_free_pages,
.max_mapping_size = swiotlb_max_mapping_size,
};
--- a/include/linux/dma-map-ops.h
+++ b/include/linux/dma-map-ops.h
@@ -28,7 +28,7 @@ struct dma_map_ops {
unsigned long attrs);
void (*free)(struct device *dev, size_t size, void *vaddr,
dma_addr_t dma_handle, unsigned long attrs);
- struct page *(*alloc_pages_op)(struct device *dev, size_t size,
+ struct page *(*alloc_pages)(struct device *dev, size_t size,
dma_addr_t *dma_handle, enum dma_data_direction dir,
gfp_t gfp);
void (*free_pages)(struct device *dev, size_t size, struct page *vaddr,
--- a/kernel/dma/mapping.c
+++ b/kernel/dma/mapping.c
@@ -570,9 +570,9 @@ static struct page *__dma_alloc_pages(st
size = PAGE_ALIGN(size);
if (dma_alloc_direct(dev, ops))
return dma_direct_alloc_pages(dev, size, dma_handle, dir, gfp);
- if (!ops->alloc_pages_op)
+ if (!ops->alloc_pages)
return NULL;
- return ops->alloc_pages_op(dev, size, dma_handle, dir, gfp);
+ return ops->alloc_pages(dev, size, dma_handle, dir, gfp);
}
struct page *dma_alloc_pages(struct device *dev, size_t size,
^ permalink raw reply [flat|nested] 101+ messages in thread* Re: [PATCH 6.6 41/93] Revert "change alloc_pages name in dma_map_ops to avoid name conflicts"
2024-09-01 16:16 ` [PATCH 6.6 41/93] Revert "change alloc_pages name in dma_map_ops to avoid name conflicts" Greg Kroah-Hartman
@ 2024-09-02 10:58 ` Frank Scheiner
0 siblings, 0 replies; 101+ messages in thread
From: Frank Scheiner @ 2024-09-02 10:58 UTC (permalink / raw)
To: gregkh
Cc: a.hindborg, akpm, alex.gaynor, aliceryhl, benno.lossin, bjorn3_gh,
boqun.feng, cl, dennis, gary, keescook, kent.overstreet, nathan,
ojeda, pasha.tatashin, patches, peterz, sashal, stable, surenb,
tj, vbabka, viro, wedsonaf
> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
>
> This reverts commit 983e6b2636f0099dbac1874c9e885bbe1cf2df05 which is
> commit 8a2f11878771da65b8ac135c73b47dae13afbd62 upstream.
>
> It wasn't needed and caused a build break on s390, so just revert it
> entirely.
Thanks for reverting this, as it also broke the build for ia64 since
6.6.48-rc1 (see e.g. [1]).
[1]:
https://github.com/linux-ia64/linux-stable-rc/actions/runs/10589507221/job/29344063186#step:8:1892
Cheers,
Frank
^ permalink raw reply [flat|nested] 101+ messages in thread
* [PATCH 6.6 42/93] selinux,smack: dont bypass permissions check in inode_setsecctx hook
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 41/93] Revert "change alloc_pages name in dma_map_ops to avoid name conflicts" Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 43/93] iommufd: Do not allow creating areas without READ or WRITE Greg Kroah-Hartman
` (56 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Marek Gresko, Scott Mayhew,
Stephen Smalley, Chuck Lever, Jeff Layton, Casey Schaufler,
Paul Moore
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Scott Mayhew <smayhew@redhat.com>
commit 76a0e79bc84f466999fa501fce5bf7a07641b8a7 upstream.
Marek Gresko reports that the root user on an NFS client is able to
change the security labels on files on an NFS filesystem that is
exported with root squashing enabled.
The end of the kerneldoc comment for __vfs_setxattr_noperm() states:
* This function requires the caller to lock the inode's i_mutex before it
* is executed. It also assumes that the caller will make the appropriate
* permission checks.
nfsd_setattr() does do permissions checking via fh_verify() and
nfsd_permission(), but those don't do all the same permissions checks
that are done by security_inode_setxattr() and its related LSM hooks do.
Since nfsd_setattr() is the only consumer of security_inode_setsecctx(),
simplest solution appears to be to replace the call to
__vfs_setxattr_noperm() with a call to __vfs_setxattr_locked(). This
fixes the above issue and has the added benefit of causing nfsd to
recall conflicting delegations on a file when a client tries to change
its security label.
Cc: stable@kernel.org
Reported-by: Marek Gresko <marek.gresko@protonmail.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=218809
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Tested-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Acked-by: Casey Schaufler <casey@schaufler-ca.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/selinux/hooks.c | 4 ++--
security/smack/smack_lsm.c | 4 ++--
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -6553,8 +6553,8 @@ static int selinux_inode_notifysecctx(st
*/
static int selinux_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
{
- return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
- ctx, ctxlen, 0);
+ return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SELINUX,
+ ctx, ctxlen, 0, NULL);
}
static int selinux_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
--- a/security/smack/smack_lsm.c
+++ b/security/smack/smack_lsm.c
@@ -4772,8 +4772,8 @@ static int smack_inode_notifysecctx(stru
static int smack_inode_setsecctx(struct dentry *dentry, void *ctx, u32 ctxlen)
{
- return __vfs_setxattr_noperm(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK,
- ctx, ctxlen, 0);
+ return __vfs_setxattr_locked(&nop_mnt_idmap, dentry, XATTR_NAME_SMACK,
+ ctx, ctxlen, 0, NULL);
}
static int smack_inode_getsecctx(struct inode *inode, void **ctx, u32 *ctxlen)
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 43/93] iommufd: Do not allow creating areas without READ or WRITE
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 42/93] selinux,smack: dont bypass permissions check in inode_setsecctx hook Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 44/93] phy: fsl-imx8mq-usb: fix tuning parameter name Greg Kroah-Hartman
` (55 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Jason Gunthorpe,
Nicolin Chen, Kevin Tian, Joerg Roedel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
commit 996dc53ac289b81957aa70d62ccadc6986d26a87 upstream.
This results in passing 0 or just IOMMU_CACHE to iommu_map(). Most of
the page table formats don't like this:
amdv1 - -EINVAL
armv7s - returns 0, doesn't update mapped
arm-lpae - returns 0 doesn't update mapped
dart - returns 0, doesn't update mapped
VT-D - returns -EINVAL
Unfortunately the three formats that return 0 cause serious problems:
- Returning ret = but not uppdating mapped from domain->map_pages()
causes an infinite loop in __iommu_map()
- Not writing ioptes means that VFIO/iommufd have no way to recover them
and we will have memory leaks and worse during unmap
Since almost nothing can support this, and it is a useless thing to do,
block it early in iommufd.
Cc: stable@kernel.org
Fixes: aad37e71d5c4 ("iommufd: IOCTLs for the io_pagetable")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Link: https://lore.kernel.org/r/1-v1-1211e1294c27+4b1-iommu_no_prot_jgg@nvidia.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/ioas.c | 8 ++++++++
tools/testing/selftests/iommu/iommufd.c | 6 +++---
2 files changed, 11 insertions(+), 3 deletions(-)
--- a/drivers/iommu/iommufd/ioas.c
+++ b/drivers/iommu/iommufd/ioas.c
@@ -213,6 +213,10 @@ int iommufd_ioas_map(struct iommufd_ucmd
if (cmd->iova >= ULONG_MAX || cmd->length >= ULONG_MAX)
return -EOVERFLOW;
+ if (!(cmd->flags &
+ (IOMMU_IOAS_MAP_WRITEABLE | IOMMU_IOAS_MAP_READABLE)))
+ return -EINVAL;
+
ioas = iommufd_get_ioas(ucmd->ictx, cmd->ioas_id);
if (IS_ERR(ioas))
return PTR_ERR(ioas);
@@ -253,6 +257,10 @@ int iommufd_ioas_copy(struct iommufd_ucm
cmd->dst_iova >= ULONG_MAX)
return -EOVERFLOW;
+ if (!(cmd->flags &
+ (IOMMU_IOAS_MAP_WRITEABLE | IOMMU_IOAS_MAP_READABLE)))
+ return -EINVAL;
+
src_ioas = iommufd_get_ioas(ucmd->ictx, cmd->src_ioas_id);
if (IS_ERR(src_ioas))
return PTR_ERR(src_ioas);
--- a/tools/testing/selftests/iommu/iommufd.c
+++ b/tools/testing/selftests/iommu/iommufd.c
@@ -531,7 +531,7 @@ TEST_F(iommufd_ioas, copy_area)
{
struct iommu_ioas_copy copy_cmd = {
.size = sizeof(copy_cmd),
- .flags = IOMMU_IOAS_MAP_FIXED_IOVA,
+ .flags = IOMMU_IOAS_MAP_FIXED_IOVA | IOMMU_IOAS_MAP_WRITEABLE,
.dst_ioas_id = self->ioas_id,
.src_ioas_id = self->ioas_id,
.length = PAGE_SIZE,
@@ -1024,7 +1024,7 @@ TEST_F(iommufd_ioas, copy_sweep)
{
struct iommu_ioas_copy copy_cmd = {
.size = sizeof(copy_cmd),
- .flags = IOMMU_IOAS_MAP_FIXED_IOVA,
+ .flags = IOMMU_IOAS_MAP_FIXED_IOVA | IOMMU_IOAS_MAP_WRITEABLE,
.src_ioas_id = self->ioas_id,
.dst_iova = MOCK_APERTURE_START,
.length = MOCK_PAGE_SIZE,
@@ -1314,7 +1314,7 @@ TEST_F(iommufd_mock_domain, user_copy)
};
struct iommu_ioas_copy copy_cmd = {
.size = sizeof(copy_cmd),
- .flags = IOMMU_IOAS_MAP_FIXED_IOVA,
+ .flags = IOMMU_IOAS_MAP_FIXED_IOVA | IOMMU_IOAS_MAP_WRITEABLE,
.dst_ioas_id = self->ioas_id,
.dst_iova = MOCK_APERTURE_START,
.length = BUFFER_SIZE,
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 44/93] phy: fsl-imx8mq-usb: fix tuning parameter name
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 43/93] iommufd: Do not allow creating areas without READ or WRITE Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 45/93] soundwire: stream: fix programming slave ports for non-continous port maps Greg Kroah-Hartman
` (54 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xu Yang, Alexander Stein, Vinod Koul
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xu Yang <xu.yang_2@nxp.com>
commit ce52c2532299c7ccfd34a52db8d071e890a78c59 upstream.
According to fsl,imx8mq-usb-phy.yaml, this tuning parameter should be
fsl,phy-pcs-tx-deemph-3p5db-attenuation-db.
Fixes: 63c85ad0cd81 ("phy: fsl-imx8mp-usb: add support for phy tuning")
Cc: stable@vger.kernel.org
Signed-off-by: Xu Yang <xu.yang_2@nxp.com>
Reviewed-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Link: https://lore.kernel.org/r/20240801124642.1152838-1-xu.yang_2@nxp.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/phy/freescale/phy-fsl-imx8mq-usb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
index 0b9a59d5b8f0..adc6394626ce 100644
--- a/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
+++ b/drivers/phy/freescale/phy-fsl-imx8mq-usb.c
@@ -176,7 +176,7 @@ static void imx8m_get_phy_tuning_data(struct imx8mq_usb_phy *imx_phy)
imx_phy->comp_dis_tune =
phy_comp_dis_tune_from_property(imx_phy->comp_dis_tune);
- if (device_property_read_u32(dev, "fsl,pcs-tx-deemph-3p5db-attenuation-db",
+ if (device_property_read_u32(dev, "fsl,phy-pcs-tx-deemph-3p5db-attenuation-db",
&imx_phy->pcs_tx_deemph_3p5db))
imx_phy->pcs_tx_deemph_3p5db = PHY_TUNE_DEFAULT;
else
--
2.46.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 45/93] soundwire: stream: fix programming slave ports for non-continous port maps
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 44/93] phy: fsl-imx8mq-usb: fix tuning parameter name Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 46/93] dmaengine: dw-edma: Fix unmasking STOP and ABORT interrupts for HDMA Greg Kroah-Hartman
` (53 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Pierre-Louis Bossart, Vinod Koul
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit ab8d66d132bc8f1992d3eb6cab8d32dda6733c84 upstream.
Two bitmasks in 'struct sdw_slave_prop' - 'source_ports' and
'sink_ports' - define which ports to program in
sdw_program_slave_port_params(). The masks are used to get the
appropriate data port properties ('struct sdw_get_slave_dpn_prop') from
an array.
Bitmasks can be non-continuous or can start from index different than 0,
thus when looking for matching port property for given port, we must
iterate over mask bits, not from 0 up to number of ports.
This fixes allocation and programming slave ports, when a source or sink
masks start from further index.
Fixes: f8101c74aa54 ("soundwire: Add Master and Slave port programming")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
Link: https://lore.kernel.org/r/20240729140157.326450-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soundwire/stream.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/soundwire/stream.c
+++ b/drivers/soundwire/stream.c
@@ -1286,18 +1286,18 @@ struct sdw_dpn_prop *sdw_get_slave_dpn_p
unsigned int port_num)
{
struct sdw_dpn_prop *dpn_prop;
- u8 num_ports;
+ unsigned long mask;
int i;
if (direction == SDW_DATA_DIR_TX) {
- num_ports = hweight32(slave->prop.source_ports);
+ mask = slave->prop.source_ports;
dpn_prop = slave->prop.src_dpn_prop;
} else {
- num_ports = hweight32(slave->prop.sink_ports);
+ mask = slave->prop.sink_ports;
dpn_prop = slave->prop.sink_dpn_prop;
}
- for (i = 0; i < num_ports; i++) {
+ for_each_set_bit(i, &mask, 32) {
if (dpn_prop[i].num == port_num)
return &dpn_prop[i];
}
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 46/93] dmaengine: dw-edma: Fix unmasking STOP and ABORT interrupts for HDMA
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 45/93] soundwire: stream: fix programming slave ports for non-continous port maps Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 47/93] dmaengine: dw-edma: Do not enable watermark " Greg Kroah-Hartman
` (52 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mrinmay Sarkar,
Manivannan Sadhasivam, Vinod Koul
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mrinmay Sarkar <quic_msarkar@quicinc.com>
commit 383baf5c8f062091af34c63f28d37642a8f188ae upstream.
The current logic is enabling both STOP_INT_MASK and ABORT_INT_MASK
bit. This is apparently masking those particular interrupts rather than
unmasking the same. If the interrupts are masked, they would never get
triggered.
So fix the issue by unmasking the STOP and ABORT interrupts properly.
Fixes: e74c39573d35 ("dmaengine: dw-edma: Add support for native HDMA")
cc: stable@vger.kernel.org
Signed-off-by: Mrinmay Sarkar <quic_msarkar@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/1724674261-3144-2-git-send-email-quic_msarkar@quicinc.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/dw-edma/dw-hdma-v0-core.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/dma/dw-edma/dw-hdma-v0-core.c b/drivers/dma/dw-edma/dw-hdma-v0-core.c
index 10e8f0715114..2addaca3b694 100644
--- a/drivers/dma/dw-edma/dw-hdma-v0-core.c
+++ b/drivers/dma/dw-edma/dw-hdma-v0-core.c
@@ -247,10 +247,11 @@ static void dw_hdma_v0_core_start(struct dw_edma_chunk *chunk, bool first)
if (first) {
/* Enable engine */
SET_CH_32(dw, chan->dir, chan->id, ch_en, BIT(0));
- /* Interrupt enable&unmask - done, abort */
- tmp = GET_CH_32(dw, chan->dir, chan->id, int_setup) |
- HDMA_V0_STOP_INT_MASK | HDMA_V0_ABORT_INT_MASK |
- HDMA_V0_LOCAL_STOP_INT_EN | HDMA_V0_LOCAL_ABORT_INT_EN;
+ /* Interrupt unmask - stop, abort */
+ tmp = GET_CH_32(dw, chan->dir, chan->id, int_setup);
+ tmp &= ~(HDMA_V0_STOP_INT_MASK | HDMA_V0_ABORT_INT_MASK);
+ /* Interrupt enable - stop, abort */
+ tmp |= HDMA_V0_LOCAL_STOP_INT_EN | HDMA_V0_LOCAL_ABORT_INT_EN;
if (!(dw->chip->flags & DW_EDMA_CHIP_LOCAL))
tmp |= HDMA_V0_REMOTE_STOP_INT_EN | HDMA_V0_REMOTE_ABORT_INT_EN;
SET_CH_32(dw, chan->dir, chan->id, int_setup, tmp);
--
2.46.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 47/93] dmaengine: dw-edma: Do not enable watermark interrupts for HDMA
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 46/93] dmaengine: dw-edma: Fix unmasking STOP and ABORT interrupts for HDMA Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 48/93] phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume Greg Kroah-Hartman
` (51 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mrinmay Sarkar,
Manivannan Sadhasivam, Serge Semin, Vinod Koul
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mrinmay Sarkar <quic_msarkar@quicinc.com>
commit 9f646ff25c09c52cebe726601db27a60f876f15e upstream.
DW_HDMA_V0_LIE and DW_HDMA_V0_RIE are initialized as BIT(3) and BIT(4)
respectively in dw_hdma_control enum. But as per HDMA register these
bits are corresponds to LWIE and RWIE bit i.e local watermark interrupt
enable and remote watermarek interrupt enable. In linked list mode LWIE
and RWIE bits only enable the local and remote watermark interrupt.
Since the watermark interrupts are not used but enabled, this leads to
spurious interrupts getting generated. So remove the code that enables
them to avoid generating spurious watermark interrupts.
And also rename DW_HDMA_V0_LIE to DW_HDMA_V0_LWIE and DW_HDMA_V0_RIE to
DW_HDMA_V0_RWIE as there is no LIE and RIE bits in HDMA and those bits
are corresponds to LWIE and RWIE bits.
Fixes: e74c39573d35 ("dmaengine: dw-edma: Add support for native HDMA")
cc: stable@vger.kernel.org
Signed-off-by: Mrinmay Sarkar <quic_msarkar@quicinc.com>
Reviewed-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
Link: https://lore.kernel.org/r/1724674261-3144-3-git-send-email-quic_msarkar@quicinc.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/dw-edma/dw-hdma-v0-core.c | 17 +++--------------
1 file changed, 3 insertions(+), 14 deletions(-)
diff --git a/drivers/dma/dw-edma/dw-hdma-v0-core.c b/drivers/dma/dw-edma/dw-hdma-v0-core.c
index 2addaca3b694..e3f8db4fe909 100644
--- a/drivers/dma/dw-edma/dw-hdma-v0-core.c
+++ b/drivers/dma/dw-edma/dw-hdma-v0-core.c
@@ -17,8 +17,8 @@ enum dw_hdma_control {
DW_HDMA_V0_CB = BIT(0),
DW_HDMA_V0_TCB = BIT(1),
DW_HDMA_V0_LLP = BIT(2),
- DW_HDMA_V0_LIE = BIT(3),
- DW_HDMA_V0_RIE = BIT(4),
+ DW_HDMA_V0_LWIE = BIT(3),
+ DW_HDMA_V0_RWIE = BIT(4),
DW_HDMA_V0_CCS = BIT(8),
DW_HDMA_V0_LLE = BIT(9),
};
@@ -195,25 +195,14 @@ static void dw_hdma_v0_write_ll_link(struct dw_edma_chunk *chunk,
static void dw_hdma_v0_core_write_chunk(struct dw_edma_chunk *chunk)
{
struct dw_edma_burst *child;
- struct dw_edma_chan *chan = chunk->chan;
u32 control = 0, i = 0;
- int j;
if (chunk->cb)
control = DW_HDMA_V0_CB;
- j = chunk->bursts_alloc;
- list_for_each_entry(child, &chunk->burst->list, list) {
- j--;
- if (!j) {
- control |= DW_HDMA_V0_LIE;
- if (!(chan->dw->chip->flags & DW_EDMA_CHIP_LOCAL))
- control |= DW_HDMA_V0_RIE;
- }
-
+ list_for_each_entry(child, &chunk->burst->list, list)
dw_hdma_v0_write_ll_data(chunk, i++, control, child->sz,
child->sar, child->dar);
- }
control = DW_HDMA_V0_LLP | DW_HDMA_V0_TCB;
if (!chunk->cb)
--
2.46.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 48/93] phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 47/93] dmaengine: dw-edma: Do not enable watermark " Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 49/93] dmaengine: dw: Add peripheral bus width verification Greg Kroah-Hartman
` (50 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Piyush Mehta, Radhey Shyam Pandey,
Vinod Koul, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Piyush Mehta <piyush.mehta@amd.com>
[ Upstream commit 5af9b304bc6010723c02f74de0bfd24ff19b1a10 ]
On a few Kria KR260 Robotics Starter Kit the PS-GEM SGMII linkup is not
happening after the resume. This is because serdes registers are reset
when FPD is off (in suspend state) and needs to be reprogrammed in the
resume path with the same default initialization as done in the first
stage bootloader psu_init routine.
To address the failure introduce a set of serdes registers to be saved in
the suspend path and then restore it on resume.
