* [PATCH 6.6 000/386] 6.6.55-rc1 review
@ 2024-10-08 12:04 Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 001/386] static_call: Handle module init failure correctly in static_call_del_module() Greg Kroah-Hartman
` (396 more replies)
0 siblings, 397 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
This is the start of the stable review cycle for the 6.6.55 release.
There are 386 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.55-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.6.55-rc1
Zhihao Cheng <chengzhihao1@huawei.com>
Revert "ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path"
Damien Le Moal <dlemoal@kernel.org>
null_blk: Fix return value of nullb_device_power_store()
Alex Hung <alex.hung@amd.com>
drm/amd/display: enable_hpo_dp_link_output: Check link_res->hpo_dp_link_enc before using it
Namhyung Kim <namhyung@kernel.org>
perf report: Fix segfault when 'sym' sort key is not used
Gabe Teeger <Gabe.Teeger@amd.com>
drm/amd/display: Revert Avoid overflow assignment
Herbert Xu <herbert@gondor.apana.org.au>
crypto: octeontx* - Select CRYPTO_AUTHENC
Haoran Zhang <wh1sper@zju.edu.cn>
vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()
David Howells <dhowells@redhat.com>
rxrpc: Fix a race between socket set up and I/O thread creation
Xiaolei Wang <xiaolei.wang@windriver.com>
net: stmmac: move the EST lock to struct stmmac_priv
Yu Kuai <yukuai3@huawei.com>
null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
null_blk: Remove usage of the deprecated ida_simple_xx() API
Mark Pearson <mpearson-lenovo@squebb.ca>
platform/x86: think-lmi: Fix password opcode ordering for workstations
Chen Yu <yu.c.chen@intel.com>
efi/unaccepted: touch soft lockup during memory accept
Mads Bligaard Nielsen <bli@bang-olufsen.dk>
drm/bridge: adv7511: fix crash on irq during probe
Nicolin Chen <nicolinc@nvidia.com>
iommufd: Fix protection fault in iommufd_test_syz_conv_iova
Vladimir Oltean <vladimir.oltean@nxp.com>
net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: restore set elements when delete set fails
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: fix memleak in map from abort path
Zhihao Cheng <chengzhihao1@huawei.com>
ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
Jonathan Gray <jsg@jsg.id.au>
Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link"
Val Packett <val@packett.cool>
drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066
Josef Bacik <josef@toxicpanda.com>
btrfs: drop the backref cache during relocation if we commit
David Sterba <dsterba@suse.com>
btrfs: relocation: constify parameters where possible
David Sterba <dsterba@suse.com>
btrfs: relocation: return bool from btrfs_should_ignore_reloc_root
Armin Wolf <W_Armin@gmx.de>
ACPI: battery: Fix possible crash when unregistering a battery hook
Armin Wolf <W_Armin@gmx.de>
ACPI: battery: Simplify battery hook locking
Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
clk: qcom: gcc-sc8180x: Add GPLL9 support
Heiner Kallweit <hkallweit1@gmail.com>
r8169: add tally counter fields added with RTL8125
Colin Ian King <colin.i.king@gmail.com>
r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun"
Vasileios Amoiridis <vassilisamir@gmail.com>
iio: pressure: bmp280: Fix waiting time for BMP3xx configuration
Vasileios Amoiridis <vassilisamir@gmail.com>
iio: pressure: bmp280: Fix regmap for BMP280 device
Vasileios Amoiridis <vassilisamir@gmail.com>
iio: pressure: bmp280: Use BME prefix for BME280 specifics
Vasileios Amoiridis <vassilisamir@gmail.com>
iio: pressure: bmp280: Improve indentation and line wrapping
Angel Iglesias <ang.iglesiasg@gmail.com>
iio: pressure: bmp280: Allow multiple chips id per family of devices
Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x
Manivannan Sadhasivam <mani@kernel.org>
dt-bindings: clock: qcom: Add missing UFS QREF clocks
Udit Kumar <u-kumar1@ti.com>
remoteproc: k3-r5: Delay notification of wakeup event
Beleswar Padhi <b-padhi@ti.com>
remoteproc: k3-r5: Acquire mailbox handle during probe routine
Umang Jain <umang.jain@ideasonboard.com>
media: imx335: Fix reset-gpio handling
Kieran Bingham <kieran.bingham@ideasonboard.com>
media: i2c: imx335: Enable regulator supplies
Long Li <longli@microsoft.com>
RDMA/mana_ib: use the correct page table index based on hardware page size
Haiyang Zhang <haiyangz@microsoft.com>
net: mana: Add support for page sizes other than 4KB on ARM64
Haiyang Zhang <haiyangz@microsoft.com>
net: mana: Enable MANA driver on ARM64 with 4K page size
Johannes Weiner <hannes@cmpxchg.org>
sched: psi: fix bogus pressure spikes from aggregation race
Andrii Nakryiko <andrii@kernel.org>
lib/buildid: harden build ID parsing logic
Alexey Dobriyan <adobriyan@gmail.com>
build-id: require program headers to be right after ELF header
Mario Limonciello <mario.limonciello@amd.com>
drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT`
Yosry Ahmed <yosryahmed@google.com>
mm: z3fold: deprecate CONFIG_Z3FOLD
Oleg Nesterov <oleg@redhat.com>
uprobes: fix kernel info leak via "[uprobes]" vma
Jens Axboe <axboe@kernel.dk>
io_uring/net: harden multishot termination case for recv
Mark Rutland <mark.rutland@arm.com>
arm64: errata: Expand speculative SSBS workaround once more
Mark Rutland <mark.rutland@arm.com>
arm64: cputype: Add Neoverse-N3 definitions
Ard Biesheuvel <ardb@kernel.org>
i2c: synquacer: Deal with optional PCLK correctly
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
i2c: synquacer: Remove a clk reference from struct synquacer_i2c
Heiner Kallweit <hkallweit1@gmail.com>
i2c: core: Lock address during client device instantiation
Wolfram Sang <wsa+renesas@sang-engineering.com>
i2c: create debugfs entry per adapter
Hans de Goede <hdegoede@redhat.com>
platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors
Hans de Goede <hdegoede@redhat.com>
platform/x86: x86-android-tablets: Create a platform_device from module_init()
Masahiro Yamada <masahiroy@kernel.org>
kconfig: qconf: fix buffer overflow in debug links
Uwe Kleine-König <ukleinek@debian.org>
cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock
Tom Chung <chiahsuan.chung@amd.com>
drm/amd/display: Fix system hang while resume with TBT monitor
Alex Hung <alex.hung@amd.com>
drm/amd/display: Add HDR workaround for specific eDP
Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
drm/sched: Add locking to drm_sched_entity_modify_sched
Jani Nikula <jani.nikula@intel.com>
drm/i915/gem: fix bitwise and logical AND mixup
Al Viro <viro@zeniv.linux.org.uk>
close_range(): fix the logics in descriptor table trimming
Eder Zulian <ezulian@redhat.com>
rtla: Fix the help text in osnoise and timerlat top tools
Wei Li <liwei391@huawei.com>
tracing/timerlat: Fix duplicated kthread creation due to CPU online/offline
Wei Li <liwei391@huawei.com>
tracing/timerlat: Fix a race during cpuhp processing
Wei Li <liwei391@huawei.com>
tracing/timerlat: Drop interface_lock in stop_kthread()
Wei Li <liwei391@huawei.com>
tracing/hwlat: Fix a race during cpuhp processing
Patrick Donnelly <pdonnell@redhat.com>
ceph: fix cap ref leak via netfs init_request
Jiawei Ye <jiawei.ye@foxmail.com>
mac802154: Fix potential RCU dereference issue in mac802154_scan_worker
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
Jiawen Wu <jiawenwu@trustnetic.com>
net: pcs: xpcs: fix the wrong register that was written back
Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
gpio: davinci: fix lazy disable
Miquel Sabaté Solà <mikisabate@gmail.com>
cpufreq: Avoid a bad reference count on CPU node
Filipe Manana <fdmanana@suse.com>
btrfs: wait for fixup workers before stopping cleaner kthread during umount
Filipe Manana <fdmanana@suse.com>
btrfs: send: fix invalid clone operation for file that got its size decreased
Qu Wenruo <wqu@suse.com>
btrfs: fix a NULL pointer dereference when failed to start a new trasacntion
Hans de Goede <hdegoede@redhat.com>
ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[]
Hans de Goede <hdegoede@redhat.com>
ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[]
Baokun Li <libaokun1@huawei.com>
cachefiles: fix dentry leak in cachefiles_open_file()
Nuno Sa <nuno.sa@analog.com>
Input: adp5589-keys - fix adp5589_gpio_get_value()
Nuno Sa <nuno.sa@analog.com>
Input: adp5589-keys - fix NULL pointer dereference
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
rtc: at91sam9: fix OF node leak in probe() error path
KhaiWenTan <khai.wen.tan@linux.intel.com>
net: stmmac: Fix zero-division error when disabling tc cbs
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
tomoyo: fallback to realpath if symlink's pathname does not exist
Willem de Bruijn <willemb@google.com>
gso: fix udp gso fraglist segmentation after pull from frag_list
Willem de Bruijn <willemb@google.com>
vrf: revert "vrf: Remove unnecessary RCU-bh critical section"
Barnabás Czémán <barnabas.czeman@mainlining.org>
iio: magnetometer: ak8975: Fix reading for ak099xx sensors
Steve French <stfrench@microsoft.com>
smb3: fix incorrect mode displayed for read-only files
wangrong <wangrong@uniontech.com>
smb: client: use actual path when queryfs
Ajit Pandey <quic_ajipan@quicinc.com>
clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL
Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table
Bryan O'Donoghue <bryan.odonoghue@linaro.org>
media: qcom: camss: Fix ordering of pm_runtime_enable
Bryan O'Donoghue <bryan.odonoghue@linaro.org>
media: qcom: camss: Remove use_count guard in stop_streaming
Manivannan Sadhasivam <mani@kernel.org>
clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable()
Zheng Wang <zyytlz.wz@163.com>
media: venus: fix use after free bug in venus_remove due to race condition
Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src
David Virag <virag.david003@gmail.com>
clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix
Mike Tipton <quic_mdtipton@quicinc.com>
clk: qcom: clk-rpmh: Fix overflow in BCM vote
Hans Verkuil <hverkuil-cisco@xs4all.nl>
media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags
Manivannan Sadhasivam <mani@kernel.org>
clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable()
Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
media: sun4i_csi: Implement link validate for sun4i_csi subdev
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks
Jan Kiszka <jan.kiszka@siemens.com>
remoteproc: k3-r5: Fix error handling when power-up failed
Sebastian Reichel <sebastian.reichel@collabora.com>
clk: rockchip: fix error for unknown clocks
Bryan O'Donoghue <bryan.odonoghue@linaro.org>
media: ov5675: Fix power on/off delay timings
Chun-Yi Lee <joeyli.kernel@gmail.com>
aoe: fix the potential use-after-free problem in more places
Alexandre Ghiti <alexghiti@rivosinc.com>
riscv: Fix kernel stack size when KASAN is enabled
Long Li <longli@microsoft.com>
RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page
Kaixin Wang <kxwang23@m.fudan.edu.cn>
i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition
Chuck Lever <chuck.lever@oracle.com>
NFSD: Fix NFSv4's PUTPUBFH operation
Li Lingfeng <lilingfeng3@huawei.com>
nfsd: map the EBADMSG to nfserr_io to avoid warning
NeilBrown <neilb@suse.de>
nfsd: fix delegation_blocked() to block correctly for at least 30 seconds
Matt Fleming <matt@readmodwrite.com>
perf hist: Update hist symbol when updating maps
Arnaldo Carvalho de Melo <acme@redhat.com>
perf python: Disable -Wno-cast-function-type-mismatch if present on clang
Yuezhang Mo <Yuezhang.Mo@sony.com>
exfat: fix memory leak in exfat_load_bitmap()
Jisheng Zhang <jszhang@kernel.org>
riscv: define ILLEGAL_POINTER_VALUE for 64bit
Easwar Hariharan <eahariha@linux.microsoft.com>
arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386
Mark Rutland <mark.rutland@arm.com>
arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS
Lizhi Xu <lizhi.xu@windriver.com>
ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate
Julian Sun <sunjunchao2870@gmail.com>
ocfs2: fix null-ptr-deref when journal load failed.
Lizhi Xu <lizhi.xu@windriver.com>
ocfs2: remove unreasonable unlock in ocfs2_read_blocks
Joseph Qi <joseph.qi@linux.alibaba.com>
ocfs2: cancel dqi_sync_work before freeing oinfo
Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
ocfs2: reserve space for inline xattr before attaching reflink tree
Joseph Qi <joseph.qi@linux.alibaba.com>
ocfs2: fix uninit-value in ocfs2_get_block()
Heming Zhao <heming.zhao@suse.com>
ocfs2: fix the la space leak when unmounting an ocfs2 volume
Danilo Krummrich <dakr@kernel.org>
mm: krealloc: consider spare memory for __GFP_ZERO
Kemeng Shi <shikemeng@huaweicloud.com>
jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit
Baokun Li <libaokun1@huawei.com>
jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error
Huang Ying <ying.huang@intel.com>
resource: fix region_intersects() vs add_memory_driver_managed()
Ma Ke <make24@iscas.ac.cn>
drm: omapdrm: Add missing check for alloc_ordered_workqueue
Andrew Jones <ajones@ventanamicro.com>
of/irq: Support #msi-cells=<0> in of_msi_get_domain
Thomas Weißschuh <thomas.weissschuh@linutronix.de>
of: address: Report error on resource bounds overflow
Val Packett <val@packett.cool>
drm/rockchip: vop: clear DMA stop bit on RK3066
Helge Deller <deller@gmx.de>
parisc: Fix stack start for ADDR_NO_RANDOMIZE personality
Helge Deller <deller@kernel.org>
parisc: Allow mmap(MAP_STACK) memory to automatically expand upwards
Helge Deller <deller@kernel.org>
parisc: Fix 64-bit userspace syscall path
Luis Henriques (SUSE) <luis.henriques@linux.dev>
ext4: mark fc as ineligible using an handle in ext4_xattr_set()
Luis Henriques (SUSE) <luis.henriques@linux.dev>
ext4: use handle to mark fc as ineligible in __track_dentry_update()
Luis Henriques (SUSE) <luis.henriques@linux.dev>
ext4: fix fast commit inode enqueueing during a full journal commit
Luis Henriques (SUSE) <luis.henriques@linux.dev>
ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list()
Luis Henriques (SUSE) <luis.henriques@linux.dev>
ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit()
Baokun Li <libaokun1@huawei.com>
ext4: update orig_path in ext4_find_extent()
Xiaxi Shen <shenxiaxi26@gmail.com>
ext4: fix timer use-after-free on failed mount
Baokun Li <libaokun1@huawei.com>
ext4: fix double brelse() the buffer of the extents path
Baokun Li <libaokun1@huawei.com>
ext4: aovid use-after-free in ext4_ext_insert_extent()
Baokun Li <libaokun1@huawei.com>
ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free
Luis Henriques (SUSE) <luis.henriques@linux.dev>
ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space()
Zhihao Cheng <chengzhihao1@huawei.com>
ext4: dax: fix overflowing extents beyond inode size when partially writing
Luis Henriques (SUSE) <luis.henriques@linux.dev>
ext4: fix incorrect tid assumption in ext4_fc_mark_ineligible()
Baokun Li <libaokun1@huawei.com>
ext4: propagate errors from ext4_find_extent() in ext4_insert_range()
Baokun Li <libaokun1@huawei.com>
ext4: fix slab-use-after-free in ext4_split_extent_at()
yao.ly <yao.ly@linux.alibaba.com>
ext4: correct encrypted dentry name hash when not casefolded
Edward Adam Davis <eadavis@qq.com>
ext4: no need to continue when the number of entries is 1
Abhishek Tamboli <abhishektamboli9@gmail.com>
ALSA: hda/realtek: Add a quirk for HP Pavilion 15z-ec200
Ai Chao <aichao@kylinos.cn>
ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9
Hans P. Moller <hmoller@uc.cl>
ALSA: line6: add hw monitor volume control to POD HD500X
Jan Lalinsky <lalinsky@c4.cz>
ALSA: usb-audio: Add native DSD support for Luxman D-08u
Lianqin Hu <hulianqin@vivo.com>
ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET
Jaroslav Kysela <perex@perex.cz>
ALSA: core: add isascii() check to card ID generator
Baojun Xu <baojun.xu@ti.com>
ALSA: hda/tas2781: Add new quirk for Lenovo Y990 Laptop
Thomas Zimmermann <tzimmermann@suse.de>
drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS
Javier Carrasco <javier.carrasco.cruz@gmail.com>
drm/mediatek: ovl_adaptor: Add missing of_node_put()
Helge Deller <deller@gmx.de>
parisc: Fix itlb miss handler for 64-bit programs
Luo Gengkun <luogengkun@huaweicloud.com>
perf/core: Fix small negative period being ignored
Hans de Goede <hdegoede@redhat.com>
power: supply: hwmon: Fix missing temp1_max_alarm attribute
Jinjie Ruan <ruanjinjie@huawei.com>
spi: bcm63xx: Fix missing pm_runtime_disable()
Jinjie Ruan <ruanjinjie@huawei.com>
spi: bcm63xx: Fix module autoloading
David Virag <virag.david003@gmail.com>
dt-bindings: clock: exynos7885: Fix duplicated binding
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
memory: tegra186-emc: drop unused to_tegra186_emc()
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp()
Mike Baynton <mike@mbaynton.com>
ovl: fail if trusted xattrs are needed but caller lacks permission
Alice Ryhl <aliceryhl@google.com>
rust: sync: require `T: Sync` for `LockedBy::access`
Kimriver Liu <kimriver.liu@siengine.com>
i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled
Jinjie Ruan <ruanjinjie@huawei.com>
i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled
Alexander Shiyan <eagle.alexander923@gmail.com>
media: i2c: ar0521: Use cansleep version of gpiod_set_value()
Robert Hancock <robert.hancock@calian.com>
i2c: xiic: Wait for TX empty to avoid missed TX NAKs
Jinjie Ruan <ruanjinjie@huawei.com>
i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq()
Marek Vasut <marex@denx.de>
i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume
Zach Wade <zachwade.k@gmail.com>
platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
Takashi Iwai <tiwai@suse.de>
Revert "ALSA: hda: Conditionally use snooping for AMD HDMI"
Heiko Carstens <hca@linux.ibm.com>
selftests: vDSO: fix vdso_config for s390
Jens Remus <jremus@linux.ibm.com>
selftests: vDSO: fix ELF hash table entry size for s390x
Christophe Leroy <christophe.leroy@csgroup.eu>
powerpc/vdso: Fix VDSO data access when running in a non-root time namespace
David Hildenbrand <david@redhat.com>
selftests/mm: fix charge_reserved_hugetlb.sh test
Christophe Leroy <christophe.leroy@csgroup.eu>
selftests: vDSO: fix vDSO symbols lookup for powerpc64
Christophe Leroy <christophe.leroy@csgroup.eu>
selftests: vDSO: fix vdso_config for powerpc
Christophe Leroy <christophe.leroy@csgroup.eu>
selftests: vDSO: fix vDSO name for powerpc
Namhyung Kim <namhyung@kernel.org>
perf: Really fix event_function_call() locking
Ian Rogers <irogers@google.com>
perf callchain: Fix stitch LBR memory leaks
Biju Das <biju.das.jz@bp.renesas.com>
spi: rpc-if: Add missing MODULE_DEVICE_TABLE
Alexander F. Lent <lx@xanderlent.com>
accel/ivpu: Add missing MODULE_FIRMWARE metadata
Yifei Liu <yifei.l.liu@oracle.com>
selftests: breakpoints: use remaining time to check if suspend succeed
Ben Dooks <ben.dooks@codethink.co.uk>
spi: s3c64xx: fix timeout counters in flush_fifo
Yun Lu <luyun@kylinos.cn>
selftest: hid: add missing run-hid-tools-tests.sh
Jinjie Ruan <ruanjinjie@huawei.com>
spi: spi-cadence: Fix missing spi_controller_is_target() check
Jinjie Ruan <ruanjinjie@huawei.com>
spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled
Li Zetao <lizetao1@huawei.com>
spi: spi-cadence: Use helper function devm_clk_get_enabled()
Jinjie Ruan <ruanjinjie@huawei.com>
spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled
Kuan-Wei Chiu <visitorckw@gmail.com>
bpftool: Fix undefined behavior in qsort(NULL, 0, ...)