Fixes: 4a33bea00314 ("phy: zynqmp: Add PHY driver for the Xilinx ZynqMP Gigabit Transceiver")
Signed-off-by: Piyush Mehta <piyush.mehta@amd.com>
Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Link: https://lore.kernel.org/r/1722837547-2578381-1-git-send-email-radhey.shyam.pandey@amd.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/xilinx/phy-zynqmp.c | 56 +++++++++++++++++++++++++++++++++
1 file changed, 56 insertions(+)
diff --git a/drivers/phy/xilinx/phy-zynqmp.c b/drivers/phy/xilinx/phy-zynqmp.c
index 0cb5088e460b5..8c8b1ca31e4c4 100644
--- a/drivers/phy/xilinx/phy-zynqmp.c
+++ b/drivers/phy/xilinx/phy-zynqmp.c
@@ -166,6 +166,24 @@
/* Timeout values */
#define TIMEOUT_US 1000
+/* Lane 0/1/2/3 offset */
+#define DIG_8(n) ((0x4000 * (n)) + 0x1074)
+#define ILL13(n) ((0x4000 * (n)) + 0x1994)
+#define DIG_10(n) ((0x4000 * (n)) + 0x107c)
+#define RST_DLY(n) ((0x4000 * (n)) + 0x19a4)
+#define BYP_15(n) ((0x4000 * (n)) + 0x1038)
+#define BYP_12(n) ((0x4000 * (n)) + 0x102c)
+#define MISC3(n) ((0x4000 * (n)) + 0x19ac)
+#define EQ11(n) ((0x4000 * (n)) + 0x1978)
+
+static u32 save_reg_address[] = {
+ /* Lane 0/1/2/3 Register */
+ DIG_8(0), ILL13(0), DIG_10(0), RST_DLY(0), BYP_15(0), BYP_12(0), MISC3(0), EQ11(0),
+ DIG_8(1), ILL13(1), DIG_10(1), RST_DLY(1), BYP_15(1), BYP_12(1), MISC3(1), EQ11(1),
+ DIG_8(2), ILL13(2), DIG_10(2), RST_DLY(2), BYP_15(2), BYP_12(2), MISC3(2), EQ11(2),
+ DIG_8(3), ILL13(3), DIG_10(3), RST_DLY(3), BYP_15(3), BYP_12(3), MISC3(3), EQ11(3),
+};
+
struct xpsgtr_dev;
/**
@@ -214,6 +232,7 @@ struct xpsgtr_phy {
* @tx_term_fix: fix for GT issue
* @saved_icm_cfg0: stored value of ICM CFG0 register
* @saved_icm_cfg1: stored value of ICM CFG1 register
+ * @saved_regs: registers to be saved/restored during suspend/resume
*/
struct xpsgtr_dev {
struct device *dev;
@@ -226,6 +245,7 @@ struct xpsgtr_dev {
bool tx_term_fix;
unsigned int saved_icm_cfg0;
unsigned int saved_icm_cfg1;
+ u32 *saved_regs;
};
/*
@@ -299,6 +319,32 @@ static inline void xpsgtr_clr_set_phy(struct xpsgtr_phy *gtr_phy,
writel((readl(addr) & ~clr) | set, addr);
}
+/**
+ * xpsgtr_save_lane_regs - Saves registers on suspend
+ * @gtr_dev: pointer to phy controller context structure
+ */
+static void xpsgtr_save_lane_regs(struct xpsgtr_dev *gtr_dev)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(save_reg_address); i++)
+ gtr_dev->saved_regs[i] = xpsgtr_read(gtr_dev,
+ save_reg_address[i]);
+}
+
+/**
+ * xpsgtr_restore_lane_regs - Restores registers on resume
+ * @gtr_dev: pointer to phy controller context structure
+ */
+static void xpsgtr_restore_lane_regs(struct xpsgtr_dev *gtr_dev)
+{
+ int i;
+
+ for (i = 0; i < ARRAY_SIZE(save_reg_address); i++)
+ xpsgtr_write(gtr_dev, save_reg_address[i],
+ gtr_dev->saved_regs[i]);
+}
+
/*
* Hardware Configuration
*/
@@ -839,6 +885,8 @@ static int xpsgtr_runtime_suspend(struct device *dev)
gtr_dev->saved_icm_cfg0 = xpsgtr_read(gtr_dev, ICM_CFG0);
gtr_dev->saved_icm_cfg1 = xpsgtr_read(gtr_dev, ICM_CFG1);
+ xpsgtr_save_lane_regs(gtr_dev);
+
return 0;
}
@@ -849,6 +897,8 @@ static int xpsgtr_runtime_resume(struct device *dev)
unsigned int i;
bool skip_phy_init;
+ xpsgtr_restore_lane_regs(gtr_dev);
+
icm_cfg0 = xpsgtr_read(gtr_dev, ICM_CFG0);
icm_cfg1 = xpsgtr_read(gtr_dev, ICM_CFG1);
@@ -994,6 +1044,12 @@ static int xpsgtr_probe(struct platform_device *pdev)
return ret;
}
+ gtr_dev->saved_regs = devm_kmalloc(gtr_dev->dev,
+ sizeof(save_reg_address),
+ GFP_KERNEL);
+ if (!gtr_dev->saved_regs)
+ return -ENOMEM;
+
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 49/93] dmaengine: dw: Add peripheral bus width verification
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 48/93] phy: xilinx: phy-zynqmp: Fix SGMII linkup failure on resume Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 50/93] dmaengine: dw: Add memory " Greg Kroah-Hartman
` (49 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Serge Semin, Andy Shevchenko,
Vinod Koul, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Serge Semin <fancer.lancer@gmail.com>
[ Upstream commit b336268dde75cb09bd795cb24893d52152a9191f ]
Currently the src_addr_width and dst_addr_width fields of the
dma_slave_config structure are mapped to the CTLx.SRC_TR_WIDTH and
CTLx.DST_TR_WIDTH fields of the peripheral bus side in order to have the
properly aligned data passed to the target device. It's done just by
converting the passed peripheral bus width to the encoded value using the
__ffs() function. This implementation has several problematic sides:
1. __ffs() is undefined if no bit exist in the passed value. Thus if the
specified addr-width is DMA_SLAVE_BUSWIDTH_UNDEFINED, __ffs() may return
unexpected value depending on the platform-specific implementation.
2. DW AHB DMA-engine permits having the power-of-2 transfer width limited
by the DMAH_Mk_HDATA_WIDTH IP-core synthesize parameter. Specifying
bus-width out of that constraints scope will definitely cause unexpected
result since the destination reg will be only partly touched than the
client driver implied.
Let's fix all of that by adding the peripheral bus width verification
method and calling it in dwc_config() which is supposed to be executed
before preparing any transfer. The new method will make sure that the
passed source or destination address width is valid and if undefined then
the driver will just fallback to the 1-byte width transfer.
Fixes: 029a40e97d0d ("dmaengine: dw: provide DMA capabilities")
Signed-off-by: Serge Semin <fancer.lancer@gmail.com>
Acked-by: Andy Shevchenko <andy@kernel.org>
Link: https://lore.kernel.org/r/20240802075100.6475-2-fancer.lancer@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/dw/core.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
diff --git a/drivers/dma/dw/core.c b/drivers/dma/dw/core.c
index 5f7d690e3dbae..11e269a31a092 100644
--- a/drivers/dma/dw/core.c
+++ b/drivers/dma/dw/core.c
@@ -16,6 +16,7 @@
#include <linux/init.h>
#include <linux/interrupt.h>
#include <linux/io.h>
+#include <linux/log2.h>
#include <linux/mm.h>
#include <linux/module.h>
#include <linux/slab.h>
@@ -780,10 +781,43 @@ bool dw_dma_filter(struct dma_chan *chan, void *param)
}
EXPORT_SYMBOL_GPL(dw_dma_filter);
+static int dwc_verify_p_buswidth(struct dma_chan *chan)
+{
+ struct dw_dma_chan *dwc = to_dw_dma_chan(chan);
+ struct dw_dma *dw = to_dw_dma(chan->device);
+ u32 reg_width, max_width;
+
+ if (dwc->dma_sconfig.direction == DMA_MEM_TO_DEV)
+ reg_width = dwc->dma_sconfig.dst_addr_width;
+ else if (dwc->dma_sconfig.direction == DMA_DEV_TO_MEM)
+ reg_width = dwc->dma_sconfig.src_addr_width;
+ else /* DMA_MEM_TO_MEM */
+ return 0;
+
+ max_width = dw->pdata->data_width[dwc->dws.p_master];
+
+ /* Fall-back to 1-byte transfer width if undefined */
+ if (reg_width == DMA_SLAVE_BUSWIDTH_UNDEFINED)
+ reg_width = DMA_SLAVE_BUSWIDTH_1_BYTE;
+ else if (!is_power_of_2(reg_width) || reg_width > max_width)
+ return -EINVAL;
+ else /* bus width is valid */
+ return 0;
+
+ /* Update undefined addr width value */
+ if (dwc->dma_sconfig.direction == DMA_MEM_TO_DEV)
+ dwc->dma_sconfig.dst_addr_width = reg_width;
+ else /* DMA_DEV_TO_MEM */
+ dwc->dma_sconfig.src_addr_width = reg_width;
+
+ return 0;
+}
+
static int dwc_config(struct dma_chan *chan, struct dma_slave_config *sconfig)
{
struct dw_dma_chan *dwc = to_dw_dma_chan(chan);
struct dw_dma *dw = to_dw_dma(chan->device);
+ int ret;
memcpy(&dwc->dma_sconfig, sconfig, sizeof(*sconfig));
@@ -792,6 +826,10 @@ static int dwc_config(struct dma_chan *chan, struct dma_slave_config *sconfig)
dwc->dma_sconfig.dst_maxburst =
clamp(dwc->dma_sconfig.dst_maxburst, 0U, dwc->max_burst);
+ ret = dwc_verify_p_buswidth(chan);
+ if (ret)
+ return ret;
+
dw->encode_maxburst(dwc, &dwc->dma_sconfig.src_maxburst);
dw->encode_maxburst(dwc, &dwc->dma_sconfig.dst_maxburst);
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 50/93] dmaengine: dw: Add memory bus width verification
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 49/93] dmaengine: dw: Add peripheral bus width verification Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 51/93] Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test Greg Kroah-Hartman
` (48 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Serge Semin, Andy Shevchenko,
Vinod Koul, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Serge Semin <fancer.lancer@gmail.com>
[ Upstream commit d04b21bfa1c50a2ade4816cab6fdc91827b346b1 ]
Currently in case of the DEV_TO_MEM or MEM_TO_DEV DMA transfers the memory
data width (single transfer width) is determined based on the buffer
length, buffer base address or DMA master-channel max address width
capability. It isn't enough in case of the channel disabling prior the
block transfer is finished. Here is what DW AHB DMA IP-core databook says
regarding the port suspension (DMA-transfer pause) implementation in the
controller:
"When CTLx.SRC_TR_WIDTH < CTLx.DST_TR_WIDTH and the CFGx.CH_SUSP bit is
high, the CFGx.FIFO_EMPTY is asserted once the contents of the FIFO do not
permit a single word of CTLx.DST_TR_WIDTH to be formed. However, there may
still be data in the channel FIFO, but not enough to form a single
transfer of CTLx.DST_TR_WIDTH. In this scenario, once the channel is
disabled, the remaining data in the channel FIFO is not transferred to the
destination peripheral."
So in case if the port gets to be suspended and then disabled it's
possible to have the data silently discarded even though the controller
reported that FIFO is empty and the CTLx.BLOCK_TS indicated the dropped
data already received from the source device. This looks as if the data
somehow got lost on a way from the peripheral device to memory and causes
problems for instance in the DW APB UART driver, which pauses and disables
the DMA-transfer as soon as the recv data timeout happens. Here is the way
it looks:
Memory <------- DMA FIFO <------ UART FIFO <---------------- UART
DST_TR_WIDTH -+--------| | |
| | | | No more data
Current lvl -+--------| |---------+- DMA-burst lvl
| | |---------+- Leftover data
| | |---------+- SRC_TR_WIDTH
-+--------+-------+---------+
In the example above: no more data is getting received over the UART port
and BLOCK_TS is not even close to be fully received; some data is left in
the UART FIFO, but not enough to perform a bursted DMA-xfer to the DMA
FIFO; some data is left in the DMA FIFO, but not enough to be passed
further to the system memory in a single transfer. In this situation the
8250 UART driver catches the recv timeout interrupt, pauses the
DMA-transfer and terminates it completely, after which the IRQ handler
manually fetches the leftover data from the UART FIFO into the
recv-buffer. But since the DMA-channel has been disabled with the data
left in the DMA FIFO, that data will be just discarded and the recv-buffer
will have a gap of the "current lvl" size in the recv-buffer at the tail
of the lately received data portion. So the data will be lost just due to
the misconfigured DMA transfer.
Note this is only relevant for the case of the transfer suspension and
_disabling_. No problem will happen if the transfer will be re-enabled
afterwards or the block transfer is fully completed. In the later case the
"FIFO flush mode" will be executed at the transfer final stage in order to
push out the data left in the DMA FIFO.
In order to fix the denoted problem the DW AHB DMA-engine driver needs to
make sure that the _bursted_ source transfer width is greater or equal to
the single destination transfer (note the HW databook describes more
strict constraint than actually required). Since the peripheral-device
side is prescribed by the client driver logic, the memory-side can be only
used for that. The solution can be easily implemented for the DEV_TO_MEM
transfers just by adjusting the memory-channel address width. Sadly it's
not that easy for the MEM_TO_DEV transfers since the mem-to-dma burst size
is normally dynamically determined by the controller. So the only thing
that can be done is to make sure that memory-side address width is greater
than the peripheral device address width.
Fixes: a09820043c9e ("dw_dmac: autoconfigure data_width or get it via platform data")
Signed-off-by: Serge Semin <fancer.lancer@gmail.com>
Acked-by: Andy Shevchenko <andy@kernel.org>
Link: https://lore.kernel.org/r/20240802075100.6475-3-fancer.lancer@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/dma/dw/core.c | 51 +++++++++++++++++++++++++++++++++++++------
1 file changed, 44 insertions(+), 7 deletions(-)
diff --git a/drivers/dma/dw/core.c b/drivers/dma/dw/core.c
index 11e269a31a092..b341a6f1b0438 100644
--- a/drivers/dma/dw/core.c
+++ b/drivers/dma/dw/core.c
@@ -622,12 +622,10 @@ dwc_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
struct dw_desc *prev;
struct dw_desc *first;
u32 ctllo, ctlhi;
- u8 m_master = dwc->dws.m_master;
- u8 lms = DWC_LLP_LMS(m_master);
+ u8 lms = DWC_LLP_LMS(dwc->dws.m_master);
dma_addr_t reg;
unsigned int reg_width;
unsigned int mem_width;
- unsigned int data_width = dw->pdata->data_width[m_master];
unsigned int i;
struct scatterlist *sg;
size_t total_len = 0;
@@ -661,7 +659,7 @@ dwc_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
mem = sg_dma_address(sg);
len = sg_dma_len(sg);
- mem_width = __ffs(data_width | mem | len);
+ mem_width = __ffs(sconfig->src_addr_width | mem | len);
slave_sg_todev_fill_desc:
desc = dwc_desc_get(dwc);
@@ -721,7 +719,7 @@ dwc_prep_slave_sg(struct dma_chan *chan, struct scatterlist *sgl,
lli_write(desc, sar, reg);
lli_write(desc, dar, mem);
lli_write(desc, ctlhi, ctlhi);
- mem_width = __ffs(data_width | mem);
+ mem_width = __ffs(sconfig->dst_addr_width | mem);
lli_write(desc, ctllo, ctllo | DWC_CTLL_DST_WIDTH(mem_width));
desc->len = dlen;
@@ -813,6 +811,41 @@ static int dwc_verify_p_buswidth(struct dma_chan *chan)
return 0;
}
+static int dwc_verify_m_buswidth(struct dma_chan *chan)
+{
+ struct dw_dma_chan *dwc = to_dw_dma_chan(chan);
+ struct dw_dma *dw = to_dw_dma(chan->device);
+ u32 reg_width, reg_burst, mem_width;
+
+ mem_width = dw->pdata->data_width[dwc->dws.m_master];
+
+ /*
+ * It's possible to have a data portion locked in the DMA FIFO in case
+ * of the channel suspension. Subsequent channel disabling will cause
+ * that data silent loss. In order to prevent that maintain the src and
+ * dst transfer widths coherency by means of the relation:
+ * (CTLx.SRC_TR_WIDTH * CTLx.SRC_MSIZE >= CTLx.DST_TR_WIDTH)
+ * Look for the details in the commit message that brings this change.
+ *
+ * Note the DMA configs utilized in the calculations below must have
+ * been verified to have correct values by this method call.
+ */
+ if (dwc->dma_sconfig.direction == DMA_MEM_TO_DEV) {
+ reg_width = dwc->dma_sconfig.dst_addr_width;
+ if (mem_width < reg_width)
+ return -EINVAL;
+
+ dwc->dma_sconfig.src_addr_width = mem_width;
+ } else if (dwc->dma_sconfig.direction == DMA_DEV_TO_MEM) {
+ reg_width = dwc->dma_sconfig.src_addr_width;
+ reg_burst = rounddown_pow_of_two(dwc->dma_sconfig.src_maxburst);
+
+ dwc->dma_sconfig.dst_addr_width = min(mem_width, reg_width * reg_burst);
+ }
+
+ return 0;
+}
+
static int dwc_config(struct dma_chan *chan, struct dma_slave_config *sconfig)
{
struct dw_dma_chan *dwc = to_dw_dma_chan(chan);
@@ -822,14 +855,18 @@ static int dwc_config(struct dma_chan *chan, struct dma_slave_config *sconfig)
memcpy(&dwc->dma_sconfig, sconfig, sizeof(*sconfig));
dwc->dma_sconfig.src_maxburst =
- clamp(dwc->dma_sconfig.src_maxburst, 0U, dwc->max_burst);
+ clamp(dwc->dma_sconfig.src_maxburst, 1U, dwc->max_burst);
dwc->dma_sconfig.dst_maxburst =
- clamp(dwc->dma_sconfig.dst_maxburst, 0U, dwc->max_burst);
+ clamp(dwc->dma_sconfig.dst_maxburst, 1U, dwc->max_burst);
ret = dwc_verify_p_buswidth(chan);
if (ret)
return ret;
+ ret = dwc_verify_m_buswidth(chan);
+ if (ret)
+ return ret;
+
dw->encode_maxburst(dwc, &dwc->dma_sconfig.src_maxburst);
dw->encode_maxburst(dwc, &dwc->dma_sconfig.dst_maxburst);
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 51/93] Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 50/93] dmaengine: dw: Add memory " Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 52/93] Bluetooth: btnxpuart: Handle FW Download Abort scenario Greg Kroah-Hartman
` (47 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neeraj Sanjay Kale,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
[ Upstream commit e4db90e4eb8d5487098712ffb1048f3fa6d25e98 ]
This fixes the tx timeout issue seen while running a stress test on
btnxpuart for couple of hours, such that the interval between two HCI
commands coincide with the power save timeout value of 2 seconds.
Test procedure using bash script:
<load btnxpuart.ko>
hciconfig hci0 up
//Enable Power Save feature
hcitool -i hci0 cmd 3f 23 02 00 00
while (true)
do
hciconfig hci0 leadv
sleep 2
hciconfig hci0 noleadv
sleep 2
done
Error log, after adding few more debug prints:
Bluetooth: btnxpuart_queue_skb(): 01 0A 20 01 00
Bluetooth: hci0: Set UART break: on, status=0
Bluetooth: hci0: btnxpuart_tx_wakeup() tx_work scheduled
Bluetooth: hci0: btnxpuart_tx_work() dequeue: 01 0A 20 01 00
Can't set advertise mode on hci0: Connection timed out (110)
Bluetooth: hci0: command 0x200a tx timeout
When the power save mechanism turns on UART break, and btnxpuart_tx_work()
is scheduled simultaneously, psdata->ps_state is read as PS_STATE_AWAKE,
which prevents the psdata->work from being scheduled, which is responsible
to turn OFF UART break.
This issue is fixed by adding a ps_lock mutex around UART break on/off as
well as around ps_state read/write.
btnxpuart_tx_wakeup() will now read updated ps_state value. If ps_state is
PS_STATE_SLEEP, it will first schedule psdata->work, and then it will
reschedule itself once UART break has been turned off and ps_state is
PS_STATE_AWAKE.
Tested above script for 50,000 iterations and TX timeout error was not
observed anymore.
Signed-off-by: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: 35237475384a ("Bluetooth: btnxpuart: Fix random crash seen while removing driver")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btnxpuart.c | 24 +++++++++++++++++++++---
1 file changed, 21 insertions(+), 3 deletions(-)
diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
index b5d40e0e05f31..2e18f89a931b8 100644
--- a/drivers/bluetooth/btnxpuart.c
+++ b/drivers/bluetooth/btnxpuart.c
@@ -126,6 +126,7 @@ struct ps_data {
struct hci_dev *hdev;
struct work_struct work;
struct timer_list ps_timer;
+ struct mutex ps_lock;
};
struct wakeup_cmd_payload {
@@ -333,6 +334,9 @@ static void ps_start_timer(struct btnxpuart_dev *nxpdev)
if (psdata->cur_psmode == PS_MODE_ENABLE)
mod_timer(&psdata->ps_timer, jiffies + msecs_to_jiffies(psdata->h2c_ps_interval));
+
+ if (psdata->ps_state == PS_STATE_AWAKE && psdata->ps_cmd == PS_CMD_ENTER_PS)
+ cancel_work_sync(&psdata->work);
}
static void ps_cancel_timer(struct btnxpuart_dev *nxpdev)
@@ -353,6 +357,7 @@ static void ps_control(struct hci_dev *hdev, u8 ps_state)
!test_bit(BTNXPUART_SERDEV_OPEN, &nxpdev->tx_state))
return;
+ mutex_lock(&psdata->ps_lock);
switch (psdata->cur_h2c_wakeupmode) {
case WAKEUP_METHOD_DTR:
if (ps_state == PS_STATE_AWAKE)
@@ -366,12 +371,15 @@ static void ps_control(struct hci_dev *hdev, u8 ps_state)
status = serdev_device_break_ctl(nxpdev->serdev, 0);
else
status = serdev_device_break_ctl(nxpdev->serdev, -1);
+ msleep(20); /* Allow chip to detect UART-break and enter sleep */
bt_dev_dbg(hdev, "Set UART break: %s, status=%d",
str_on_off(ps_state == PS_STATE_SLEEP), status);
break;
}
if (!status)
psdata->ps_state = ps_state;
+ mutex_unlock(&psdata->ps_lock);
+
if (ps_state == PS_STATE_AWAKE)
btnxpuart_tx_wakeup(nxpdev);
}
@@ -407,17 +415,25 @@ static void ps_setup(struct hci_dev *hdev)
psdata->hdev = hdev;
INIT_WORK(&psdata->work, ps_work_func);
+ mutex_init(&psdata->ps_lock);
timer_setup(&psdata->ps_timer, ps_timeout_func, 0);
}
-static void ps_wakeup(struct btnxpuart_dev *nxpdev)
+static bool ps_wakeup(struct btnxpuart_dev *nxpdev)
{
struct ps_data *psdata = &nxpdev->psdata;
+ u8 ps_state;
- if (psdata->ps_state != PS_STATE_AWAKE) {
+ mutex_lock(&psdata->ps_lock);
+ ps_state = psdata->ps_state;
+ mutex_unlock(&psdata->ps_lock);
+
+ if (ps_state != PS_STATE_AWAKE) {
psdata->ps_cmd = PS_CMD_EXIT_PS;
schedule_work(&psdata->work);
+ return true;
}
+ return false;
}
static int send_ps_cmd(struct hci_dev *hdev, void *data)
@@ -1215,7 +1231,6 @@ static struct sk_buff *nxp_dequeue(void *data)
{
struct btnxpuart_dev *nxpdev = (struct btnxpuart_dev *)data;
- ps_wakeup(nxpdev);
ps_start_timer(nxpdev);
return skb_dequeue(&nxpdev->txq);
}
@@ -1230,6 +1245,9 @@ static void btnxpuart_tx_work(struct work_struct *work)
struct sk_buff *skb;
int len;
+ if (ps_wakeup(nxpdev))
+ return;
+
while ((skb = nxp_dequeue(nxpdev))) {
len = serdev_device_write_buf(serdev, skb->data, skb->len);
hdev->stat.byte_tx += len;
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 52/93] Bluetooth: btnxpuart: Handle FW Download Abort scenario
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 51/93] Bluetooth: btnxpuart: Resolve TX timeout error in power save stress test Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 53/93] Bluetooth: btnxpuart: Fix random crash seen while removing driver Greg Kroah-Hartman
` (46 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neeraj Sanjay Kale,
Guillaume Legoupil, Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
[ Upstream commit e3c4891098c875a63ab0c3b31d584f6d4f1895fd ]
This adds a new flag BTNXPUART_FW_DOWNLOAD_ABORT which handles the
situation where driver is removed while firmware download is in
progress.
logs:
modprobe btnxpuart
[65239.230431] Bluetooth: hci0: ChipID: 7601, Version: 0
[65239.236670] Bluetooth: hci0: Request Firmware: nxp/uartspi_n61x_v1.bin.se
rmmod btnxpuart
[65241.425300] Bluetooth: hci0: FW Download Aborted
Signed-off-by: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
Tested-by: Guillaume Legoupil <guillaume.legoupil@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: 35237475384a ("Bluetooth: btnxpuart: Fix random crash seen while removing driver")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btnxpuart.c | 47 ++++++++++++++++++++++++-----------
1 file changed, 33 insertions(+), 14 deletions(-)
diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
index 2e18f89a931b8..f72086ee614fb 100644
--- a/drivers/bluetooth/btnxpuart.c
+++ b/drivers/bluetooth/btnxpuart.c
@@ -29,6 +29,7 @@
#define BTNXPUART_CHECK_BOOT_SIGNATURE 3
#define BTNXPUART_SERDEV_OPEN 4
#define BTNXPUART_IR_IN_PROGRESS 5
+#define BTNXPUART_FW_DOWNLOAD_ABORT 6
/* NXP HW err codes */
#define BTNXPUART_IR_HW_ERR 0xb0
@@ -159,6 +160,7 @@ struct btnxpuart_dev {
u8 fw_name[MAX_FW_FILE_NAME_LEN];
u32 fw_dnld_v1_offset;
u32 fw_v1_sent_bytes;
+ u32 fw_dnld_v3_offset;
u32 fw_v3_offset_correction;
u32 fw_v1_expected_len;
u32 boot_reg_offset;
@@ -566,6 +568,7 @@ static int nxp_download_firmware(struct hci_dev *hdev)
nxpdev->fw_v1_sent_bytes = 0;
nxpdev->fw_v1_expected_len = HDR_LEN;
nxpdev->boot_reg_offset = 0;
+ nxpdev->fw_dnld_v3_offset = 0;
nxpdev->fw_v3_offset_correction = 0;
nxpdev->baudrate_changed = false;
nxpdev->timeout_changed = false;
@@ -580,14 +583,23 @@ static int nxp_download_firmware(struct hci_dev *hdev)
!test_bit(BTNXPUART_FW_DOWNLOADING,
&nxpdev->tx_state),
msecs_to_jiffies(60000));
+
+ release_firmware(nxpdev->fw);
+ memset(nxpdev->fw_name, 0, sizeof(nxpdev->fw_name));
+
if (err == 0) {
- bt_dev_err(hdev, "FW Download Timeout.");
+ bt_dev_err(hdev, "FW Download Timeout. offset: %d",
+ nxpdev->fw_dnld_v1_offset ?
+ nxpdev->fw_dnld_v1_offset :
+ nxpdev->fw_dnld_v3_offset);
return -ETIMEDOUT;
}
+ if (test_bit(BTNXPUART_FW_DOWNLOAD_ABORT, &nxpdev->tx_state)) {
+ bt_dev_err(hdev, "FW Download Aborted");
+ return -EINTR;
+ }
serdev_device_set_flow_control(nxpdev->serdev, true);
- release_firmware(nxpdev->fw);
- memset(nxpdev->fw_name, 0, sizeof(nxpdev->fw_name));
/* Allow the downloaded FW to initialize */
msleep(1200);
@@ -998,8 +1010,9 @@ static int nxp_recv_fw_req_v3(struct hci_dev *hdev, struct sk_buff *skb)
goto free_skb;
}
- serdev_device_write_buf(nxpdev->serdev, nxpdev->fw->data + offset -
- nxpdev->fw_v3_offset_correction, len);
+ nxpdev->fw_dnld_v3_offset = offset - nxpdev->fw_v3_offset_correction;
+ serdev_device_write_buf(nxpdev->serdev, nxpdev->fw->data +
+ nxpdev->fw_dnld_v3_offset, len);
free_skb:
kfree_skb(skb);
@@ -1430,16 +1443,22 @@ static void nxp_serdev_remove(struct serdev_device *serdev)
struct btnxpuart_dev *nxpdev = serdev_device_get_drvdata(serdev);
struct hci_dev *hdev = nxpdev->hdev;
- /* Restore FW baudrate to fw_init_baudrate if changed.
- * This will ensure FW baudrate is in sync with
- * driver baudrate in case this driver is re-inserted.
- */
- if (nxpdev->current_baudrate != nxpdev->fw_init_baudrate) {
- nxpdev->new_baudrate = nxpdev->fw_init_baudrate;
- nxp_set_baudrate_cmd(hdev, NULL);
+ if (is_fw_downloading(nxpdev)) {
+ set_bit(BTNXPUART_FW_DOWNLOAD_ABORT, &nxpdev->tx_state);
+ clear_bit(BTNXPUART_FW_DOWNLOADING, &nxpdev->tx_state);
+ wake_up_interruptible(&nxpdev->check_boot_sign_wait_q);
+ wake_up_interruptible(&nxpdev->fw_dnld_done_wait_q);
+ } else {
+ /* Restore FW baudrate to fw_init_baudrate if changed.
+ * This will ensure FW baudrate is in sync with
+ * driver baudrate in case this driver is re-inserted.
+ */
+ if (nxpdev->current_baudrate != nxpdev->fw_init_baudrate) {
+ nxpdev->new_baudrate = nxpdev->fw_init_baudrate;
+ nxp_set_baudrate_cmd(hdev, NULL);
+ }
+ ps_cancel_timer(nxpdev);
}
-
- ps_cancel_timer(nxpdev);
hci_unregister_dev(hdev);
hci_free_dev(hdev);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 53/93] Bluetooth: btnxpuart: Fix random crash seen while removing driver
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 52/93] Bluetooth: btnxpuart: Handle FW Download Abort scenario Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 54/93] Bluetooth: hci_core: Fix not handling hibernation actions Greg Kroah-Hartman
` (45 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Neeraj Sanjay Kale, Paul Menzel,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
[ Upstream commit 35237475384ab3622f63c3c09bdf6af6dacfe9c3 ]
This fixes the random kernel crash seen while removing the driver, when
running the load/unload test over multiple iterations.
1) modprobe btnxpuart
2) hciconfig hci0 reset
3) hciconfig (check hci0 interface up with valid BD address)
4) modprobe -r btnxpuart
Repeat steps 1 to 4
The ps_wakeup() call in btnxpuart_close() schedules the psdata->work(),
which gets scheduled after module is removed, causing a kernel crash.
This hidden issue got highlighted after enabling Power Save by default
in 4183a7be7700 (Bluetooth: btnxpuart: Enable Power Save feature on
startup)
The new ps_cleanup() deasserts UART break immediately while closing
serdev device, cancels any scheduled ps_work and destroys the ps_lock
mutex.
[ 85.884604] Unable to handle kernel paging request at virtual address ffffd4a61638f258
[ 85.884624] Mem abort info:
[ 85.884625] ESR = 0x0000000086000007
[ 85.884628] EC = 0x21: IABT (current EL), IL = 32 bits
[ 85.884633] SET = 0, FnV = 0
[ 85.884636] EA = 0, S1PTW = 0
[ 85.884638] FSC = 0x07: level 3 translation fault
[ 85.884642] swapper pgtable: 4k pages, 48-bit VAs, pgdp=0000000041dd0000
[ 85.884646] [ffffd4a61638f258] pgd=1000000095fff003, p4d=1000000095fff003, pud=100000004823d003, pmd=100000004823e003, pte=0000000000000000
[ 85.884662] Internal error: Oops: 0000000086000007 [#1] PREEMPT SMP
[ 85.890932] Modules linked in: algif_hash algif_skcipher af_alg overlay fsl_jr_uio caam_jr caamkeyblob_desc caamhash_desc caamalg_desc crypto_engine authenc libdes crct10dif_ce polyval_ce polyval_generic snd_soc_imx_spdif snd_soc_imx_card snd_soc_ak5558 snd_soc_ak4458 caam secvio error snd_soc_fsl_spdif snd_soc_fsl_micfil snd_soc_fsl_sai snd_soc_fsl_utils gpio_ir_recv rc_core fuse [last unloaded: btnxpuart(O)]
[ 85.927297] CPU: 1 PID: 67 Comm: kworker/1:3 Tainted: G O 6.1.36+g937b1be4345a #1
[ 85.936176] Hardware name: FSL i.MX8MM EVK board (DT)
[ 85.936182] Workqueue: events 0xffffd4a61638f380
[ 85.936198] pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
[ 85.952817] pc : 0xffffd4a61638f258
[ 85.952823] lr : 0xffffd4a61638f258
[ 85.952827] sp : ffff8000084fbd70
[ 85.952829] x29: ffff8000084fbd70 x28: 0000000000000000 x27: 0000000000000000
[ 85.963112] x26: ffffd4a69133f000 x25: ffff4bf1c8540990 x24: ffff4bf215b87305
[ 85.963119] x23: ffff4bf215b87300 x22: ffff4bf1c85409d0 x21: ffff4bf1c8540970
[ 85.977382] x20: 0000000000000000 x19: ffff4bf1c8540880 x18: 0000000000000000
[ 85.977391] x17: 0000000000000000 x16: 0000000000000133 x15: 0000ffffe2217090
[ 85.977399] x14: 0000000000000001 x13: 0000000000000133 x12: 0000000000000139
[ 85.977407] x11: 0000000000000001 x10: 0000000000000a60 x9 : ffff8000084fbc50
[ 85.977417] x8 : ffff4bf215b7d000 x7 : ffff4bf215b83b40 x6 : 00000000000003e8
[ 85.977424] x5 : 00000000410fd030 x4 : 0000000000000000 x3 : 0000000000000000
[ 85.977432] x2 : 0000000000000000 x1 : ffff4bf1c4265880 x0 : 0000000000000000
[ 85.977443] Call trace:
[ 85.977446] 0xffffd4a61638f258
[ 85.977451] 0xffffd4a61638f3e8
[ 85.977455] process_one_work+0x1d4/0x330
[ 85.977464] worker_thread+0x6c/0x430
[ 85.977471] kthread+0x108/0x10c
[ 85.977476] ret_from_fork+0x10/0x20
[ 85.977488] Code: bad PC value
[ 85.977491] ---[ end trace 0000000000000000 ]---
Preset since v6.9.11
Fixes: 86d55f124b52 ("Bluetooth: btnxpuart: Deasset UART break before closing serdev device")
Signed-off-by: Neeraj Sanjay Kale <neeraj.sanjaykale@nxp.com>
Reviewed-by: Paul Menzel <pmenzel@molgen.mpg.de>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btnxpuart.c | 20 ++++++++++++++++++--
1 file changed, 18 insertions(+), 2 deletions(-)
diff --git a/drivers/bluetooth/btnxpuart.c b/drivers/bluetooth/btnxpuart.c
index f72086ee614fb..814dd966b1a45 100644
--- a/drivers/bluetooth/btnxpuart.c
+++ b/drivers/bluetooth/btnxpuart.c
@@ -438,6 +438,23 @@ static bool ps_wakeup(struct btnxpuart_dev *nxpdev)
return false;
}
+static void ps_cleanup(struct btnxpuart_dev *nxpdev)
+{
+ struct ps_data *psdata = &nxpdev->psdata;
+ u8 ps_state;
+
+ mutex_lock(&psdata->ps_lock);
+ ps_state = psdata->ps_state;
+ mutex_unlock(&psdata->ps_lock);
+
+ if (ps_state != PS_STATE_AWAKE)
+ ps_control(psdata->hdev, PS_STATE_AWAKE);
+
+ ps_cancel_timer(nxpdev);
+ cancel_work_sync(&psdata->work);
+ mutex_destroy(&psdata->ps_lock);
+}
+
static int send_ps_cmd(struct hci_dev *hdev, void *data)
{
struct btnxpuart_dev *nxpdev = hci_get_drvdata(hdev);
@@ -1307,7 +1324,6 @@ static int btnxpuart_close(struct hci_dev *hdev)
{
struct btnxpuart_dev *nxpdev = hci_get_drvdata(hdev);
- ps_wakeup(nxpdev);
serdev_device_close(nxpdev->serdev);
skb_queue_purge(&nxpdev->txq);
kfree_skb(nxpdev->rx_skb);
@@ -1457,8 +1473,8 @@ static void nxp_serdev_remove(struct serdev_device *serdev)
nxpdev->new_baudrate = nxpdev->fw_init_baudrate;
nxp_set_baudrate_cmd(hdev, NULL);
}
- ps_cancel_timer(nxpdev);
}
+ ps_cleanup(nxpdev);
hci_unregister_dev(hdev);
hci_free_dev(hdev);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 54/93] Bluetooth: hci_core: Fix not handling hibernation actions
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 53/93] Bluetooth: btnxpuart: Fix random crash seen while removing driver Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 55/93] iommu: Do not return 0 from map_pages if it doesnt do anything Greg Kroah-Hartman
` (44 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 18b3256db76bd1130965acd99fbd38f87c3e6950 ]
This fixes not handling hibernation actions on suspend notifier so they
are treated in the same way as regular suspend actions.
Fixes: 9952d90ea288 ("Bluetooth: Handle PM_SUSPEND_PREPARE and PM_POST_SUSPEND")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_core.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index e660b3d661dae..1b56355c40eaf 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2394,10 +2394,16 @@ static int hci_suspend_notifier(struct notifier_block *nb, unsigned long action,
/* To avoid a potential race with hci_unregister_dev. */
hci_dev_hold(hdev);
- if (action == PM_SUSPEND_PREPARE)
+ switch (action) {
+ case PM_HIBERNATION_PREPARE:
+ case PM_SUSPEND_PREPARE:
ret = hci_suspend_dev(hdev);
- else if (action == PM_POST_SUSPEND)
+ break;
+ case PM_POST_HIBERNATION:
+ case PM_POST_SUSPEND:
ret = hci_resume_dev(hdev);
+ break;
+ }
if (ret)
bt_dev_err(hdev, "Suspend notifier action (%lu) failed: %d",
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 55/93] iommu: Do not return 0 from map_pages if it doesnt do anything
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 54/93] Bluetooth: hci_core: Fix not handling hibernation actions Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 56/93] netfilter: nf_tables: restore IP sanity checks for netdev/egress Greg Kroah-Hartman
` (43 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Will Deacon,
Kevin Tian, Joerg Roedel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Gunthorpe <jgg@nvidia.com>
[ Upstream commit 6093cd582f8e027117a8d4ad5d129a1aacdc53d2 ]
These three implementations of map_pages() all succeed if a mapping is
requested with no read or write. Since they return back to __iommu_map()
leaving the mapped output as 0 it triggers an infinite loop. Therefore
nothing is using no-access protection bits.
Further, VFIO and iommufd rely on iommu_iova_to_phys() to get back PFNs
stored by map, if iommu_map() succeeds but iommu_iova_to_phys() fails that
will create serious bugs.
Thus remove this never used "nothing to do" concept and just fail map
immediately.
Fixes: e5fc9753b1a8 ("iommu/io-pgtable: Add ARMv7 short descriptor support")
Fixes: e1d3c0fd701d ("iommu: add ARM LPAE page table allocator")
Fixes: 745ef1092bcf ("iommu/io-pgtable: Move Apple DART support to its own file")
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
Acked-by: Will Deacon <will@kernel.org>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Link: https://lore.kernel.org/r/2-v1-1211e1294c27+4b1-iommu_no_prot_jgg@nvidia.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/io-pgtable-arm-v7s.c | 3 +--
drivers/iommu/io-pgtable-arm.c | 3 +--
drivers/iommu/io-pgtable-dart.c | 3 +--
3 files changed, 3 insertions(+), 6 deletions(-)
diff --git a/drivers/iommu/io-pgtable-arm-v7s.c b/drivers/iommu/io-pgtable-arm-v7s.c
index 75f244a3e12df..06ffc683b28fe 100644
--- a/drivers/iommu/io-pgtable-arm-v7s.c
+++ b/drivers/iommu/io-pgtable-arm-v7s.c
@@ -552,9 +552,8 @@ static int arm_v7s_map_pages(struct io_pgtable_ops *ops, unsigned long iova,
paddr >= (1ULL << data->iop.cfg.oas)))
return -ERANGE;
- /* If no access, then nothing to do */
if (!(prot & (IOMMU_READ | IOMMU_WRITE)))
- return 0;
+ return -EINVAL;
while (pgcount--) {
ret = __arm_v7s_map(data, iova, paddr, pgsize, prot, 1, data->pgd,
diff --git a/drivers/iommu/io-pgtable-arm.c b/drivers/iommu/io-pgtable-arm.c
index 72dcdd468cf30..934dc97f5df9e 100644
--- a/drivers/iommu/io-pgtable-arm.c
+++ b/drivers/iommu/io-pgtable-arm.c
@@ -480,9 +480,8 @@ static int arm_lpae_map_pages(struct io_pgtable_ops *ops, unsigned long iova,
if (WARN_ON(iaext || paddr >> cfg->oas))
return -ERANGE;
- /* If no access, then nothing to do */
if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
- return 0;
+ return -EINVAL;
prot = arm_lpae_prot_to_pte(data, iommu_prot);
ret = __arm_lpae_map(data, iova, paddr, pgsize, pgcount, prot, lvl,
diff --git a/drivers/iommu/io-pgtable-dart.c b/drivers/iommu/io-pgtable-dart.c
index 74b1ef2b96bee..10811e0b773d3 100644
--- a/drivers/iommu/io-pgtable-dart.c
+++ b/drivers/iommu/io-pgtable-dart.c
@@ -250,9 +250,8 @@ static int dart_map_pages(struct io_pgtable_ops *ops, unsigned long iova,
if (WARN_ON(paddr >> cfg->oas))
return -ERANGE;
- /* If no access, then nothing to do */
if (!(iommu_prot & (IOMMU_READ | IOMMU_WRITE)))
- return 0;
+ return -EINVAL;
tbl = dart_get_table(data, iova);
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 56/93] netfilter: nf_tables: restore IP sanity checks for netdev/egress
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 55/93] iommu: Do not return 0 from map_pages if it doesnt do anything Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 57/93] wifi: iwlwifi: fw: fix wgds rev 3 exact size Greg Kroah-Hartman
` (42 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jorge Ortiz, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 5fd0628918977a0afdc2e6bc562d8751b5d3b8c5 ]
Subtract network offset to skb->len before performing IPv4 header sanity
checks, then adjust transport offset from offset from mac header.
Jorge Ortiz says:
When small UDP packets (< 4 bytes payload) are sent from eth0,
`meta l4proto udp` condition is not met because `NFT_PKTINFO_L4PROTO` is
not set. This happens because there is a comparison that checks if the
transport header offset exceeds the total length. This comparison does
not take into account the fact that the skb network offset might be
non-zero in egress mode (e.g., 14 bytes for Ethernet header).