Christoph Hellwig <hch@lst.de>
iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release
Kuan-Wei Chiu <visitorckw@gmail.com>
bpftool: Fix undefined behavior caused by shifting into the sign bit
Artem Sadovnikov <ancowi69@gmail.com>
ext4: fix i_data_sem unlock order in ext4_ind_migrate()
Baokun Li <libaokun1@huawei.com>
ext4: avoid use-after-free in ext4_ext_show_leaf()
Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
ext4: ext4_search_dir should return a proper error
Juntong Deng <juntong.deng@outlook.com>
bpf: Make the pointer returned by iter next method valid
Jan Kara <jack@suse.cz>
ext4: don't set SB_RDONLY after filesystem errors
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: add refcnt to ksmbd_conn struct
Gergo Koteles <soyer@irl.hu>
platform/x86: lenovo-ymc: Ignore the 0x0 state
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/gfx10: use rlc safe mode for soft recovery
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/gfx11: use rlc safe mode for soft recovery
Haren Myneni <haren@linux.ibm.com>
powerpc/pseries: Use correct data types from pseries_hp_errorlog struct
Geert Uytterhoeven <geert+renesas@glider.be>
of/irq: Refer to actual buffer size in of_irq_parse_one()
Tim Huang <tim.huang@amd.com>
drm/amd/pm: ensure the fw_info is not null before using it
Alex Deucher <alexander.deucher@amd.com>
drm/amdgpu/gfx9: use rlc safe mode for soft recovery
Victor Skvortsov <victor.skvortsov@amd.com>
drm/amdgpu: Block MMR_READ IOCTL in reset
Geert Uytterhoeven <geert+renesas@glider.be>
drm/radeon/r100: Handle unknown family in r100_cp_init_microcode()
Finn Thain <fthain@linux-m68k.org>
scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers
Peter Zijlstra <peterz@infradead.org>
perf: Fix event_function_call() locking
Tim Huang <tim.huang@amd.com>
drm/amdgpu: fix unchecked return value warning for amdgpu_gfx
Justin Tee <justin.tee@broadcom.com>
scsi: lpfc: Update PRLO handling in direct attached topology
Kees Cook <kees@kernel.org>
scsi: aacraid: Rearrange order of struct aac_srb_unit
Andrii Nakryiko <andrii@kernel.org>
perf,x86: avoid missing caller address in stack traces captured in uprobe
Matthew Brost <matthew.brost@intel.com>
drm/printer: Allow NULL data in devcoredump printer
Alex Hung <alex.hung@amd.com>
drm/amd/display: Initialize get_bytes_per_element's default to 1
Alex Hung <alex.hung@amd.com>
drm/amd/display: Avoid overflow assignment in link_dp_cts
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amd/display: Fix index out of bounds in DCN30 color transformation
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amd/display: Fix index out of bounds in degamma hardware format translation
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation
Alex Hung <alex.hung@amd.com>
drm/amd/display: Check link_res->hpo_dp_link_enc before using it
Alex Hung <alex.hung@amd.com>
drm/amd/display: Check stream before comparing them
Yannick Fertre <yannick.fertre@foss.st.com>
drm/stm: ltdc: reset plane transparency after plane disable
Ckath <ckath@yandex.ru>
platform/x86: touchscreen_dmi: add nanote-next quirk
Vishnu Sankar <vishnuocv@gmail.com>
HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio
Jesse Zhang <jesse.zhang@amd.com>
drm/amdkfd: Fix resource leak in criu restore queue
Peng Liu <liupeng01@kylinos.cn>
drm/amdgpu: enable gfxoff quirk on HP 705G4
Peng Liu <liupeng01@kylinos.cn>
drm/amdgpu: add raven1 gfxoff quirk
Zhao Mengmeng <zhaomengmeng@kylinos.cn>
jfs: Fix uninit-value access of new_ea in ea_buffer
Konrad Dybcio <konrad.dybcio@linaro.org>
drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs
Mahesh Rajashekhara <mahesh.rajashekhara@microchip.com>
scsi: smartpqi: correct stream detection
Edward Adam Davis <eadavis@qq.com>
jfs: check if leafidx greater than num leaves per dmap tree
Edward Adam Davis <eadavis@qq.com>
jfs: Fix uaf in dbFreeBits
Remington Brasga <rbrasga@uci.edu>
jfs: UBSAN: shift-out-of-bounds in dbFindBits
Tim Huang <tim.huang@amd.com>
drm/amd/display: fix double free issue during amdgpu module unload
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amd/display: Add null check for 'afb' in amdgpu_dm_plane_handle_cursor_update (v2)
Alex Hung <alex.hung@amd.com>
drm/amd/display: Check null pointers before using dc->clk_mgr
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amd/display: Handle null 'stream_status' in 'planes_changed_for_existing_stream'
Hans de Goede <hdegoede@redhat.com>
HID: Ignore battery for all ELAN I2C-HID devices
Damien Le Moal <dlemoal@kernel.org>
ata: sata_sil: Rename sil_blacklist to sil_quirks
Damien Le Moal <dlemoal@kernel.org>
ata: pata_serverworks: Do not use the term blacklist
Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream
Philip Yang <Philip.Yang@amd.com>
drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer
Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit
Katya Orlova <e.orlova@ispras.ru>
drm/stm: Avoid use-after-free issues with crtc and plane
Michal Koutný <mkoutny@suse.com>
cgroup: Disallow mounting v1 hierarchies without controller implementation
Sanjay K Kumar <sanjay.k.kumar@intel.com>
iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count
Lu Baolu <baolu.lu@linux.intel.com>
iommu/vt-d: Always reserve a domain ID for identity setup
Andrew Davis <afd@ti.com>
power: reset: brcmstb: Do not go into infinite loop if reset fails
Paul E. McKenney <paulmck@kernel.org>
rcuscale: Provide clear error when async specified without primitives
Kaixin Wang <kxwang23@m.fudan.edu.cn>
fbdev: pxafb: Fix possible use after free in pxafb_task()
Thomas Weißschuh <linux@weissschuh.net>
fbdev: efifb: Register sysfs groups through driver core
Denis Pauk <pauk.denis@gmail.com>
hwmon: (nct6775) add G15CF to ASUS WMI monitoring list
Kees Cook <kees@kernel.org>
x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments()
Thomas Weißschuh <linux@weissschuh.net>
selftests/nolibc: avoid passing NULL to printf("%s")
Thomas Weißschuh <linux@weissschuh.net>
tools/nolibc: powerpc: limit stack-protector workaround to GCC
Takashi Iwai <tiwai@suse.de>
ALSA: hdsp: Break infinite MIDI input flush loop
Takashi Iwai <tiwai@suse.de>
ALSA: asihpi: Fix potential OOB array access
Tao Liu <ltao@redhat.com>
x86/kexec: Add EFI config table identity mapping for kexec kernel
Aruna Ramakrishna <aruna.ramakrishna@oracle.com>
x86/pkeys: Restore altstack access in sigreturn()
Aruna Ramakrishna <aruna.ramakrishna@oracle.com>
x86/pkeys: Add PKRU as a parameter in signal handling functions
Ahmed S. Darwish <darwi@linutronix.de>
tools/x86/kcpuid: Protect against faulty "max subleaf" values
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
ASoC: codecs: wsa883x: Handle reading version failure
Joshua Pius <joshuapius@chromium.org>
ALSA: usb-audio: Add logitech Audio profile quirk
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Replace complex quirk lines with macros
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Define macros for quirk table entries
Karol Kosik <k.kosik@outlook.com>
ALSA: usb-audio: Support multiple control interfaces
Thomas Gleixner <tglx@linutronix.de>
x86/ioapic: Handle allocation failures gracefully
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Add input value sanity checks for standard types
Jinjie Ruan <ruanjinjie@huawei.com>
nfp: Use IRQF_NO_AUTOEN flag in request_irq()
Gustavo A. R. Silva <gustavoars@kernel.org>
wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()
Felix Fietkau <nbd@nbd.name>
wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker
Benjamin Lin <benjamin-jw.lin@mediatek.com>
wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation
Stefan Mätje <stefan.maetje@esd.eu>
can: netlink: avoid call to do_set_data_bittiming callback with stale can_priv::ctrlmode
James Clark <james.clark@linaro.org>
drivers/perf: arm_spe: Use perf_allow_kernel() for permissions
Adrian Ratiu <adrian.ratiu@collabora.com>
proc: add config & param to block forcing mem writes
Aleksandrs Vinarskis <alex.vinarskis@gmail.com>
ACPICA: iasl: handle empty connection_node
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: fix RCU list iterations
Miri Korenblit <miriam.rachel.korenblit@intel.com>
wifi: iwlwifi: mvm: avoid NULL pointer dereference
Johannes Berg <johannes.berg@intel.com>
wifi: iwlwifi: mvm: use correct key iteration
Jason Xing <kernelxing@tencent.com>
tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process
Breno Leitao <leitao@debian.org>
netpoll: Ensure clean state on setup failures
Herbert Xu <herbert@gondor.apana.org.au>
crypto: simd - Do not call crypto_alloc_tfm during registration
Simon Horman <horms@kernel.org>
net: atlantic: Avoid warning about potential string truncation
Ido Schimmel <idosch@nvidia.com>
ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family
Ping-Ke Shih <pkshih@realtek.com>
wifi: rtw89: correct base HT rate mask for firmware
Kuniyuki Iwashima <kuniyu@amazon.com>
ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR).
Simon Horman <horms@kernel.org>
bnxt_en: Extend maximum length of version string by 1 byte
Simon Horman <horms@kernel.org>
net: mvpp2: Increase size of queue_name buffer
Simon Horman <horms@kernel.org>
tipc: guard against string buffer overrun
Pei Xiao <xiaopei01@kylinos.cn>
ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()
Rafael J. Wysocki <rafael.j.wysocki@intel.com>
ACPI: EC: Do not release locks during operation region accesses
Zong-Zhe Yang <kevin_yang@realtek.com>
wifi: rtw88: select WANT_DEV_COREDUMP
Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
wifi: ath11k: fix array out-of-bound access in SoC stats
Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
wifi: ath12k: fix array out-of-bound access in SoC stats
Konstantin Ovsepian <ovs@ovs.to>
blk_iocost: fix more out of bound shifts
Mario Limonciello <mario.limonciello@amd.com>
ACPI: CPPC: Add support for setting EPP register in FFH
Hans de Goede <hdegoede@redhat.com>
ACPI: video: Add force_vendor quirk for Panasonic Toughbook CF-18
Hilda Wu <hildawu@realtek.com>
Bluetooth: btrtl: Set msft ext address filter quirk for RTL8852B
Hilda Wu <hildawu@realtek.com>
Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0489:0xe122
Dmitry Antipov <dmantipov@yandex.ru>
net: sched: consistently use rcu_replace_pointer() in taprio_change()
Felix Fietkau <nbd@nbd.name>
wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable
Vitaly Lifshits <vitaly.lifshits@intel.com>
e1000e: avoid failing the system during pm_suspend
Armin Wolf <W_Armin@gmx.de>
ACPICA: Fix memory leak if acpi_ps_get_next_field() fails
Armin Wolf <W_Armin@gmx.de>
ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails
Seiji Nishikawa <snishika@redhat.com>
ACPI: PAD: fix crash in exit_round_robin()
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
net: hisilicon: hns_mdio: fix OF node leak in probe()
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info()
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
net: hisilicon: hip04: fix OF node leak in probe()
Jeongjun Park <aha310510@gmail.com>
net/xen-netback: prevent UAF in xenvif_flush_hash()
Issam Hamdi <ih@simonwunderlich.de>
wifi: cfg80211: Set correct chandef when starting CAC
Johannes Berg <johannes.berg@intel.com>
wifi: iwlwifi: mvm: drop wrong STA selection in TX
Ilan Peer <ilan.peer@intel.com>
wifi: iwlwifi: mvm: Fix a race in scan abort flow
Aleksandr Mishin <amishin@t-argos.ru>
ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node()
Herbert Xu <herbert@gondor.apana.org.au>
crypto: octeontx2 - Fix authenc setkey
Herbert Xu <herbert@gondor.apana.org.au>
crypto: octeontx - Fix authenc setkey
Fangrui Song <maskray@google.com>
crypto: x86/sha256 - Add parentheses around macros' single arguments
Toke Høiland-Jørgensen <toke@redhat.com>
wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit
Chih-Kang Chang <gary.chang@realtek.com>
wifi: rtw89: avoid to add interface to list twice when SER
Dmitry Kandybka <d.kandybka@gmail.com>
wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats()
Takashi Iwai <tiwai@suse.de>
ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
ALSA: gus: Fix some error handling paths related to get_bpos() usage
Pali Rohár <pali@kernel.org>
cifs: Do not convert delimiter when parsing NFS-style symlinks
Pali Rohár <pali@kernel.org>
cifs: Fix buffer overflow when parsing NFS reparse points
Hui Wang <hui.wang@canonical.com>
ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m
Takashi Iwai <tiwai@suse.de>
ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs
Pali Rohár <pali@kernel.org>
cifs: Remove intermediate object of failed create reparse call
Oder Chiou <oder_chiou@realtek.com>
ALSA: hda/realtek: Fix the push button function for the ALC257
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
ALSA: mixer_oss: Remove some incorrect kfree_const() usages
Andrei Simion <andrei.simion@microchip.com>
ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is uninitialized
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix not validating setsockopt user input
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: ISO: Fix not validating setsockopt user input
Benjamin Gaignard <benjamin.gaignard@collabora.com>
media: usbtv: Remove useless locks in usbtv_video_free()
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_sock: Fix not validating setsockopt user input
Christoph Hellwig <hch@lst.de>
loop: don't set QUEUE_FLAG_NOMERGES
Robert Hancock <robert.hancock@calian.com>
i2c: xiic: Try re-initialization on bus busy timeout
Marc Ferland <marc.ferland@sonatest.com>
i2c: xiic: improve error message when transfer fails to start
Xin Long <lucien.xin@gmail.com>
sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
Ravikanth Tuniki <ravikanth.tuniki@amd.com>
dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems
Darrick J. Wong <djwong@kernel.org>
iomap: constrain the file range passed to iomap_file_unshare
Eric Dumazet <edumazet@google.com>
ppp: do not assume bh is held in ppp_channel_bridge_input()
Eric Dumazet <edumazet@google.com>
net: test for not too small csum_start in virtio_net_hdr_to_skb()
Anton Danilov <littlesmilingcloud@gmail.com>
ipv4: ip_gre: Fix drops of small packets in ipgre_xmit
Shenwei Wang <shenwei.wang@nxp.com>
net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check
Eric Dumazet <edumazet@google.com>
net: add more sanity checks to qdisc_pkt_len_init()
Eric Dumazet <edumazet@google.com>
net: avoid potential underflow in qdisc_pkt_len_init() with UFO
Csókás, Bence <csokas.bence@prolan.hu>
net: fec: Reload PTP registers after link-state change
Csókás, Bence <csokas.bence@prolan.hu>
net: fec: Restart PPS after link state change
Aleksander Jan Bajkowski <olek2@wp.pl>
net: ethernet: lantiq_etop: fix memory disclosure
Daniel Borkmann <daniel@iogearbox.net>
net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size
Daniel Borkmann <daniel@iogearbox.net>
net: Add netif_get_gro_max_size helper for GRO
Jinjie Ruan <ruanjinjie@huawei.com>
Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq()
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix uaf in l2cap_connect
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: MGMT: Fix possible crash on mgmt_index_removed
Eric Dumazet <edumazet@google.com>
netfilter: nf_tables: prevent nf_skb_duplicated corruption
Phil Sutter <phil@nwl.cc>
selftests: netfilter: Fix nft_audit.sh for newer nft binaries
Jinjie Ruan <ruanjinjie@huawei.com>
net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable()
Jinjie Ruan <ruanjinjie@huawei.com>
net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq()
Phil Sutter <phil@nwl.cc>
netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED
Jianbo Liu <jianbol@nvidia.com>
net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice
Elena Salomatkina <esalomatkina@ispras.ru>
net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()
Mohamed Khalfella <mkhalfella@purestorage.com>
net/mlx5: Added cond_resched() to crdump collection
Gerd Bayer <gbayer@linux.ibm.com>
net/mlx5: Fix error path in multi-packet WQE transmit
Aakash Menon <aakash.r.menon@gmail.com>
net: sparx5: Fix invalid timestamps
Jinjie Ruan <ruanjinjie@huawei.com>
ieee802154: Fix build error
Xiubo Li <xiubli@redhat.com>
ceph: remove the incorrect Fw reference check when dirtying pages
Stefan Wahren <wahrenst@gmx.net>
mailbox: bcm2835: Fix timeout during suspend mode
Liao Chen <liaochen4@huawei.com>
mailbox: rockchip: fix a typo in module autoloading
Asad Kamal <asad.kamal@amd.com>
drm/amdgpu: Fix get each xcp macro
Daniel Wagner <dwagner@suse.de>
scsi: pm8001: Do not overwrite PCI queue mapping
Rafael Rocha <rrochavi@fnal.gov>
scsi: st: Fix input/output error on empty drive reset
Peter Zijlstra <peterz@infradead.org>
jump_label: Fix static_key_slow_dec() yet again
Thomas Gleixner <tglx@linutronix.de>
jump_label: Simplify and clarify static_key_fast_inc_cpus_locked()
Thomas Gleixner <tglx@linutronix.de>
static_call: Replace pointless WARN_ON() in static_call_module_notify()
Thomas Gleixner <tglx@linutronix.de>
static_call: Handle module init failure correctly in static_call_del_module()
-------------
Diffstat:
Documentation/admin-guide/kernel-parameters.txt | 10 +
Documentation/arch/arm64/silicon-errata.rst | 6 +
.../devicetree/bindings/net/xlnx,axi-ethernet.yaml | 3 +-
Makefile | 4 +-
arch/arm/crypto/aes-ce-glue.c | 2 +-
arch/arm/crypto/aes-neonbs-glue.c | 2 +-
arch/arm64/Kconfig | 7 +-
arch/arm64/include/asm/cputype.h | 2 +
arch/arm64/kernel/cpu_errata.c | 3 +
arch/loongarch/configs/loongson3_defconfig | 1 -
arch/parisc/include/asm/mman.h | 14 +
arch/parisc/kernel/entry.S | 6 +-
arch/parisc/kernel/syscall.S | 14 +-
arch/powerpc/configs/ppc64_defconfig | 1 -
arch/powerpc/include/asm/vdso_datapage.h | 15 +
arch/powerpc/kernel/asm-offsets.c | 2 +
arch/powerpc/kernel/vdso/cacheflush.S | 2 +-
arch/powerpc/kernel/vdso/datapage.S | 4 +-
arch/powerpc/platforms/pseries/dlpar.c | 17 -
arch/powerpc/platforms/pseries/hotplug-cpu.c | 2 +-
arch/powerpc/platforms/pseries/hotplug-memory.c | 16 +-
arch/powerpc/platforms/pseries/pmem.c | 2 +-
arch/riscv/Kconfig | 8 +-
arch/riscv/include/asm/thread_info.h | 7 +-
arch/x86/crypto/sha256-avx2-asm.S | 16 +-
arch/x86/events/core.c | 63 +
arch/x86/include/asm/fpu/signal.h | 2 +-
arch/x86/include/asm/syscall.h | 7 +-
arch/x86/kernel/apic/io_apic.c | 46 +-
arch/x86/kernel/fpu/signal.c | 6 +-
arch/x86/kernel/machine_kexec_64.c | 27 +
arch/x86/kernel/signal.c | 3 +-
arch/x86/kernel/signal_64.c | 6 +-
block/blk-iocost.c | 8 +-
crypto/simd.c | 76 +-
drivers/accel/ivpu/ivpu_fw.c | 4 +
drivers/acpi/acpi_pad.c | 6 +-
drivers/acpi/acpica/dbconvert.c | 2 +
drivers/acpi/acpica/exprep.c | 3 +
drivers/acpi/acpica/psargs.c | 47 +
drivers/acpi/battery.c | 28 +-
drivers/acpi/cppc_acpi.c | 10 +-
drivers/acpi/ec.c | 55 +-
drivers/acpi/resource.c | 14 +
drivers/acpi/video_detect.c | 8 +
drivers/ata/pata_serverworks.c | 16 +-
drivers/ata/sata_sil.c | 12 +-
drivers/block/aoe/aoecmd.c | 13 +-
drivers/block/loop.c | 15 +-
drivers/block/null_blk/main.c | 45 +-
drivers/bluetooth/btmrvl_sdio.c | 3 +-
drivers/bluetooth/btrtl.c | 1 +
drivers/bluetooth/btusb.c | 2 +
drivers/clk/qcom/clk-alpha-pll.c | 2 +-
drivers/clk/qcom/clk-rpmh.c | 2 +
drivers/clk/qcom/dispcc-sm8250.c | 3 +
drivers/clk/qcom/gcc-sc8180x.c | 88 +-
drivers/clk/qcom/gcc-sm8250.c | 6 +-
drivers/clk/qcom/gcc-sm8450.c | 4 +-
drivers/clk/rockchip/clk.c | 3 +-
drivers/clk/samsung/clk-exynos7885.c | 2 +-
drivers/cpufreq/intel_pstate.c | 20 +-
drivers/crypto/marvell/Kconfig | 2 +
drivers/crypto/marvell/octeontx/otx_cptvf_algs.c | 265 +--
drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c | 256 +--
drivers/firmware/efi/unaccepted_memory.c | 4 +
drivers/firmware/tegra/bpmp.c | 6 -
drivers/gpio/gpio-davinci.c | 8 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 14 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 4 +
drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 18 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 45 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h | 2 +-
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 +
drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 +
drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 6 +
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 +-
.../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 +-
.../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 5 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 19 +-
.../drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 +
.../amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 3 -
.../drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 3 +-
drivers/gpu/drm/amd/display/dc/core/dc.c | 6 +-
drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 6 +-
drivers/gpu/drm/amd/display/dc/dc_types.h | 1 +
.../gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 +
.../gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 4 +
.../dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 +-
.../display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 +-
.../amd/display/dc/link/hwss/link_hwss_hpo_dp.c | 12 +
drivers/gpu/drm/amd/display/dc/link/link_factory.c | 2 +-
.../drm/amd/pm/powerplay/hwmgr/processpptables.c | 2 +
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 22 +-
drivers/gpu/drm/drm_atomic_uapi.c | 2 +-
drivers/gpu/drm/drm_print.c | 13 +-
drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 +-
drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c | 4 +-
drivers/gpu/drm/msm/adreno/adreno_gpu.c | 1 +
drivers/gpu/drm/msm/msm_gpu.c | 1 -
drivers/gpu/drm/omapdrm/omap_drv.c | 5 +
drivers/gpu/drm/radeon/r100.c | 70 +-
drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 +
drivers/gpu/drm/rockchip/rockchip_drm_vop.h | 1 +
drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 2 +
drivers/gpu/drm/scheduler/sched_entity.c | 2 +
drivers/gpu/drm/stm/drv.c | 3 +-
drivers/gpu/drm/stm/ltdc.c | 76 +-
drivers/hid/hid-ids.h | 17 +-
drivers/hid/hid-input.c | 37 +-
drivers/hid/hid-multitouch.c | 6 +
drivers/hwmon/nct6775-platform.c | 1 +
drivers/i2c/busses/i2c-designware-common.c | 14 +
drivers/i2c/busses/i2c-designware-core.h | 1 +
drivers/i2c/busses/i2c-designware-master.c | 38 +
drivers/i2c/busses/i2c-qcom-geni.c | 4 +-
drivers/i2c/busses/i2c-stm32f7.c | 6 +-
drivers/i2c/busses/i2c-synquacer.c | 12 +-
drivers/i2c/busses/i2c-xiic.c | 69 +-
drivers/i2c/i2c-core-base.c | 39 +
drivers/i3c/master/svc-i3c-master.c | 1 +
drivers/iio/magnetometer/ak8975.c | 32 +-
drivers/iio/pressure/bmp280-core.c | 185 +-
drivers/iio/pressure/bmp280-regmap.c | 47 +-
drivers/iio/pressure/bmp280-spi.c | 4 +-
drivers/iio/pressure/bmp280.h | 49 +-
drivers/infiniband/hw/mana/main.c | 8 +-
drivers/input/keyboard/adp5589-keys.c | 22 +-
drivers/iommu/intel/dmar.c | 16 +-
drivers/iommu/intel/iommu.c | 6 +-
drivers/iommu/iommufd/selftest.c | 27 +-
drivers/mailbox/bcm2835-mailbox.c | 3 +-
drivers/mailbox/rockchip-mailbox.c | 2 +-
drivers/media/i2c/ar0521.c | 5 +-
drivers/media/i2c/imx335.c | 43 +-
drivers/media/i2c/ov5675.c | 12 +-
drivers/media/platform/qcom/camss/camss-video.c | 6 -
drivers/media/platform/qcom/camss/camss.c | 5 +-
drivers/media/platform/qcom/venus/core.c | 1 +
drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 +
drivers/media/usb/usbtv/usbtv-video.c | 7 -
drivers/memory/tegra/tegra186-emc.c | 5 -
drivers/net/can/dev/netlink.c | 102 +-
.../net/ethernet/aquantia/atlantic/aq_ethtool.c | 4 +-
drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +-
drivers/net/ethernet/freescale/fec.h | 9 +
drivers/net/ethernet/freescale/fec_main.c | 11 +-
drivers/net/ethernet/freescale/fec_ptp.c | 50 +