Fixes: 0ae8e4cca787 ("netfilter: nf_tables: set transport offset from mac header for netdev/egress")
Reported-by: Jorge Ortiz <jorge.ortiz.escribano@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_tables_ipv4.h | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/include/net/netfilter/nf_tables_ipv4.h b/include/net/netfilter/nf_tables_ipv4.h
index 60a7d0ce30804..fcf967286e37c 100644
--- a/include/net/netfilter/nf_tables_ipv4.h
+++ b/include/net/netfilter/nf_tables_ipv4.h
@@ -19,7 +19,7 @@ static inline void nft_set_pktinfo_ipv4(struct nft_pktinfo *pkt)
static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
{
struct iphdr *iph, _iph;
- u32 len, thoff;
+ u32 len, thoff, skb_len;
iph = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb),
sizeof(*iph), &_iph);
@@ -30,8 +30,10 @@ static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
return -1;
len = iph_totlen(pkt->skb, iph);
- thoff = skb_network_offset(pkt->skb) + (iph->ihl * 4);
- if (pkt->skb->len < len)
+ thoff = iph->ihl * 4;
+ skb_len = pkt->skb->len - skb_network_offset(pkt->skb);
+
+ if (skb_len < len)
return -1;
else if (len < thoff)
return -1;
@@ -40,7 +42,7 @@ static inline int __nft_set_pktinfo_ipv4_validate(struct nft_pktinfo *pkt)
pkt->flags = NFT_PKTINFO_L4PROTO;
pkt->tprot = iph->protocol;
- pkt->thoff = thoff;
+ pkt->thoff = skb_network_offset(pkt->skb) + thoff;
pkt->fragoff = ntohs(iph->frag_off) & IP_OFFSET;
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 57/93] wifi: iwlwifi: fw: fix wgds rev 3 exact size
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 56/93] netfilter: nf_tables: restore IP sanity checks for netdev/egress Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 58/93] ethtool: check device is present when getting link settings Greg Kroah-Hartman
` (41 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anjaneyulu, Miri Korenblit,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
[ Upstream commit 3ee22f07a35b76939c5b8d17d6af292f5fafb509 ]
Check size of WGDS revision 3 is equal to 8 entries size with some header,
but doesn't depend on the number of used entries. Check that used entries
are between min and max but allow more to be present than are used to fix
operation with some BIOSes that have such data.
Fixes: 97f8a3d1610b ("iwlwifi: ACPI: support revision 3 WGDS tables")
Signed-off-by: Anjaneyulu <pagadala.yesu.anjaneyulu@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20240825191257.cc71dfc67ec3.Ic27ee15ac6128b275c210b6de88f2145bd83ca7b@changeid
[edit commit message]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/fw/acpi.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
index 2cda1dcfd059a..9943e2d21a8f5 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
+++ b/drivers/net/wireless/intel/iwlwifi/fw/acpi.c
@@ -867,22 +867,25 @@ int iwl_sar_get_wgds_table(struct iwl_fw_runtime *fwrt)
entry = &wifi_pkg->package.elements[entry_idx];
entry_idx++;
if (entry->type != ACPI_TYPE_INTEGER ||
- entry->integer.value > num_profiles) {
+ entry->integer.value > num_profiles ||
+ entry->integer.value <
+ rev_data[idx].min_profiles) {
ret = -EINVAL;
goto out_free;
}
- num_profiles = entry->integer.value;
/*
- * this also validates >= min_profiles since we
- * otherwise wouldn't have gotten the data when
- * looking up in ACPI
+ * Check to see if we received package count
+ * same as max # of profiles
*/
if (wifi_pkg->package.count !=
hdr_size + profile_size * num_profiles) {
ret = -EINVAL;
goto out_free;
}
+
+ /* Number of valid profiles */
+ num_profiles = entry->integer.value;
}
goto read_table;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 58/93] ethtool: check device is present when getting link settings
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 57/93] wifi: iwlwifi: fw: fix wgds rev 3 exact size Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 59/93] netfilter: nf_tables_ipv6: consider network offset in netdev/egress validation Greg Kroah-Hartman
` (40 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jamie Bainbridge, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jamie Bainbridge <jamie.bainbridge@gmail.com>
[ Upstream commit a699781c79ecf6cfe67fb00a0331b4088c7c8466 ]
A sysfs reader can race with a device reset or removal, attempting to
read device state when the device is not actually present. eg:
[exception RIP: qed_get_current_link+17]
#8 [ffffb9e4f2907c48] qede_get_link_ksettings at ffffffffc07a994a [qede]
#9 [ffffb9e4f2907cd8] __rh_call_get_link_ksettings at ffffffff992b01a3
#10 [ffffb9e4f2907d38] __ethtool_get_link_ksettings at ffffffff992b04e4
#11 [ffffb9e4f2907d90] duplex_show at ffffffff99260300
#12 [ffffb9e4f2907e38] dev_attr_show at ffffffff9905a01c
#13 [ffffb9e4f2907e50] sysfs_kf_seq_show at ffffffff98e0145b
#14 [ffffb9e4f2907e68] seq_read at ffffffff98d902e3
#15 [ffffb9e4f2907ec8] vfs_read at ffffffff98d657d1
#16 [ffffb9e4f2907f00] ksys_read at ffffffff98d65c3f
#17 [ffffb9e4f2907f38] do_syscall_64 at ffffffff98a052fb
crash> struct net_device.state ffff9a9d21336000
state = 5,
state 5 is __LINK_STATE_START (0b1) and __LINK_STATE_NOCARRIER (0b100).
The device is not present, note lack of __LINK_STATE_PRESENT (0b10).
This is the same sort of panic as observed in commit 4224cfd7fb65
("net-sysfs: add check for netdevice being present to speed_show").
There are many other callers of __ethtool_get_link_ksettings() which
don't have a device presence check.
Move this check into ethtool to protect all callers.
Fixes: d519e17e2d01 ("net: export device speed and duplex via sysfs")
Fixes: 4224cfd7fb65 ("net-sysfs: add check for netdevice being present to speed_show")
Signed-off-by: Jamie Bainbridge <jamie.bainbridge@gmail.com>
Link: https://patch.msgid.link/8bae218864beaa44ed01628140475b9bf641c5b0.1724393671.git.jamie.bainbridge@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/net-sysfs.c | 2 +-
net/ethtool/ioctl.c | 3 +++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/net/core/net-sysfs.c b/net/core/net-sysfs.c
index 5a9487af44e00..f7404bc679746 100644
--- a/net/core/net-sysfs.c
+++ b/net/core/net-sysfs.c
@@ -216,7 +216,7 @@ static ssize_t speed_show(struct device *dev,
if (!rtnl_trylock())
return restart_syscall();
- if (netif_running(netdev) && netif_device_present(netdev)) {
+ if (netif_running(netdev)) {
struct ethtool_link_ksettings cmd;
if (!__ethtool_get_link_ksettings(netdev, &cmd))
diff --git a/net/ethtool/ioctl.c b/net/ethtool/ioctl.c
index 7cb23bcf8ef7a..4486cbe2faf0c 100644
--- a/net/ethtool/ioctl.c
+++ b/net/ethtool/ioctl.c
@@ -438,6 +438,9 @@ int __ethtool_get_link_ksettings(struct net_device *dev,
if (!dev->ethtool_ops->get_link_ksettings)
return -EOPNOTSUPP;
+ if (!netif_device_present(dev))
+ return -ENODEV;
+
memset(link_ksettings, 0, sizeof(*link_ksettings));
return dev->ethtool_ops->get_link_ksettings(dev, link_ksettings);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 59/93] netfilter: nf_tables_ipv6: consider network offset in netdev/egress validation
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 58/93] ethtool: check device is present when getting link settings Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 60/93] selftests: forwarding: no_forwarding: Down ports on cleanup Greg Kroah-Hartman
` (39 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 70c261d500951cf3ea0fcf32651aab9a65a91471 ]
>From netdev/egress, skb->len can include the ethernet header, therefore,
subtract network offset from skb->len when validating IPv6 packet length.
Fixes: 42df6e1d221d ("netfilter: Introduce egress hook")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/netfilter/nf_tables_ipv6.h | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/include/net/netfilter/nf_tables_ipv6.h b/include/net/netfilter/nf_tables_ipv6.h
index 467d59b9e5334..a0633eeaec977 100644
--- a/include/net/netfilter/nf_tables_ipv6.h
+++ b/include/net/netfilter/nf_tables_ipv6.h
@@ -31,8 +31,8 @@ static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt)
struct ipv6hdr *ip6h, _ip6h;
unsigned int thoff = 0;
unsigned short frag_off;
+ u32 pkt_len, skb_len;
int protohdr;
- u32 pkt_len;
ip6h = skb_header_pointer(pkt->skb, skb_network_offset(pkt->skb),
sizeof(*ip6h), &_ip6h);
@@ -43,7 +43,8 @@ static inline int __nft_set_pktinfo_ipv6_validate(struct nft_pktinfo *pkt)
return -1;
pkt_len = ntohs(ip6h->payload_len);
- if (pkt_len + sizeof(*ip6h) > pkt->skb->len)
+ skb_len = pkt->skb->len - skb_network_offset(pkt->skb);
+ if (pkt_len + sizeof(*ip6h) > skb_len)
return -1;
protohdr = ipv6_find_hdr(pkt->skb, &thoff, -1, &frag_off, &flags);
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 60/93] selftests: forwarding: no_forwarding: Down ports on cleanup
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 59/93] netfilter: nf_tables_ipv6: consider network offset in netdev/egress validation Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 61/93] selftests: forwarding: local_termination: " Greg Kroah-Hartman
` (38 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Machata, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Machata <petrm@nvidia.com>
[ Upstream commit e8497d6951ee8541d73784f9aac9942a7f239980 ]
This test neglects to put ports down on cleanup. Fix it.
Fixes: 476a4f05d9b8 ("selftests: forwarding: add a no_forwarding.sh test")
Signed-off-by: Petr Machata <petrm@nvidia.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/0baf91dc24b95ae0cadfdf5db05b74888e6a228a.1724430120.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/forwarding/no_forwarding.sh | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/testing/selftests/net/forwarding/no_forwarding.sh b/tools/testing/selftests/net/forwarding/no_forwarding.sh
index af3b398d13f01..9e677aa64a06a 100755
--- a/tools/testing/selftests/net/forwarding/no_forwarding.sh
+++ b/tools/testing/selftests/net/forwarding/no_forwarding.sh
@@ -233,6 +233,9 @@ cleanup()
{
pre_cleanup
+ ip link set dev $swp2 down
+ ip link set dev $swp1 down
+
h2_destroy
h1_destroy
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 61/93] selftests: forwarding: local_termination: Down ports on cleanup
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 60/93] selftests: forwarding: no_forwarding: Down ports on cleanup Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 62/93] bonding: implement xdo_dev_state_free and call it after deletion Greg Kroah-Hartman
` (37 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Petr Machata, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Petr Machata <petrm@nvidia.com>
[ Upstream commit 65a3cce43d5b4c53cf16b0be1a03991f665a0806 ]
This test neglects to put ports down on cleanup. Fix it.
Fixes: 90b9566aa5cd ("selftests: forwarding: add a test for local_termination.sh")
Signed-off-by: Petr Machata <petrm@nvidia.com>
Link: https://patch.msgid.link/bf9b79f45de378f88344d44550f0a5052b386199.1724692132.git.petrm@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/net/forwarding/local_termination.sh | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/tools/testing/selftests/net/forwarding/local_termination.sh b/tools/testing/selftests/net/forwarding/local_termination.sh
index c5b0cbc85b3e0..9b5a63519b949 100755
--- a/tools/testing/selftests/net/forwarding/local_termination.sh
+++ b/tools/testing/selftests/net/forwarding/local_termination.sh
@@ -278,6 +278,10 @@ bridge()
cleanup()
{
pre_cleanup
+
+ ip link set $h2 down
+ ip link set $h1 down
+
vrf_cleanup
}
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 62/93] bonding: implement xdo_dev_state_free and call it after deletion
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 61/93] selftests: forwarding: local_termination: " Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 63/93] bonding: extract the use of real_device into local variable Greg Kroah-Hartman
` (36 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Tariq Toukan,
Hangbin Liu, Jay Vosburgh, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
[ Upstream commit ec13009472f4a756288eb4e18e20a7845da98d10 ]
Add this implementation for bonding, so hardware resources can be
freed from the active slave after xfrm state is deleted. The netdev
used to invoke xdo_dev_state_free callback, is saved in the xfrm state
(xs->xso.real_dev), which is also the bond's active slave. To prevent
it from being freed, acquire netdev reference before leaving RCU
read-side critical section, and release it after callback is done.
And call it when deleting all SAs from old active real interface while
switching current active slave.
Fixes: 9a5605505d9c ("bonding: Add struct bond_ipesc to manage SA")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Link: https://patch.msgid.link/20240823031056.110999-2-jianbol@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 36 +++++++++++++++++++++++++++++++++
1 file changed, 36 insertions(+)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 566b02ca78261..c166c4b8cee78 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -581,12 +581,47 @@ static void bond_ipsec_del_sa_all(struct bonding *bond)
__func__);
} else {
slave->dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs);
+ if (slave->dev->xfrmdev_ops->xdo_dev_state_free)
+ slave->dev->xfrmdev_ops->xdo_dev_state_free(ipsec->xs);
}
}
spin_unlock_bh(&bond->ipsec_lock);
rcu_read_unlock();
}
+static void bond_ipsec_free_sa(struct xfrm_state *xs)
+{
+ struct net_device *bond_dev = xs->xso.dev;
+ struct net_device *real_dev;
+ netdevice_tracker tracker;
+ struct bonding *bond;
+ struct slave *slave;
+
+ if (!bond_dev)
+ return;
+
+ rcu_read_lock();
+ bond = netdev_priv(bond_dev);
+ slave = rcu_dereference(bond->curr_active_slave);
+ real_dev = slave ? slave->dev : NULL;
+ netdev_hold(real_dev, &tracker, GFP_ATOMIC);
+ rcu_read_unlock();
+
+ if (!slave)
+ goto out;
+
+ if (!xs->xso.real_dev)
+ goto out;
+
+ WARN_ON(xs->xso.real_dev != real_dev);
+
+ if (real_dev && real_dev->xfrmdev_ops &&
+ real_dev->xfrmdev_ops->xdo_dev_state_free)
+ real_dev->xfrmdev_ops->xdo_dev_state_free(xs);
+out:
+ netdev_put(real_dev, &tracker);
+}
+
/**
* bond_ipsec_offload_ok - can this packet use the xfrm hw offload
* @skb: current data packet
@@ -627,6 +662,7 @@ static bool bond_ipsec_offload_ok(struct sk_buff *skb, struct xfrm_state *xs)
static const struct xfrmdev_ops bond_xfrmdev_ops = {
.xdo_dev_state_add = bond_ipsec_add_sa,
.xdo_dev_state_delete = bond_ipsec_del_sa,
+ .xdo_dev_state_free = bond_ipsec_free_sa,
.xdo_dev_offload_ok = bond_ipsec_offload_ok,
};
#endif /* CONFIG_XFRM_OFFLOAD */
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 63/93] bonding: extract the use of real_device into local variable
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 62/93] bonding: implement xdo_dev_state_free and call it after deletion Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 64/93] bonding: change ipsec_lock from spin lock to mutex Greg Kroah-Hartman
` (35 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Cosmin Ratiu,
Tariq Toukan, Hangbin Liu, Jay Vosburgh, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
[ Upstream commit 907ed83a7583e8ffede88c5ac088392701a7d458 ]
Add a local variable for slave->dev, to prepare for the lock change in
the next patch. There is no functionality change.
Fixes: 9a5605505d9c ("bonding: Add struct bond_ipesc to manage SA")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Cosmin Ratiu <cratiu@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Link: https://patch.msgid.link/20240823031056.110999-3-jianbol@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 58 +++++++++++++++++++--------------
1 file changed, 33 insertions(+), 25 deletions(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index c166c4b8cee78..6f61bb2f4b901 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -427,6 +427,7 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs,
struct netlink_ext_ack *extack)
{
struct net_device *bond_dev = xs->xso.dev;
+ struct net_device *real_dev;
struct bond_ipsec *ipsec;
struct bonding *bond;
struct slave *slave;
@@ -443,9 +444,10 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs,
return -ENODEV;
}
- if (!slave->dev->xfrmdev_ops ||
- !slave->dev->xfrmdev_ops->xdo_dev_state_add ||
- netif_is_bond_master(slave->dev)) {
+ real_dev = slave->dev;
+ if (!real_dev->xfrmdev_ops ||
+ !real_dev->xfrmdev_ops->xdo_dev_state_add ||
+ netif_is_bond_master(real_dev)) {
NL_SET_ERR_MSG_MOD(extack, "Slave does not support ipsec offload");
rcu_read_unlock();
return -EINVAL;
@@ -456,9 +458,9 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs,
rcu_read_unlock();
return -ENOMEM;
}
- xs->xso.real_dev = slave->dev;
- err = slave->dev->xfrmdev_ops->xdo_dev_state_add(xs, extack);
+ xs->xso.real_dev = real_dev;
+ err = real_dev->xfrmdev_ops->xdo_dev_state_add(xs, extack);
if (!err) {
ipsec->xs = xs;
INIT_LIST_HEAD(&ipsec->list);
@@ -475,6 +477,7 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs,
static void bond_ipsec_add_sa_all(struct bonding *bond)
{
struct net_device *bond_dev = bond->dev;
+ struct net_device *real_dev;
struct bond_ipsec *ipsec;
struct slave *slave;
@@ -483,12 +486,13 @@ static void bond_ipsec_add_sa_all(struct bonding *bond)
if (!slave)
goto out;
- if (!slave->dev->xfrmdev_ops ||
- !slave->dev->xfrmdev_ops->xdo_dev_state_add ||
- netif_is_bond_master(slave->dev)) {
+ real_dev = slave->dev;
+ if (!real_dev->xfrmdev_ops ||
+ !real_dev->xfrmdev_ops->xdo_dev_state_add ||
+ netif_is_bond_master(real_dev)) {
spin_lock_bh(&bond->ipsec_lock);
if (!list_empty(&bond->ipsec_list))
- slave_warn(bond_dev, slave->dev,
+ slave_warn(bond_dev, real_dev,
"%s: no slave xdo_dev_state_add\n",
__func__);
spin_unlock_bh(&bond->ipsec_lock);
@@ -497,9 +501,9 @@ static void bond_ipsec_add_sa_all(struct bonding *bond)
spin_lock_bh(&bond->ipsec_lock);
list_for_each_entry(ipsec, &bond->ipsec_list, list) {
- ipsec->xs->xso.real_dev = slave->dev;
- if (slave->dev->xfrmdev_ops->xdo_dev_state_add(ipsec->xs, NULL)) {
- slave_warn(bond_dev, slave->dev, "%s: failed to add SA\n", __func__);
+ ipsec->xs->xso.real_dev = real_dev;
+ if (real_dev->xfrmdev_ops->xdo_dev_state_add(ipsec->xs, NULL)) {
+ slave_warn(bond_dev, real_dev, "%s: failed to add SA\n", __func__);
ipsec->xs->xso.real_dev = NULL;
}
}
@@ -515,6 +519,7 @@ static void bond_ipsec_add_sa_all(struct bonding *bond)
static void bond_ipsec_del_sa(struct xfrm_state *xs)
{
struct net_device *bond_dev = xs->xso.dev;
+ struct net_device *real_dev;
struct bond_ipsec *ipsec;
struct bonding *bond;
struct slave *slave;
@@ -532,16 +537,17 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
if (!xs->xso.real_dev)
goto out;
- WARN_ON(xs->xso.real_dev != slave->dev);
+ real_dev = slave->dev;
+ WARN_ON(xs->xso.real_dev != real_dev);
- if (!slave->dev->xfrmdev_ops ||
- !slave->dev->xfrmdev_ops->xdo_dev_state_delete ||
- netif_is_bond_master(slave->dev)) {
- slave_warn(bond_dev, slave->dev, "%s: no slave xdo_dev_state_delete\n", __func__);
+ if (!real_dev->xfrmdev_ops ||
+ !real_dev->xfrmdev_ops->xdo_dev_state_delete ||
+ netif_is_bond_master(real_dev)) {
+ slave_warn(bond_dev, real_dev, "%s: no slave xdo_dev_state_delete\n", __func__);
goto out;
}
- slave->dev->xfrmdev_ops->xdo_dev_state_delete(xs);
+ real_dev->xfrmdev_ops->xdo_dev_state_delete(xs);
out:
spin_lock_bh(&bond->ipsec_lock);
list_for_each_entry(ipsec, &bond->ipsec_list, list) {
@@ -558,6 +564,7 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
static void bond_ipsec_del_sa_all(struct bonding *bond)
{
struct net_device *bond_dev = bond->dev;
+ struct net_device *real_dev;
struct bond_ipsec *ipsec;
struct slave *slave;
@@ -568,21 +575,22 @@ static void bond_ipsec_del_sa_all(struct bonding *bond)
return;
}
+ real_dev = slave->dev;
spin_lock_bh(&bond->ipsec_lock);
list_for_each_entry(ipsec, &bond->ipsec_list, list) {
if (!ipsec->xs->xso.real_dev)
continue;
- if (!slave->dev->xfrmdev_ops ||
- !slave->dev->xfrmdev_ops->xdo_dev_state_delete ||
- netif_is_bond_master(slave->dev)) {
- slave_warn(bond_dev, slave->dev,
+ if (!real_dev->xfrmdev_ops ||
+ !real_dev->xfrmdev_ops->xdo_dev_state_delete ||
+ netif_is_bond_master(real_dev)) {
+ slave_warn(bond_dev, real_dev,
"%s: no slave xdo_dev_state_delete\n",
__func__);
} else {
- slave->dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs);
- if (slave->dev->xfrmdev_ops->xdo_dev_state_free)
- slave->dev->xfrmdev_ops->xdo_dev_state_free(ipsec->xs);
+ real_dev->xfrmdev_ops->xdo_dev_state_delete(ipsec->xs);
+ if (real_dev->xfrmdev_ops->xdo_dev_state_free)
+ real_dev->xfrmdev_ops->xdo_dev_state_free(ipsec->xs);
}
}
spin_unlock_bh(&bond->ipsec_lock);
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 64/93] bonding: change ipsec_lock from spin lock to mutex
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 63/93] bonding: extract the use of real_device into local variable Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 65/93] gtp: fix a potential NULL pointer dereference Greg Kroah-Hartman
` (34 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Tariq Toukan,
Hangbin Liu, Jay Vosburgh, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
[ Upstream commit 2aeeef906d5a526dc60cf4af92eda69836c39b1f ]
In the cited commit, bond->ipsec_lock is added to protect ipsec_list,
hence xdo_dev_state_add and xdo_dev_state_delete are called inside
this lock. As ipsec_lock is a spin lock and such xfrmdev ops may sleep,
"scheduling while atomic" will be triggered when changing bond's
active slave.