drivers/net/ethernet/hisilicon/hip04_eth.c | 1 +
drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 +
drivers/net/ethernet/hisilicon/hns_mdio.c | 1 +
drivers/net/ethernet/intel/e1000e/netdev.c | 19 +-
drivers/net/ethernet/intel/ice/ice_sched.c | 6 +-
drivers/net/ethernet/lantiq_etop.c | 4 +-
drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 +
.../ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 8 +-
drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 -
.../net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 +
.../net/ethernet/microchip/sparx5/sparx5_packet.c | 6 +-
drivers/net/ethernet/microsoft/Kconfig | 3 +-
drivers/net/ethernet/microsoft/mana/gdma_main.c | 10 +-
drivers/net/ethernet/microsoft/mana/hw_channel.c | 14 +-
drivers/net/ethernet/microsoft/mana/mana_en.c | 8 +-
drivers/net/ethernet/microsoft/mana/shm_channel.c | 13 +-
.../net/ethernet/netronome/nfp/nfp_net_common.c | 5 +-
drivers/net/ethernet/realtek/r8169_main.c | 31 +-
drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 +-
drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 +
drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 8 +-
drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 19 +-
drivers/net/ieee802154/Kconfig | 1 +
drivers/net/ieee802154/mcr20a.c | 5 +-
drivers/net/pcs/pcs-xpcs-wx.c | 2 +-
drivers/net/ppp/ppp_generic.c | 4 +-
drivers/net/vrf.c | 2 +
drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +-
drivers/net/wireless/ath/ath12k/dp_rx.c | 2 +-
drivers/net/wireless/ath/ath9k/debug.c | 4 +-
drivers/net/wireless/ath/ath9k/hif_usb.c | 6 +-
drivers/net/wireless/intel/iwlwifi/fw/api/scan.h | 13 +
drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c | 16 +-
drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 12 +-
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 42 +-
drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +-
drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
drivers/net/wireless/marvell/mwifiex/scan.c | 3 +-
drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 +
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 4 +-
drivers/net/wireless/mediatek/mt76/mt7915/main.c | 7 +
drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 +-
drivers/net/wireless/realtek/rtw88/Kconfig | 1 +
drivers/net/wireless/realtek/rtw89/mac80211.c | 4 +-
drivers/net/wireless/realtek/rtw89/phy.c | 4 +-
drivers/net/wireless/realtek/rtw89/util.h | 18 +
drivers/net/wwan/qcom_bam_dmux.c | 11 +-
drivers/net/xen-netback/hash.c | 5 +-
drivers/of/address.c | 5 +
drivers/of/irq.c | 38 +-
drivers/perf/arm_spe_pmu.c | 9 +-
.../x86/intel/speed_select_if/isst_if_common.c | 4 +-
drivers/platform/x86/lenovo-ymc.c | 2 +
drivers/platform/x86/think-lmi.c | 16 +-
drivers/platform/x86/touchscreen_dmi.c | 26 +
drivers/platform/x86/x86-android-tablets/core.c | 57 +-
drivers/power/reset/brcmstb-reboot.c | 3 -
drivers/power/supply/power_supply_hwmon.c | 3 +-
drivers/remoteproc/ti_k3_r5_remoteproc.c | 86 +-
drivers/rtc/rtc-at91sam9.c | 1 +
drivers/scsi/NCR5380.c | 4 +
drivers/scsi/aacraid/aacraid.h | 2 +-
drivers/scsi/lpfc/lpfc_els.c | 27 +-
drivers/scsi/lpfc/lpfc_nportdisc.c | 22 +-
drivers/scsi/pm8001/pm8001_init.c | 6 +-
drivers/scsi/smartpqi/smartpqi_init.c | 2 +-
drivers/scsi/st.c | 5 +-
drivers/spi/spi-bcm63xx.c | 9 +-
drivers/spi/spi-cadence.c | 31 +-
drivers/spi/spi-imx.c | 2 +-
drivers/spi/spi-rpc-if.c | 7 +
drivers/spi/spi-s3c64xx.c | 4 +-
drivers/vhost/scsi.c | 25 +-
drivers/video/fbdev/efifb.c | 11 +-
drivers/video/fbdev/pxafb.c | 1 +
fs/btrfs/backref.c | 12 +-
fs/btrfs/disk-io.c | 11 +
fs/btrfs/relocation.c | 150 +-
fs/btrfs/relocation.h | 9 +-
fs/btrfs/send.c | 23 +-
fs/cachefiles/namei.c | 7 +-
fs/ceph/addr.c | 6 +-
fs/dax.c | 6 +-
fs/exec.c | 3 +-
fs/exfat/balloc.c | 10 +-
fs/ext4/dir.c | 14 +-
fs/ext4/extents.c | 55 +-
fs/ext4/fast_commit.c | 49 +-
fs/ext4/file.c | 8 +-
fs/ext4/inode.c | 11 +-
fs/ext4/migrate.c | 2 +-
fs/ext4/move_extent.c | 1 -
fs/ext4/namei.c | 14 +-
fs/ext4/super.c | 11 +-
fs/ext4/xattr.c | 3 +-
fs/file.c | 93 +-
fs/iomap/buffered-io.c | 16 +-
fs/jbd2/checkpoint.c | 21 +-
fs/jbd2/journal.c | 4 +-
fs/jfs/jfs_discard.c | 11 +-
fs/jfs/jfs_dmap.c | 7 +-
fs/jfs/xattr.c | 2 +
fs/nfsd/nfs4state.c | 5 +-
fs/nfsd/nfs4xdr.c | 10 +-
fs/nfsd/vfs.c | 1 +
fs/ocfs2/aops.c | 5 +-
fs/ocfs2/buffer_head_io.c | 4 +-
fs/ocfs2/journal.c | 7 +-
fs/ocfs2/localalloc.c | 19 +
fs/ocfs2/quota_local.c | 8 +-
fs/ocfs2/refcounttree.c | 26 +-
fs/ocfs2/xattr.c | 11 +-
fs/overlayfs/params.c | 38 +-
fs/proc/base.c | 61 +-
fs/smb/client/cifsfs.c | 13 +-
fs/smb/client/cifsglob.h | 2 +-
fs/smb/client/inode.c | 19 +-
fs/smb/client/reparse.c | 16 +-
fs/smb/client/smb1ops.c | 2 +-
fs/smb/client/smb2inode.c | 24 +-
fs/smb/client/smb2ops.c | 19 +-
fs/smb/server/connection.c | 4 +-
fs/smb/server/connection.h | 1 +
fs/smb/server/oplock.c | 55 +-
fs/smb/server/vfs_cache.c | 3 +
include/crypto/internal/simd.h | 12 +-
include/drm/drm_print.h | 54 +-
include/dt-bindings/clock/exynos7885.h | 2 +-
include/dt-bindings/clock/qcom,gcc-sc8180x.h | 3 +
include/linux/cpufreq.h | 6 +-
include/linux/fdtable.h | 8 +-
include/linux/i2c.h | 5 +
include/linux/netdevice.h | 18 +
include/linux/perf_event.h | 8 +-
include/linux/stmmac.h | 1 -
include/linux/uprobes.h | 2 +
include/linux/virtio_net.h | 4 +-
include/net/mana/gdma.h | 10 +-
include/net/mana/mana.h | 3 +-
include/uapi/linux/cec.h | 6 +-
include/uapi/linux/netfilter/nf_tables.h | 2 +-
io_uring/net.c | 4 +-
kernel/bpf/verifier.c | 26 +-
kernel/cgroup/cgroup-v1.c | 12 +-
kernel/events/core.c | 33 +-
kernel/events/uprobes.c | 4 +-
kernel/fork.c | 32 +-
kernel/jump_label.c | 52 +-
kernel/rcu/rcuscale.c | 4 +-
kernel/resource.c | 58 +-
kernel/sched/psi.c | 26 +-
kernel/static_call_inline.c | 13 +-
kernel/trace/trace_hwlat.c | 2 +
kernel/trace/trace_osnoise.c | 22 +-
lib/buildid.c | 88 +-
mm/Kconfig | 25 +-
mm/slab_common.c | 7 +
net/bluetooth/hci_core.c | 2 +
net/bluetooth/hci_event.c | 15 +-
net/bluetooth/hci_sock.c | 21 +-
net/bluetooth/iso.c | 36 +-
net/bluetooth/l2cap_core.c | 8 -
net/bluetooth/l2cap_sock.c | 52 +-
net/bluetooth/mgmt.c | 23 +-
net/core/dev.c | 14 +-
net/core/gro.c | 9 +-
net/core/netpoll.c | 15 +-
net/dsa/slave.c | 7 +-
net/ipv4/devinet.c | 6 +-
net/ipv4/fib_frontend.c | 2 +-
net/ipv4/ip_gre.c | 6 +-
net/ipv4/netfilter/nf_dup_ipv4.c | 7 +-
net/ipv4/tcp_ipv4.c | 3 +
net/ipv4/udp_offload.c | 22 +-
net/ipv6/netfilter/nf_dup_ipv6.c | 7 +-
net/mac80211/chan.c | 4 +-
net/mac80211/mlme.c | 2 +-
net/mac80211/scan.c | 2 +-
net/mac80211/util.c | 4 +-
net/mac802154/scan.c | 4 +-
net/netfilter/nf_tables_api.c | 57 +-
net/netfilter/nft_set_bitmap.c | 4 +-
net/netfilter/nft_set_hash.c | 8 +-
net/netfilter/nft_set_pipapo.c | 5 +-
net/netfilter/nft_set_rbtree.c | 4 +-
net/rxrpc/ar-internal.h | 2 +-
net/rxrpc/io_thread.c | 10 +-
net/rxrpc/local_object.c | 2 +-
net/sched/sch_taprio.c | 4 +-
net/sctp/socket.c | 4 +-
net/tipc/bearer.c | 8 +-
net/wireless/nl80211.c | 15 +-
rust/kernel/sync/locked_by.rs | 18 +-
scripts/kconfig/qconf.cc | 2 +-
security/Kconfig | 32 +
security/tomoyo/domain.c | 9 +-
sound/core/init.c | 14 +-
sound/core/oss/mixer_oss.c | 4 +-
sound/isa/gus/gus_pcm.c | 4 +-
sound/pci/asihpi/hpimsgx.c | 2 +-
sound/pci/hda/hda_controller.h | 2 +-
sound/pci/hda/hda_generic.c | 4 +-
sound/pci/hda/hda_intel.c | 10 +-
sound/pci/hda/patch_conexant.c | 24 +-
sound/pci/hda/patch_realtek.c | 4 +
sound/pci/rme9652/hdsp.c | 6 +-
sound/pci/rme9652/hdspm.c | 6 +-
sound/soc/atmel/mchp-pdmc.c | 3 +
sound/soc/codecs/wsa883x.c | 16 +-
sound/soc/fsl/imx-card.c | 1 +
sound/usb/card.c | 8 +
sound/usb/clock.c | 62 +-
sound/usb/format.c | 6 +-
sound/usb/helper.c | 34 +
sound/usb/helper.h | 10 +-
sound/usb/line6/podhd.c | 2 +-
sound/usb/mixer.c | 37 +-
sound/usb/mixer.h | 1 +
sound/usb/mixer_quirks.c | 17 +-
sound/usb/mixer_scarlett.c | 4 +-
sound/usb/power.c | 3 +-
sound/usb/power.h | 1 +
sound/usb/quirks-table.h | 2283 ++++++--------------
sound/usb/quirks.c | 4 +
sound/usb/stream.c | 21 +-
sound/usb/usbaudio.h | 12 +
tools/arch/x86/kcpuid/kcpuid.c | 12 +-
tools/bpf/bpftool/net.c | 11 +-
tools/include/nolibc/arch-powerpc.h | 2 +-
tools/perf/util/hist.c | 7 +-
tools/perf/util/machine.c | 17 +-
tools/perf/util/setup.py | 2 +
tools/perf/util/thread.c | 4 +
tools/perf/util/thread.h | 1 +
.../breakpoints/step_after_suspend_test.c | 5 +-
tools/testing/selftests/hid/Makefile | 2 +
.../selftests/mm/charge_reserved_hugetlb.sh | 2 +-
tools/testing/selftests/mm/write_to_hugetlbfs.c | 23 +-
tools/testing/selftests/netfilter/nft_audit.sh | 57 +-
tools/testing/selftests/nolibc/nolibc-test.c | 4 +-
tools/testing/selftests/vDSO/parse_vdso.c | 17 +-
tools/testing/selftests/vDSO/vdso_config.h | 10 +-
.../testing/selftests/vDSO/vdso_test_correctness.c | 6 +
tools/tracing/rtla/src/osnoise_top.c | 2 +-
tools/tracing/rtla/src/timerlat_top.c | 4 +-
398 files changed, 4268 insertions(+), 3904 deletions(-)
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 001/386] static_call: Handle module init failure correctly in static_call_del_module()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 002/386] static_call: Replace pointless WARN_ON() in static_call_module_notify() Greg Kroah-Hartman
` (395 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jinjie Ruan, Thomas Gleixner,
Peter Zijlstra (Intel), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 4b30051c4864234ec57290c3d142db7c88f10d8a ]
Module insertion invokes static_call_add_module() to initialize the static
calls in a module. static_call_add_module() invokes __static_call_init(),
which allocates a struct static_call_mod to either encapsulate the built-in
static call sites of the associated key into it so further modules can be
added or to append the module to the module chain.
If that allocation fails the function returns with an error code and the
module core invokes static_call_del_module() to clean up eventually added
static_call_mod entries.
This works correctly, when all keys used by the module were converted over
to a module chain before the failure. If not then static_call_del_module()
causes a #GP as it blindly assumes that key::mods points to a valid struct
static_call_mod.
The problem is that key::mods is not a individual struct member of struct
static_call_key, it's part of a union to save space:
union {
/* bit 0: 0 = mods, 1 = sites */
unsigned long type;
struct static_call_mod *mods;
struct static_call_site *sites;
};
key::sites is a pointer to the list of built-in usage sites of the static
call. The type of the pointer is differentiated by bit 0. A mods pointer
has the bit clear, the sites pointer has the bit set.
As static_call_del_module() blidly assumes that the pointer is a valid
static_call_mod type, it fails to check for this failure case and
dereferences the pointer to the list of built-in call sites, which is
obviously bogus.
Cure it by checking whether the key has a sites or a mods pointer.
If it's a sites pointer then the key is not to be touched. As the sites are
walked in the same order as in __static_call_init() the site walk can be
terminated because all subsequent sites have not been touched by the init
code due to the error exit.
If it was converted before the allocation fail, then the inner loop which
searches for a module match will find nothing.
A fail in the second allocation in __static_call_init() is harmless and
does not require special treatment. The first allocation succeeded and
converted the key to a module chain. That first entry has mod::mod == NULL
and mod::next == NULL, so the inner loop of static_call_del_module() will
neither find a module match nor a module chain. The next site in the walk
was either already converted, but can't match the module, or it will exit
the outer loop because it has a static_call_site pointer and not a
static_call_mod pointer.
Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure")
Closes: https://lore.kernel.org/all/20230915082126.4187913-1-ruanjinjie@huawei.com
Reported-by: Jinjie Ruan <ruanjinjie@huawei.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Tested-by: Jinjie Ruan <ruanjinjie@huawei.com>
Link: https://lore.kernel.org/r/87zfon6b0s.ffs@tglx
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/static_call_inline.c | 11 +++++++++++
1 file changed, 11 insertions(+)
diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
index 639397b5491ca..7bb0962b52291 100644
--- a/kernel/static_call_inline.c
+++ b/kernel/static_call_inline.c
@@ -411,6 +411,17 @@ static void static_call_del_module(struct module *mod)
for (site = start; site < stop; site++) {
key = static_call_key(site);
+
+ /*
+ * If the key was not updated due to a memory allocation
+ * failure in __static_call_init() then treating key::sites
+ * as key::mods in the code below would cause random memory
+ * access and #GP. In that case all subsequent sites have
+ * not been touched either, so stop iterating.
+ */
+ if (!static_call_key_has_mods(key))
+ break;
+
if (key == prev_key)
continue;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 002/386] static_call: Replace pointless WARN_ON() in static_call_module_notify()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 001/386] static_call: Handle module init failure correctly in static_call_del_module() Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 003/386] jump_label: Simplify and clarify static_key_fast_inc_cpus_locked() Greg Kroah-Hartman
` (394 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner,
Peter Zijlstra (Intel), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit fe513c2ef0a172a58f158e2e70465c4317f0a9a2 ]
static_call_module_notify() triggers a WARN_ON(), when memory allocation
fails in __static_call_add_module().
That's not really justified, because the failure case must be correctly
handled by the well known call chain and the error code is passed
through to the initiating userspace application.
A memory allocation fail is not a fatal problem, but the WARN_ON() takes
the machine out when panic_on_warn is set.
Replace it with a pr_warn().
Fixes: 9183c3f9ed71 ("static_call: Add inline static call infrastructure")
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/8734mf7pmb.ffs@tglx
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/static_call_inline.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/static_call_inline.c b/kernel/static_call_inline.c
index 7bb0962b52291..5259cda486d05 100644
--- a/kernel/static_call_inline.c
+++ b/kernel/static_call_inline.c
@@ -453,7 +453,7 @@ static int static_call_module_notify(struct notifier_block *nb,
case MODULE_STATE_COMING:
ret = static_call_add_module(mod);
if (ret) {
- WARN(1, "Failed to allocate memory for static calls");
+ pr_warn("Failed to allocate memory for static calls\n");
static_call_del_module(mod);
}
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 003/386] jump_label: Simplify and clarify static_key_fast_inc_cpus_locked()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 001/386] static_call: Handle module init failure correctly in static_call_del_module() Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 002/386] static_call: Replace pointless WARN_ON() in static_call_module_notify() Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 004/386] jump_label: Fix static_key_slow_dec() yet again Greg Kroah-Hartman
` (393 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Gleixner,
Peter Zijlstra (Intel), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 9bc2ff871f00437ad2f10c1eceff51aaa72b478f ]
Make the code more obvious and add proper comments to avoid future head
scratching.
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20240610124406.548322963@linutronix.de
Stable-dep-of: 1d7f856c2ca4 ("jump_label: Fix static_key_slow_dec() yet again")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/jump_label.c | 20 +++++++++++---------
1 file changed, 11 insertions(+), 9 deletions(-)
diff --git a/kernel/jump_label.c b/kernel/jump_label.c
index 1ed269b2c4035..7374053bbe049 100644
--- a/kernel/jump_label.c
+++ b/kernel/jump_label.c
@@ -159,22 +159,24 @@ bool static_key_slow_inc_cpuslocked(struct static_key *key)
if (static_key_fast_inc_not_disabled(key))
return true;
- jump_label_lock();
- if (atomic_read(&key->enabled) == 0) {
- atomic_set(&key->enabled, -1);
+ guard(mutex)(&jump_label_mutex);
+ /* Try to mark it as 'enabling in progress. */
+ if (!atomic_cmpxchg(&key->enabled, 0, -1)) {
jump_label_update(key);
/*
- * Ensure that if the above cmpxchg loop observes our positive
- * value, it must also observe all the text changes.
+ * Ensure that when static_key_fast_inc_not_disabled() or
+ * static_key_slow_try_dec() observe the positive value,
+ * they must also observe all the text changes.
*/
atomic_set_release(&key->enabled, 1);
} else {
- if (WARN_ON_ONCE(!static_key_fast_inc_not_disabled(key))) {
- jump_label_unlock();
+ /*
+ * While holding the mutex this should never observe
+ * anything else than a value >= 1 and succeed
+ */
+ if (WARN_ON_ONCE(!static_key_fast_inc_not_disabled(key)))
return false;
- }
}
- jump_label_unlock();
return true;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 004/386] jump_label: Fix static_key_slow_dec() yet again
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 003/386] jump_label: Simplify and clarify static_key_fast_inc_cpus_locked() Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 005/386] scsi: st: Fix input/output error on empty drive reset Greg Kroah-Hartman
` (392 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Klara Modin,
Peter Zijlstra (Intel), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 1d7f856c2ca449f04a22d876e36b464b7a9d28b6 ]
While commit 83ab38ef0a0b ("jump_label: Fix concurrency issues in
static_key_slow_dec()") fixed one problem, it created yet another,
notably the following is now possible:
slow_dec
if (try_dec) // dec_not_one-ish, false
// enabled == 1
slow_inc
if (inc_not_disabled) // inc_not_zero-ish
// enabled == 2
return
guard((mutex)(&jump_label_mutex);
if (atomic_cmpxchg(1,0)==1) // false, we're 2
slow_dec
if (try-dec) // dec_not_one, true
// enabled == 1
return
else
try_dec() // dec_not_one, false
WARN
Use dec_and_test instead of cmpxchg(), like it was prior to
83ab38ef0a0b. Add a few WARNs for the paranoid.
Fixes: 83ab38ef0a0b ("jump_label: Fix concurrency issues in static_key_slow_dec()")
Reported-by: "Darrick J. Wong" <djwong@kernel.org>
Tested-by: Klara Modin <klarasmodin@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/jump_label.c | 34 +++++++++++++++++++++++++++-------
1 file changed, 27 insertions(+), 7 deletions(-)
diff --git a/kernel/jump_label.c b/kernel/jump_label.c
index 7374053bbe049..554e04b25b13a 100644
--- a/kernel/jump_label.c
+++ b/kernel/jump_label.c
@@ -165,7 +165,7 @@ bool static_key_slow_inc_cpuslocked(struct static_key *key)
jump_label_update(key);
/*
* Ensure that when static_key_fast_inc_not_disabled() or
- * static_key_slow_try_dec() observe the positive value,
+ * static_key_dec_not_one() observe the positive value,
* they must also observe all the text changes.
*/
atomic_set_release(&key->enabled, 1);
@@ -247,7 +247,7 @@ void static_key_disable(struct static_key *key)
}
EXPORT_SYMBOL_GPL(static_key_disable);
-static bool static_key_slow_try_dec(struct static_key *key)
+static bool static_key_dec_not_one(struct static_key *key)
{
int v;
@@ -271,6 +271,14 @@ static bool static_key_slow_try_dec(struct static_key *key)
* enabled. This suggests an ordering problem on the user side.
*/
WARN_ON_ONCE(v < 0);
+
+ /*
+ * Warn about underflow, and lie about success in an attempt to
+ * not make things worse.
+ */
+ if (WARN_ON_ONCE(v == 0))
+ return true;
+
if (v <= 1)
return false;
} while (!likely(atomic_try_cmpxchg(&key->enabled, &v, v - 1)));
@@ -281,15 +289,27 @@ static bool static_key_slow_try_dec(struct static_key *key)
static void __static_key_slow_dec_cpuslocked(struct static_key *key)
{
lockdep_assert_cpus_held();
+ int val;
- if (static_key_slow_try_dec(key))
+ if (static_key_dec_not_one(key))
return;
guard(mutex)(&jump_label_mutex);
- if (atomic_cmpxchg(&key->enabled, 1, 0) == 1)
+ val = atomic_read(&key->enabled);
+ /*
+ * It should be impossible to observe -1 with jump_label_mutex held,
+ * see static_key_slow_inc_cpuslocked().
+ */
+ if (WARN_ON_ONCE(val == -1))
+ return;
+ /*
+ * Cannot already be 0, something went sideways.
+ */
+ if (WARN_ON_ONCE(val == 0))
+ return;
+
+ if (atomic_dec_and_test(&key->enabled))
jump_label_update(key);
- else
- WARN_ON_ONCE(!static_key_slow_try_dec(key));
}
static void __static_key_slow_dec(struct static_key *key)
@@ -326,7 +346,7 @@ void __static_key_slow_dec_deferred(struct static_key *key,
{
STATIC_KEY_CHECK_USE(key);
- if (static_key_slow_try_dec(key))
+ if (static_key_dec_not_one(key))
return;
schedule_delayed_work(work, timeout);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 005/386] scsi: st: Fix input/output error on empty drive reset
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 004/386] jump_label: Fix static_key_slow_dec() yet again Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 006/386] scsi: pm8001: Do not overwrite PCI queue mapping Greg Kroah-Hartman
` (391 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael Rocha, Kai Mäkisara,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael Rocha <rrochavi@fnal.gov>
[ Upstream commit 3d882cca73be830549833517ddccb3ac4668c04e ]
A previous change was introduced to prevent data loss during a power-on
reset when a tape is present inside the drive. This commit set the
"pos_unknown" flag to true to avoid operations that could compromise data
by performing actions from an untracked position. The relevant change is
commit 9604eea5bd3a ("scsi: st: Add third party poweron reset handling")
As a consequence of this change, a new issue has surfaced: the driver now
returns an "Input/output error" even for empty drives when the drive, host,
or bus is reset. This issue stems from the "flush_buffer" function, which
first checks whether the "pos_unknown" flag is set. If the flag is set, the
user will encounter an "Input/output error" until the tape position is
known again. This behavior differs from the previous implementation, where
empty drives were not affected at system start up time, allowing tape
software to send commands to the driver to retrieve the drive's status and
other information.
The current behavior prioritizes the "pos_unknown" flag over the
"ST_NO_TAPE" status, leading to issues for software that detects drives
during system startup. This software will receive an "Input/output error"
until a tape is loaded and its position is known.
To resolve this, the "ST_NO_TAPE" status should take priority when the
drive is empty, allowing communication with the drive following a power-on
reset. At the same time, the change should continue to protect data by
maintaining the "pos_unknown" flag when the drive contains a tape and its
position is unknown.
Signed-off-by: Rafael Rocha <rrochavi@fnal.gov>
Link: https://lore.kernel.org/r/20240905173921.10944-1-rrochavi@fnal.gov
Fixes: 9604eea5bd3a ("scsi: st: Add third party poweron reset handling")
Acked-by: Kai Mäkisara <kai.makisara@kolumbus.fi>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/st.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/st.c b/drivers/scsi/st.c
index 338aa8c429682..212a402e75358 100644
--- a/drivers/scsi/st.c
+++ b/drivers/scsi/st.c
@@ -835,6 +835,9 @@ static int flush_buffer(struct scsi_tape *STp, int seek_next)
int backspace, result;
struct st_partstat *STps;
+ if (STp->ready != ST_READY)
+ return 0;
+
/*
* If there was a bus reset, block further access
* to this device.