[ 101.055189] BUG: scheduling while atomic: bash/902/0x00000200
[ 101.055726] Modules linked in:
[ 101.058211] CPU: 3 PID: 902 Comm: bash Not tainted 6.9.0-rc4+ #1
[ 101.058760] Hardware name:
[ 101.059434] Call Trace:
[ 101.059436] <TASK>
[ 101.060873] dump_stack_lvl+0x51/0x60
[ 101.061275] __schedule_bug+0x4e/0x60
[ 101.061682] __schedule+0x612/0x7c0
[ 101.062078] ? __mod_timer+0x25c/0x370
[ 101.062486] schedule+0x25/0xd0
[ 101.062845] schedule_timeout+0x77/0xf0
[ 101.063265] ? asm_common_interrupt+0x22/0x40
[ 101.063724] ? __bpf_trace_itimer_state+0x10/0x10
[ 101.064215] __wait_for_common+0x87/0x190
[ 101.064648] ? usleep_range_state+0x90/0x90
[ 101.065091] cmd_exec+0x437/0xb20 [mlx5_core]
[ 101.065569] mlx5_cmd_do+0x1e/0x40 [mlx5_core]
[ 101.066051] mlx5_cmd_exec+0x18/0x30 [mlx5_core]
[ 101.066552] mlx5_crypto_create_dek_key+0xea/0x120 [mlx5_core]
[ 101.067163] ? bonding_sysfs_store_option+0x4d/0x80 [bonding]
[ 101.067738] ? kmalloc_trace+0x4d/0x350
[ 101.068156] mlx5_ipsec_create_sa_ctx+0x33/0x100 [mlx5_core]
[ 101.068747] mlx5e_xfrm_add_state+0x47b/0xaa0 [mlx5_core]
[ 101.069312] bond_change_active_slave+0x392/0x900 [bonding]
[ 101.069868] bond_option_active_slave_set+0x1c2/0x240 [bonding]
[ 101.070454] __bond_opt_set+0xa6/0x430 [bonding]
[ 101.070935] __bond_opt_set_notify+0x2f/0x90 [bonding]
[ 101.071453] bond_opt_tryset_rtnl+0x72/0xb0 [bonding]
[ 101.071965] bonding_sysfs_store_option+0x4d/0x80 [bonding]
[ 101.072567] kernfs_fop_write_iter+0x10c/0x1a0
[ 101.073033] vfs_write+0x2d8/0x400
[ 101.073416] ? alloc_fd+0x48/0x180
[ 101.073798] ksys_write+0x5f/0xe0
[ 101.074175] do_syscall_64+0x52/0x110
[ 101.074576] entry_SYSCALL_64_after_hwframe+0x4b/0x53
As bond_ipsec_add_sa_all and bond_ipsec_del_sa_all are only called
from bond_change_active_slave, which requires holding the RTNL lock.
And bond_ipsec_add_sa and bond_ipsec_del_sa are xfrm state
xdo_dev_state_add and xdo_dev_state_delete APIs, which are in user
context. So ipsec_lock doesn't have to be spin lock, change it to
mutex, and thus the above issue can be resolved.
Fixes: 9a5605505d9c ("bonding: Add struct bond_ipesc to manage SA")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: Jay Vosburgh <jv@jvosburgh.net>
Link: https://patch.msgid.link/20240823031056.110999-4-jianbol@nvidia.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/bonding/bond_main.c | 79 ++++++++++++++++++---------------
include/net/bonding.h | 2 +-
2 files changed, 44 insertions(+), 37 deletions(-)
diff --git a/drivers/net/bonding/bond_main.c b/drivers/net/bonding/bond_main.c
index 6f61bb2f4b901..53a7b53618d94 100644
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -428,6 +428,7 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs,
{
struct net_device *bond_dev = xs->xso.dev;
struct net_device *real_dev;
+ netdevice_tracker tracker;
struct bond_ipsec *ipsec;
struct bonding *bond;
struct slave *slave;
@@ -439,24 +440,26 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs,
rcu_read_lock();
bond = netdev_priv(bond_dev);
slave = rcu_dereference(bond->curr_active_slave);
- if (!slave) {
- rcu_read_unlock();
- return -ENODEV;
+ real_dev = slave ? slave->dev : NULL;
+ netdev_hold(real_dev, &tracker, GFP_ATOMIC);
+ rcu_read_unlock();
+ if (!real_dev) {
+ err = -ENODEV;
+ goto out;
}
- real_dev = slave->dev;
if (!real_dev->xfrmdev_ops ||
!real_dev->xfrmdev_ops->xdo_dev_state_add ||
netif_is_bond_master(real_dev)) {
NL_SET_ERR_MSG_MOD(extack, "Slave does not support ipsec offload");
- rcu_read_unlock();
- return -EINVAL;
+ err = -EINVAL;
+ goto out;
}
- ipsec = kmalloc(sizeof(*ipsec), GFP_ATOMIC);
+ ipsec = kmalloc(sizeof(*ipsec), GFP_KERNEL);
if (!ipsec) {
- rcu_read_unlock();
- return -ENOMEM;
+ err = -ENOMEM;
+ goto out;
}
xs->xso.real_dev = real_dev;
@@ -464,13 +467,14 @@ static int bond_ipsec_add_sa(struct xfrm_state *xs,
if (!err) {
ipsec->xs = xs;
INIT_LIST_HEAD(&ipsec->list);
- spin_lock_bh(&bond->ipsec_lock);
+ mutex_lock(&bond->ipsec_lock);
list_add(&ipsec->list, &bond->ipsec_list);
- spin_unlock_bh(&bond->ipsec_lock);
+ mutex_unlock(&bond->ipsec_lock);
} else {
kfree(ipsec);
}
- rcu_read_unlock();
+out:
+ netdev_put(real_dev, &tracker);
return err;
}
@@ -481,35 +485,35 @@ static void bond_ipsec_add_sa_all(struct bonding *bond)
struct bond_ipsec *ipsec;
struct slave *slave;
- rcu_read_lock();
- slave = rcu_dereference(bond->curr_active_slave);
- if (!slave)
- goto out;
+ slave = rtnl_dereference(bond->curr_active_slave);
+ real_dev = slave ? slave->dev : NULL;
+ if (!real_dev)
+ return;
- real_dev = slave->dev;
+ mutex_lock(&bond->ipsec_lock);
if (!real_dev->xfrmdev_ops ||
!real_dev->xfrmdev_ops->xdo_dev_state_add ||
netif_is_bond_master(real_dev)) {
- spin_lock_bh(&bond->ipsec_lock);
if (!list_empty(&bond->ipsec_list))
slave_warn(bond_dev, real_dev,
"%s: no slave xdo_dev_state_add\n",
__func__);
- spin_unlock_bh(&bond->ipsec_lock);
goto out;
}
- spin_lock_bh(&bond->ipsec_lock);
list_for_each_entry(ipsec, &bond->ipsec_list, list) {
+ /* If new state is added before ipsec_lock acquired */
+ if (ipsec->xs->xso.real_dev == real_dev)
+ continue;
+
ipsec->xs->xso.real_dev = real_dev;
if (real_dev->xfrmdev_ops->xdo_dev_state_add(ipsec->xs, NULL)) {
slave_warn(bond_dev, real_dev, "%s: failed to add SA\n", __func__);
ipsec->xs->xso.real_dev = NULL;
}
}
- spin_unlock_bh(&bond->ipsec_lock);
out:
- rcu_read_unlock();
+ mutex_unlock(&bond->ipsec_lock);
}
/**
@@ -520,6 +524,7 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
{
struct net_device *bond_dev = xs->xso.dev;
struct net_device *real_dev;
+ netdevice_tracker tracker;
struct bond_ipsec *ipsec;
struct bonding *bond;
struct slave *slave;
@@ -530,6 +535,9 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
rcu_read_lock();
bond = netdev_priv(bond_dev);
slave = rcu_dereference(bond->curr_active_slave);
+ real_dev = slave ? slave->dev : NULL;
+ netdev_hold(real_dev, &tracker, GFP_ATOMIC);
+ rcu_read_unlock();
if (!slave)
goto out;
@@ -537,7 +545,6 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
if (!xs->xso.real_dev)
goto out;
- real_dev = slave->dev;
WARN_ON(xs->xso.real_dev != real_dev);
if (!real_dev->xfrmdev_ops ||
@@ -549,7 +556,8 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
real_dev->xfrmdev_ops->xdo_dev_state_delete(xs);
out:
- spin_lock_bh(&bond->ipsec_lock);
+ netdev_put(real_dev, &tracker);
+ mutex_lock(&bond->ipsec_lock);
list_for_each_entry(ipsec, &bond->ipsec_list, list) {
if (ipsec->xs == xs) {
list_del(&ipsec->list);
@@ -557,8 +565,7 @@ static void bond_ipsec_del_sa(struct xfrm_state *xs)
break;
}
}
- spin_unlock_bh(&bond->ipsec_lock);
- rcu_read_unlock();
+ mutex_unlock(&bond->ipsec_lock);
}
static void bond_ipsec_del_sa_all(struct bonding *bond)
@@ -568,15 +575,12 @@ static void bond_ipsec_del_sa_all(struct bonding *bond)
struct bond_ipsec *ipsec;
struct slave *slave;
- rcu_read_lock();
- slave = rcu_dereference(bond->curr_active_slave);
- if (!slave) {
- rcu_read_unlock();
+ slave = rtnl_dereference(bond->curr_active_slave);
+ real_dev = slave ? slave->dev : NULL;
+ if (!real_dev)
return;
- }
- real_dev = slave->dev;
- spin_lock_bh(&bond->ipsec_lock);
+ mutex_lock(&bond->ipsec_lock);
list_for_each_entry(ipsec, &bond->ipsec_list, list) {
if (!ipsec->xs->xso.real_dev)
continue;
@@ -593,8 +597,7 @@ static void bond_ipsec_del_sa_all(struct bonding *bond)
real_dev->xfrmdev_ops->xdo_dev_state_free(ipsec->xs);
}
}
- spin_unlock_bh(&bond->ipsec_lock);
- rcu_read_unlock();
+ mutex_unlock(&bond->ipsec_lock);
}
static void bond_ipsec_free_sa(struct xfrm_state *xs)
@@ -5941,7 +5944,7 @@ void bond_setup(struct net_device *bond_dev)
/* set up xfrm device ops (only supported in active-backup right now) */
bond_dev->xfrmdev_ops = &bond_xfrmdev_ops;
INIT_LIST_HEAD(&bond->ipsec_list);
- spin_lock_init(&bond->ipsec_lock);
+ mutex_init(&bond->ipsec_lock);
#endif /* CONFIG_XFRM_OFFLOAD */
/* don't acquire bond device's netif_tx_lock when transmitting */
@@ -5990,6 +5993,10 @@ static void bond_uninit(struct net_device *bond_dev)
__bond_release_one(bond_dev, slave->dev, true, true);
netdev_info(bond_dev, "Released all slaves\n");
+#ifdef CONFIG_XFRM_OFFLOAD
+ mutex_destroy(&bond->ipsec_lock);
+#endif /* CONFIG_XFRM_OFFLOAD */
+
bond_set_slave_arr(bond, NULL, NULL);
list_del(&bond->bond_list);
diff --git a/include/net/bonding.h b/include/net/bonding.h
index 5b8b1b644a2db..94594026a5c55 100644
--- a/include/net/bonding.h
+++ b/include/net/bonding.h
@@ -258,7 +258,7 @@ struct bonding {
#ifdef CONFIG_XFRM_OFFLOAD
struct list_head ipsec_list;
/* protecting ipsec_list */
- spinlock_t ipsec_lock;
+ struct mutex ipsec_lock;
#endif /* CONFIG_XFRM_OFFLOAD */
struct bpf_prog *xdp_prog;
};
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 65/93] gtp: fix a potential NULL pointer dereference
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 64/93] bonding: change ipsec_lock from spin lock to mutex Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 66/93] sctp: fix association labeling in the duplicate COOKIE-ECHO case Greg Kroah-Hartman
` (33 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andreas Schultz, Harald Welte,
Cong Wang, Simon Horman, Pablo Neira Ayuso, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Cong Wang <cong.wang@bytedance.com>
[ Upstream commit defd8b3c37b0f9cb3e0f60f47d3d78d459d57fda ]
When sockfd_lookup() fails, gtp_encap_enable_socket() returns a
NULL pointer, but its callers only check for error pointers thus miss
the NULL pointer case.
Fix it by returning an error pointer with the error code carried from
sockfd_lookup().
(I found this bug during code inspection.)
Fixes: 1e3a3abd8b28 ("gtp: make GTP sockets in gtp_newlink optional")
Cc: Andreas Schultz <aschultz@tpip.net>
Cc: Harald Welte <laforge@gnumonks.org>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Pablo Neira Ayuso <pablo@netfilter.org>
Link: https://patch.msgid.link/20240825191638.146748-1-xiyou.wangcong@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/gtp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/gtp.c b/drivers/net/gtp.c
index 931b65591f4d1..9b0b22b65cb25 100644
--- a/drivers/net/gtp.c
+++ b/drivers/net/gtp.c
@@ -1220,7 +1220,7 @@ static struct sock *gtp_encap_enable_socket(int fd, int type,
sock = sockfd_lookup(fd, &err);
if (!sock) {
pr_debug("gtp socket fd=%d not found\n", fd);
- return NULL;
+ return ERR_PTR(err);
}
sk = sock->sk;
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 66/93] sctp: fix association labeling in the duplicate COOKIE-ECHO case
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 65/93] gtp: fix a potential NULL pointer dereference Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 67/93] drm/amd/display: avoid using null object of framebuffer Greg Kroah-Hartman
` (32 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xin Long, Ondrej Mosnacek,
Jakub Kicinski, Sasha Levin, Paul Moore
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ondrej Mosnacek <omosnace@redhat.com>
[ Upstream commit 3a0504d54b3b57f0d7bf3d9184a00c9f8887f6d7 ]
sctp_sf_do_5_2_4_dupcook() currently calls security_sctp_assoc_request()
on new_asoc, but as it turns out, this association is always discarded
and the LSM labels never get into the final association (asoc).
This can be reproduced by having two SCTP endpoints try to initiate an
association with each other at approximately the same time and then peel
off the association into a new socket, which exposes the unitialized
labels and triggers SELinux denials.
Fix it by calling security_sctp_assoc_request() on asoc instead of
new_asoc. Xin Long also suggested limit calling the hook only to cases
A, B, and D, since in cases C and E the COOKIE ECHO chunk is discarded
and the association doesn't enter the ESTABLISHED state, so rectify that
as well.
One related caveat with SELinux and peer labeling: When an SCTP
connection is set up simultaneously in this way, we will end up with an
association that is initialized with security_sctp_assoc_request() on
both sides, so the MLS component of the security context of the
association will get swapped between the peers, instead of just one side
setting it to the other's MLS component. However, at that point
security_sctp_assoc_request() had already been called on both sides in
sctp_sf_do_unexpected_init() (on a temporary association) and thus if
the exchange didn't fail before due to MLS, it won't fail now either
(most likely both endpoints have the same MLS range).
Tested by:
- reproducer from https://src.fedoraproject.org/tests/selinux/pull-request/530
- selinux-testsuite (https://github.com/SELinuxProject/selinux-testsuite/)
- sctp-tests (https://github.com/sctp/sctp-tests) - no tests failed
that wouldn't fail also without the patch applied
Fixes: c081d53f97a1 ("security: pass asoc to sctp_assoc_request and sctp_sk_clone")
Suggested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
Acked-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Paul Moore <paul@paul-moore.com> (LSM/SELinux)
Link: https://patch.msgid.link/20240826130711.141271-1-omosnace@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/sm_statefuns.c | 22 ++++++++++++++++------
1 file changed, 16 insertions(+), 6 deletions(-)
diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c
index 08fdf1251f46a..3649a4e1eb9de 100644
--- a/net/sctp/sm_statefuns.c
+++ b/net/sctp/sm_statefuns.c
@@ -2259,12 +2259,6 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
}
}
- /* Update socket peer label if first association. */
- if (security_sctp_assoc_request(new_asoc, chunk->head_skb ?: chunk->skb)) {
- sctp_association_free(new_asoc);
- return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
- }
-
/* Set temp so that it won't be added into hashtable */
new_asoc->temp = 1;
@@ -2273,6 +2267,22 @@ enum sctp_disposition sctp_sf_do_5_2_4_dupcook(
*/
action = sctp_tietags_compare(new_asoc, asoc);
+ /* In cases C and E the association doesn't enter the ESTABLISHED
+ * state, so there is no need to call security_sctp_assoc_request().
+ */
+ switch (action) {
+ case 'A': /* Association restart. */
+ case 'B': /* Collision case B. */
+ case 'D': /* Collision case D. */
+ /* Update socket peer label if first association. */
+ if (security_sctp_assoc_request((struct sctp_association *)asoc,
+ chunk->head_skb ?: chunk->skb)) {
+ sctp_association_free(new_asoc);
+ return sctp_sf_pdiscard(net, ep, asoc, type, arg, commands);
+ }
+ break;
+ }
+
switch (action) {
case 'A': /* Association restart. */
retval = sctp_sf_do_dupcook_a(net, ep, asoc, chunk, commands,
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 67/93] drm/amd/display: avoid using null object of framebuffer
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 66/93] sctp: fix association labeling in the duplicate COOKIE-ECHO case Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 68/93] net: busy-poll: use ktime_get_ns() instead of local_clock() Greg Kroah-Hartman
` (31 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
[ Upstream commit 3b9a33235c773c7a3768060cf1d2cf8a9153bc37 ]
Instead of using state->fb->obj[0] directly, get object from framebuffer
by calling drm_gem_fb_get_obj() and return error code when object is
null to avoid using null object of framebuffer.
Fixes: 5d945cbcd4b1 ("drm/amd/display: Create a file dedicated to planes")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 73dd0ad9e5dad53766ea3e631303430116f834b3)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 9 +++++++--
1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
index cc74dd69acf2b..fa9f53b310793 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
@@ -28,6 +28,7 @@
#include <drm/drm_blend.h>
#include <drm/drm_gem_atomic_helper.h>
#include <drm/drm_plane_helper.h>
+#include <drm/drm_gem_framebuffer_helper.h>
#include <drm/drm_fourcc.h>
#include "amdgpu.h"
@@ -848,10 +849,14 @@ static int dm_plane_helper_prepare_fb(struct drm_plane *plane,
}
afb = to_amdgpu_framebuffer(new_state->fb);
- obj = new_state->fb->obj[0];
+ obj = drm_gem_fb_get_obj(new_state->fb, 0);
+ if (!obj) {
+ DRM_ERROR("Failed to get obj from framebuffer\n");
+ return -EINVAL;
+ }
+
rbo = gem_to_amdgpu_bo(obj);
adev = amdgpu_ttm_adev(rbo->tbo.bdev);
-
r = amdgpu_bo_reserve(rbo, true);
if (r) {
dev_err(adev->dev, "fail to reserve bo (%d)\n", r);
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 68/93] net: busy-poll: use ktime_get_ns() instead of local_clock()
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 67/93] drm/amd/display: avoid using null object of framebuffer Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 69/93] nfc: pn533: Add poll mod list filling check Greg Kroah-Hartman
` (30 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Mina Almasry,
Willem de Bruijn, Joe Damato, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 0870b0d8b393dde53106678a1e2cec9dfa52f9b7 ]
Typically, busy-polling durations are below 100 usec.
When/if the busy-poller thread migrates to another cpu,
local_clock() can be off by +/-2msec or more for small
values of HZ, depending on the platform.
Use ktimer_get_ns() to ensure deterministic behavior,
which is the whole point of busy-polling.
Fixes: 060212928670 ("net: add low latency socket poll")
Fixes: 9a3c71aa8024 ("net: convert low latency sockets to sched_clock()")
Fixes: 37089834528b ("sched, net: Fixup busy_loop_us_clock()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Mina Almasry <almasrymina@google.com>
Cc: Willem de Bruijn <willemb@google.com>
Reviewed-by: Joe Damato <jdamato@fastly.com>
Link: https://patch.msgid.link/20240827114916.223377-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/busy_poll.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/net/busy_poll.h b/include/net/busy_poll.h
index 4dabeb6c76d31..9f2ce4d05c265 100644
--- a/include/net/busy_poll.h
+++ b/include/net/busy_poll.h
@@ -64,7 +64,7 @@ static inline bool sk_can_busy_loop(struct sock *sk)
static inline unsigned long busy_loop_current_time(void)
{
#ifdef CONFIG_NET_RX_BUSY_POLL
- return (unsigned long)(local_clock() >> 10);
+ return (unsigned long)(ktime_get_ns() >> 10);
#else
return 0;
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 69/93] nfc: pn533: Add poll mod list filling check
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 68/93] net: busy-poll: use ktime_get_ns() instead of local_clock() Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 70/93] soc: qcom: cmd-db: Map shared memory as WC, not WB Greg Kroah-Hartman
` (29 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Mishin,
Krzysztof Kozlowski, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandr Mishin <amishin@t-argos.ru>
[ Upstream commit febccb39255f9df35527b88c953b2e0deae50e53 ]
In case of im_protocols value is 1 and tm_protocols value is 0 this
combination successfully passes the check
'if (!im_protocols && !tm_protocols)' in the nfc_start_poll().
But then after pn533_poll_create_mod_list() call in pn533_start_poll()
poll mod list will remain empty and dev->poll_mod_count will remain 0
which lead to division by zero.
Normally no im protocol has value 1 in the mask, so this combination is
not expected by driver. But these protocol values actually come from
userspace via Netlink interface (NFC_CMD_START_POLL operation). So a
broken or malicious program may pass a message containing a "bad"
combination of protocol parameter values so that dev->poll_mod_count
is not incremented inside pn533_poll_create_mod_list(), thus leading
to division by zero.
Call trace looks like:
nfc_genl_start_poll()
nfc_start_poll()
->start_poll()
pn533_start_poll()
Add poll mod list filling check.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: dfccd0f58044 ("NFC: pn533: Add some polling entropy")
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://patch.msgid.link/20240827084822.18785-1-amishin@t-argos.ru
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/nfc/pn533/pn533.c | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/drivers/nfc/pn533/pn533.c b/drivers/nfc/pn533/pn533.c
index b19c39dcfbd93..e2bc67300a915 100644
--- a/drivers/nfc/pn533/pn533.c
+++ b/drivers/nfc/pn533/pn533.c
@@ -1723,6 +1723,11 @@ static int pn533_start_poll(struct nfc_dev *nfc_dev,
}
pn533_poll_create_mod_list(dev, im_protocols, tm_protocols);
+ if (!dev->poll_mod_count) {
+ nfc_err(dev->dev,
+ "Poll mod list is empty\n");
+ return -EINVAL;
+ }
/* Do not always start polling from the same modulation */
get_random_bytes(&rand_mod, sizeof(rand_mod));
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 70/93] soc: qcom: cmd-db: Map shared memory as WC, not WB
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 69/93] nfc: pn533: Add poll mod list filling check Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 71/93] soc: qcom: pmic_glink: Actually communicate when remote goes down Greg Kroah-Hartman
` (28 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Volodymyr Babchuk, Maulik Shah,
Pavankumar Kondeti, Caleb Connolly, Bjorn Andersson,
Nikita Travkin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Volodymyr Babchuk <Volodymyr_Babchuk@epam.com>
commit f9bb896eab221618927ae6a2f1d566567999839d upstream.
Linux does not write into cmd-db region. This region of memory is write
protected by XPU. XPU may sometime falsely detect clean cache eviction
as "write" into the write protected region leading to secure interrupt
which causes an endless loop somewhere in Trust Zone.
The only reason it is working right now is because Qualcomm Hypervisor
maps the same region as Non-Cacheable memory in Stage 2 translation
tables. The issue manifests if we want to use another hypervisor (like
Xen or KVM), which does not know anything about those specific mappings.
Changing the mapping of cmd-db memory from MEMREMAP_WB to MEMREMAP_WT/WC
removes dependency on correct mappings in Stage 2 tables. This patch
fixes the issue by updating the mapping to MEMREMAP_WC.
I tested this on SA8155P with Xen.
Fixes: 312416d9171a ("drivers: qcom: add command DB driver")
Cc: stable@vger.kernel.org # 5.4+
Signed-off-by: Volodymyr Babchuk <volodymyr_babchuk@epam.com>
Tested-by: Nikita Travkin <nikita@trvn.ru> # sc7180 WoA in EL2
Signed-off-by: Maulik Shah <quic_mkshah@quicinc.com>
Tested-by: Pavankumar Kondeti <quic_pkondeti@quicinc.com>
Reviewed-by: Caleb Connolly <caleb.connolly@linaro.org>
Link: https://lore.kernel.org/r/20240718-cmd_db_uncached-v2-1-f6cf53164c90@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/cmd-db.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/soc/qcom/cmd-db.c
+++ b/drivers/soc/qcom/cmd-db.c
@@ -354,7 +354,7 @@ static int cmd_db_dev_probe(struct platf
return -EINVAL;
}
- cmd_db_header = memremap(rmem->base, rmem->size, MEMREMAP_WB);
+ cmd_db_header = memremap(rmem->base, rmem->size, MEMREMAP_WC);
if (!cmd_db_header) {
ret = -ENOMEM;
cmd_db_header = NULL;
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 71/93] soc: qcom: pmic_glink: Actually communicate when remote goes down
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 70/93] soc: qcom: cmd-db: Map shared memory as WC, not WB Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:16 ` [PATCH 6.6 72/93] soc: qcom: pmic_glink: Fix race during initialization Greg Kroah-Hartman
` (27 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, Neil Armstrong,
Dmitry Baryshkov, Amit Pundir, Johan Hovold, Bjorn Andersson,
Bjorn Andersson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Andersson <quic_bjorande@quicinc.com>
commit ad51126037a43c05f5f4af5eb262734e3e88ca59 upstream.
When the pmic_glink state is UP and we either receive a protection-
domain (PD) notification indicating that the PD is going down, or that
the whole remoteproc is going down, it's expected that the pmic_glink
client instances are notified that their function has gone DOWN.
This is not what the code does, which results in the client state either
not updating, or being wrong in many cases. So let's fix the conditions.
Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver")
Cc: stable@vger.kernel.org
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Tested-by: Amit Pundir <amit.pundir@linaro.org>
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com>
Link: https://lore.kernel.org/r/20240820-pmic-glink-v6-11-races-v3-3-eec53c750a04@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/soc/qcom/pmic_glink.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/soc/qcom/pmic_glink.c
+++ b/drivers/soc/qcom/pmic_glink.c
@@ -178,7 +178,7 @@ static void pmic_glink_state_notify_clie
if (pg->pdr_state == SERVREG_SERVICE_STATE_UP && pg->ept)
new_state = SERVREG_SERVICE_STATE_UP;
} else {
- if (pg->pdr_state == SERVREG_SERVICE_STATE_UP && pg->ept)
+ if (pg->pdr_state == SERVREG_SERVICE_STATE_DOWN || !pg->ept)
new_state = SERVREG_SERVICE_STATE_DOWN;
}
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 72/93] soc: qcom: pmic_glink: Fix race during initialization
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 71/93] soc: qcom: pmic_glink: Actually communicate when remote goes down Greg Kroah-Hartman
@ 2024-09-01 16:16 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 73/93] cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller Greg Kroah-Hartman
` (26 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:16 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Amit Pundir, Johan Hovold,
Stephen Boyd, Heikki Krogerus, Neil Armstrong, Johan Hovold,
Sebastian Reichel, Bjorn Andersson, Bjorn Andersson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bjorn Andersson <quic_bjorande@quicinc.com>
commit 3568affcddd68743e25aa3ec1647d9b82797757b upstream.
As pointed out by Stephen Boyd it is possible that during initialization
of the pmic_glink child drivers, the protection-domain notifiers fires,
and the associated work is scheduled, before the client registration
returns and as a result the local "client" pointer has been initialized.
The outcome of this is a NULL pointer dereference as the "client"
pointer is blindly dereferenced.
Timeline provided by Stephen:
CPU0 CPU1
---- ----
ucsi->client = NULL;
devm_pmic_glink_register_client()
client->pdr_notify(client->priv, pg->client_state)
pmic_glink_ucsi_pdr_notify()
schedule_work(&ucsi->register_work)
<schedule away>
pmic_glink_ucsi_register()
ucsi_register()
pmic_glink_ucsi_read_version()
pmic_glink_ucsi_read()
pmic_glink_ucsi_read()
pmic_glink_send(ucsi->client)
<client is NULL BAD>
ucsi->client = client // Too late!
This code is identical across the altmode, battery manager and usci
child drivers.
Resolve this by splitting the allocation of the "client" object and the
registration thereof into two operations.
This only happens if the protection domain registry is populated at the
time of registration, which by the introduction of commit '1ebcde047c54
("soc: qcom: add pd-mapper implementation")' became much more likely.
Reported-by: Amit Pundir <amit.pundir@linaro.org>
Closes: https://lore.kernel.org/all/CAMi1Hd2_a7TjA7J9ShrAbNOd_CoZ3D87twmO5t+nZxC9sX18tA@mail.gmail.com/
Reported-by: Johan Hovold <johan@kernel.org>
Closes: https://lore.kernel.org/all/ZqiyLvP0gkBnuekL@hovoldconsulting.com/
Reported-by: Stephen Boyd <swboyd@chromium.org>
Closes: https://lore.kernel.org/all/CAE-0n52JgfCBWiFQyQWPji8cq_rCsviBpW-m72YitgNfdaEhQg@mail.gmail.com/
Fixes: 58ef4ece1e41 ("soc: qcom: pmic_glink: Introduce base PMIC GLINK driver")
Cc: stable@vger.kernel.org
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Tested-by: Amit Pundir <amit.pundir@linaro.org>
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Acked-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Bjorn Andersson <quic_bjorande@quicinc.com>
Link: https://lore.kernel.org/r/20240820-pmic-glink-v6-11-races-v3-1-eec53c750a04@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/supply/qcom_battmgr.c | 16 ++++++++++------
drivers/soc/qcom/pmic_glink.c | 28 ++++++++++++++++++----------
drivers/soc/qcom/pmic_glink_altmode.c | 17 +++++++++++------
drivers/usb/typec/ucsi/ucsi_glink.c | 16 ++++++++++------
include/linux/soc/qcom/pmic_glink.h | 11 ++++++-----
5 files changed, 55 insertions(+), 33 deletions(-)
--- a/drivers/power/supply/qcom_battmgr.c
+++ b/drivers/power/supply/qcom_battmgr.c
@@ -1384,12 +1384,16 @@ static int qcom_battmgr_probe(struct aux
"failed to register wireless charing power supply\n");
}
- battmgr->client = devm_pmic_glink_register_client(dev,
- PMIC_GLINK_OWNER_BATTMGR,
- qcom_battmgr_callback,
- qcom_battmgr_pdr_notify,
- battmgr);
- return PTR_ERR_OR_ZERO(battmgr->client);
+ battmgr->client = devm_pmic_glink_client_alloc(dev, PMIC_GLINK_OWNER_BATTMGR,
+ qcom_battmgr_callback,
+ qcom_battmgr_pdr_notify,
+ battmgr);
+ if (IS_ERR(battmgr->client))
+ return PTR_ERR(battmgr->client);
+
+ pmic_glink_client_register(battmgr->client);
+
+ return 0;
}
static const struct auxiliary_device_id qcom_battmgr_id_table[] = {
--- a/drivers/soc/qcom/pmic_glink.c
+++ b/drivers/soc/qcom/pmic_glink.c
@@ -69,15 +69,14 @@ static void _devm_pmic_glink_release_cli
spin_unlock_irqrestore(&pg->client_lock, flags);
}
-struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev,
- unsigned int id,
- void (*cb)(const void *, size_t, void *),
- void (*pdr)(void *, int),
- void *priv)
+struct pmic_glink_client *devm_pmic_glink_client_alloc(struct device *dev,
+ unsigned int id,
+ void (*cb)(const void *, size_t, void *),
+ void (*pdr)(void *, int),
+ void *priv)
{
struct pmic_glink_client *client;
struct pmic_glink *pg = dev_get_drvdata(dev->parent);
- unsigned long flags;
client = devres_alloc(_devm_pmic_glink_release_client, sizeof(*client), GFP_KERNEL);
if (!client)
@@ -88,6 +87,18 @@ struct pmic_glink_client *devm_pmic_glin
client->cb = cb;
client->pdr_notify = pdr;
client->priv = priv;
+ INIT_LIST_HEAD(&client->node);
+
+ devres_add(dev, client);
+
+ return client;
+}
+EXPORT_SYMBOL_GPL(devm_pmic_glink_client_alloc);
+
+void pmic_glink_client_register(struct pmic_glink_client *client)
+{
+ struct pmic_glink *pg = client->pg;
+ unsigned long flags;
mutex_lock(&pg->state_lock);
spin_lock_irqsave(&pg->client_lock, flags);
@@ -98,11 +109,8 @@ struct pmic_glink_client *devm_pmic_glin
spin_unlock_irqrestore(&pg->client_lock, flags);
mutex_unlock(&pg->state_lock);
- devres_add(dev, client);
-
- return client;
}
-EXPORT_SYMBOL_GPL(devm_pmic_glink_register_client);
+EXPORT_SYMBOL_GPL(pmic_glink_client_register);
int pmic_glink_send(struct pmic_glink_client *client, void *data, size_t len)
{
--- a/drivers/soc/qcom/pmic_glink_altmode.c
+++ b/drivers/soc/qcom/pmic_glink_altmode.c
@@ -529,12 +529,17 @@ static int pmic_glink_altmode_probe(stru
return ret;
}
- altmode->client = devm_pmic_glink_register_client(dev,
- altmode->owner_id,
- pmic_glink_altmode_callback,
- pmic_glink_altmode_pdr_notify,
- altmode);
- return PTR_ERR_OR_ZERO(altmode->client);
+ altmode->client = devm_pmic_glink_client_alloc(dev,
+ altmode->owner_id,
+ pmic_glink_altmode_callback,
+ pmic_glink_altmode_pdr_notify,
+ altmode);
+ if (IS_ERR(altmode->client))
+ return PTR_ERR(altmode->client);
+
+ pmic_glink_client_register(altmode->client);
+
+ return 0;
}
static const struct auxiliary_device_id pmic_glink_altmode_id_table[] = {
--- a/drivers/usb/typec/ucsi/ucsi_glink.c
+++ b/drivers/usb/typec/ucsi/ucsi_glink.c
@@ -376,12 +376,16 @@ static int pmic_glink_ucsi_probe(struct
"failed to acquire orientation-switch\n");
}
- ucsi->client = devm_pmic_glink_register_client(dev,
- PMIC_GLINK_OWNER_USBC,
- pmic_glink_ucsi_callback,
- pmic_glink_ucsi_pdr_notify,
- ucsi);
- return PTR_ERR_OR_ZERO(ucsi->client);
+ ucsi->client = devm_pmic_glink_client_alloc(dev, PMIC_GLINK_OWNER_USBC,
+ pmic_glink_ucsi_callback,
+ pmic_glink_ucsi_pdr_notify,
+ ucsi);
+ if (IS_ERR(ucsi->client))
+ return PTR_ERR(ucsi->client);
+
+ pmic_glink_client_register(ucsi->client);
+
+ return 0;
}
static void pmic_glink_ucsi_remove(struct auxiliary_device *adev)
--- a/include/linux/soc/qcom/pmic_glink.h
+++ b/include/linux/soc/qcom/pmic_glink.h
@@ -23,10 +23,11 @@ struct pmic_glink_hdr {
int pmic_glink_send(struct pmic_glink_client *client, void *data, size_t len);
-struct pmic_glink_client *devm_pmic_glink_register_client(struct device *dev,
- unsigned int id,
- void (*cb)(const void *, size_t, void *),
- void (*pdr)(void *, int),
- void *priv);
+struct pmic_glink_client *devm_pmic_glink_client_alloc(struct device *dev,
+ unsigned int id,
+ void (*cb)(const void *, size_t, void *),
+ void (*pdr)(void *, int),
+ void *priv);
+void pmic_glink_client_register(struct pmic_glink_client *client);
#endif
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 73/93] cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2024-09-01 16:16 ` [PATCH 6.6 72/93] soc: qcom: pmic_glink: Fix race during initialization Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 74/93] firmware: qcom: scm: Mark get_wq_ctx() as atomic call Greg Kroah-Hartman
` (25 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ian Ray, Oliver Neuku, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Ray <ian.ray@gehealthcare.com>
commit 0b00583ecacb0b51712a5ecd34cf7e6684307c67 upstream.
USB_DEVICE(0x1901, 0x0006) may send data before cdc_acm is ready, which
may be misinterpreted in the default N_TTY line discipline.
Signed-off-by: Ian Ray <ian.ray@gehealthcare.com>
Acked-by: Oliver Neuku <oneukum@suse.com>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20240814072905.2501-1-ian.ray@gehealthcare.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/class/cdc-acm.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/usb/class/cdc-acm.c
+++ b/drivers/usb/class/cdc-acm.c
@@ -1761,6 +1761,9 @@ static const struct usb_device_id acm_id
{ USB_DEVICE(0x11ca, 0x0201), /* VeriFone Mx870 Gadget Serial */
.driver_info = SINGLE_RX_URB,
},
+ { USB_DEVICE(0x1901, 0x0006), /* GE Healthcare Patient Monitor UI Controller */
+ .driver_info = DISABLE_ECHO, /* DISABLE ECHO in termios flag */
+ },
{ USB_DEVICE(0x1965, 0x0018), /* Uniden UBC125XLT */
.driver_info = NO_UNION_NORMAL, /* has no union descriptor */
},
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 74/93] firmware: qcom: scm: Mark get_wq_ctx() as atomic call
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 73/93] cdc-acm: Add DISABLE_ECHO quirk for GE HealthCare UI Controller Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 75/93] scsi: sd: Ignore command SYNCHRONIZE CACHE error if format in progress Greg Kroah-Hartman
` (24 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Murali Nalajala,
Unnathi Chalicheemala, Elliot Berman, Bjorn Andersson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Murali Nalajala <quic_mnalajal@quicinc.com>
commit 9960085a3a82c58d3323c1c20b991db6045063b0 upstream.
Currently get_wq_ctx() is wrongly configured as a standard call. When two
SMC calls are in sleep and one SMC wakes up, it calls get_wq_ctx() to
resume the corresponding sleeping thread. But if get_wq_ctx() is
interrupted, goes to sleep and another SMC call is waiting to be allocated
a waitq context, it leads to a deadlock.
To avoid this get_wq_ctx() must be an atomic call and can't be a standard
SMC call. Hence mark get_wq_ctx() as a fast call.
Fixes: 6bf325992236 ("firmware: qcom: scm: Add wait-queue handling logic")
Cc: stable@vger.kernel.org
Signed-off-by: Murali Nalajala <quic_mnalajal@quicinc.com>
Signed-off-by: Unnathi Chalicheemala <quic_uchalich@quicinc.com>
Reviewed-by: Elliot Berman <quic_eberman@quicinc.com>
Link: https://lore.kernel.org/r/20240814223244.40081-1-quic_uchalich@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/qcom_scm-smc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/firmware/qcom_scm-smc.c
+++ b/drivers/firmware/qcom_scm-smc.c
@@ -71,7 +71,7 @@ int scm_get_wq_ctx(u32 *wq_ctx, u32 *fla
struct arm_smccc_res get_wq_res;
struct arm_smccc_args get_wq_ctx = {0};
- get_wq_ctx.args[0] = ARM_SMCCC_CALL_VAL(ARM_SMCCC_STD_CALL,
+ get_wq_ctx.args[0] = ARM_SMCCC_CALL_VAL(ARM_SMCCC_FAST_CALL,
ARM_SMCCC_SMC_64, ARM_SMCCC_OWNER_SIP,
SCM_SMC_FNID(QCOM_SCM_SVC_WAITQ, QCOM_SCM_WAITQ_GET_WQ_CTX));
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 75/93] scsi: sd: Ignore command SYNCHRONIZE CACHE error if format in progress
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 74/93] firmware: qcom: scm: Mark get_wq_ctx() as atomic call Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 76/93] USB: serial: option: add MeiG Smart SRM825L Greg Kroah-Hartman
` (23 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yihang Li, Bart Van Assche,
Damien Le Moal, Martin K. Petersen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yihang Li <liyihang9@huawei.com>
commit 4f9eedfa27ae5806ed10906bcceee7bae49c8941 upstream.
If formatting a suspended disk (such as formatting with different DIF
type), the disk will be resuming first, and then the format command will
submit to the disk through SG_IO ioctl.
When the disk is processing the format command, the system does not
submit other commands to the disk. Therefore, the system attempts to
suspend the disk again and sends the SYNCHRONIZE CACHE command. However,
the SYNCHRONIZE CACHE command will fail because the disk is in the
formatting process. This will cause the runtime_status of the disk to
error and it is difficult for user to recover it. Error info like:
[ 669.925325] sd 6:0:6:0: [sdg] Synchronizing SCSI cache
[ 670.202371] sd 6:0:6:0: [sdg] Synchronize Cache(10) failed: Result: hostbyte=0x00 driverbyte=DRIVER_OK
[ 670.216300] sd 6:0:6:0: [sdg] Sense Key : 0x2 [current]
[ 670.221860] sd 6:0:6:0: [sdg] ASC=0x4 ASCQ=0x4
To solve the issue, ignore the error and return success/0 when format is
in progress.
Cc: stable@vger.kernel.org
Signed-off-by: Yihang Li <liyihang9@huawei.com>
Link: https://lore.kernel.org/r/20240819090934.2130592-1-liyihang9@huawei.com
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/sd.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
--- a/drivers/scsi/sd.c
+++ b/drivers/scsi/sd.c
@@ -1690,13 +1690,15 @@ static int sd_sync_cache(struct scsi_dis
(sshdr.asc == 0x74 && sshdr.ascq == 0x71)) /* drive is password locked */
/* this is no error here */
return 0;
+
/*
- * This drive doesn't support sync and there's not much
- * we can do because this is called during shutdown
- * or suspend so just return success so those operations
- * can proceed.
+ * If a format is in progress or if the drive does not
+ * support sync, there is not much we can do because
+ * this is called during shutdown or suspend so just
+ * return success so those operations can proceed.
*/
- if (sshdr.sense_key == ILLEGAL_REQUEST)
+ if ((sshdr.asc == 0x04 && sshdr.ascq == 0x04) ||
+ sshdr.sense_key == ILLEGAL_REQUEST)
return 0;
}
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 76/93] USB: serial: option: add MeiG Smart SRM825L
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 75/93] scsi: sd: Ignore command SYNCHRONIZE CACHE error if format in progress Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 77/93] ARM: dts: imx6dl-yapp43: Increase LED current to match the yapp4 HW design Greg Kroah-Hartman
` (22 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, ZHANG Yuntian, Johan Hovold
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: ZHANG Yuntian <yt@radxa.com>
commit 9a471de516c35219d1722c13367191ce1f120fe9 upstream.
Add support for MeiG Smart SRM825L which is based on Qualcomm 315 chip.