@@ -842,8 +845,6 @@ static int flush_buffer(struct scsi_tape *STp, int seek_next)
if (STp->pos_unknown)
return (-EIO);
- if (STp->ready != ST_READY)
- return 0;
STps = &(STp->ps[STp->partition]);
if (STps->rw == ST_WRITING) /* Writing */
return st_flush_write_buffer(STp);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 006/386] scsi: pm8001: Do not overwrite PCI queue mapping
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 005/386] scsi: st: Fix input/output error on empty drive reset Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 007/386] drm/amdgpu: Fix get each xcp macro Greg Kroah-Hartman
` (390 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, John Garry,
Daniel Wagner, Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Wagner <dwagner@suse.de>
[ Upstream commit a141c17a543332fc1238eb5cba562bfc66879126 ]
blk_mq_pci_map_queues() maps all queues but right after this, we overwrite
these mappings by calling blk_mq_map_queues(). Just use one helper but not
both.
Fixes: 42f22fe36d51 ("scsi: pm8001: Expose hardware queues for pm80xx")
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: John Garry <john.g.garry@oracle.com>
Signed-off-by: Daniel Wagner <dwagner@suse.de>
Link: https://lore.kernel.org/r/20240912-do-not-overwrite-pci-mapping-v1-1-85724b6cec49@suse.de
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/pm8001/pm8001_init.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/scsi/pm8001/pm8001_init.c b/drivers/scsi/pm8001/pm8001_init.c
index 443a3176c6c0c..c2f6151cbd2d0 100644
--- a/drivers/scsi/pm8001/pm8001_init.c
+++ b/drivers/scsi/pm8001/pm8001_init.c
@@ -88,10 +88,12 @@ static void pm8001_map_queues(struct Scsi_Host *shost)
struct pm8001_hba_info *pm8001_ha = sha->lldd_ha;
struct blk_mq_queue_map *qmap = &shost->tag_set.map[HCTX_TYPE_DEFAULT];
- if (pm8001_ha->number_of_intr > 1)
+ if (pm8001_ha->number_of_intr > 1) {
blk_mq_pci_map_queues(qmap, pm8001_ha->pdev, 1);
+ return;
+ }
- return blk_mq_map_queues(qmap);
+ blk_mq_map_queues(qmap);
}
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 007/386] drm/amdgpu: Fix get each xcp macro
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 006/386] scsi: pm8001: Do not overwrite PCI queue mapping Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 008/386] mailbox: rockchip: fix a typo in module autoloading Greg Kroah-Hartman
` (389 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Asad Kamal, Lijo Lazar, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Asad Kamal <asad.kamal@amd.com>
[ Upstream commit ef126c06a98bde1a41303970eb0fc0ac33c3cc02 ]
Fix get each xcp macro to loop over each partition correctly
Fixes: 4bdca2057933 ("drm/amdgpu: Add utility functions for xcp")
Signed-off-by: Asad Kamal <asad.kamal@amd.com>
Reviewed-by: Lijo Lazar <lijo.lazar@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h
index 9a1036aeec2a0..9142238e7791a 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_xcp.h
@@ -179,6 +179,6 @@ amdgpu_get_next_xcp(struct amdgpu_xcp_mgr *xcp_mgr, int *from)
#define for_each_xcp(xcp_mgr, xcp, i) \
for (i = 0, xcp = amdgpu_get_next_xcp(xcp_mgr, &i); xcp; \
- xcp = amdgpu_get_next_xcp(xcp_mgr, &i))
+ ++i, xcp = amdgpu_get_next_xcp(xcp_mgr, &i))
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 008/386] mailbox: rockchip: fix a typo in module autoloading
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 007/386] drm/amdgpu: Fix get each xcp macro Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 009/386] mailbox: bcm2835: Fix timeout during suspend mode Greg Kroah-Hartman
` (388 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Liao Chen, Heiko Stuebner,
Jassi Brar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Liao Chen <liaochen4@huawei.com>
[ Upstream commit e92d87c9c5d769e4cb1dd7c90faa38dddd7e52e3 ]
MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match) could let the module
properly autoloaded based on the alias from of_device_id table. It
should be 'rockchip_mbox_of_match' instead of 'rockchp_mbox_of_match',
just fix it.
Fixes: f70ed3b5dc8b ("mailbox: rockchip: Add Rockchip mailbox driver")
Signed-off-by: Liao Chen <liaochen4@huawei.com>
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/rockchip-mailbox.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/mailbox/rockchip-mailbox.c b/drivers/mailbox/rockchip-mailbox.c
index 8ffad059e8984..4d966cb2ed036 100644
--- a/drivers/mailbox/rockchip-mailbox.c
+++ b/drivers/mailbox/rockchip-mailbox.c
@@ -159,7 +159,7 @@ static const struct of_device_id rockchip_mbox_of_match[] = {
{ .compatible = "rockchip,rk3368-mailbox", .data = &rk3368_drv_data},
{ },
};
-MODULE_DEVICE_TABLE(of, rockchp_mbox_of_match);
+MODULE_DEVICE_TABLE(of, rockchip_mbox_of_match);
static int rockchip_mbox_probe(struct platform_device *pdev)
{
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 009/386] mailbox: bcm2835: Fix timeout during suspend mode
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 008/386] mailbox: rockchip: fix a typo in module autoloading Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 010/386] ceph: remove the incorrect Fw reference check when dirtying pages Greg Kroah-Hartman
` (387 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Wahren, Florian Fainelli,
Jassi Brar, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Wahren <wahrenst@gmx.net>
[ Upstream commit dc09f007caed3b2f6a3b6bd7e13777557ae22bfd ]
During noirq suspend phase the Raspberry Pi power driver suffer of
firmware property timeouts. The reason is that the IRQ of the underlying
BCM2835 mailbox is disabled and rpi_firmware_property_list() will always
run into a timeout [1].
Since the VideoCore side isn't consider as a wakeup source, set the
IRQF_NO_SUSPEND flag for the mailbox IRQ in order to keep it enabled
during suspend-resume cycle.
[1]
PM: late suspend of devices complete after 1.754 msecs
WARNING: CPU: 0 PID: 438 at drivers/firmware/raspberrypi.c:128
rpi_firmware_property_list+0x204/0x22c
Firmware transaction 0x00028001 timeout
Modules linked in:
CPU: 0 PID: 438 Comm: bash Tainted: G C 6.9.3-dirty #17
Hardware name: BCM2835
Call trace:
unwind_backtrace from show_stack+0x18/0x1c
show_stack from dump_stack_lvl+0x34/0x44
dump_stack_lvl from __warn+0x88/0xec
__warn from warn_slowpath_fmt+0x7c/0xb0
warn_slowpath_fmt from rpi_firmware_property_list+0x204/0x22c
rpi_firmware_property_list from rpi_firmware_property+0x68/0x8c
rpi_firmware_property from rpi_firmware_set_power+0x54/0xc0
rpi_firmware_set_power from _genpd_power_off+0xe4/0x148
_genpd_power_off from genpd_sync_power_off+0x7c/0x11c
genpd_sync_power_off from genpd_finish_suspend+0xcc/0xe0
genpd_finish_suspend from dpm_run_callback+0x78/0xd0
dpm_run_callback from device_suspend_noirq+0xc0/0x238
device_suspend_noirq from dpm_suspend_noirq+0xb0/0x168
dpm_suspend_noirq from suspend_devices_and_enter+0x1b8/0x5ac
suspend_devices_and_enter from pm_suspend+0x254/0x2e4
pm_suspend from state_store+0xa8/0xd4
state_store from kernfs_fop_write_iter+0x154/0x1a0
kernfs_fop_write_iter from vfs_write+0x12c/0x184
vfs_write from ksys_write+0x78/0xc0
ksys_write from ret_fast_syscall+0x0/0x54
Exception stack(0xcc93dfa8 to 0xcc93dff0)
[...]
PM: noirq suspend of devices complete after 3095.584 msecs
Link: https://github.com/raspberrypi/firmware/issues/1894
Fixes: 0bae6af6d704 ("mailbox: Enable BCM2835 mailbox support")
Signed-off-by: Stefan Wahren <wahrenst@gmx.net>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Signed-off-by: Jassi Brar <jassisinghbrar@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/mailbox/bcm2835-mailbox.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/mailbox/bcm2835-mailbox.c b/drivers/mailbox/bcm2835-mailbox.c
index fbfd0202047c3..ea12fb8d24015 100644
--- a/drivers/mailbox/bcm2835-mailbox.c
+++ b/drivers/mailbox/bcm2835-mailbox.c
@@ -145,7 +145,8 @@ static int bcm2835_mbox_probe(struct platform_device *pdev)
spin_lock_init(&mbox->lock);
ret = devm_request_irq(dev, irq_of_parse_and_map(dev->of_node, 0),
- bcm2835_mbox_irq, 0, dev_name(dev), mbox);
+ bcm2835_mbox_irq, IRQF_NO_SUSPEND, dev_name(dev),
+ mbox);
if (ret) {
dev_err(dev, "Failed to register a mailbox IRQ handler: %d\n",
ret);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 010/386] ceph: remove the incorrect Fw reference check when dirtying pages
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 009/386] mailbox: bcm2835: Fix timeout during suspend mode Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 011/386] ieee802154: Fix build error Greg Kroah-Hartman
` (386 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiubo Li, Patrick Donnelly,
Ilya Dryomov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiubo Li <xiubli@redhat.com>
[ Upstream commit c08dfb1b49492c09cf13838c71897493ea3b424e ]
When doing the direct-io reads it will also try to mark pages dirty,
but for the read path it won't hold the Fw caps and there is case
will it get the Fw reference.
Fixes: 5dda377cf0a6 ("ceph: set i_head_snapc when getting CEPH_CAP_FILE_WR reference")
Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Patrick Donnelly <pdonnell@redhat.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ceph/addr.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/fs/ceph/addr.c b/fs/ceph/addr.c
index da64bb7325dbc..7549e2b07b6af 100644
--- a/fs/ceph/addr.c
+++ b/fs/ceph/addr.c
@@ -95,7 +95,6 @@ static bool ceph_dirty_folio(struct address_space *mapping, struct folio *folio)
/* dirty the head */
spin_lock(&ci->i_ceph_lock);
- BUG_ON(ci->i_wr_ref == 0); // caller should hold Fw reference
if (__ceph_have_pending_cap_snap(ci)) {
struct ceph_cap_snap *capsnap =
list_last_entry(&ci->i_cap_snaps,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 011/386] ieee802154: Fix build error
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 010/386] ceph: remove the incorrect Fw reference check when dirtying pages Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 012/386] net: sparx5: Fix invalid timestamps Greg Kroah-Hartman
` (385 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jinjie Ruan, Stefan Schmidt,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
[ Upstream commit addf89774e48c992316449ffab4f29c2309ebefb ]
If REGMAP_SPI is m and IEEE802154_MCR20A is y,
mcr20a.c:(.text+0x3ed6c5b): undefined reference to `__devm_regmap_init_spi'
ld: mcr20a.c:(.text+0x3ed6cb5): undefined reference to `__devm_regmap_init_spi'
Select REGMAP_SPI for IEEE802154_MCR20A to fix it.
Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Link: https://lore.kernel.org/20240909131740.1296608-1-ruanjinjie@huawei.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ieee802154/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ieee802154/Kconfig b/drivers/net/ieee802154/Kconfig
index 95da876c56138..1075e24b11def 100644
--- a/drivers/net/ieee802154/Kconfig
+++ b/drivers/net/ieee802154/Kconfig
@@ -101,6 +101,7 @@ config IEEE802154_CA8210_DEBUGFS
config IEEE802154_MCR20A
tristate "MCR20A transceiver driver"
+ select REGMAP_SPI
depends on IEEE802154_DRIVERS && MAC802154
depends on SPI
help
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 012/386] net: sparx5: Fix invalid timestamps
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 011/386] ieee802154: Fix build error Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 013/386] net/mlx5: Fix error path in multi-packet WQE transmit Greg Kroah-Hartman
` (384 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aakash Menon, Horatiu Vultur,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aakash Menon <aakash.r.menon@gmail.com>
[ Upstream commit 151ac45348afc5b56baa584c7cd4876addf461ff ]
Bit 270-271 are occasionally unexpectedly set by the hardware. This issue
was observed with 10G SFPs causing huge time errors (> 30ms) in PTP. Only
30 bits are needed for the nanosecond part of the timestamp, clear 2 most
significant bits before extracting timestamp from the internal frame
header.
Fixes: 70dfe25cd866 ("net: sparx5: Update extraction/injection for timestamping")
Signed-off-by: Aakash Menon <aakash.menon@protempis.com>
Reviewed-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microchip/sparx5/sparx5_packet.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
index ac7e1cffbcecf..dcf2e342fc14a 100644
--- a/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
+++ b/drivers/net/ethernet/microchip/sparx5/sparx5_packet.c
@@ -45,8 +45,12 @@ void sparx5_ifh_parse(u32 *ifh, struct frame_info *info)
fwd = (fwd >> 5);
info->src_port = FIELD_GET(GENMASK(7, 1), fwd);
+ /*
+ * Bit 270-271 are occasionally unexpectedly set by the hardware,
+ * clear bits before extracting timestamp
+ */
info->timestamp =
- ((u64)xtr_hdr[2] << 24) |
+ ((u64)(xtr_hdr[2] & GENMASK(5, 0)) << 24) |
((u64)xtr_hdr[3] << 16) |
((u64)xtr_hdr[4] << 8) |
((u64)xtr_hdr[5] << 0);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 013/386] net/mlx5: Fix error path in multi-packet WQE transmit
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 012/386] net: sparx5: Fix invalid timestamps Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 014/386] net/mlx5: Added cond_resched() to crdump collection Greg Kroah-Hartman
` (383 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gerd Bayer, Zhu Yanjun,
Maxim Mikityanskiy, Saeed Mahameed, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gerd Bayer <gbayer@linux.ibm.com>
[ Upstream commit 2bcae12c795f32ddfbf8c80d1b5f1d3286341c32 ]
Remove the erroneous unmap in case no DMA mapping was established
The multi-packet WQE transmit code attempts to obtain a DMA mapping for
the skb. This could fail, e.g. under memory pressure, when the IOMMU
driver just can't allocate more memory for page tables. While the code
tries to handle this in the path below the err_unmap label it erroneously
unmaps one entry from the sq's FIFO list of active mappings. Since the
current map attempt failed this unmap is removing some random DMA mapping
that might still be required. If the PCI function now presents that IOVA,
the IOMMU may assumes a rogue DMA access and e.g. on s390 puts the PCI
function in error state.
The erroneous behavior was seen in a stress-test environment that created
memory pressure.
Fixes: 5af75c747e2a ("net/mlx5e: Enhanced TX MPWQE for SKBs")
Signed-off-by: Gerd Bayer <gbayer@linux.ibm.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Acked-by: Maxim Mikityanskiy <maxtram95@gmail.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_tx.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
index 3001a52e1ac2e..85d6334308e31 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tx.c
@@ -642,7 +642,6 @@ mlx5e_sq_xmit_mpwqe(struct mlx5e_txqsq *sq, struct sk_buff *skb,
return;
err_unmap:
- mlx5e_dma_unmap_wqe_err(sq, 1);
sq->stats->dropped++;
dev_kfree_skb_any(skb);
mlx5e_tx_flush(sq);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 014/386] net/mlx5: Added cond_resched() to crdump collection
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 013/386] net/mlx5: Fix error path in multi-packet WQE transmit Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 015/386] net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() Greg Kroah-Hartman
` (382 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yuanyuan Zhong, Mohamed Khalfella,
Moshe Shemesh, Saeed Mahameed, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mohamed Khalfella <mkhalfella@purestorage.com>
[ Upstream commit ec793155894140df7421d25903de2e6bc12c695b ]
Collecting crdump involves reading vsc registers from pci config space
of mlx device, which can take long time to complete. This might result
in starving other threads waiting to run on the cpu.
Numbers I got from testing ConnectX-5 Ex MCX516A-CDAT in the lab:
- mlx5_vsc_gw_read_block_fast() was called with length = 1310716.
- mlx5_vsc_gw_read_fast() reads 4 bytes at a time. It was not used to
read the entire 1310716 bytes. It was called 53813 times because
there are jumps in read_addr.
- On average mlx5_vsc_gw_read_fast() took 35284.4ns.
- In total mlx5_vsc_wait_on_flag() called vsc_read() 54707 times.
The average time for each call was 17548.3ns. In some instances
vsc_read() was called more than one time when the flag was not set.
As expected the thread released the cpu after 16 iterations in
mlx5_vsc_wait_on_flag().
- Total time to read crdump was 35284.4ns * 53813 ~= 1.898s.
It was seen in the field that crdump can take more than 5 seconds to
complete. During that time mlx5_vsc_wait_on_flag() did not release the
cpu because it did not complete 16 iterations. It is believed that pci
config reads were slow. Adding cond_resched() every 128 register read
improves the situation. In the common case the, crdump takes ~1.8989s,
the thread yields the cpu every ~4.51ms. If crdump takes ~5s, the thread
yields the cpu every ~18.0ms.
Fixes: 8b9d8baae1de ("net/mlx5: Add Crdump support")
Reviewed-by: Yuanyuan Zhong <yzhong@purestorage.com>
Signed-off-by: Mohamed Khalfella <mkhalfella@purestorage.com>
Reviewed-by: Moshe Shemesh <moshe@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c | 10 ++++++++++
1 file changed, 10 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c
index d0b595ba61101..432c98f2626db 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/pci_vsc.c
@@ -24,6 +24,11 @@
pci_write_config_dword((dev)->pdev, (dev)->vsc_addr + (offset), (val))
#define VSC_MAX_RETRIES 2048
+/* Reading VSC registers can take relatively long time.
+ * Yield the cpu every 128 registers read.
+ */
+#define VSC_GW_READ_BLOCK_COUNT 128
+
enum {
VSC_CTRL_OFFSET = 0x4,
VSC_COUNTER_OFFSET = 0x8,
@@ -273,6 +278,7 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data,
{
unsigned int next_read_addr = 0;
unsigned int read_addr = 0;
+ unsigned int count = 0;
while (read_addr < length) {
if (mlx5_vsc_gw_read_fast(dev, read_addr, &next_read_addr,
@@ -280,6 +286,10 @@ int mlx5_vsc_gw_read_block_fast(struct mlx5_core_dev *dev, u32 *data,
return read_addr;
read_addr = next_read_addr;
+ if (++count == VSC_GW_READ_BLOCK_COUNT) {
+ cond_resched();
+ count = 0;
+ }
}
return length;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 015/386] net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 014/386] net/mlx5: Added cond_resched() to crdump collection Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 016/386] net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice Greg Kroah-Hartman
` (381 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Elena Salomatkina, Simon Horman,
Kalesh AP, Tariq Toukan, Gal Pressman, Saeed Mahameed,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Elena Salomatkina <esalomatkina@ispras.ru>
[ Upstream commit f25389e779500cf4a59ef9804534237841bce536 ]
In mlx5e_tir_builder_alloc() kvzalloc() may return NULL
which is dereferenced on the next line in a reference
to the modify field.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Fixes: a6696735d694 ("net/mlx5e: Convert TIR to a dedicated object")
Signed-off-by: Elena Salomatkina <esalomatkina@ispras.ru>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Kalesh AP <kalesh-anakkur.purayil@broadcom.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Gal Pressman <gal@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/tir.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c
index d4239e3b3c88e..11f724ad90dbf 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tir.c
@@ -23,6 +23,9 @@ struct mlx5e_tir_builder *mlx5e_tir_builder_alloc(bool modify)
struct mlx5e_tir_builder *builder;
builder = kvzalloc(sizeof(*builder), GFP_KERNEL);
+ if (!builder)
+ return NULL;
+
builder->modify = modify;
return builder;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 016/386] net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 015/386] net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 017/386] netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED Greg Kroah-Hartman
` (380 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Leon Romanovsky,
Saeed Mahameed, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
[ Upstream commit 7b124695db40d5c9c5295a94ae928a8d67a01c3d ]
The km.state is not checked in driver's delayed work. When
xfrm_state_check_expire() is called, the state can be reset to
XFRM_STATE_EXPIRED, even if it is XFRM_STATE_DEAD already. This
happens when xfrm state is deleted, but not freed yet. As
__xfrm_state_delete() is called again in xfrm timer, the following
crash occurs.
To fix this issue, skip xfrm_state_check_expire() if km.state is not
XFRM_STATE_VALID.
Oops: general protection fault, probably for non-canonical address 0xdead000000000108: 0000 [#1] SMP
CPU: 5 UID: 0 PID: 7448 Comm: kworker/u102:2 Not tainted 6.11.0-rc2+ #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
Workqueue: mlx5e_ipsec: eth%d mlx5e_ipsec_handle_sw_limits [mlx5_core]
RIP: 0010:__xfrm_state_delete+0x3d/0x1b0
Code: 0f 84 8b 01 00 00 48 89 fd c6 87 c8 00 00 00 05 48 8d bb 40 10 00 00 e8 11 04 1a 00 48 8b 95 b8 00 00 00 48 8b 85 c0 00 00 00 <48> 89 42 08 48 89 10 48 8b 55 10 48 b8 00 01 00 00 00 00 ad de 48
RSP: 0018:ffff88885f945ec8 EFLAGS: 00010246
RAX: dead000000000122 RBX: ffffffff82afa940 RCX: 0000000000000036
RDX: dead000000000100 RSI: 0000000000000000 RDI: ffffffff82afb980
RBP: ffff888109a20340 R08: ffff88885f945ea0 R09: 0000000000000000
R10: 0000000000000000 R11: ffff88885f945ff8 R12: 0000000000000246
R13: ffff888109a20340 R14: ffff88885f95f420 R15: ffff88885f95f400
FS: 0000000000000000(0000) GS:ffff88885f940000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2163102430 CR3: 00000001128d6001 CR4: 0000000000370eb0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<IRQ>
? die_addr+0x33/0x90
? exc_general_protection+0x1a2/0x390
? asm_exc_general_protection+0x22/0x30
? __xfrm_state_delete+0x3d/0x1b0
? __xfrm_state_delete+0x2f/0x1b0
xfrm_timer_handler+0x174/0x350
? __xfrm_state_delete+0x1b0/0x1b0
__hrtimer_run_queues+0x121/0x270
hrtimer_run_softirq+0x88/0xd0
handle_softirqs+0xcc/0x270
do_softirq+0x3c/0x50
</IRQ>
<TASK>
__local_bh_enable_ip+0x47/0x50
mlx5e_ipsec_handle_sw_limits+0x7d/0x90 [mlx5_core]
process_one_work+0x137/0x2d0
worker_thread+0x28d/0x3a0
? rescuer_thread+0x480/0x480
kthread+0xb8/0xe0
? kthread_park+0x80/0x80
ret_from_fork+0x2d/0x50
? kthread_park+0x80/0x80
ret_from_fork_asm+0x11/0x20
</TASK>
Fixes: b2f7b01d36a9 ("net/mlx5e: Simulate missing IPsec TX limits hardware functionality")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
index e2ffc572de188..015faddabc8e0 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_accel/ipsec.c
@@ -67,7 +67,6 @@ static void mlx5e_ipsec_handle_tx_limit(struct work_struct *_work)
return;
spin_lock_bh(&x->lock);
- xfrm_state_check_expire(x);
if (x->km.state == XFRM_STATE_EXPIRED) {
sa_entry->attrs.drop = true;
spin_unlock_bh(&x->lock);
@@ -75,6 +74,13 @@ static void mlx5e_ipsec_handle_tx_limit(struct work_struct *_work)
mlx5e_accel_ipsec_fs_modify(sa_entry);
return;
}
+
+ if (x->km.state != XFRM_STATE_VALID) {
+ spin_unlock_bh(&x->lock);
+ return;
+ }
+
+ xfrm_state_check_expire(x);
spin_unlock_bh(&x->lock);
queue_delayed_work(sa_entry->ipsec->wq, &dwork->dwork,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 017/386] netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 016/386] net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 018/386] net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() Greg Kroah-Hartman
` (379 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Sutter, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit 76f1ed087b562a469f2153076f179854b749c09a ]
Fix the comment which incorrectly defines it as NLA_U32.