T: Bus=04 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
P: Vendor=2dee ProdID=4d22 Rev= 4.14
S: Manufacturer=MEIG
S: Product=LTE-A Module
S: SerialNumber=6f345e48
C:* #Ifs= 6 Cfg#= 1 Atr=80 MxPwr=896mA
I:* If#= 0 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
E: Ad=81(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=02(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=option
E: Ad=85(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=84(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=03(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I:* If#= 3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=60 Driver=option
E: Ad=87(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=86(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=04(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I:* If#= 4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=42 Prot=01 Driver=(none)
E: Ad=05(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=88(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I:* If#= 5 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=50 Driver=qmi_wwan
E: Ad=89(I) Atr=03(Int.) MxPS= 8 Ivl=32ms
E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
Signed-off-by: ZHANG Yuntian <yt@radxa.com>
Link: https://lore.kernel.org/0041DFA5200EFB1B+20240803074619.563116-1-yt@radxa.com/
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -619,6 +619,8 @@ static void option_instat_callback(struc
/* MeiG Smart Technology products */
#define MEIGSMART_VENDOR_ID 0x2dee
+/* MeiG Smart SRM825L based on Qualcomm 315 */
+#define MEIGSMART_PRODUCT_SRM825L 0x4d22
/* MeiG Smart SLM320 based on UNISOC UIS8910 */
#define MEIGSMART_PRODUCT_SLM320 0x4d41
@@ -2366,6 +2368,9 @@ static const struct usb_device_id option
{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, TOZED_PRODUCT_LT70C, 0xff, 0, 0) },
{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, LUAT_PRODUCT_AIR720U, 0xff, 0, 0) },
{ USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SLM320, 0xff, 0, 0) },
+ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x30) },
+ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x40) },
+ { USB_DEVICE_AND_INTERFACE_INFO(MEIGSMART_VENDOR_ID, MEIGSMART_PRODUCT_SRM825L, 0xff, 0xff, 0x60) },
{ } /* Terminating entry */
};
MODULE_DEVICE_TABLE(usb, option_ids);
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 77/93] ARM: dts: imx6dl-yapp43: Increase LED current to match the yapp4 HW design
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 76/93] USB: serial: option: add MeiG Smart SRM825L Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 78/93] usb: dwc3: omap: add missing depopulate in probe error path Greg Kroah-Hartman
` (21 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michal Vokáč, Shawn Guo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Vokáč <michal.vokac@ysoft.com>
commit 8512fbb64b0e599412da661412d10d4ba1cb003c upstream.
On the imx6dl-yapp4 revision based boards, the RGB LED is not driven
directly by the LP5562 driver but through FET transistors. Hence the LED
current is not determined by the driver but by the LED series resistors.
On the imx6dl-yapp43 revision based boards, we removed the FET transistors
to drive the LED directly from the LP5562 but forgot to tune the output
current to match the previous HW design.
Set the LED current on imx6dl-yapp43 based boards to the same values
measured on the imx6dl-yapp4 boards and limit the maximum current to 20mA.
Fixes: 7da4734751e0 ("ARM: dts: imx6dl-yapp43: Add support for new HW revision of the IOTA board")
Cc: <stable@vger.kernel.org>
Signed-off-by: Michal Vokáč <michal.vokac@ysoft.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm/boot/dts/nxp/imx/imx6dl-yapp43-common.dtsi | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/arch/arm/boot/dts/nxp/imx/imx6dl-yapp43-common.dtsi b/arch/arm/boot/dts/nxp/imx/imx6dl-yapp43-common.dtsi
index 52a0f6ee426f..bcf4d9c870ec 100644
--- a/arch/arm/boot/dts/nxp/imx/imx6dl-yapp43-common.dtsi
+++ b/arch/arm/boot/dts/nxp/imx/imx6dl-yapp43-common.dtsi
@@ -274,24 +274,24 @@ leds: led-controller@30 {
led@0 {
chan-name = "R";
- led-cur = /bits/ 8 <0x20>;
- max-cur = /bits/ 8 <0x60>;
+ led-cur = /bits/ 8 <0x6e>;
+ max-cur = /bits/ 8 <0xc8>;
reg = <0>;
color = <LED_COLOR_ID_RED>;
};
led@1 {
chan-name = "G";
- led-cur = /bits/ 8 <0x20>;
- max-cur = /bits/ 8 <0x60>;
+ led-cur = /bits/ 8 <0xbe>;
+ max-cur = /bits/ 8 <0xc8>;
reg = <1>;
color = <LED_COLOR_ID_GREEN>;
};
led@2 {
chan-name = "B";
- led-cur = /bits/ 8 <0x20>;
- max-cur = /bits/ 8 <0x60>;
+ led-cur = /bits/ 8 <0xbe>;
+ max-cur = /bits/ 8 <0xc8>;
reg = <2>;
color = <LED_COLOR_ID_BLUE>;
};
--
2.46.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 78/93] usb: dwc3: omap: add missing depopulate in probe error path
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 77/93] ARM: dts: imx6dl-yapp43: Increase LED current to match the yapp4 HW design Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 79/93] usb: dwc3: core: Prevent USB core invalid event buffer address access Greg Kroah-Hartman
` (20 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thinh Nguyen, Krzysztof Kozlowski,
Radhey Shyam Pandey
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 2aa765a43817ec8add990f83c8e54a9a5d87aa9c upstream.
Depopulate device in probe error paths to fix leak of children
resources.
Fixes: ee249b455494 ("usb: dwc3: omap: remove IRQ_NOAUTOEN used with shared irq")
Cc: stable@vger.kernel.org
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Link: https://lore.kernel.org/r/20240816075409.23080-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-omap.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/usb/dwc3/dwc3-omap.c
+++ b/drivers/usb/dwc3/dwc3-omap.c
@@ -522,11 +522,13 @@ static int dwc3_omap_probe(struct platfo
if (ret) {
dev_err(dev, "failed to request IRQ #%d --> %d\n",
omap->irq, ret);
- goto err1;
+ goto err2;
}
dwc3_omap_enable_irqs(omap);
return 0;
+err2:
+ of_platform_depopulate(dev);
err1:
pm_runtime_put_sync(dev);
pm_runtime_disable(dev);
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 79/93] usb: dwc3: core: Prevent USB core invalid event buffer address access
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 78/93] usb: dwc3: omap: add missing depopulate in probe error path Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 80/93] usb: dwc3: st: fix probed platform device ref count on probe error path Greg Kroah-Hartman
` (19 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, stable, Selvarasu Ganesan,
Thinh Nguyen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Selvarasu Ganesan <selvarasu.g@samsung.com>
commit 14e497183df28c006603cc67fd3797a537eef7b9 upstream.
This commit addresses an issue where the USB core could access an
invalid event buffer address during runtime suspend, potentially causing
SMMU faults and other memory issues in Exynos platforms. The problem
arises from the following sequence.
1. In dwc3_gadget_suspend, there is a chance of a timeout when
moving the USB core to the halt state after clearing the
run/stop bit by software.
2. In dwc3_core_exit, the event buffer is cleared regardless of
the USB core's status, which may lead to an SMMU faults and
other memory issues. if the USB core tries to access the event
buffer address.
To prevent this hardware quirk on Exynos platforms, this commit ensures
that the event buffer address is not cleared by software when the USB
core is active during runtime suspend by checking its status before
clearing the buffer address.
Cc: stable <stable@kernel.org>
Signed-off-by: Selvarasu Ganesan <selvarasu.g@samsung.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20240815064836.1491-1-selvarasu.g@samsung.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/core.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- a/drivers/usb/dwc3/core.c
+++ b/drivers/usb/dwc3/core.c
@@ -553,9 +553,17 @@ int dwc3_event_buffers_setup(struct dwc3
void dwc3_event_buffers_cleanup(struct dwc3 *dwc)
{
struct dwc3_event_buffer *evt;
+ u32 reg;
if (!dwc->ev_buf)
return;
+ /*
+ * Exynos platforms may not be able to access event buffer if the
+ * controller failed to halt on dwc3_core_exit().
+ */
+ reg = dwc3_readl(dwc->regs, DWC3_DSTS);
+ if (!(reg & DWC3_DSTS_DEVCTRLHLT))
+ return;
evt = dwc->ev_buf;
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 80/93] usb: dwc3: st: fix probed platform device ref count on probe error path
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 79/93] usb: dwc3: core: Prevent USB core invalid event buffer address access Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 81/93] usb: dwc3: st: add missing depopulate in " Greg Kroah-Hartman
` (18 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Thinh Nguyen,
Patrice Chotard
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit ddfcfeba891064b88bb844208b43bef2ef970f0c upstream.
The probe function never performs any paltform device allocation, thus
error path "undo_platform_dev_alloc" is entirely bogus. It drops the
reference count from the platform device being probed. If error path is
triggered, this will lead to unbalanced device reference counts and
premature release of device resources, thus possible use-after-free when
releasing remaining devm-managed resources.
Fixes: f83fca0707c6 ("usb: dwc3: add ST dwc3 glue layer to manage dwc3 HC")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Link: https://lore.kernel.org/r/20240814093957.37940-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-st.c | 11 +++--------
1 file changed, 3 insertions(+), 8 deletions(-)
--- a/drivers/usb/dwc3/dwc3-st.c
+++ b/drivers/usb/dwc3/dwc3-st.c
@@ -219,10 +219,8 @@ static int st_dwc3_probe(struct platform
dwc3_data->regmap = regmap;
res = platform_get_resource_byname(pdev, IORESOURCE_MEM, "syscfg-reg");
- if (!res) {
- ret = -ENXIO;
- goto undo_platform_dev_alloc;
- }
+ if (!res)
+ return -ENXIO;
dwc3_data->syscfg_reg_off = res->start;
@@ -233,8 +231,7 @@ static int st_dwc3_probe(struct platform
devm_reset_control_get_exclusive(dev, "powerdown");
if (IS_ERR(dwc3_data->rstc_pwrdn)) {
dev_err(&pdev->dev, "could not get power controller\n");
- ret = PTR_ERR(dwc3_data->rstc_pwrdn);
- goto undo_platform_dev_alloc;
+ return PTR_ERR(dwc3_data->rstc_pwrdn);
}
/* Manage PowerDown */
@@ -300,8 +297,6 @@ undo_softreset:
reset_control_assert(dwc3_data->rstc_rst);
undo_powerdown:
reset_control_assert(dwc3_data->rstc_pwrdn);
-undo_platform_dev_alloc:
- platform_device_put(pdev);
return ret;
}
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 81/93] usb: dwc3: st: add missing depopulate in probe error path
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 80/93] usb: dwc3: st: fix probed platform device ref count on probe error path Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 82/93] usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() Greg Kroah-Hartman
` (17 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Patrice Chotard,
Thinh Nguyen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit cd4897bfd14f6a5388b21ba45a066541a0425199 upstream.
Depopulate device in probe error paths to fix leak of children
resources.
Fixes: f83fca0707c6 ("usb: dwc3: add ST dwc3 glue layer to manage dwc3 HC")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20240814093957.37940-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/dwc3/dwc3-st.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/drivers/usb/dwc3/dwc3-st.c
+++ b/drivers/usb/dwc3/dwc3-st.c
@@ -266,7 +266,7 @@ static int st_dwc3_probe(struct platform
if (!child_pdev) {
dev_err(dev, "failed to find dwc3 core device\n");
ret = -ENODEV;
- goto err_node_put;
+ goto depopulate;
}
dwc3_data->dr_mode = usb_get_dr_mode(&child_pdev->dev);
@@ -282,6 +282,7 @@ static int st_dwc3_probe(struct platform
ret = st_dwc3_drd_init(dwc3_data);
if (ret) {
dev_err(dev, "drd initialisation failed\n");
+ of_platform_depopulate(dev);
goto undo_softreset;
}
@@ -291,6 +292,8 @@ static int st_dwc3_probe(struct platform
platform_set_drvdata(pdev, dwc3_data);
return 0;
+depopulate:
+ of_platform_depopulate(dev);
err_node_put:
of_node_put(child);
undo_softreset:
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 82/93] usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes()
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 81/93] usb: dwc3: st: add missing depopulate in " Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 83/93] usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function Greg Kroah-Hartman
` (16 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zijun Hu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zijun Hu <quic_zijuhu@quicinc.com>
commit 3a8839bbb86da7968a792123ed2296d063871a52 upstream.
Device attribute group @usb3_hardware_lpm_attr_group is merged by
add_power_attributes(), but it is not unmerged explicitly, fixed by
unmerging it in remove_power_attributes().
Fixes: 655fe4effe0f ("usbcore: add sysfs support to xHCI usb3 hardware LPM")
Cc: stable@vger.kernel.org
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
Link: https://lore.kernel.org/r/20240820-sysfs_fix-v2-1-a9441487077e@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/sysfs.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/core/sysfs.c
+++ b/drivers/usb/core/sysfs.c
@@ -668,6 +668,7 @@ static int add_power_attributes(struct d
static void remove_power_attributes(struct device *dev)
{
+ sysfs_unmerge_group(&dev->kobj, &usb3_hardware_lpm_attr_group);
sysfs_unmerge_group(&dev->kobj, &usb2_hardware_lpm_attr_group);
sysfs_unmerge_group(&dev->kobj, &power_attr_group);
}
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 83/93] usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 82/93] usb: core: sysfs: Unmerge @usb3_hardware_lpm_attr_group in remove_power_attributes() Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 84/93] usb: cdnsp: fix for Link TRB with TC Greg Kroah-Hartman
` (15 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pawel Laszczak, Peter Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawel Laszczak <pawell@cadence.com>
commit 0497a356d3c498221eb0c1edc1e8985816092f12 upstream.
Patch fixes the incorrect "stream_id" table index instead of
"ep_index" used in cdnsp_get_hw_deq function.
Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
cc: stable@vger.kernel.org
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Reviewed-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/PH7PR07MB95381F2182688811D5C711CEDD8D2@PH7PR07MB9538.namprd07.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/cdns3/cdnsp-ring.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/cdns3/cdnsp-ring.c
+++ b/drivers/usb/cdns3/cdnsp-ring.c
@@ -402,7 +402,7 @@ static u64 cdnsp_get_hw_deq(struct cdnsp
struct cdnsp_stream_ctx *st_ctx;
struct cdnsp_ep *pep;
- pep = &pdev->eps[stream_id];
+ pep = &pdev->eps[ep_index];
if (pep->ep_state & EP_HAS_STREAMS) {
st_ctx = &pep->stream_info.stream_ctx_array[stream_id];
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 84/93] usb: cdnsp: fix for Link TRB with TC
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 83/93] usb: cdnsp: fix incorrect index in cdnsp_get_hw_deq function Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 85/93] ARM: dts: omap3-n900: correct the accelerometer orientation Greg Kroah-Hartman
` (14 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pawel Laszczak, Peter Chen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pawel Laszczak <pawell@cadence.com>
commit 740f2e2791b98e47288b3814c83a3f566518fed2 upstream.
Stop Endpoint command on LINK TRB with TC bit set to 1 causes that
internal cycle bit can have incorrect state after command complete.
In consequence empty transfer ring can be incorrectly detected
when EP is resumed.
NOP TRB before LINK TRB avoid such scenario. Stop Endpoint command
is then on NOP TRB and internal cycle bit is not changed and have
correct value.
Fixes: 3d82904559f4 ("usb: cdnsp: cdns3 Add main part of Cadence USBSSP DRD Driver")
cc: <stable@vger.kernel.org>
Signed-off-by: Pawel Laszczak <pawell@cadence.com>
Reviewed-by: Peter Chen <peter.chen@kernel.org>
Link: https://lore.kernel.org/r/PH7PR07MB953878279F375CCCE6C6F40FDD8E2@PH7PR07MB9538.namprd07.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/cdns3/cdnsp-gadget.h | 3 +++
drivers/usb/cdns3/cdnsp-ring.c | 28 ++++++++++++++++++++++++++++
2 files changed, 31 insertions(+)
--- a/drivers/usb/cdns3/cdnsp-gadget.h
+++ b/drivers/usb/cdns3/cdnsp-gadget.h
@@ -811,6 +811,7 @@ struct cdnsp_stream_info {
* generate Missed Service Error Event.
* Set skip flag when receive a Missed Service Error Event and
* process the missed tds on the endpoint ring.
+ * @wa1_nop_trb: hold pointer to NOP trb.
*/
struct cdnsp_ep {
struct usb_ep endpoint;
@@ -838,6 +839,8 @@ struct cdnsp_ep {
#define EP_UNCONFIGURED BIT(7)
bool skip;
+ union cdnsp_trb *wa1_nop_trb;
+
};
/**
--- a/drivers/usb/cdns3/cdnsp-ring.c
+++ b/drivers/usb/cdns3/cdnsp-ring.c
@@ -1905,6 +1905,23 @@ int cdnsp_queue_bulk_tx(struct cdnsp_dev
return ret;
/*
+ * workaround 1: STOP EP command on LINK TRB with TC bit set to 1
+ * causes that internal cycle bit can have incorrect state after
+ * command complete. In consequence empty transfer ring can be
+ * incorrectly detected when EP is resumed.
+ * NOP TRB before LINK TRB avoid such scenario. STOP EP command is
+ * then on NOP TRB and internal cycle bit is not changed and have
+ * correct value.
+ */
+ if (pep->wa1_nop_trb) {
+ field = le32_to_cpu(pep->wa1_nop_trb->trans_event.flags);
+ field ^= TRB_CYCLE;
+
+ pep->wa1_nop_trb->trans_event.flags = cpu_to_le32(field);
+ pep->wa1_nop_trb = NULL;
+ }
+
+ /*
* Don't give the first TRB to the hardware (by toggling the cycle bit)
* until we've finished creating all the other TRBs. The ring's cycle
* state may change as we enqueue the other TRBs, so save it too.
@@ -1999,6 +2016,17 @@ int cdnsp_queue_bulk_tx(struct cdnsp_dev
send_addr = addr;
}
+ if (cdnsp_trb_is_link(ring->enqueue + 1)) {
+ field = TRB_TYPE(TRB_TR_NOOP) | TRB_IOC;
+ if (!ring->cycle_state)
+ field |= TRB_CYCLE;
+
+ pep->wa1_nop_trb = ring->enqueue;
+
+ cdnsp_queue_trb(pdev, ring, 0, 0x0, 0x0,
+ TRB_INTR_TARGET(0), field);
+ }
+
cdnsp_check_trb_math(preq, enqd_len);
ret = cdnsp_giveback_first_trb(pdev, pep, preq->request.stream_id,
start_cycle, start_trb);
^ permalink raw reply [flat|nested] 101+ messages in thread* [PATCH 6.6 85/93] ARM: dts: omap3-n900: correct the accelerometer orientation
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 84/93] usb: cdnsp: fix for Link TRB with TC Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 86/93] arm64: dts: imx8mp-beacon-kit: Fix Stereo Audio on WM8962 Greg Kroah-Hartman
` (13 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sicelo A. Mhlongo, Andreas Kemnade,
Kevin Hilman, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sicelo A. Mhlongo <absicsz@gmail.com>
[ Upstream commit 5062d9c0cbbc202e495e9b20f147f64ef5cc2897 ]
Negate the values reported for the accelerometer z-axis in order to
match Documentation/devicetree/bindings/iio/mount-matrix.txt.
Fixes: 14a213dcb004 ("ARM: dts: n900: use iio driver for accelerometer")
Signed-off-by: Sicelo A. Mhlongo <absicsz@gmail.com>
Reviewed-By: Andreas Kemnade <andreas@kemnade.info>
Link: https://lore.kernel.org/r/20240722113137.3240847-1-absicsz@gmail.com
Signed-off-by: Kevin Hilman <khilman@baylibre.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/ti/omap/omap3-n900.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm/boot/dts/ti/omap/omap3-n900.dts b/arch/arm/boot/dts/ti/omap/omap3-n900.dts
index d334853412517..036e472b77beb 100644
--- a/arch/arm/boot/dts/ti/omap/omap3-n900.dts
+++ b/arch/arm/boot/dts/ti/omap/omap3-n900.dts
@@ -781,7 +781,7 @@
mount-matrix = "-1", "0", "0",
"0", "1", "0",
- "0", "0", "1";
+ "0", "0", "-1";
};
cam1: camera@3e {
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 86/93] arm64: dts: imx8mp-beacon-kit: Fix Stereo Audio on WM8962
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 85/93] ARM: dts: omap3-n900: correct the accelerometer orientation Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 87/93] arm64: dts: imx93: add nvmem property for fec1 Greg Kroah-Hartman
` (12 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adam Ford, Shawn Guo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adam Ford <aford173@gmail.com>
[ Upstream commit 4e69cd835a2d5c3915838491f59a68ee697a87d0 ]
The L/R clock needs to be controlled by the SAI3 instead of the
CODEC to properly achieve stereo sound. Doing this allows removes
the need for unnecessary clock manipulation to try to get the
CODEC's clock in sync with the SAI3 clock, since the CODEC can cope
with a wide variety of clock inputs.