Fixes: 3b49e2e94e6e ("netfilter: nf_tables: add flow table netlink frontend")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/uapi/linux/netfilter/nf_tables.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/include/uapi/linux/netfilter/nf_tables.h b/include/uapi/linux/netfilter/nf_tables.h
index 621e3035145eb..9c29015d09c10 100644
--- a/include/uapi/linux/netfilter/nf_tables.h
+++ b/include/uapi/linux/netfilter/nf_tables.h
@@ -1690,7 +1690,7 @@ enum nft_flowtable_flags {
*
* @NFTA_FLOWTABLE_TABLE: name of the table containing the expression (NLA_STRING)
* @NFTA_FLOWTABLE_NAME: name of this flow table (NLA_STRING)
- * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration(NLA_U32)
+ * @NFTA_FLOWTABLE_HOOK: netfilter hook configuration (NLA_NESTED)
* @NFTA_FLOWTABLE_USE: number of references to this flow table (NLA_U32)
* @NFTA_FLOWTABLE_HANDLE: object handle (NLA_U64)
* @NFTA_FLOWTABLE_FLAGS: flags (NLA_U32)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 018/386] net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 017/386] netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 019/386] net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() Greg Kroah-Hartman
` (378 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miquel Raynal, Jinjie Ruan,
Stefan Schmidt, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
[ Upstream commit 09573b1cc76e7ff8f056ab29ea1cdc152ec8c653 ]
disable_irq() after request_irq() still has a time gap in which
interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
disable IRQ auto-enable when request IRQ.
Fixes: 8c6ad9cc5157 ("ieee802154: Add NXP MCR20A IEEE 802.15.4 transceiver driver")
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Link: https://lore.kernel.org/20240911094234.1922418-1-ruanjinjie@huawei.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ieee802154/mcr20a.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/drivers/net/ieee802154/mcr20a.c b/drivers/net/ieee802154/mcr20a.c
index 87abe3b46316e..bab92f19c4f48 100644
--- a/drivers/net/ieee802154/mcr20a.c
+++ b/drivers/net/ieee802154/mcr20a.c
@@ -1303,16 +1303,13 @@ mcr20a_probe(struct spi_device *spi)
irq_type = IRQF_TRIGGER_FALLING;
ret = devm_request_irq(&spi->dev, spi->irq, mcr20a_irq_isr,
- irq_type, dev_name(&spi->dev), lp);
+ irq_type | IRQF_NO_AUTOEN, dev_name(&spi->dev), lp);
if (ret) {
dev_err(&spi->dev, "could not request_irq for mcr20a\n");
ret = -ENODEV;
goto free_dev;
}
- /* disable_irq by default and wait for starting hardware */
- disable_irq(spi->irq);
-
ret = ieee802154_register_hw(hw);
if (ret) {
dev_crit(&spi->dev, "ieee802154_register_hw failed\n");
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 019/386] net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 018/386] net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 020/386] selftests: netfilter: Fix nft_audit.sh for newer nft binaries Greg Kroah-Hartman
` (377 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stephan Gerhold, Jinjie Ruan,
Sergey Ryazanov, David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
[ Upstream commit d505d3593b52b6c43507f119572409087416ba28 ]
It's important to undo pm_runtime_use_autosuspend() with
pm_runtime_dont_use_autosuspend() at driver exit time.
But the pm_runtime_disable() and pm_runtime_dont_use_autosuspend()
is missing in the error path for bam_dmux_probe(). So add it.
Found by code review. Compile-tested only.
Fixes: 21a0ffd9b38c ("net: wwan: Add Qualcomm BAM-DMUX WWAN network driver")
Suggested-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Reviewed-by: Stephan Gerhold <stephan.gerhold@linaro.org>
Reviewed-by: Sergey Ryazanov <ryazanov.s.a@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wwan/qcom_bam_dmux.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wwan/qcom_bam_dmux.c b/drivers/net/wwan/qcom_bam_dmux.c
index 17d46f4d29139..174a9156b3233 100644
--- a/drivers/net/wwan/qcom_bam_dmux.c
+++ b/drivers/net/wwan/qcom_bam_dmux.c
@@ -823,17 +823,17 @@ static int bam_dmux_probe(struct platform_device *pdev)
ret = devm_request_threaded_irq(dev, pc_ack_irq, NULL, bam_dmux_pc_ack_irq,
IRQF_ONESHOT, NULL, dmux);
if (ret)
- return ret;
+ goto err_disable_pm;
ret = devm_request_threaded_irq(dev, dmux->pc_irq, NULL, bam_dmux_pc_irq,
IRQF_ONESHOT, NULL, dmux);
if (ret)
- return ret;
+ goto err_disable_pm;
ret = irq_get_irqchip_state(dmux->pc_irq, IRQCHIP_STATE_LINE_LEVEL,
&dmux->pc_state);
if (ret)
- return ret;
+ goto err_disable_pm;
/* Check if remote finished initialization before us */
if (dmux->pc_state) {
@@ -844,6 +844,11 @@ static int bam_dmux_probe(struct platform_device *pdev)
}
return 0;
+
+err_disable_pm:
+ pm_runtime_disable(dev);
+ pm_runtime_dont_use_autosuspend(dev);
+ return ret;
}
static int bam_dmux_remove(struct platform_device *pdev)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 020/386] selftests: netfilter: Fix nft_audit.sh for newer nft binaries
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 019/386] net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 021/386] netfilter: nf_tables: prevent nf_skb_duplicated corruption Greg Kroah-Hartman
` (376 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Phil Sutter, Pablo Neira Ayuso,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
[ Upstream commit 8a89015644513ef69193a037eb966f2d55fe385a ]
As a side-effect of nftables' commit dbff26bfba833 ("cache: consolidate
reset command"), audit logs changed when more objects were reset than
fit into a single netlink message.
Since the objects' distribution in netlink messages is not relevant,
implement a summarizing function which combines repeated audit logs into
a single one with summed up 'entries=' value.
Fixes: 203bb9d39866 ("selftests: netfilter: Extend nft_audit.sh")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../testing/selftests/netfilter/nft_audit.sh | 57 ++++++++++---------
1 file changed, 29 insertions(+), 28 deletions(-)
diff --git a/tools/testing/selftests/netfilter/nft_audit.sh b/tools/testing/selftests/netfilter/nft_audit.sh
index 99ed5bd6e8402..e4717444d38e7 100755
--- a/tools/testing/selftests/netfilter/nft_audit.sh
+++ b/tools/testing/selftests/netfilter/nft_audit.sh
@@ -25,12 +25,31 @@ logread_pid=$!
trap 'kill $logread_pid; rm -f $logfile $rulefile' EXIT
exec 3<"$logfile"
+lsplit='s/^\(.*\) entries=\([^ ]*\) \(.*\)$/pfx="\1"\nval="\2"\nsfx="\3"/'
+summarize_logs() {
+ sum=0
+ while read line; do
+ eval $(sed "$lsplit" <<< "$line")
+ [[ $sum -gt 0 ]] && {
+ [[ "$pfx $sfx" == "$tpfx $tsfx" ]] && {
+ let "sum += val"
+ continue
+ }
+ echo "$tpfx entries=$sum $tsfx"
+ }
+ tpfx="$pfx"
+ tsfx="$sfx"
+ sum=$val
+ done
+ echo "$tpfx entries=$sum $tsfx"
+}
+
do_test() { # (cmd, log)
echo -n "testing for cmd: $1 ... "
cat <&3 >/dev/null
$1 >/dev/null || exit 1
sleep 0.1
- res=$(diff -a -u <(echo "$2") - <&3)
+ res=$(diff -a -u <(echo "$2") <(summarize_logs <&3))
[ $? -eq 0 ] && { echo "OK"; return; }
echo "FAIL"
grep -v '^\(---\|+++\|@@\)' <<< "$res"
@@ -129,31 +148,17 @@ do_test 'nft reset rules t1 c2' \
'table=t1 family=2 entries=3 op=nft_reset_rule'
do_test 'nft reset rules table t1' \
-'table=t1 family=2 entries=3 op=nft_reset_rule
-table=t1 family=2 entries=3 op=nft_reset_rule
-table=t1 family=2 entries=3 op=nft_reset_rule'
+'table=t1 family=2 entries=9 op=nft_reset_rule'
do_test 'nft reset rules t2 c3' \
-'table=t2 family=2 entries=189 op=nft_reset_rule
-table=t2 family=2 entries=188 op=nft_reset_rule
-table=t2 family=2 entries=126 op=nft_reset_rule'
+'table=t2 family=2 entries=503 op=nft_reset_rule'
do_test 'nft reset rules t2' \
-'table=t2 family=2 entries=3 op=nft_reset_rule
-table=t2 family=2 entries=3 op=nft_reset_rule
-table=t2 family=2 entries=186 op=nft_reset_rule
-table=t2 family=2 entries=188 op=nft_reset_rule
-table=t2 family=2 entries=129 op=nft_reset_rule'
+'table=t2 family=2 entries=509 op=nft_reset_rule'
do_test 'nft reset rules' \
-'table=t1 family=2 entries=3 op=nft_reset_rule
-table=t1 family=2 entries=3 op=nft_reset_rule
-table=t1 family=2 entries=3 op=nft_reset_rule
-table=t2 family=2 entries=3 op=nft_reset_rule
-table=t2 family=2 entries=3 op=nft_reset_rule
-table=t2 family=2 entries=180 op=nft_reset_rule
-table=t2 family=2 entries=188 op=nft_reset_rule
-table=t2 family=2 entries=135 op=nft_reset_rule'
+'table=t1 family=2 entries=9 op=nft_reset_rule
+table=t2 family=2 entries=509 op=nft_reset_rule'
# resetting sets and elements
@@ -177,13 +182,11 @@ do_test 'nft reset counters t1' \
'table=t1 family=2 entries=1 op=nft_reset_obj'
do_test 'nft reset counters t2' \
-'table=t2 family=2 entries=342 op=nft_reset_obj
-table=t2 family=2 entries=158 op=nft_reset_obj'
+'table=t2 family=2 entries=500 op=nft_reset_obj'
do_test 'nft reset counters' \
'table=t1 family=2 entries=1 op=nft_reset_obj
-table=t2 family=2 entries=341 op=nft_reset_obj
-table=t2 family=2 entries=159 op=nft_reset_obj'
+table=t2 family=2 entries=500 op=nft_reset_obj'
# resetting quotas
@@ -194,13 +197,11 @@ do_test 'nft reset quotas t1' \
'table=t1 family=2 entries=1 op=nft_reset_obj'
do_test 'nft reset quotas t2' \
-'table=t2 family=2 entries=315 op=nft_reset_obj
-table=t2 family=2 entries=185 op=nft_reset_obj'
+'table=t2 family=2 entries=500 op=nft_reset_obj'
do_test 'nft reset quotas' \
'table=t1 family=2 entries=1 op=nft_reset_obj
-table=t2 family=2 entries=314 op=nft_reset_obj
-table=t2 family=2 entries=186 op=nft_reset_obj'
+table=t2 family=2 entries=500 op=nft_reset_obj'
# deleting rules
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 021/386] netfilter: nf_tables: prevent nf_skb_duplicated corruption
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 020/386] selftests: netfilter: Fix nft_audit.sh for newer nft binaries Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 022/386] Bluetooth: MGMT: Fix possible crash on mgmt_index_removed Greg Kroah-Hartman
` (375 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
Pablo Neira Ayuso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 92ceba94de6fb4cee2bf40b485979c342f44a492 ]
syzbot found that nf_dup_ipv4() or nf_dup_ipv6() could write
per-cpu variable nf_skb_duplicated in an unsafe way [1].
Disabling preemption as hinted by the splat is not enough,
we have to disable soft interrupts as well.
[1]
BUG: using __this_cpu_write() in preemptible [00000000] code: syz.4.282/6316
caller is nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
CPU: 0 UID: 0 PID: 6316 Comm: syz.4.282 Not tainted 6.11.0-rc7-syzkaller-00104-g7052622fccb1 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
check_preemption_disabled+0x10e/0x120 lib/smp_processor_id.c:49
nf_dup_ipv4+0x651/0x8f0 net/ipv4/netfilter/nf_dup_ipv4.c:87
nft_dup_ipv4_eval+0x1db/0x300 net/ipv4/netfilter/nft_dup_ipv4.c:30
expr_call_ops_eval net/netfilter/nf_tables_core.c:240 [inline]
nft_do_chain+0x4ad/0x1da0 net/netfilter/nf_tables_core.c:288
nft_do_chain_ipv4+0x202/0x320 net/netfilter/nft_chain_filter.c:23
nf_hook_entry_hookfn include/linux/netfilter.h:154 [inline]
nf_hook_slow+0xc3/0x220 net/netfilter/core.c:626
nf_hook+0x2c4/0x450 include/linux/netfilter.h:269
NF_HOOK_COND include/linux/netfilter.h:302 [inline]
ip_output+0x185/0x230 net/ipv4/ip_output.c:433
ip_local_out net/ipv4/ip_output.c:129 [inline]
ip_send_skb+0x74/0x100 net/ipv4/ip_output.c:1495
udp_send_skb+0xacf/0x1650 net/ipv4/udp.c:981
udp_sendmsg+0x1c21/0x2a60 net/ipv4/udp.c:1269
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg+0x1a6/0x270 net/socket.c:745
____sys_sendmsg+0x525/0x7d0 net/socket.c:2597
___sys_sendmsg net/socket.c:2651 [inline]
__sys_sendmmsg+0x3b2/0x740 net/socket.c:2737
__do_sys_sendmmsg net/socket.c:2766 [inline]
__se_sys_sendmmsg net/socket.c:2763 [inline]
__x64_sys_sendmmsg+0xa0/0xb0 net/socket.c:2763
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f4ce4f7def9
Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 a8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f4ce5d4a038 EFLAGS: 00000246 ORIG_RAX: 0000000000000133
RAX: ffffffffffffffda RBX: 00007f4ce5135f80 RCX: 00007f4ce4f7def9
RDX: 0000000000000001 RSI: 0000000020005d40 RDI: 0000000000000006
RBP: 00007f4ce4ff0b76 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 00007f4ce5135f80 R15: 00007ffd4cbc6d68
</TASK>
Fixes: d877f07112f1 ("netfilter: nf_tables: add nft_dup expression")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/netfilter/nf_dup_ipv4.c | 7 +++++--
net/ipv6/netfilter/nf_dup_ipv6.c | 7 +++++--
2 files changed, 10 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/netfilter/nf_dup_ipv4.c b/net/ipv4/netfilter/nf_dup_ipv4.c
index 6cc5743c553a0..9a21175693db5 100644
--- a/net/ipv4/netfilter/nf_dup_ipv4.c
+++ b/net/ipv4/netfilter/nf_dup_ipv4.c
@@ -52,8 +52,9 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
{
struct iphdr *iph;
+ local_bh_disable();
if (this_cpu_read(nf_skb_duplicated))
- return;
+ goto out;
/*
* Copy the skb, and route the copy. Will later return %XT_CONTINUE for
* the original skb, which should continue on its way as if nothing has
@@ -61,7 +62,7 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
*/
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
- return;
+ goto out;
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
/* Avoid counting cloned packets towards the original connection. */
@@ -90,6 +91,8 @@ void nf_dup_ipv4(struct net *net, struct sk_buff *skb, unsigned int hooknum,
} else {
kfree_skb(skb);
}
+out:
+ local_bh_enable();
}
EXPORT_SYMBOL_GPL(nf_dup_ipv4);
diff --git a/net/ipv6/netfilter/nf_dup_ipv6.c b/net/ipv6/netfilter/nf_dup_ipv6.c
index a0a2de30be3e7..0c39c77fe8a8a 100644
--- a/net/ipv6/netfilter/nf_dup_ipv6.c
+++ b/net/ipv6/netfilter/nf_dup_ipv6.c
@@ -47,11 +47,12 @@ static bool nf_dup_ipv6_route(struct net *net, struct sk_buff *skb,
void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
const struct in6_addr *gw, int oif)
{
+ local_bh_disable();
if (this_cpu_read(nf_skb_duplicated))
- return;
+ goto out;
skb = pskb_copy(skb, GFP_ATOMIC);
if (skb == NULL)
- return;
+ goto out;
#if IS_ENABLED(CONFIG_NF_CONNTRACK)
nf_reset_ct(skb);
@@ -69,6 +70,8 @@ void nf_dup_ipv6(struct net *net, struct sk_buff *skb, unsigned int hooknum,
} else {
kfree_skb(skb);
}
+out:
+ local_bh_enable();
}
EXPORT_SYMBOL_GPL(nf_dup_ipv6);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 022/386] Bluetooth: MGMT: Fix possible crash on mgmt_index_removed
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 021/386] netfilter: nf_tables: prevent nf_skb_duplicated corruption Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 023/386] Bluetooth: L2CAP: Fix uaf in l2cap_connect Greg Kroah-Hartman
` (374 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, jiaymao, Luiz Augusto von Dentz,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit f53e1c9c726d83092167f2226f32bd3b73f26c21 ]
If mgmt_index_removed is called while there are commands queued on
cmd_sync it could lead to crashes like the bellow trace:
0x0000053D: __list_del_entry_valid_or_report+0x98/0xdc
0x0000053D: mgmt_pending_remove+0x18/0x58 [bluetooth]
0x0000053E: mgmt_remove_adv_monitor_complete+0x80/0x108 [bluetooth]
0x0000053E: hci_cmd_sync_work+0xbc/0x164 [bluetooth]
So while handling mgmt_index_removed this attempts to dequeue
commands passed as user_data to cmd_sync.
Fixes: 7cf5c2978f23 ("Bluetooth: hci_sync: Refactor remove Adv Monitor")
Reported-by: jiaymao <quic_jiaymao@quicinc.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/mgmt.c | 23 ++++++++++++++---------
1 file changed, 14 insertions(+), 9 deletions(-)
diff --git a/net/bluetooth/mgmt.c b/net/bluetooth/mgmt.c
index 149aff29e5646..1f3a39c20a911 100644
--- a/net/bluetooth/mgmt.c
+++ b/net/bluetooth/mgmt.c
@@ -1446,10 +1446,15 @@ static void cmd_status_rsp(struct mgmt_pending_cmd *cmd, void *data)
static void cmd_complete_rsp(struct mgmt_pending_cmd *cmd, void *data)
{
- if (cmd->cmd_complete) {
- u8 *status = data;
+ struct cmd_lookup *match = data;
+
+ /* dequeue cmd_sync entries using cmd as data as that is about to be
+ * removed/freed.
+ */
+ hci_cmd_sync_dequeue(match->hdev, NULL, cmd, NULL);
- cmd->cmd_complete(cmd, *status);
+ if (cmd->cmd_complete) {
+ cmd->cmd_complete(cmd, match->mgmt_status);
mgmt_pending_remove(cmd);
return;
@@ -9342,12 +9347,12 @@ void mgmt_index_added(struct hci_dev *hdev)
void mgmt_index_removed(struct hci_dev *hdev)
{
struct mgmt_ev_ext_index ev;
- u8 status = MGMT_STATUS_INVALID_INDEX;
+ struct cmd_lookup match = { NULL, hdev, MGMT_STATUS_INVALID_INDEX };
if (test_bit(HCI_QUIRK_RAW_DEVICE, &hdev->quirks))
return;
- mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
+ mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match);
if (hci_dev_test_flag(hdev, HCI_UNCONFIGURED)) {
mgmt_index_event(MGMT_EV_UNCONF_INDEX_REMOVED, hdev, NULL, 0,
@@ -9398,7 +9403,7 @@ void mgmt_power_on(struct hci_dev *hdev, int err)
void __mgmt_power_off(struct hci_dev *hdev)
{
struct cmd_lookup match = { NULL, hdev };
- u8 status, zero_cod[] = { 0, 0, 0 };
+ u8 zero_cod[] = { 0, 0, 0 };
mgmt_pending_foreach(MGMT_OP_SET_POWERED, hdev, settings_rsp, &match);
@@ -9410,11 +9415,11 @@ void __mgmt_power_off(struct hci_dev *hdev)
* status responses.
*/
if (hci_dev_test_flag(hdev, HCI_UNREGISTER))
- status = MGMT_STATUS_INVALID_INDEX;
+ match.mgmt_status = MGMT_STATUS_INVALID_INDEX;
else
- status = MGMT_STATUS_NOT_POWERED;
+ match.mgmt_status = MGMT_STATUS_NOT_POWERED;
- mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &status);
+ mgmt_pending_foreach(0, hdev, cmd_complete_rsp, &match);
if (memcmp(hdev->dev_class, zero_cod, sizeof(zero_cod)) != 0) {
mgmt_limited_event(MGMT_EV_CLASS_OF_DEV_CHANGED, hdev,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 023/386] Bluetooth: L2CAP: Fix uaf in l2cap_connect
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 022/386] Bluetooth: MGMT: Fix possible crash on mgmt_index_removed Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 024/386] Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() Greg Kroah-Hartman
` (373 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+c12e2f941af1feb5632c,
Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 333b4fd11e89b29c84c269123f871883a30be586 ]
[Syzbot reported]
BUG: KASAN: slab-use-after-free in l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
Read of size 8 at addr ffff8880241e9800 by task kworker/u9:0/54
CPU: 0 UID: 0 PID: 54 Comm: kworker/u9:0 Not tainted 6.11.0-rc6-syzkaller-00268-g788220eee30d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Workqueue: hci2 hci_rx_work
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0xc3/0x620 mm/kasan/report.c:488
kasan_report+0xd9/0x110 mm/kasan/report.c:601
l2cap_connect.constprop.0+0x10d8/0x1270 net/bluetooth/l2cap_core.c:3949
l2cap_connect_req net/bluetooth/l2cap_core.c:4080 [inline]
l2cap_bredr_sig_cmd net/bluetooth/l2cap_core.c:4772 [inline]
l2cap_sig_channel net/bluetooth/l2cap_core.c:5543 [inline]
l2cap_recv_frame+0xf0b/0x8eb0 net/bluetooth/l2cap_core.c:6825
l2cap_recv_acldata+0x9b4/0xb70 net/bluetooth/l2cap_core.c:7514
hci_acldata_packet net/bluetooth/hci_core.c:3791 [inline]
hci_rx_work+0xaab/0x1610 net/bluetooth/hci_core.c:4028
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
...
Freed by task 5245:
kasan_save_stack+0x33/0x60 mm/kasan/common.c:47
kasan_save_track+0x14/0x30 mm/kasan/common.c:68
kasan_save_free_info+0x3b/0x60 mm/kasan/generic.c:579
poison_slab_object+0xf7/0x160 mm/kasan/common.c:240
__kasan_slab_free+0x32/0x50 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2256 [inline]
slab_free mm/slub.c:4477 [inline]
kfree+0x12a/0x3b0 mm/slub.c:4598
l2cap_conn_free net/bluetooth/l2cap_core.c:1810 [inline]
kref_put include/linux/kref.h:65 [inline]
l2cap_conn_put net/bluetooth/l2cap_core.c:1822 [inline]
l2cap_conn_del+0x59d/0x730 net/bluetooth/l2cap_core.c:1802
l2cap_connect_cfm+0x9e6/0xf80 net/bluetooth/l2cap_core.c:7241
hci_connect_cfm include/net/bluetooth/hci_core.h:1960 [inline]
hci_conn_failed+0x1c3/0x370 net/bluetooth/hci_conn.c:1265
hci_abort_conn_sync+0x75a/0xb50 net/bluetooth/hci_sync.c:5583
abort_conn_sync+0x197/0x360 net/bluetooth/hci_conn.c:2917
hci_cmd_sync_work+0x1a4/0x410 net/bluetooth/hci_sync.c:328
process_one_work+0x9c5/0x1b40 kernel/workqueue.c:3231
process_scheduled_works kernel/workqueue.c:3312 [inline]
worker_thread+0x6c8/0xed0 kernel/workqueue.c:3389
kthread+0x2c1/0x3a0 kernel/kthread.c:389
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Reported-by: syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com
Tested-by: syzbot+c12e2f941af1feb5632c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c12e2f941af1feb5632c
Fixes: 7b064edae38d ("Bluetooth: Fix authentication if acl data comes before remote feature evt")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_core.c | 2 ++
net/bluetooth/hci_event.c | 2 +-
net/bluetooth/l2cap_core.c | 8 --------
3 files changed, 3 insertions(+), 9 deletions(-)
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 1b56355c40eaf..f787b0eb7d669 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -3755,6 +3755,8 @@ static void hci_acldata_packet(struct hci_dev *hdev, struct sk_buff *skb)
hci_dev_lock(hdev);
conn = hci_conn_hash_lookup_handle(hdev, handle);
+ if (conn && hci_dev_test_flag(hdev, HCI_MGMT))
+ mgmt_device_connected(hdev, conn, NULL, 0);
hci_dev_unlock(hdev);
if (conn) {
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index d81c7fccdd404..b86a30c600a9a 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3707,7 +3707,7 @@ static void hci_remote_features_evt(struct hci_dev *hdev, void *data,
goto unlock;
}
- if (!ev->status && !test_bit(HCI_CONN_MGMT_CONNECTED, &conn->flags)) {
+ if (!ev->status) {
struct hci_cp_remote_name_req cp;
memset(&cp, 0, sizeof(cp));
bacpy(&cp.bdaddr, &conn->dst);
diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index 2651cc2d5c283..93651c421767a 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4064,17 +4064,9 @@ static void l2cap_connect(struct l2cap_conn *conn, struct l2cap_cmd_hdr *cmd,
static int l2cap_connect_req(struct l2cap_conn *conn,
struct l2cap_cmd_hdr *cmd, u16 cmd_len, u8 *data)
{
- struct hci_dev *hdev = conn->hcon->hdev;
- struct hci_conn *hcon = conn->hcon;
-
if (cmd_len < sizeof(struct l2cap_conn_req))
return -EPROTO;
- hci_dev_lock(hdev);
- if (hci_dev_test_flag(hdev, HCI_MGMT))
- mgmt_device_connected(hdev, hcon, NULL, 0);
- hci_dev_unlock(hdev);
-
l2cap_connect(conn, cmd, data, L2CAP_CONN_RSP);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 024/386] Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 023/386] Bluetooth: L2CAP: Fix uaf in l2cap_connect Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 025/386] net: Add netif_get_gro_max_size helper for GRO Greg Kroah-Hartman
` (372 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jinjie Ruan, Luiz Augusto von Dentz,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
[ Upstream commit 7b1ab460592ca818e7b52f27cd3ec86af79220d1 ]
disable_irq() after request_irq() still has a time gap in which
interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
disable IRQ auto-enable when request IRQ.
Fixes: bb7f4f0bcee6 ("btmrvl: add platform specific wakeup interrupt support")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btmrvl_sdio.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/bluetooth/btmrvl_sdio.c b/drivers/bluetooth/btmrvl_sdio.c
index d76c799553aaa..468e4165c7cc0 100644
--- a/drivers/bluetooth/btmrvl_sdio.c
+++ b/drivers/bluetooth/btmrvl_sdio.c
@@ -92,7 +92,7 @@ static int btmrvl_sdio_probe_of(struct device *dev,
} else {
ret = devm_request_irq(dev, cfg->irq_bt,
btmrvl_wake_irq_bt,
- 0, "bt_wake", card);
+ IRQF_NO_AUTOEN, "bt_wake", card);
if (ret) {
dev_err(dev,
"Failed to request irq_bt %d (%d)\n",
@@ -101,7 +101,6 @@ static int btmrvl_sdio_probe_of(struct device *dev,
/* Configure wakeup (enabled by default) */
device_init_wakeup(dev, true);
- disable_irq(cfg->irq_bt);
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 025/386] net: Add netif_get_gro_max_size helper for GRO
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 024/386] Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 026/386] net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size Greg Kroah-Hartman
` (371 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Eric Dumazet,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit e8d4d34df715133c319fabcf63fdec684be75ff8 ]
Add a small netif_get_gro_max_size() helper which returns the maximum IPv4
or IPv6 GRO size of the netdevice.
We later add a netif_get_gso_max_size() equivalent as well for GSO, so that
these helpers can be used consistently instead of open-coded checks.
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240923212242.15669-1-daniel@iogearbox.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: e609c959a939 ("net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netdevice.h | 9 +++++++++
net/core/gro.c | 9 ++-------
2 files changed, 11 insertions(+), 7 deletions(-)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index b8e60a20416ba..e4f02e638b9d9 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -5029,6 +5029,15 @@ void netif_set_tso_max_segs(struct net_device *dev, unsigned int segs);
void netif_inherit_tso_max(struct net_device *to,
const struct net_device *from);
+static inline unsigned int
+netif_get_gro_max_size(const struct net_device *dev, const struct sk_buff *skb)
+{
+ /* pairs with WRITE_ONCE() in netif_set_gro(_ipv4)_max_size() */
+ return skb->protocol == htons(ETH_P_IPV6) ?
+ READ_ONCE(dev->gro_max_size) :
+ READ_ONCE(dev->gro_ipv4_max_size);
+}
+
static inline bool netif_is_macsec(const struct net_device *dev)
{
return dev->priv_flags & IFF_MACSEC;
diff --git a/net/core/gro.c b/net/core/gro.c
index 31e40f25fdf10..85d3f686ba539 100644
--- a/net/core/gro.c
+++ b/net/core/gro.c
@@ -100,7 +100,6 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
unsigned int headlen = skb_headlen(skb);
unsigned int len = skb_gro_len(skb);
unsigned int delta_truesize;
- unsigned int gro_max_size;
unsigned int new_truesize;
struct sk_buff *lp;
int segs;
@@ -114,12 +113,8 @@ int skb_gro_receive(struct sk_buff *p, struct sk_buff *skb)
if (p->pp_recycle != skb->pp_recycle)
return -ETOOMANYREFS;
- /* pairs with WRITE_ONCE() in netif_set_gro(_ipv4)_max_size() */
- gro_max_size = p->protocol == htons(ETH_P_IPV6) ?
- READ_ONCE(p->dev->gro_max_size) :
- READ_ONCE(p->dev->gro_ipv4_max_size);
-
- if (unlikely(p->len + len >= gro_max_size || NAPI_GRO_CB(skb)->flush))
+ if (unlikely(p->len + len >= netif_get_gro_max_size(p->dev, p) ||
+ NAPI_GRO_CB(skb)->flush))
return -E2BIG;
if (unlikely(p->len + len >= GRO_LEGACY_MAX_SIZE)) {
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 026/386] net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 025/386] net: Add netif_get_gro_max_size helper for GRO Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 027/386] net: ethernet: lantiq_etop: fix memory disclosure Greg Kroah-Hartman
` (370 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Daniel Borkmann, Eric Dumazet,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Daniel Borkmann <daniel@iogearbox.net>
[ Upstream commit e609c959a939660c7519895f853dfa5624c6827a ]
Commit 24ab059d2ebd ("net: check dev->gso_max_size in gso_features_check()")
added a dev->gso_max_size test to gso_features_check() in order to fall
back to GSO when needed.
This was added as it was noticed that some drivers could misbehave if TSO
packets get too big. However, the check doesn't respect dev->gso_ipv4_max_size
limit. For instance, a device could be configured with BIG TCP for IPv4,
but not IPv6.
Therefore, add a netif_get_gso_max_size() equivalent to netif_get_gro_max_size()
and use the helper to respect both limits before falling back to GSO engine.
Fixes: 24ab059d2ebd ("net: check dev->gso_max_size in gso_features_check()")
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240923212242.15669-2-daniel@iogearbox.net
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/netdevice.h | 9 +++++++++
net/core/dev.c | 2 +-
2 files changed, 10 insertions(+), 1 deletion(-)
diff --git a/include/linux/netdevice.h b/include/linux/netdevice.h
index e4f02e638b9d9..8f5ac20b4c03d 100644
--- a/include/linux/netdevice.h
+++ b/include/linux/netdevice.h
@@ -5038,6 +5038,15 @@ netif_get_gro_max_size(const struct net_device *dev, const struct sk_buff *skb)
READ_ONCE(dev->gro_ipv4_max_size);
}
+static inline unsigned int
+netif_get_gso_max_size(const struct net_device *dev, const struct sk_buff *skb)
+{
+ /* pairs with WRITE_ONCE() in netif_set_gso(_ipv4)_max_size() */
+ return skb->protocol == htons(ETH_P_IPV6) ?
+ READ_ONCE(dev->gso_max_size) :
+ READ_ONCE(dev->gso_ipv4_max_size);
+}
+
static inline bool netif_is_macsec(const struct net_device *dev)
{
return dev->priv_flags & IFF_MACSEC;
diff --git a/net/core/dev.c b/net/core/dev.c
index 5a5bd339f11eb..decfa7cbba50a 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3500,7 +3500,7 @@ static netdev_features_t gso_features_check(const struct sk_buff *skb,
if (gso_segs > READ_ONCE(dev->gso_max_segs))
return features & ~NETIF_F_GSO_MASK;
- if (unlikely(skb->len >= READ_ONCE(dev->gso_max_size)))
+ if (unlikely(skb->len >= netif_get_gso_max_size(dev, skb)))
return features & ~NETIF_F_GSO_MASK;
if (!skb_shinfo(skb)->gso_type) {
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 027/386] net: ethernet: lantiq_etop: fix memory disclosure
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 026/386] net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 028/386] net: fec: Restart PPS after link state change Greg Kroah-Hartman
` (369 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksander Jan Bajkowski,
Jacob Keller, Florian Fainelli, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksander Jan Bajkowski <olek2@wp.pl>
[ Upstream commit 45c0de18ff2dc9af01236380404bbd6a46502c69 ]
When applying padding, the buffer is not zeroed, which results in memory
disclosure. The mentioned data is observed on the wire. This patch uses
skb_put_padto() to pad Ethernet frames properly. The mentioned function
zeroes the expanded buffer.
In case the packet cannot be padded it is silently dropped. Statistics
are also not incremented. This driver does not support statistics in the
old 32-bit format or the new 64-bit format. These will be added in the
future. In its current form, the patch should be easily backported to
stable versions.
Ethernet MACs on Amazon-SE and Danube cannot do padding of the packets
in hardware, so software padding must be applied.
Fixes: 504d4721ee8e ("MIPS: Lantiq: Add ethernet driver")
Signed-off-by: Aleksander Jan Bajkowski <olek2@wp.pl>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://patch.msgid.link/20240923214949.231511-2-olek2@wp.pl
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/lantiq_etop.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/lantiq_etop.c b/drivers/net/ethernet/lantiq_etop.c
index 61baf1da76eea..c33c31019562f 100644
--- a/drivers/net/ethernet/lantiq_etop.c
+++ b/drivers/net/ethernet/lantiq_etop.c
@@ -482,7 +482,9 @@ ltq_etop_tx(struct sk_buff *skb, struct net_device *dev)
unsigned long flags;
u32 byte_offset;
- len = skb->len < ETH_ZLEN ? ETH_ZLEN : skb->len;
+ if (skb_put_padto(skb, ETH_ZLEN))
+ return NETDEV_TX_OK;
+ len = skb->len;
if ((desc->ctl & (LTQ_DMA_OWN | LTQ_DMA_C)) || ch->skb[ch->dma.desc]) {
netdev_err(dev, "tx ring full\n");
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 028/386] net: fec: Restart PPS after link state change
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 027/386] net: ethernet: lantiq_etop: fix memory disclosure Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 13:30 ` Csókás Bence
2024-10-08 12:04 ` [PATCH 6.6 029/386] net: fec: Reload PTP registers after link-state change Greg Kroah-Hartman
` (368 subsequent siblings)
396 siblings, 1 reply; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, =20Bence?=, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Csókás, Bence <csokas.bence@prolan.hu>
[ Upstream commit a1477dc87dc4996dcf65a4893d4e2c3a6b593002 ]
On link state change, the controller gets reset,
causing PPS to drop out. Re-enable PPS if it was
enabled before the controller reset.
Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware clock")
Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
Link: https://patch.msgid.link/20240924093705.2897329-1-csokas.bence@prolan.hu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec.h | 6 +++++
drivers/net/ethernet/freescale/fec_main.c | 11 ++++++++-
drivers/net/ethernet/freescale/fec_ptp.c | 30 +++++++++++++++++++++++
3 files changed, 46 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/freescale/fec.h b/drivers/net/ethernet/freescale/fec.h
index a8fbcada6b01f..cb58696ec03b2 100644
--- a/drivers/net/ethernet/freescale/fec.h
+++ b/drivers/net/ethernet/freescale/fec.h
@@ -691,10 +691,16 @@ struct fec_enet_private {
/* XDP BPF Program */
struct bpf_prog *xdp_prog;
+ struct {
+ int pps_enable;
+ } ptp_saved_state;
+
u64 ethtool_stats[];
};
void fec_ptp_init(struct platform_device *pdev, int irq_idx);
+void fec_ptp_restore_state(struct fec_enet_private *fep);
+void fec_ptp_save_state(struct fec_enet_private *fep);
void fec_ptp_stop(struct platform_device *pdev);
void fec_ptp_start_cyclecounter(struct net_device *ndev);
int fec_ptp_set(struct net_device *ndev, struct kernel_hwtstamp_config *config,
diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index 5604a47b35b2a..81e3173521589 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -1058,6 +1058,8 @@ fec_restart(struct net_device *ndev)
u32 rcntl = OPT_FRAME_SIZE | 0x04;
u32 ecntl = FEC_ECR_ETHEREN;
+ fec_ptp_save_state(fep);
+
/* Whack a reset. We should wait for this.
* For i.MX6SX SOC, enet use AXI bus, we use disable MAC
* instead of reset MAC itself.
@@ -1225,8 +1227,10 @@ fec_restart(struct net_device *ndev)
writel(ecntl, fep->hwp + FEC_ECNTRL);
fec_enet_active_rxring(ndev);
- if (fep->bufdesc_ex)
+ if (fep->bufdesc_ex) {
fec_ptp_start_cyclecounter(ndev);
+ fec_ptp_restore_state(fep);
+ }
/* Enable interrupts we wish to service */
if (fep->link)
@@ -1317,6 +1321,8 @@ fec_stop(struct net_device *ndev)
netdev_err(ndev, "Graceful transmit stop did not complete!\n");
}
+ fec_ptp_save_state(fep);
+
/* Whack a reset. We should wait for this.
* For i.MX6SX SOC, enet use AXI bus, we use disable MAC
* instead of reset MAC itself.
@@ -1347,6 +1353,9 @@ fec_stop(struct net_device *ndev)
val = readl(fep->hwp + FEC_ECNTRL);
val |= FEC_ECR_EN1588;
writel(val, fep->hwp + FEC_ECNTRL);
+
+ fec_ptp_start_cyclecounter(ndev);
+ fec_ptp_restore_state(fep);
}
}
diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
index 2e4f3e1782a25..8027b532de078 100644
--- a/drivers/net/ethernet/freescale/fec_ptp.c
+++ b/drivers/net/ethernet/freescale/fec_ptp.c
@@ -770,6 +770,36 @@ void fec_ptp_init(struct platform_device *pdev, int irq_idx)
schedule_delayed_work(&fep->time_keep, HZ);
}
+void fec_ptp_save_state(struct fec_enet_private *fep)
+{
+ unsigned long flags;
+
+ spin_lock_irqsave(&fep->tmreg_lock, flags);
+
+ fep->ptp_saved_state.pps_enable = fep->pps_enable;
+
+ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
+}
+
+/* Restore PTP functionality after a reset */
+void fec_ptp_restore_state(struct fec_enet_private *fep)
+{
+ unsigned long flags;
+
+ spin_lock_irqsave(&fep->tmreg_lock, flags);
+
+ /* Reset turned it off, so adjust our status flag */
+ fep->pps_enable = 0;
+
+ spin_unlock_irqrestore(&fep->tmreg_lock, flags);
+
+ /* Restart PPS if needed */
+ if (fep->ptp_saved_state.pps_enable) {
+ /* Re-enable PPS */
+ fec_ptp_enable_pps(fep, 1);
+ }
+}
+
void fec_ptp_stop(struct platform_device *pdev)
{
struct net_device *ndev = platform_get_drvdata(pdev);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 029/386] net: fec: Reload PTP registers after link-state change
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 028/386] net: fec: Restart PPS after link state change Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 030/386] net: avoid potential underflow in qdisc_pkt_len_init() with UFO Greg Kroah-Hartman
` (367 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, =20Bence?=, Wei Fang, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Csókás, Bence <csokas.bence@prolan.hu>
[ Upstream commit d9335d0232d2da605585eea1518ac6733518f938 ]
On link-state change, the controller gets reset,
which clears all PTP registers, including PHC time,
calibrated clock correction values etc. For correct
IEEE 1588 operation we need to restore these after
the reset.
Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware clock")
Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
Reviewed-by: Wei Fang <wei.fang@nxp.com>
Link: https://patch.msgid.link/20240924093705.2897329-2-csokas.bence@prolan.hu
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/freescale/fec.h | 3 +++
drivers/net/ethernet/freescale/fec_ptp.c | 20 ++++++++++++++++++++
2 files changed, 23 insertions(+)
diff --git a/drivers/net/ethernet/freescale/fec.h b/drivers/net/ethernet/freescale/fec.h
index cb58696ec03b2..733af928caffc 100644
--- a/drivers/net/ethernet/freescale/fec.h
+++ b/drivers/net/ethernet/freescale/fec.h
@@ -693,6 +693,9 @@ struct fec_enet_private {
struct {
int pps_enable;
+ u64 ns_sys, ns_phc;
+ u32 at_corr;
+ u8 at_inc_corr;
} ptp_saved_state;
u64 ethtool_stats[];
diff --git a/drivers/net/ethernet/freescale/fec_ptp.c b/drivers/net/ethernet/freescale/fec_ptp.c
index 8027b532de078..5e8fac50f945d 100644
--- a/drivers/net/ethernet/freescale/fec_ptp.c
+++ b/drivers/net/ethernet/freescale/fec_ptp.c
@@ -773,24 +773,44 @@ void fec_ptp_init(struct platform_device *pdev, int irq_idx)
void fec_ptp_save_state(struct fec_enet_private *fep)
{
unsigned long flags;
+ u32 atime_inc_corr;
spin_lock_irqsave(&fep->tmreg_lock, flags);
fep->ptp_saved_state.pps_enable = fep->pps_enable;
+ fep->ptp_saved_state.ns_phc = timecounter_read(&fep->tc);
+ fep->ptp_saved_state.ns_sys = ktime_get_ns();
+
+ fep->ptp_saved_state.at_corr = readl(fep->hwp + FEC_ATIME_CORR);
+ atime_inc_corr = readl(fep->hwp + FEC_ATIME_INC) & FEC_T_INC_CORR_MASK;
+ fep->ptp_saved_state.at_inc_corr = (u8)(atime_inc_corr >> FEC_T_INC_CORR_OFFSET);
+
spin_unlock_irqrestore(&fep->tmreg_lock, flags);
}
/* Restore PTP functionality after a reset */
void fec_ptp_restore_state(struct fec_enet_private *fep)
{
+ u32 atime_inc = readl(fep->hwp + FEC_ATIME_INC) & FEC_T_INC_MASK;
unsigned long flags;
+ u32 counter;
+ u64 ns;
spin_lock_irqsave(&fep->tmreg_lock, flags);
/* Reset turned it off, so adjust our status flag */
fep->pps_enable = 0;
+ writel(fep->ptp_saved_state.at_corr, fep->hwp + FEC_ATIME_CORR);
+ atime_inc |= ((u32)fep->ptp_saved_state.at_inc_corr) << FEC_T_INC_CORR_OFFSET;
+ writel(atime_inc, fep->hwp + FEC_ATIME_INC);
+
+ ns = ktime_get_ns() - fep->ptp_saved_state.ns_sys + fep->ptp_saved_state.ns_phc;
+ counter = ns & fep->cc.mask;
+ writel(counter, fep->hwp + FEC_ATIME);
+ timecounter_init(&fep->tc, &fep->cc, ns);
+
spin_unlock_irqrestore(&fep->tmreg_lock, flags);
/* Restart PPS if needed */
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 030/386] net: avoid potential underflow in qdisc_pkt_len_init() with UFO
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 029/386] net: fec: Reload PTP registers after link-state change Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 031/386] net: add more sanity checks to qdisc_pkt_len_init() Greg Kroah-Hartman
` (366 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
Jonathan Davies, Willem de Bruijn, David Ahern, Paolo Abeni,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit c20029db28399ecc50e556964eaba75c43b1e2f1 ]
After commit 7c6d2ecbda83 ("net: be more gentle about silly gso
requests coming from user") virtio_net_hdr_to_skb() had sanity check
to detect malicious attempts from user space to cook a bad GSO packet.
Then commit cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count
transport header in UFO") while fixing one issue, allowed user space
to cook a GSO packet with the following characteristic :
IPv4 SKB_GSO_UDP, gso_size=3, skb->len = 28.
When this packet arrives in qdisc_pkt_len_init(), we end up
with hdr_len = 28 (IPv4 header + UDP header), matching skb->len
Then the following sets gso_segs to 0 :
gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
shinfo->gso_size);
Then later we set qdisc_skb_cb(skb)->pkt_len to back to zero :/
qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;
This leads to the following crash in fq_codel [1]
qdisc_pkt_len_init() is best effort, we only want an estimation
of the bytes sent on the wire, not crashing the kernel.
This patch is fixing this particular issue, a following one
adds more sanity checks for another potential bug.