Fixes: 161af16c18f3 ("arm64: dts: imx8mp-beacon-kit: Fix audio_pll2 clock")
Fixes: 69e2f37a6ddc ("arm64: dts: imx8mp-beacon-kit: Enable WM8962 Audio CODEC")
Signed-off-by: Adam Ford <aford173@gmail.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx8mp-beacon-kit.dts | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/arch/arm64/boot/dts/freescale/imx8mp-beacon-kit.dts b/arch/arm64/boot/dts/freescale/imx8mp-beacon-kit.dts
index acd265d8b58ed..e094f409028dd 100644
--- a/arch/arm64/boot/dts/freescale/imx8mp-beacon-kit.dts
+++ b/arch/arm64/boot/dts/freescale/imx8mp-beacon-kit.dts
@@ -163,13 +163,12 @@
simple-audio-card,cpu {
sound-dai = <&sai3>;
+ frame-master;
+ bitclock-master;
};
simple-audio-card,codec {
sound-dai = <&wm8962>;
- clocks = <&clk IMX8MP_CLK_IPP_DO_CLKO1>;
- frame-master;
- bitclock-master;
};
};
};
@@ -381,10 +380,9 @@
&sai3 {
pinctrl-names = "default";
pinctrl-0 = <&pinctrl_sai3>;
- assigned-clocks = <&clk IMX8MP_CLK_SAI3>,
- <&clk IMX8MP_AUDIO_PLL2> ;
- assigned-clock-parents = <&clk IMX8MP_AUDIO_PLL2_OUT>;
- assigned-clock-rates = <12288000>, <361267200>;
+ assigned-clocks = <&clk IMX8MP_CLK_SAI3>;
+ assigned-clock-parents = <&clk IMX8MP_AUDIO_PLL1_OUT>;
+ assigned-clock-rates = <12288000>;
fsl,sai-mclk-direction-output;
status = "okay";
};
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 87/93] arm64: dts: imx93: add nvmem property for fec1
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 86/93] arm64: dts: imx8mp-beacon-kit: Fix Stereo Audio on WM8962 Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 88/93] arm64: dts: imx93: add nvmem property for eqos Greg Kroah-Hartman
` (11 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Shawn Guo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit b2ab0edaf484d578e8d0c06093af0003586def72 ]
Add nvmem property for fec1 to get mac address.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Stable-dep-of: 109f256285dd ("arm64: dts: imx93: update default value for snps,clk-csr")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx93.dtsi | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/imx93.dtsi b/arch/arm64/boot/dts/freescale/imx93.dtsi
index 943b7e6655634..1b7260d2a0fff 100644
--- a/arch/arm64/boot/dts/freescale/imx93.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx93.dtsi
@@ -786,6 +786,8 @@
fsl,num-tx-queues = <3>;
fsl,num-rx-queues = <3>;
fsl,stop-mode = <&wakeupmix_gpr 0x0c 1>;
+ nvmem-cells = <ð_mac1>;
+ nvmem-cell-names = "mac-address";
status = "disabled";
};
@@ -888,6 +890,11 @@
reg = <0x47510000 0x10000>;
#address-cells = <1>;
#size-cells = <1>;
+
+ eth_mac1: mac-address@4ec {
+ reg = <0x4ec 0x6>;
+ };
+
};
s4muap: mailbox@47520000 {
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 88/93] arm64: dts: imx93: add nvmem property for eqos
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 87/93] arm64: dts: imx93: add nvmem property for fec1 Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 89/93] arm64: dts: imx93: update default value for snps,clk-csr Greg Kroah-Hartman
` (10 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Fan, Shawn Guo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Fan <peng.fan@nxp.com>
[ Upstream commit 0d4fbaffbdcaec3fce29445b00324f470ee403c4 ]
Add nvmem properties for eqos to get mac address.
Signed-off-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Stable-dep-of: 109f256285dd ("arm64: dts: imx93: update default value for snps,clk-csr")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx93.dtsi | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/arch/arm64/boot/dts/freescale/imx93.dtsi b/arch/arm64/boot/dts/freescale/imx93.dtsi
index 1b7260d2a0fff..8ca5c7b6fbf03 100644
--- a/arch/arm64/boot/dts/freescale/imx93.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx93.dtsi
@@ -810,6 +810,8 @@
assigned-clock-rates = <100000000>, <250000000>;
intf_mode = <&wakeupmix_gpr 0x28>;
snps,clk-csr = <0>;
+ nvmem-cells = <ð_mac2>;
+ nvmem-cell-names = "mac-address";
status = "disabled";
};
@@ -895,6 +897,10 @@
reg = <0x4ec 0x6>;
};
+ eth_mac2: mac-address@4f2 {
+ reg = <0x4f2 0x6>;
+ };
+
};
s4muap: mailbox@47520000 {
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 89/93] arm64: dts: imx93: update default value for snps,clk-csr
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 88/93] arm64: dts: imx93: add nvmem property for eqos Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 90/93] arm64: dts: freescale: imx93-tqma9352: fix CMA alloc-ranges Greg Kroah-Hartman
` (9 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shenwei Wang, Shawn Guo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shenwei Wang <shenwei.wang@nxp.com>
[ Upstream commit 109f256285dd6a5f8c3bd0d80d39b2ccd4fe314e ]
For the i.MX93 SoC, the default clock rate for the IP of STMMAC EQOS is
312.5 MHz. According to the following mapping table from the i.MX93
reference manual, this clock rate corresponds to a CSR value of 6.
0000: CSR clock = 60-100 MHz; MDC clock = CSR clock/42
0001: CSR clock = 100-150 MHz; MDC clock = CSR clock/62
0010: CSR clock = 20-35 MHz; MDC clock = CSR clock/16
0011: CSR clock = 35-60 MHz; MDC clock = CSR clock/26
0100: CSR clock = 150-250 MHz; MDC clock = CSR clock/102
0101: CSR clock = 250-300 MHz; MDC clock = CSR clock/124
0110: CSR clock = 300-500 MHz; MDC clock = CSR clock/204
0111: CSR clock = 500-800 MHz; MDC clock = CSR clock/324
Fixes: f2d03ba997cb ("arm64: dts: imx93: reorder device nodes")
Signed-off-by: Shenwei Wang <shenwei.wang@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx93.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx93.dtsi b/arch/arm64/boot/dts/freescale/imx93.dtsi
index 8ca5c7b6fbf03..35155b009dd24 100644
--- a/arch/arm64/boot/dts/freescale/imx93.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx93.dtsi
@@ -809,7 +809,7 @@
<&clk IMX93_CLK_SYS_PLL_PFD0_DIV2>;
assigned-clock-rates = <100000000>, <250000000>;
intf_mode = <&wakeupmix_gpr 0x28>;
- snps,clk-csr = <0>;
+ snps,clk-csr = <6>;
nvmem-cells = <ð_mac2>;
nvmem-cell-names = "mac-address";
status = "disabled";
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 90/93] arm64: dts: freescale: imx93-tqma9352: fix CMA alloc-ranges
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 89/93] arm64: dts: imx93: update default value for snps,clk-csr Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 91/93] arm64: dts: freescale: imx93-tqma9352-mba93xxla: fix typo Greg Kroah-Hartman
` (8 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Markus Niebel, Alexander Stein,
Peng Fan, Shawn Guo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Markus Niebel <Markus.Niebel@ew.tq-group.com>
[ Upstream commit cd0c6872aab4d2c556a5e953e6926a1b4485e543 ]
DRAM starts at 0x80000000.
Fixes: c982ecfa7992 ("arm64: dts: freescale: add initial device tree for MBa93xxLA SBC board")
Signed-off-by: Markus Niebel <Markus.Niebel@ew.tq-group.com>
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
index f6e422dc2663e..b6f3c076fe54a 100644
--- a/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx93-tqma9352.dtsi
@@ -19,7 +19,7 @@
linux,cma {
compatible = "shared-dma-pool";
reusable;
- alloc-ranges = <0 0x60000000 0 0x40000000>;
+ alloc-ranges = <0 0x80000000 0 0x40000000>;
size = <0 0x10000000>;
linux,cma-default;
};
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 91/93] arm64: dts: freescale: imx93-tqma9352-mba93xxla: fix typo
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 90/93] arm64: dts: freescale: imx93-tqma9352: fix CMA alloc-ranges Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 92/93] scsi: aacraid: Fix double-free on probe failure Greg Kroah-Hartman
` (7 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Markus Niebel, Alexander Stein,
Shawn Guo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Markus Niebel <Markus.Niebel@ew.tq-group.com>
[ Upstream commit 5f0a894bfa3c26ce61deda4c52b12e8ec84d876a ]
Fix typo in assignment of SD-Card cd-gpios.
Fixes: c982ecfa7992 ("arm64: dts: freescale: add initial device tree for MBa93xxLA SBC board")
Signed-off-by: Markus Niebel <Markus.Niebel@ew.tq-group.com>
Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/freescale/imx93-tqma9352-mba93xxla.dts | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/arm64/boot/dts/freescale/imx93-tqma9352-mba93xxla.dts b/arch/arm64/boot/dts/freescale/imx93-tqma9352-mba93xxla.dts
index 3c5c67ebee5d3..aaf9685ef0fbb 100644
--- a/arch/arm64/boot/dts/freescale/imx93-tqma9352-mba93xxla.dts
+++ b/arch/arm64/boot/dts/freescale/imx93-tqma9352-mba93xxla.dts
@@ -437,7 +437,7 @@
pinctrl-0 = <&pinctrl_usdhc2_hs>, <&pinctrl_usdhc2_gpio>;
pinctrl-1 = <&pinctrl_usdhc2_uhs>, <&pinctrl_usdhc2_gpio>;
pinctrl-2 = <&pinctrl_usdhc2_uhs>, <&pinctrl_usdhc2_gpio>;
- cd-gpios = <&gpio3 00 GPIO_ACTIVE_LOW>;
+ cd-gpios = <&gpio3 0 GPIO_ACTIVE_LOW>;
vmmc-supply = <®_usdhc2_vmmc>;
bus-width = <4>;
no-sdio;
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 92/93] scsi: aacraid: Fix double-free on probe failure
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 91/93] arm64: dts: freescale: imx93-tqma9352-mba93xxla: fix typo Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-01 16:17 ` [PATCH 6.6 93/93] apparmor: fix policy_unpack_test on big endian systems Greg Kroah-Hartman
` (6 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michael Gordon, Ben Hutchings,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Hutchings <benh@debian.org>
[ Upstream commit 919ddf8336f0b84c0453bac583808c9f165a85c2 ]
aac_probe_one() calls hardware-specific init functions through the
aac_driver_ident::init pointer, all of which eventually call down to
aac_init_adapter().
If aac_init_adapter() fails after allocating memory for aac_dev::queues,
it frees the memory but does not clear that member.
After the hardware-specific init function returns an error,
aac_probe_one() goes down an error path that frees the memory pointed to
by aac_dev::queues, resulting.in a double-free.
Reported-by: Michael Gordon <m.gordon.zelenoborsky@gmail.com>
Link: https://bugs.debian.org/1075855
Fixes: 8e0c5ebde82b ("[SCSI] aacraid: Newer adapter communication iterface support")
Signed-off-by: Ben Hutchings <benh@debian.org>
Link: https://lore.kernel.org/r/ZsZvfqlQMveoL5KQ@decadent.org.uk
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/aacraid/comminit.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/scsi/aacraid/comminit.c b/drivers/scsi/aacraid/comminit.c
index bd99c5492b7d4..0f64b02443037 100644
--- a/drivers/scsi/aacraid/comminit.c
+++ b/drivers/scsi/aacraid/comminit.c
@@ -642,6 +642,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
if (aac_comm_init(dev)<0){
kfree(dev->queues);
+ dev->queues = NULL;
return NULL;
}
/*
@@ -649,6 +650,7 @@ struct aac_dev *aac_init_adapter(struct aac_dev *dev)
*/
if (aac_fib_setup(dev) < 0) {
kfree(dev->queues);
+ dev->queues = NULL;
return NULL;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* [PATCH 6.6 93/93] apparmor: fix policy_unpack_test on big endian systems
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 92/93] scsi: aacraid: Fix double-free on probe failure Greg Kroah-Hartman
@ 2024-09-01 16:17 ` Greg Kroah-Hartman
2024-09-02 10:58 ` [PATCH 6.6 00/93] 6.6.49-rc1 review Frank Scheiner
` (5 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Greg Kroah-Hartman @ 2024-09-01 16:17 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brendan Higgins, Kees Cook,
Guenter Roeck, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guenter Roeck <linux@roeck-us.net>
[ Upstream commit 98c0cc48e27e9d269a3e4db2acd72b486c88ec77 ]
policy_unpack_test fails on big endian systems because data byte order
is expected to be little endian but is generated in host byte order.
This results in test failures such as:
# policy_unpack_test_unpack_array_with_null_name: EXPECTATION FAILED at security/apparmor/policy_unpack_test.c:150
Expected array_size == (u16)16, but
array_size == 4096 (0x1000)
(u16)16 == 16 (0x10)
# policy_unpack_test_unpack_array_with_null_name: pass:0 fail:1 skip:0 total:1
not ok 3 policy_unpack_test_unpack_array_with_null_name
# policy_unpack_test_unpack_array_with_name: EXPECTATION FAILED at security/apparmor/policy_unpack_test.c:164
Expected array_size == (u16)16, but
array_size == 4096 (0x1000)
(u16)16 == 16 (0x10)
# policy_unpack_test_unpack_array_with_name: pass:0 fail:1 skip:0 total:1
Add the missing endianness conversions when generating test data.
Fixes: 4d944bcd4e73 ("apparmor: add AppArmor KUnit tests for policy unpack")
Cc: Brendan Higgins <brendanhiggins@google.com>
Cc: Kees Cook <keescook@chromium.org>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
security/apparmor/policy_unpack_test.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/security/apparmor/policy_unpack_test.c b/security/apparmor/policy_unpack_test.c
index 5c9bde25e56df..2b8003eb4f463 100644
--- a/security/apparmor/policy_unpack_test.c
+++ b/security/apparmor/policy_unpack_test.c
@@ -80,14 +80,14 @@ static struct aa_ext *build_aa_ext_struct(struct policy_unpack_fixture *puf,
*(buf + 1) = strlen(TEST_U32_NAME) + 1;
strscpy(buf + 3, TEST_U32_NAME, e->end - (void *)(buf + 3));
*(buf + 3 + strlen(TEST_U32_NAME) + 1) = AA_U32;
- *((u32 *)(buf + 3 + strlen(TEST_U32_NAME) + 2)) = TEST_U32_DATA;
+ *((__le32 *)(buf + 3 + strlen(TEST_U32_NAME) + 2)) = cpu_to_le32(TEST_U32_DATA);
buf = e->start + TEST_NAMED_U64_BUF_OFFSET;
*buf = AA_NAME;
*(buf + 1) = strlen(TEST_U64_NAME) + 1;
strscpy(buf + 3, TEST_U64_NAME, e->end - (void *)(buf + 3));
*(buf + 3 + strlen(TEST_U64_NAME) + 1) = AA_U64;
- *((u64 *)(buf + 3 + strlen(TEST_U64_NAME) + 2)) = TEST_U64_DATA;
+ *((__le64 *)(buf + 3 + strlen(TEST_U64_NAME) + 2)) = cpu_to_le64(TEST_U64_DATA);
buf = e->start + TEST_NAMED_BLOB_BUF_OFFSET;
*buf = AA_NAME;
@@ -103,7 +103,7 @@ static struct aa_ext *build_aa_ext_struct(struct policy_unpack_fixture *puf,
*(buf + 1) = strlen(TEST_ARRAY_NAME) + 1;
strscpy(buf + 3, TEST_ARRAY_NAME, e->end - (void *)(buf + 3));
*(buf + 3 + strlen(TEST_ARRAY_NAME) + 1) = AA_ARRAY;
- *((u16 *)(buf + 3 + strlen(TEST_ARRAY_NAME) + 2)) = TEST_ARRAY_SIZE;
+ *((__le16 *)(buf + 3 + strlen(TEST_ARRAY_NAME) + 2)) = cpu_to_le16(TEST_ARRAY_SIZE);
return e;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 101+ messages in thread* Re: [PATCH 6.6 00/93] 6.6.49-rc1 review
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2024-09-01 16:17 ` [PATCH 6.6 93/93] apparmor: fix policy_unpack_test on big endian systems Greg Kroah-Hartman
@ 2024-09-02 10:58 ` Frank Scheiner
2024-09-02 15:38 ` Naresh Kamboju
` (4 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Frank Scheiner @ 2024-09-02 10:58 UTC (permalink / raw)
To: gregkh
Cc: akpm, allen.lkml, broonie, conor, f.fainelli, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, srw, stable, sudipm.mukherjee, torvalds
> This is the start of the stable review cycle for the 6.6.49 release.
> There are 93 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 03 Sep 2024 16:07:34 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.49-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Cross-builds for ia64/hp-sim and runs fine in ski ([1]).
[1]:
https://github.com/linux-ia64/linux-stable-rc/actions/runs/10660100556#summary-29543888306
Tested-by: Frank Scheiner <frank.scheiner@web.de>
Cheers,
Frank
^ permalink raw reply [flat|nested] 101+ messages in thread* Re: [PATCH 6.6 00/93] 6.6.49-rc1 review
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2024-09-02 10:58 ` [PATCH 6.6 00/93] 6.6.49-rc1 review Frank Scheiner
@ 2024-09-02 15:38 ` Naresh Kamboju
2024-09-03 7:16 ` Ron Economos
` (3 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Naresh Kamboju @ 2024-09-02 15:38 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
On Sun, 1 Sept 2024 at 21:56, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.49 release.
> There are 93 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 03 Sep 2024 16:07:34 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.49-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build
* kernel: 6.6.49-rc1
* git: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git
* git commit: 8723d70ba720be0b854d252a378ac45c0a6db8a7
* git describe: v6.6.48-94-g8723d70ba720
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.6.y/build/v6.6.48-94-g8723d70ba720
## Test Regressions (compared to v6.6.47-342-g0ec2cf1e20ad)
## Metric Regressions (compared to v6.6.47-342-g0ec2cf1e20ad)
## Test Fixes (compared to v6.6.47-342-g0ec2cf1e20ad)
## Metric Fixes (compared to v6.6.47-342-g0ec2cf1e20ad)
## Test result summary
total: 198423, pass: 174521, fail: 1723, skip: 21956, xfail: 223
## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 129 total, 129 passed, 0 failed
* arm64: 41 total, 41 passed, 0 failed
* i386: 28 total, 26 passed, 2 failed
* mips: 26 total, 25 passed, 1 failed
* parisc: 4 total, 4 passed, 0 failed
* powerpc: 36 total, 35 passed, 1 failed
* riscv: 19 total, 19 passed, 0 failed
* s390: 14 total, 13 passed, 1 failed
* sh: 10 total, 10 passed, 0 failed
* sparc: 7 total, 7 passed, 0 failed
* x86_64: 33 total, 33 passed, 0 failed
## Test suites summary
* boot
* commands
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-efivarfs
* kselftest-exec
* kselftest-filesystems
* kselftest-filesystems-binderfs
* kselftest-filesystems-epoll
* kselftest-firmware
* kselftest-fpu
* kselftest-ftrace
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-kcmp
* kselftest-kvm
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-mincore
* kselftest-mqueue
* kselftest-net
* kselftest-net-mptcp
* kselftest-openat2
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-tc-testing
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user_events
* kselftest-vDSO
* kselftest-x86
* kselftesu
* kunit
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-hugetlb
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* perf
* rcutorture
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 101+ messages in thread* Re: [PATCH 6.6 00/93] 6.6.49-rc1 review
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2024-09-02 15:38 ` Naresh Kamboju
@ 2024-09-03 7:16 ` Ron Economos
2024-09-03 8:45 ` Jon Hunter
` (2 subsequent siblings)
98 siblings, 0 replies; 101+ messages in thread
From: Ron Economos @ 2024-09-03 7:16 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie
On 9/1/24 9:15 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.49 release.
> There are 93 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 03 Sep 2024 16:07:34 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.49-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 101+ messages in thread* Re: [PATCH 6.6 00/93] 6.6.49-rc1 review
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2024-09-03 7:16 ` Ron Economos
@ 2024-09-03 8:45 ` Jon Hunter
2024-09-03 11:41 ` Takeshi Ogasawara
2024-09-03 11:44 ` Mark Brown
98 siblings, 0 replies; 101+ messages in thread
From: Jon Hunter @ 2024-09-03 8:45 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie,
linux-tegra, stable
On Sun, 01 Sep 2024 18:15:47 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.49 release.
> There are 93 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 03 Sep 2024 16:07:34 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.49-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.6:
10 builds: 10 pass, 0 fail
26 boots: 26 pass, 0 fail
116 tests: 116 pass, 0 fail
Linux version: 6.6.49-rc1-g8723d70ba720
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra194-p3509-0000+p3668-0000,
tegra20-ventana, tegra210-p2371-2180,
tegra210-p3450-0000, tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 101+ messages in thread* Re: [PATCH 6.6 00/93] 6.6.49-rc1 review
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2024-09-03 8:45 ` Jon Hunter
@ 2024-09-03 11:41 ` Takeshi Ogasawara
2024-09-03 11:44 ` Mark Brown
98 siblings, 0 replies; 101+ messages in thread
From: Takeshi Ogasawara @ 2024-09-03 11:41 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
Hi Greg
On Mon, Sep 2, 2024 at 1:26 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.49 release.
> There are 93 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 03 Sep 2024 16:07:34 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.49-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
6.6.49-rc1 tested.
Build successfully completed.
Boot successfully completed.
No dmesg regressions.
Video output normal.
Sound output normal.
Lenovo ThinkPad X1 Carbon Gen10(Intel i7-1260P(x86_64) arch linux)
[ 0.000000] Linux version 6.6.49-rc1rv
(takeshi@ThinkPadX1Gen10J0764) (gcc (GCC) 14.2.1 20240805, GNU ld (GNU
Binutils) 2.43.0) #1 SMP PREEMPT_DYNAMIC Tue Sep 3 19:41:58 JST 2024
Thanks
Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
^ permalink raw reply [flat|nested] 101+ messages in thread* Re: [PATCH 6.6 00/93] 6.6.49-rc1 review
2024-09-01 16:15 [PATCH 6.6 00/93] 6.6.49-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2024-09-03 11:41 ` Takeshi Ogasawara
@ 2024-09-03 11:44 ` Mark Brown
98 siblings, 0 replies; 101+ messages in thread
From: Mark Brown @ 2024-09-03 11:44 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml
[-- Attachment #1: Type: text/plain, Size: 344 bytes --]
On Sun, Sep 01, 2024 at 06:15:47PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.49 release.
> There are 93 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 101+ messages in thread