[1]
[ 70.724101] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 70.724561] #PF: supervisor read access in kernel mode
[ 70.724561] #PF: error_code(0x0000) - not-present page
[ 70.724561] PGD 10ac61067 P4D 10ac61067 PUD 107ee2067 PMD 0
[ 70.724561] Oops: Oops: 0000 [#1] SMP NOPTI
[ 70.724561] CPU: 11 UID: 0 PID: 2163 Comm: b358537762 Not tainted 6.11.0-virtme #991
[ 70.724561] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 70.724561] RIP: 0010:fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
[ 70.724561] Code: 24 08 49 c1 e1 06 44 89 7c 24 18 45 31 ed 45 31 c0 31 ff 89 44 24 14 4c 03 8b 90 01 00 00 eb 04 39 ca 73 37 4d 8b 39 83 c7 01 <49> 8b 17 49 89 11 41 8b 57 28 45 8b 5f 34 49 c7 07 00 00 00 00 49
All code
========
0: 24 08 and $0x8,%al
2: 49 c1 e1 06 shl $0x6,%r9
6: 44 89 7c 24 18 mov %r15d,0x18(%rsp)
b: 45 31 ed xor %r13d,%r13d
e: 45 31 c0 xor %r8d,%r8d
11: 31 ff xor %edi,%edi
13: 89 44 24 14 mov %eax,0x14(%rsp)
17: 4c 03 8b 90 01 00 00 add 0x190(%rbx),%r9
1e: eb 04 jmp 0x24
20: 39 ca cmp %ecx,%edx
22: 73 37 jae 0x5b
24: 4d 8b 39 mov (%r9),%r15
27: 83 c7 01 add $0x1,%edi
2a:* 49 8b 17 mov (%r15),%rdx <-- trapping instruction
2d: 49 89 11 mov %rdx,(%r9)
30: 41 8b 57 28 mov 0x28(%r15),%edx
34: 45 8b 5f 34 mov 0x34(%r15),%r11d
38: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
3f: 49 rex.WB
Code starting with the faulting instruction
===========================================
0: 49 8b 17 mov (%r15),%rdx
3: 49 89 11 mov %rdx,(%r9)
6: 41 8b 57 28 mov 0x28(%r15),%edx
a: 45 8b 5f 34 mov 0x34(%r15),%r11d
e: 49 c7 07 00 00 00 00 movq $0x0,(%r15)
15: 49 rex.WB
[ 70.724561] RSP: 0018:ffff95ae85e6fb90 EFLAGS: 00000202
[ 70.724561] RAX: 0000000002000000 RBX: ffff95ae841de000 RCX: 0000000000000000
[ 70.724561] RDX: 0000000000000000 RSI: 0000000000000001 RDI: 0000000000000001
[ 70.724561] RBP: ffff95ae85e6fbf8 R08: 0000000000000000 R09: ffff95b710a30000
[ 70.724561] R10: 0000000000000000 R11: bdf289445ce31881 R12: ffff95ae85e6fc58
[ 70.724561] R13: 0000000000000000 R14: 0000000000000040 R15: 0000000000000000
[ 70.724561] FS: 000000002c5c1380(0000) GS:ffff95bd7fcc0000(0000) knlGS:0000000000000000
[ 70.724561] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 70.724561] CR2: 0000000000000000 CR3: 000000010c568000 CR4: 00000000000006f0
[ 70.724561] Call Trace:
[ 70.724561] <TASK>
[ 70.724561] ? __die (arch/x86/kernel/dumpstack.c:421 arch/x86/kernel/dumpstack.c:434)
[ 70.724561] ? page_fault_oops (arch/x86/mm/fault.c:715)
[ 70.724561] ? exc_page_fault (./arch/x86/include/asm/irqflags.h:26 ./arch/x86/include/asm/irqflags.h:87 ./arch/x86/include/asm/irqflags.h:147 arch/x86/mm/fault.c:1489 arch/x86/mm/fault.c:1539)
[ 70.724561] ? asm_exc_page_fault (./arch/x86/include/asm/idtentry.h:623)
[ 70.724561] ? fq_codel_enqueue (net/sched/sch_fq_codel.c:120 net/sched/sch_fq_codel.c:168 net/sched/sch_fq_codel.c:230) sch_fq_codel
[ 70.724561] dev_qdisc_enqueue (net/core/dev.c:3784)
[ 70.724561] __dev_queue_xmit (net/core/dev.c:3880 (discriminator 2) net/core/dev.c:4390 (discriminator 2))
[ 70.724561] ? irqentry_enter (kernel/entry/common.c:237)
[ 70.724561] ? sysvec_apic_timer_interrupt (./arch/x86/include/asm/hardirq.h:74 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2) arch/x86/kernel/apic/apic.c:1043 (discriminator 2))
[ 70.724561] ? trace_hardirqs_on (kernel/trace/trace_preemptirq.c:58 (discriminator 4))
[ 70.724561] ? asm_sysvec_apic_timer_interrupt (./arch/x86/include/asm/idtentry.h:702)
[ 70.724561] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/virtio_net.h:129 (discriminator 1))
[ 70.724561] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1))
[ 70.724561] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4))
[ 70.724561] ? netdev_name_node_lookup_rcu (net/core/dev.c:325 (discriminator 1))
[ 70.724561] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1))
[ 70.724561] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355)
[ 70.724561] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1))
[ 70.724561] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
[ 70.724561] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
[ 70.724561] RIP: 0033:0x41ae09
Fixes: cf9acc90c80ec ("net: virtio_net_hdr_to_skb: count transport header in UFO")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Jonathan Davies <jonathan.davies@nutanix.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Jonathan Davies <jonathan.davies@nutanix.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/dev.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index decfa7cbba50a..877ebaff95586 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3746,7 +3746,7 @@ static void qdisc_pkt_len_init(struct sk_buff *skb)
sizeof(_tcphdr), &_tcphdr);
if (likely(th))
hdr_len += __tcp_hdrlen(th);
- } else {
+ } else if (shinfo->gso_type & SKB_GSO_UDP_L4) {
struct udphdr _udphdr;
if (skb_header_pointer(skb, hdr_len,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 031/386] net: add more sanity checks to qdisc_pkt_len_init()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 030/386] net: avoid potential underflow in qdisc_pkt_len_init() with UFO Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 032/386] net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check Greg Kroah-Hartman
` (365 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Willem de Bruijn,
David Ahern, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit ab9a9a9e9647392a19e7a885b08000e89c86b535 ]
One path takes care of SKB_GSO_DODGY, assuming
skb->len is bigger than hdr_len.
virtio_net_hdr_to_skb() does not fully dissect TCP headers,
it only make sure it is at least 20 bytes.
It is possible for an user to provide a malicious 'GSO' packet,
total length of 80 bytes.
- 20 bytes of IPv4 header
- 60 bytes TCP header
- a small gso_size like 8
virtio_net_hdr_to_skb() would declare this packet as a normal
GSO packet, because it would see 40 bytes of payload,
bigger than gso_size.
We need to make detect this case to not underflow
qdisc_skb_cb(skb)->pkt_len.
Fixes: 1def9238d4aa ("net_sched: more precise pkt_len computation")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/dev.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/net/core/dev.c b/net/core/dev.c
index 877ebaff95586..70f757707f1a2 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3754,10 +3754,14 @@ static void qdisc_pkt_len_init(struct sk_buff *skb)
hdr_len += sizeof(struct udphdr);
}
- if (shinfo->gso_type & SKB_GSO_DODGY)
- gso_segs = DIV_ROUND_UP(skb->len - hdr_len,
- shinfo->gso_size);
+ if (unlikely(shinfo->gso_type & SKB_GSO_DODGY)) {
+ int payload = skb->len - hdr_len;
+ /* Malicious packet. */
+ if (payload <= 0)
+ return;
+ gso_segs = DIV_ROUND_UP(payload, shinfo->gso_size);
+ }
qdisc_skb_cb(skb)->pkt_len += (gso_segs - 1) * hdr_len;
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 032/386] net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 031/386] net: add more sanity checks to qdisc_pkt_len_init() Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 033/386] ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Greg Kroah-Hartman
` (364 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Shenwei Wang,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shenwei Wang <shenwei.wang@nxp.com>
[ Upstream commit 4c1b56671b68ffcbe6b78308bfdda6bcce6491ae ]
Increase the timeout for checking the busy bit of the VLAN Tag register
from 10µs to 500ms. This change is necessary to accommodate scenarios
where Energy Efficient Ethernet (EEE) is enabled.
Overnight testing revealed that when EEE is active, the busy bit can
remain set for up to approximately 300ms. The new 500ms timeout provides
a safety margin.
Fixes: ed64639bc1e0 ("net: stmmac: Add support for VLAN Rx filtering")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Shenwei Wang <shenwei.wang@nxp.com>
Link: https://patch.msgid.link/20240924205424.573913-1-shenwei.wang@nxp.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/stmicro/stmmac/dwmac4_core.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
index bf99495b51a9c..a9837985a483d 100644
--- a/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
+++ b/drivers/net/ethernet/stmicro/stmmac/dwmac4_core.c
@@ -14,6 +14,7 @@
#include <linux/slab.h>
#include <linux/ethtool.h>
#include <linux/io.h>
+#include <linux/iopoll.h>
#include "stmmac.h"
#include "stmmac_pcs.h"
#include "dwmac4.h"
@@ -475,7 +476,7 @@ static int dwmac4_write_vlan_filter(struct net_device *dev,
u8 index, u32 data)
{
void __iomem *ioaddr = (void __iomem *)dev->base_addr;
- int i, timeout = 10;
+ int ret;
u32 val;
if (index >= hw->num_vlan)
@@ -491,16 +492,15 @@ static int dwmac4_write_vlan_filter(struct net_device *dev,
writel(val, ioaddr + GMAC_VLAN_TAG);
- for (i = 0; i < timeout; i++) {
- val = readl(ioaddr + GMAC_VLAN_TAG);
- if (!(val & GMAC_VLAN_TAG_CTRL_OB))
- return 0;
- udelay(1);
+ ret = readl_poll_timeout(ioaddr + GMAC_VLAN_TAG, val,
+ !(val & GMAC_VLAN_TAG_CTRL_OB),
+ 1000, 500000);
+ if (ret) {
+ netdev_err(dev, "Timeout accessing MAC_VLAN_Tag_Filter\n");
+ return -EBUSY;
}
- netdev_err(dev, "Timeout accessing MAC_VLAN_Tag_Filter\n");
-
- return -EBUSY;
+ return 0;
}
static int dwmac4_add_hw_vlan_rx_fltr(struct net_device *dev,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 033/386] ipv4: ip_gre: Fix drops of small packets in ipgre_xmit
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 032/386] net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 034/386] net: test for not too small csum_start in virtio_net_hdr_to_skb() Greg Kroah-Hartman
` (363 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anton Danilov, Eric Dumazet,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anton Danilov <littlesmilingcloud@gmail.com>
[ Upstream commit c4a14f6d9d17ad1e41a36182dd3b8a5fd91efbd7 ]
Regression Description:
Depending on the options specified for the GRE tunnel device, small
packets may be dropped. This occurs because the pskb_network_may_pull
function fails due to the packet's insufficient length.
For example, if only the okey option is specified for the tunnel device,
original (before encapsulation) packets smaller than 28 bytes (including
the IPv4 header) will be dropped. This happens because the required
length is calculated relative to the network header, not the skb->head.
Here is how the required length is computed and checked:
* The pull_len variable is set to 28 bytes, consisting of:
* IPv4 header: 20 bytes
* GRE header with Key field: 8 bytes
* The pskb_network_may_pull function adds the network offset, shifting
the checkable space further to the beginning of the network header and
extending it to the beginning of the packet. As a result, the end of
the checkable space occurs beyond the actual end of the packet.
Instead of ensuring that 28 bytes are present in skb->head, the function
is requesting these 28 bytes starting from the network header. For small
packets, this requested length exceeds the actual packet size, causing
the check to fail and the packets to be dropped.
This issue affects both locally originated and forwarded packets in
DMVPN-like setups.
How to reproduce (for local originated packets):
ip link add dev gre1 type gre ikey 1.9.8.4 okey 1.9.8.4 \
local <your-ip> remote 0.0.0.0
ip link set mtu 1400 dev gre1
ip link set up dev gre1
ip address add 192.168.13.1/24 dev gre1
ip neighbor add 192.168.13.2 lladdr <remote-ip> dev gre1
ping -s 1374 -c 10 192.168.13.2
tcpdump -vni gre1
tcpdump -vni <your-ext-iface> 'ip proto 47'
ip -s -s -d link show dev gre1
Solution:
Use the pskb_may_pull function instead the pskb_network_may_pull.
Fixes: 80d875cfc9d3 ("ipv4: ip_gre: Avoid skb_pull() failure in ipgre_xmit()")
Signed-off-by: Anton Danilov <littlesmilingcloud@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240924235158.106062-1-littlesmilingcloud@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/ip_gre.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/net/ipv4/ip_gre.c b/net/ipv4/ip_gre.c
index f21a1a5403723..890c15510b421 100644
--- a/net/ipv4/ip_gre.c
+++ b/net/ipv4/ip_gre.c
@@ -645,11 +645,11 @@ static netdev_tx_t ipgre_xmit(struct sk_buff *skb,
if (skb_cow_head(skb, 0))
goto free_skb;
- tnl_params = (const struct iphdr *)skb->data;
-
- if (!pskb_network_may_pull(skb, pull_len))
+ if (!pskb_may_pull(skb, pull_len))
goto free_skb;
+ tnl_params = (const struct iphdr *)skb->data;
+
/* ip_tunnel_xmit() needs skb->data pointing to gre header. */
skb_pull(skb, pull_len);
skb_reset_mac_header(skb);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 034/386] net: test for not too small csum_start in virtio_net_hdr_to_skb()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 033/386] ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 035/386] ppp: do not assume bh is held in ppp_channel_bridge_input() Greg Kroah-Hartman
` (362 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Willem de Bruijn,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit 49d14b54a527289d09a9480f214b8c586322310a ]
syzbot was able to trigger this warning [1], after injecting a
malicious packet through af_packet, setting skb->csum_start and thus
the transport header to an incorrect value.
We can at least make sure the transport header is after
the end of the network header (with a estimated minimal size).
[1]
[ 67.873027] skb len=4096 headroom=16 headlen=14 tailroom=0
mac=(-1,-1) mac_len=0 net=(16,-6) trans=10
shinfo(txflags=0 nr_frags=1 gso(size=0 type=0 segs=0))
csum(0xa start=10 offset=0 ip_summed=3 complete_sw=0 valid=0 level=0)
hash(0x0 sw=0 l4=0) proto=0x0800 pkttype=0 iif=0
priority=0x0 mark=0x0 alloc_cpu=10 vlan_all=0x0
encapsulation=0 inner(proto=0x0000, mac=0, net=0, trans=0)
[ 67.877172] dev name=veth0_vlan feat=0x000061164fdd09e9
[ 67.877764] sk family=17 type=3 proto=0
[ 67.878279] skb linear: 00000000: 00 00 10 00 00 00 00 00 0f 00 00 00 08 00
[ 67.879128] skb frag: 00000000: 0e 00 07 00 00 00 28 00 08 80 1c 00 04 00 00 02
[ 67.879877] skb frag: 00000010: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.880647] skb frag: 00000020: 00 00 02 00 00 00 08 00 1b 00 00 00 00 00 00 00
[ 67.881156] skb frag: 00000030: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.881753] skb frag: 00000040: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.882173] skb frag: 00000050: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.882790] skb frag: 00000060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.883171] skb frag: 00000070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.883733] skb frag: 00000080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.884206] skb frag: 00000090: 00 00 00 00 00 00 00 00 00 00 69 70 76 6c 61 6e
[ 67.884704] skb frag: 000000a0: 31 00 00 00 00 00 00 00 00 00 2b 00 00 00 00 00
[ 67.885139] skb frag: 000000b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.885677] skb frag: 000000c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.886042] skb frag: 000000d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.886408] skb frag: 000000e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.887020] skb frag: 000000f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 67.887384] skb frag: 00000100: 00 00
[ 67.887878] ------------[ cut here ]------------
[ 67.887908] offset (-6) >= skb_headlen() (14)
[ 67.888445] WARNING: CPU: 10 PID: 2088 at net/core/dev.c:3332 skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[ 67.889353] Modules linked in: macsec macvtap macvlan hsr wireguard curve25519_x86_64 libcurve25519_generic libchacha20poly1305 chacha_x86_64 libchacha poly1305_x86_64 dummy bridge sr_mod cdrom evdev pcspkr i2c_piix4 9pnet_virtio 9p 9pnet netfs
[ 67.890111] CPU: 10 UID: 0 PID: 2088 Comm: b363492833 Not tainted 6.11.0-virtme #1011
[ 67.890183] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
[ 67.890309] RIP: 0010:skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[ 67.891043] Call Trace:
[ 67.891173] <TASK>
[ 67.891274] ? __warn (kernel/panic.c:741)
[ 67.891320] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[ 67.891333] ? report_bug (lib/bug.c:180 lib/bug.c:219)
[ 67.891348] ? handle_bug (arch/x86/kernel/traps.c:239)
[ 67.891363] ? exc_invalid_op (arch/x86/kernel/traps.c:260 (discriminator 1))
[ 67.891372] ? asm_exc_invalid_op (./arch/x86/include/asm/idtentry.h:621)
[ 67.891388] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[ 67.891399] ? skb_checksum_help (net/core/dev.c:3332 (discriminator 2))
[ 67.891416] ip_do_fragment (net/ipv4/ip_output.c:777 (discriminator 1))
[ 67.891448] ? __ip_local_out (./include/linux/skbuff.h:1146 ./include/net/l3mdev.h:196 ./include/net/l3mdev.h:213 net/ipv4/ip_output.c:113)
[ 67.891459] ? __pfx_ip_finish_output2 (net/ipv4/ip_output.c:200)
[ 67.891470] ? ip_route_output_flow (./arch/x86/include/asm/preempt.h:84 (discriminator 13) ./include/linux/rcupdate.h:96 (discriminator 13) ./include/linux/rcupdate.h:871 (discriminator 13) net/ipv4/route.c:2625 (discriminator 13) ./include/net/route.h:141 (discriminator 13) net/ipv4/route.c:2852 (discriminator 13))
[ 67.891484] ipvlan_process_v4_outbound (drivers/net/ipvlan/ipvlan_core.c:445 (discriminator 1))
[ 67.891581] ipvlan_queue_xmit (drivers/net/ipvlan/ipvlan_core.c:542 drivers/net/ipvlan/ipvlan_core.c:604 drivers/net/ipvlan/ipvlan_core.c:670)
[ 67.891596] ipvlan_start_xmit (drivers/net/ipvlan/ipvlan_main.c:227)
[ 67.891607] dev_hard_start_xmit (./include/linux/netdevice.h:4916 ./include/linux/netdevice.h:4925 net/core/dev.c:3588 net/core/dev.c:3604)
[ 67.891620] __dev_queue_xmit (net/core/dev.h:168 (discriminator 25) net/core/dev.c:4425 (discriminator 25))
[ 67.891630] ? skb_copy_bits (./include/linux/uaccess.h:233 (discriminator 1) ./include/linux/uaccess.h:260 (discriminator 1) ./include/linux/highmem-internal.h:230 (discriminator 1) net/core/skbuff.c:3018 (discriminator 1))
[ 67.891645] ? __pskb_pull_tail (net/core/skbuff.c:2848 (discriminator 4))
[ 67.891655] ? skb_partial_csum_set (net/core/skbuff.c:5657)
[ 67.891666] ? virtio_net_hdr_to_skb.constprop.0 (./include/linux/skbuff.h:2791 (discriminator 3) ./include/linux/skbuff.h:2799 (discriminator 3) ./include/linux/virtio_net.h:109 (discriminator 3))
[ 67.891684] packet_sendmsg (net/packet/af_packet.c:3145 (discriminator 1) net/packet/af_packet.c:3177 (discriminator 1))
[ 67.891700] ? _raw_spin_lock_bh (./arch/x86/include/asm/atomic.h:107 (discriminator 4) ./include/linux/atomic/atomic-arch-fallback.h:2170 (discriminator 4) ./include/linux/atomic/atomic-instrumented.h:1302 (discriminator 4) ./include/asm-generic/qspinlock.h:111 (discriminator 4) ./include/linux/spinlock.h:187 (discriminator 4) ./include/linux/spinlock_api_smp.h:127 (discriminator 4) kernel/locking/spinlock.c:178 (discriminator 4))
[ 67.891716] __sys_sendto (net/socket.c:730 (discriminator 1) net/socket.c:745 (discriminator 1) net/socket.c:2210 (discriminator 1))
[ 67.891734] ? do_sock_setsockopt (net/socket.c:2335)
[ 67.891747] ? __sys_setsockopt (./include/linux/file.h:34 net/socket.c:2355)
[ 67.891761] __x64_sys_sendto (net/socket.c:2222 (discriminator 1) net/socket.c:2218 (discriminator 1) net/socket.c:2218 (discriminator 1))
[ 67.891772] do_syscall_64 (arch/x86/entry/common.c:52 (discriminator 1) arch/x86/entry/common.c:83 (discriminator 1))
[ 67.891785] entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130)
Fixes: 9181d6f8a2bb ("net: add more sanity check in virtio_net_hdr_to_skb()")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20240926165836.3797406-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/linux/virtio_net.h | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
index 276ca543ef44d..02a9f4dc594d0 100644
--- a/include/linux/virtio_net.h
+++ b/include/linux/virtio_net.h
@@ -103,8 +103,10 @@ static inline int virtio_net_hdr_to_skb(struct sk_buff *skb,
if (!skb_partial_csum_set(skb, start, off))
return -EINVAL;
+ if (skb_transport_offset(skb) < nh_min_len)
+ return -EINVAL;
- nh_min_len = max_t(u32, nh_min_len, skb_transport_offset(skb));
+ nh_min_len = skb_transport_offset(skb);
p_off = nh_min_len + thlen;
if (!pskb_may_pull(skb, p_off))
return -EINVAL;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 035/386] ppp: do not assume bh is held in ppp_channel_bridge_input()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 034/386] net: test for not too small csum_start in virtio_net_hdr_to_skb() Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 036/386] iomap: constrain the file range passed to iomap_file_unshare Greg Kroah-Hartman
` (361 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+bd8d55ee2acd0a71d8ce,
Eric Dumazet, Tom Parkin, James Chapman, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
[ Upstream commit aec7291003df78cb71fd461d7b672912bde55807 ]
Networking receive path is usually handled from BH handler.
However, some protocols need to acquire the socket lock, and
packets might be stored in the socket backlog is the socket was
owned by a user process.
In this case, release_sock(), __release_sock(), and sk_backlog_rcv()
might call the sk->sk_backlog_rcv() handler in process context.
sybot caught ppp was not considering this case in
ppp_channel_bridge_input() :
WARNING: inconsistent lock state
6.11.0-rc7-syzkaller-g5f5673607153 #0 Not tainted
--------------------------------
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
ksoftirqd/1/24 [HC0[0]:SC1[1]:HE1:SE0] takes:
ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: spin_lock include/linux/spinlock.h:351 [inline]
ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
ffff0000db7f11e0 (&pch->downl){+.?.}-{2:2}, at: ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
{SOFTIRQ-ON-W} state was registered at:
lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
pppoe_rcv_core+0xfc/0x314 drivers/net/ppp/pppoe.c:379
sk_backlog_rcv include/net/sock.h:1111 [inline]
__release_sock+0x1a8/0x3d8 net/core/sock.c:3004
release_sock+0x68/0x1b8 net/core/sock.c:3558
pppoe_sendmsg+0xc8/0x5d8 drivers/net/ppp/pppoe.c:903
sock_sendmsg_nosec net/socket.c:730 [inline]
__sock_sendmsg net/socket.c:745 [inline]
__sys_sendto+0x374/0x4f4 net/socket.c:2204
__do_sys_sendto net/socket.c:2216 [inline]
__se_sys_sendto net/socket.c:2212 [inline]
__arm64_sys_sendto+0xd8/0xf8 net/socket.c:2212
__invoke_syscall arch/arm64/kernel/syscall.c:35 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:49
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:132
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:151
el0_svc+0x54/0x168 arch/arm64/kernel/entry-common.c:712
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:730
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:598
irq event stamp: 282914
hardirqs last enabled at (282914): [<ffff80008b42e30c>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (282914): [<ffff80008b42e30c>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (282913): [<ffff80008b42e13c>] __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:108 [inline]
hardirqs last disabled at (282913): [<ffff80008b42e13c>] _raw_spin_lock_irqsave+0x2c/0x7c kernel/locking/spinlock.c:162
softirqs last enabled at (282904): [<ffff8000801f8e88>] softirq_handle_end kernel/softirq.c:400 [inline]
softirqs last enabled at (282904): [<ffff8000801f8e88>] handle_softirqs+0xa3c/0xbfc kernel/softirq.c:582
softirqs last disabled at (282909): [<ffff8000801fbdf8>] run_ksoftirqd+0x70/0x158 kernel/softirq.c:928
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(&pch->downl);
<Interrupt>
lock(&pch->downl);
*** DEADLOCK ***
1 lock held by ksoftirqd/1/24:
#0: ffff80008f74dfa0 (rcu_read_lock){....}-{1:2}, at: rcu_lock_acquire+0x10/0x4c include/linux/rcupdate.h:325
stack backtrace:
CPU: 1 UID: 0 PID: 24 Comm: ksoftirqd/1 Not tainted 6.11.0-rc7-syzkaller-g5f5673607153 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
Call trace:
dump_backtrace+0x1b8/0x1e4 arch/arm64/kernel/stacktrace.c:319
show_stack+0x2c/0x3c arch/arm64/kernel/stacktrace.c:326
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0xe4/0x150 lib/dump_stack.c:119
dump_stack+0x1c/0x28 lib/dump_stack.c:128
print_usage_bug+0x698/0x9ac kernel/locking/lockdep.c:4000
mark_lock_irq+0x980/0xd2c
mark_lock+0x258/0x360 kernel/locking/lockdep.c:4677
__lock_acquire+0xf48/0x779c kernel/locking/lockdep.c:5096
lock_acquire+0x240/0x728 kernel/locking/lockdep.c:5759
__raw_spin_lock include/linux/spinlock_api_smp.h:133 [inline]
_raw_spin_lock+0x48/0x60 kernel/locking/spinlock.c:154
spin_lock include/linux/spinlock.h:351 [inline]
ppp_channel_bridge_input drivers/net/ppp/ppp_generic.c:2272 [inline]
ppp_input+0x16c/0x854 drivers/net/ppp/ppp_generic.c:2304
ppp_async_process+0x98/0x150 drivers/net/ppp/ppp_async.c:495
tasklet_action_common+0x318/0x3f4 kernel/softirq.c:785
tasklet_action+0x68/0x8c kernel/softirq.c:811
handle_softirqs+0x2e4/0xbfc kernel/softirq.c:554
run_ksoftirqd+0x70/0x158 kernel/softirq.c:928
smpboot_thread_fn+0x4b0/0x90c kernel/smpboot.c:164
kthread+0x288/0x310 kernel/kthread.c:389
ret_from_fork+0x10/0x20 arch/arm64/kernel/entry.S:860
Fixes: 4cf476ced45d ("ppp: add PPPIOCBRIDGECHAN and PPPIOCUNBRIDGECHAN ioctls")
Reported-by: syzbot+bd8d55ee2acd0a71d8ce@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/66f661e2.050a0220.38ace9.000f.GAE@google.com/T/#u
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Tom Parkin <tparkin@katalix.com>
Cc: James Chapman <jchapman@katalix.com>
Link: https://patch.msgid.link/20240927074553.341910-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ppp/ppp_generic.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ppp/ppp_generic.c b/drivers/net/ppp/ppp_generic.c
index 370c84f393759..90f1cfbc7c50b 100644
--- a/drivers/net/ppp/ppp_generic.c
+++ b/drivers/net/ppp/ppp_generic.c
@@ -2269,7 +2269,7 @@ static bool ppp_channel_bridge_input(struct channel *pch, struct sk_buff *skb)
if (!pchb)
goto out_rcu;
- spin_lock(&pchb->downl);
+ spin_lock_bh(&pchb->downl);
if (!pchb->chan) {
/* channel got unregistered */
kfree_skb(skb);
@@ -2281,7 +2281,7 @@ static bool ppp_channel_bridge_input(struct channel *pch, struct sk_buff *skb)
kfree_skb(skb);
outl:
- spin_unlock(&pchb->downl);
+ spin_unlock_bh(&pchb->downl);
out_rcu:
rcu_read_unlock();
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 036/386] iomap: constrain the file range passed to iomap_file_unshare
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 035/386] ppp: do not assume bh is held in ppp_channel_bridge_input() Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 037/386] dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems Greg Kroah-Hartman
` (360 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Darrick J. Wong, Christoph Hellwig,
Brian Foster, Christian Brauner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Darrick J. Wong <djwong@kernel.org>
[ Upstream commit a311a08a4237241fb5b9d219d3e33346de6e83e0 ]
File contents can only be shared (i.e. reflinked) below EOF, so it makes
no sense to try to unshare ranges beyond EOF. Constrain the file range
parameters here so that we don't have to do that in the callers.
Fixes: 5f4e5752a8a3 ("fs: add iomap_file_dirty")
Signed-off-by: Darrick J. Wong <djwong@kernel.org>
Link: https://lore.kernel.org/r/20241002150213.GC21853@frogsfrogsfrogs
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/dax.c | 6 +++++-
fs/iomap/buffered-io.c | 6 +++++-
2 files changed, 10 insertions(+), 2 deletions(-)
diff --git a/fs/dax.c b/fs/dax.c
index 3380b43cb6bbb..d48b4fc7a4838 100644
--- a/fs/dax.c
+++ b/fs/dax.c
@@ -1305,11 +1305,15 @@ int dax_file_unshare(struct inode *inode, loff_t pos, loff_t len,
struct iomap_iter iter = {
.inode = inode,
.pos = pos,
- .len = len,
.flags = IOMAP_WRITE | IOMAP_UNSHARE | IOMAP_DAX,
};
+ loff_t size = i_size_read(inode);
int ret;
+ if (pos < 0 || pos >= size)
+ return 0;
+
+ iter.len = min(len, size - pos);
while ((ret = iomap_iter(&iter, ops)) > 0)
iter.processed = dax_unshare_iter(&iter);
return ret;
diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index 975fd88c1f0f4..5371b16341fff 100644
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -1316,11 +1316,15 @@ iomap_file_unshare(struct inode *inode, loff_t pos, loff_t len,
struct iomap_iter iter = {
.inode = inode,
.pos = pos,
- .len = len,
.flags = IOMAP_WRITE | IOMAP_UNSHARE,
};
+ loff_t size = i_size_read(inode);
int ret;
+ if (pos < 0 || pos >= size)
+ return 0;
+
+ iter.len = min(len, size - pos);
while ((ret = iomap_iter(&iter, ops)) > 0)
iter.processed = iomap_unshare_iter(&iter);
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 037/386] dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 036/386] iomap: constrain the file range passed to iomap_file_unshare Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 038/386] sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Greg Kroah-Hartman
` (359 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ravikanth Tuniki,
Radhey Shyam Pandey, Conor Dooley, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ravikanth Tuniki <ravikanth.tuniki@amd.com>
[ Upstream commit c6929644c1e0d6108e57061d427eb966e1746351 ]
Add missing reg minItems as based on current binding document
only ethernet MAC IO space is a supported configuration.
There is a bug in schema, current examples contain 64-bit
addressing as well as 32-bit addressing. The schema validation
does pass incidentally considering one 64-bit reg address as
two 32-bit reg address entries. If we change axi_ethernet_eth1
example node reg addressing to 32-bit schema validation reports:
Documentation/devicetree/bindings/net/xlnx,axi-ethernet.example.dtb:
ethernet@40000000: reg: [[1073741824, 262144]] is too short
To fix it add missing reg minItems constraints and to make things clearer
stick to 32-bit addressing in examples.
Fixes: cbb1ca6d5f9a ("dt-bindings: net: xlnx,axi-ethernet: convert bindings document to yaml")
Signed-off-by: Ravikanth Tuniki <ravikanth.tuniki@amd.com>
Signed-off-by: Radhey Shyam Pandey <radhey.shyam.pandey@amd.com>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://patch.msgid.link/1727723615-2109795-1-git-send-email-radhey.shyam.pandey@amd.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml b/Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml
index 1d33d80af11c3..652d696bc9e90 100644
--- a/Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml
+++ b/Documentation/devicetree/bindings/net/xlnx,axi-ethernet.yaml
@@ -34,6 +34,7 @@ properties:
and length of the AXI DMA controller IO space, unless
axistream-connected is specified, in which case the reg
attribute of the node referenced by it is used.
+ minItems: 1
maxItems: 2
interrupts:
@@ -165,7 +166,7 @@ examples:
clock-names = "s_axi_lite_clk", "axis_clk", "ref_clk", "mgt_clk";
clocks = <&axi_clk>, <&axi_clk>, <&pl_enet_ref_clk>, <&mgt_clk>;
phy-mode = "mii";
- reg = <0x00 0x40000000 0x00 0x40000>;
+ reg = <0x40000000 0x40000>;
xlnx,rxcsum = <0x2>;
xlnx,rxmem = <0x800>;
xlnx,txcsum = <0x2>;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 038/386] sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 037/386] dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 039/386] i2c: xiic: improve error message when transfer fails to start Greg Kroah-Hartman
` (358 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+f4e0f821e3a3b7cee51d,
Xin Long, Marcelo Ricardo Leitner, Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 8beee4d8dee76b67c75dc91fd8185d91e845c160 ]
In sctp_listen_start() invoked by sctp_inet_listen(), it should set the
sk_state back to CLOSED if sctp_autobind() fails due to whatever reason.
Otherwise, next time when calling sctp_inet_listen(), if sctp_sk(sk)->reuse
is already set via setsockopt(SCTP_REUSE_PORT), sctp_sk(sk)->bind_hash will
be dereferenced as sk_state is LISTENING, which causes a crash as bind_hash
is NULL.
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
RIP: 0010:sctp_inet_listen+0x7f0/0xa20 net/sctp/socket.c:8617
Call Trace:
<TASK>
__sys_listen_socket net/socket.c:1883 [inline]
__sys_listen+0x1b7/0x230 net/socket.c:1894
__do_sys_listen net/socket.c:1902 [inline]
Fixes: 5e8f3f703ae4 ("sctp: simplify sctp listening code")
Reported-by: syzbot+f4e0f821e3a3b7cee51d@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Link: https://patch.msgid.link/a93e655b3c153dc8945d7a812e6d8ab0d52b7aa0.1727729391.git.lucien.xin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sctp/socket.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 225dfacfd233f..4a1ebe46d045d 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -8551,8 +8551,10 @@ static int sctp_listen_start(struct sock *sk, int backlog)
*/
inet_sk_set_state(sk, SCTP_SS_LISTENING);
if (!ep->base.bind_addr.port) {
- if (sctp_autobind(sk))
+ if (sctp_autobind(sk)) {
+ inet_sk_set_state(sk, SCTP_SS_CLOSED);
return -EAGAIN;
+ }
} else {
if (sctp_get_port(sk, inet_sk(sk)->inet_num)) {
inet_sk_set_state(sk, SCTP_SS_CLOSED);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 039/386] i2c: xiic: improve error message when transfer fails to start
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 038/386] sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 040/386] i2c: xiic: Try re-initialization on bus busy timeout Greg Kroah-Hartman
` (357 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Ferland, Michal Simek,
Andi Shyti, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marc Ferland <marc.ferland@sonatest.com>
[ Upstream commit ee1691d0ae103ba7fd9439800ef454674fadad27 ]
xiic_start_xfer can fail for different reasons:
- EBUSY: bus is busy or i2c messages still in tx_msg or rx_msg
- ETIMEDOUT: timed-out trying to clear the RX fifo
- EINVAL: wrong clock settings
Both EINVAL and ETIMEDOUT will currently print a specific error
message followed by a generic one, for example:
Failed to clear rx fifo
Error xiic_start_xfer
however EBUSY will simply output the generic message:
Error xiic_start_xfer
which is not really helpful.
This commit adds a new error message when a busy condition is detected
and also removes the generic message since it does not provide any
relevant information to the user.
Signed-off-by: Marc Ferland <marc.ferland@sonatest.com>
Acked-by: Michal Simek <michal.simek@amd.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Stable-dep-of: 1d4a1adbed25 ("i2c: xiic: Try re-initialization on bus busy timeout")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-xiic.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c
index 71391b590adae..19468565120e1 100644
--- a/drivers/i2c/busses/i2c-xiic.c
+++ b/drivers/i2c/busses/i2c-xiic.c
@@ -1105,8 +1105,11 @@ static int xiic_start_xfer(struct xiic_i2c *i2c, struct i2c_msg *msgs, int num)
mutex_lock(&i2c->lock);
ret = xiic_busy(i2c);
- if (ret)
+ if (ret) {
+ dev_err(i2c->adap.dev.parent,
+ "cannot start a transfer while busy\n");
goto out;
+ }
i2c->tx_msg = msgs;
i2c->rx_msg = NULL;
@@ -1164,10 +1167,8 @@ static int xiic_xfer(struct i2c_adapter *adap, struct i2c_msg *msgs, int num)
return err;
err = xiic_start_xfer(i2c, msgs, num);
- if (err < 0) {
- dev_err(adap->dev.parent, "Error xiic_start_xfer\n");
+ if (err < 0)
goto out;
- }
err = wait_for_completion_timeout(&i2c->completion, XIIC_XFER_TIMEOUT);
mutex_lock(&i2c->lock);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 040/386] i2c: xiic: Try re-initialization on bus busy timeout
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 039/386] i2c: xiic: improve error message when transfer fails to start Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 041/386] loop: dont set QUEUE_FLAG_NOMERGES Greg Kroah-Hartman
` (356 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robert Hancock, Manikanta Guntupalli,
Michal Simek, Andi Shyti, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robert Hancock <robert.hancock@calian.com>
[ Upstream commit 1d4a1adbed2582444aaf97671858b7d12915bd05 ]
In the event that the I2C bus was powered down when the I2C controller
driver loads, or some spurious pulses occur on the I2C bus, it's
possible that the controller detects a spurious I2C "start" condition.
In this situation it may continue to report the bus is busy indefinitely
and block the controller from working.
The "single-master" DT flag can be specified to disable bus busy checks
entirely, but this may not be safe to use in situations where other I2C
masters may potentially exist.
In the event that the controller reports "bus busy" for too long when
starting a transaction, we can try reinitializing the controller to see
if the busy condition clears. This allows recovering from this scenario.
Fixes: e1d5b6598cdc ("i2c: Add support for Xilinx XPS IIC Bus Interface")
Signed-off-by: Robert Hancock <robert.hancock@calian.com>
Cc: <stable@vger.kernel.org> # v2.6.34+
Reviewed-by: Manikanta Guntupalli <manikanta.guntupalli@amd.com>
Acked-by: Michal Simek <michal.simek@amd.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-xiic.c | 41 ++++++++++++++++++++++-------------
1 file changed, 26 insertions(+), 15 deletions(-)
diff --git a/drivers/i2c/busses/i2c-xiic.c b/drivers/i2c/busses/i2c-xiic.c
index 19468565120e1..d3ca7d2f81a61 100644
--- a/drivers/i2c/busses/i2c-xiic.c
+++ b/drivers/i2c/busses/i2c-xiic.c
@@ -844,23 +844,11 @@ static int xiic_bus_busy(struct xiic_i2c *i2c)
return (sr & XIIC_SR_BUS_BUSY_MASK) ? -EBUSY : 0;
}
-static int xiic_busy(struct xiic_i2c *i2c)
+static int xiic_wait_not_busy(struct xiic_i2c *i2c)
{
int tries = 3;
int err;
- if (i2c->tx_msg || i2c->rx_msg)
- return -EBUSY;
-
- /* In single master mode bus can only be busy, when in use by this
- * driver. If the register indicates bus being busy for some reason we
- * should ignore it, since bus will never be released and i2c will be
- * stuck forever.
- */
- if (i2c->singlemaster) {
- return 0;
- }
-
/* for instance if previous transfer was terminated due to TX error
* it might be that the bus is on it's way to become available
* give it at most 3 ms to wake
@@ -1104,13 +1092,36 @@ static int xiic_start_xfer(struct xiic_i2c *i2c, struct i2c_msg *msgs, int num)
mutex_lock(&i2c->lock);
- ret = xiic_busy(i2c);
- if (ret) {
+ if (i2c->tx_msg || i2c->rx_msg) {
dev_err(i2c->adap.dev.parent,
"cannot start a transfer while busy\n");
+ ret = -EBUSY;
goto out;
}
+ /* In single master mode bus can only be busy, when in use by this
+ * driver. If the register indicates bus being busy for some reason we
+ * should ignore it, since bus will never be released and i2c will be
+ * stuck forever.
+ */
+ if (!i2c->singlemaster) {
+ ret = xiic_wait_not_busy(i2c);
+ if (ret) {
+ /* If the bus is stuck in a busy state, such as due to spurious low
+ * pulses on the bus causing a false start condition to be detected,
+ * then try to recover by re-initializing the controller and check
+ * again if the bus is still busy.
+ */
+ dev_warn(i2c->adap.dev.parent, "I2C bus busy timeout, reinitializing\n");
+ ret = xiic_reinit(i2c);
+ if (ret)
+ goto out;
+ ret = xiic_wait_not_busy(i2c);
+ if (ret)
+ goto out;
+ }
+ }
+
i2c->tx_msg = msgs;
i2c->rx_msg = NULL;
i2c->nmsgs = num;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 041/386] loop: dont set QUEUE_FLAG_NOMERGES
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 040/386] i2c: xiic: Try re-initialization on bus busy timeout Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 042/386] Bluetooth: hci_sock: Fix not validating setsockopt user input Greg Kroah-Hartman
` (355 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Bart Van Assche,
Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 667ea36378cf7f669044b27871c496e1559c872a ]
QUEUE_FLAG_NOMERGES isn't really a driver interface, but a user tunable.
There also isn't any good reason to set it in the loop driver.
The original commit adding it (5b5e20f421c0b6d "block: loop: set
QUEUE_FLAG_NOMERGES for request queue of loop") claims that "It doesn't
make sense to enable merge because the I/O submitted to backing file is
handled page by page." which of course isn't true for multi-page bvec
now, and it never has been for direct I/O, for which commit 40326d8a33d
("block/loop: allow request merge for directio mode") alredy disabled
the nomerges flag.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Link: https://lore.kernel.org/r/20240627124926.512662-2-hch@lst.de
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/loop.c | 15 ++-------------
1 file changed, 2 insertions(+), 13 deletions(-)
diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index 552f56a84a7eb..886c635990377 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -211,13 +211,10 @@ static void __loop_update_dio(struct loop_device *lo, bool dio)
if (lo->lo_state == Lo_bound)
blk_mq_freeze_queue(lo->lo_queue);
lo->use_dio = use_dio;
- if (use_dio) {
- blk_queue_flag_clear(QUEUE_FLAG_NOMERGES, lo->lo_queue);
+ if (use_dio)
lo->lo_flags |= LO_FLAGS_DIRECT_IO;
- } else {
- blk_queue_flag_set(QUEUE_FLAG_NOMERGES, lo->lo_queue);
+ else
lo->lo_flags &= ~LO_FLAGS_DIRECT_IO;
- }
if (lo->lo_state == Lo_bound)
blk_mq_unfreeze_queue(lo->lo_queue);
}
@@ -2038,14 +2035,6 @@ static int loop_add(int i)
blk_queue_max_hw_sectors(lo->lo_queue, BLK_DEF_MAX_SECTORS);
- /*
- * By default, we do buffer IO, so it doesn't make sense to enable
- * merge because the I/O submitted to backing file is handled page by
- * page. For directio mode, merge does help to dispatch bigger request
- * to underlayer disk. We will enable merge once directio is enabled.
- */
- blk_queue_flag_set(QUEUE_FLAG_NOMERGES, lo->lo_queue);
-
/*
* Disable partition scanning by default. The in-kernel partition
* scanning can be requested individually per-device during its
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 042/386] Bluetooth: hci_sock: Fix not validating setsockopt user input
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 041/386] loop: dont set QUEUE_FLAG_NOMERGES Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 043/386] media: usbtv: Remove useless locks in usbtv_video_free() Greg Kroah-Hartman
` (354 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit b2186061d6043d6345a97100460363e990af0d46 ]
Check user input length before copying data.
Fixes: 09572fca7223 ("Bluetooth: hci_sock: Add support for BT_{SND,RCV}BUF")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_sock.c | 21 ++++++++-------------
1 file changed, 8 insertions(+), 13 deletions(-)
diff --git a/net/bluetooth/hci_sock.c b/net/bluetooth/hci_sock.c
index 3d904ca92e9e8..69c2ba1e843eb 100644
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -1943,10 +1943,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
switch (optname) {
case HCI_DATA_DIR:
- if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len);
+ if (err)
break;
- }
if (opt)
hci_pi(sk)->cmsg_mask |= HCI_CMSG_DIR;
@@ -1955,10 +1954,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
break;
case HCI_TIME_STAMP:
- if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len);
+ if (err)
break;
- }
if (opt)
hci_pi(sk)->cmsg_mask |= HCI_CMSG_TSTAMP;
@@ -1976,11 +1974,9 @@ static int hci_sock_setsockopt_old(struct socket *sock, int level, int optname,
uf.event_mask[1] = *((u32 *) f->event_mask + 1);
}
- len = min_t(unsigned int, len, sizeof(uf));
- if (copy_from_sockptr(&uf, optval, len)) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&uf, sizeof(uf), optval, len);
+ if (err)
break;
- }
if (!capable(CAP_NET_RAW)) {
uf.type_mask &= hci_sec_filter.type_mask;
@@ -2039,10 +2035,9 @@ static int hci_sock_setsockopt(struct socket *sock, int level, int optname,
goto done;
}
- if (copy_from_sockptr(&opt, optval, sizeof(opt))) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, len);
+ if (err)
break;
- }
hci_pi(sk)->mtu = opt;
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 043/386] media: usbtv: Remove useless locks in usbtv_video_free()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 042/386] Bluetooth: hci_sock: Fix not validating setsockopt user input Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 044/386] Bluetooth: ISO: Fix not validating setsockopt user input Greg Kroah-Hartman
` (353 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Gaignard, Tomasz Figa,
Hans Verkuil, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Gaignard <benjamin.gaignard@collabora.com>
[ Upstream commit 65e6a2773d655172143cc0b927cdc89549842895 ]
Remove locks calls in usbtv_video_free() because
are useless and may led to a deadlock as reported here:
https://syzkaller.appspot.com/x/bisect.txt?x=166dc872180000
Also remove usbtv_stop() call since it will be called when
unregistering the device.
Before 'c838530d230b' this issue would only be noticed if you
disconnect while streaming and now it is noticeable even when
disconnecting while not streaming.
Fixes: c838530d230b ("media: media videobuf2: Be more flexible on the number of queue stored buffers")
Fixes: f3d27f34fdd7 ("[media] usbtv: Add driver for Fushicai USBTV007 video frame grabber")
Signed-off-by: Benjamin Gaignard <benjamin.gaignard@collabora.com>
Reviewed-by: Tomasz Figa <tfiga@chromium.org>
Tested-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
[hverkuil: fix minor spelling mistake in log message]
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/usb/usbtv/usbtv-video.c | 7 -------
1 file changed, 7 deletions(-)
diff --git a/drivers/media/usb/usbtv/usbtv-video.c b/drivers/media/usb/usbtv/usbtv-video.c
index 1e30e05953dc6..7495df6b51912 100644
--- a/drivers/media/usb/usbtv/usbtv-video.c
+++ b/drivers/media/usb/usbtv/usbtv-video.c
@@ -962,15 +962,8 @@ int usbtv_video_init(struct usbtv *usbtv)
void usbtv_video_free(struct usbtv *usbtv)
{
- mutex_lock(&usbtv->vb2q_lock);
- mutex_lock(&usbtv->v4l2_lock);
-
- usbtv_stop(usbtv);
vb2_video_unregister_device(&usbtv->vdev);
v4l2_device_disconnect(&usbtv->v4l2_dev);
- mutex_unlock(&usbtv->v4l2_lock);
- mutex_unlock(&usbtv->vb2q_lock);
-
v4l2_device_put(&usbtv->v4l2_dev);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 044/386] Bluetooth: ISO: Fix not validating setsockopt user input
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 043/386] media: usbtv: Remove useless locks in usbtv_video_free() Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 045/386] Bluetooth: L2CAP: " Greg Kroah-Hartman
` (352 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Luiz Augusto von Dentz,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 9e8742cdfc4b0e65266bb4a901a19462bda9285e ]
Check user input length before copying data.
Fixes: ccf74f2390d6 ("Bluetooth: Add BTPROTO_ISO socket type")
Fixes: 0731c5ab4d51 ("Bluetooth: ISO: Add support for BT_PKT_STATUS")
Fixes: f764a6c2c1e4 ("Bluetooth: ISO: Add broadcast support")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/iso.c | 36 ++++++++++++------------------------
1 file changed, 12 insertions(+), 24 deletions(-)
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 3ccba592f7349..c46d123c30e14 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -1349,7 +1349,7 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
sockptr_t optval, unsigned int optlen)
{
struct sock *sk = sock->sk;
- int len, err = 0;
+ int err = 0;
struct bt_iso_qos qos = default_qos;
u32 opt;
@@ -1364,10 +1364,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
break;
}
- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
break;
- }
if (opt)
set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
@@ -1376,10 +1375,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
break;
case BT_PKT_STATUS:
- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
break;
- }
if (opt)
set_bit(BT_SK_PKT_STATUS, &bt_sk(sk)->flags);
@@ -1394,17 +1392,9 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
break;
}
- len = min_t(unsigned int, sizeof(qos), optlen);
-
- if (copy_from_sockptr(&qos, optval, len)) {
- err = -EFAULT;
- break;
- }
-
- if (len == sizeof(qos.ucast) && !check_ucast_qos(&qos)) {
- err = -EINVAL;
+ err = bt_copy_from_sockptr(&qos, sizeof(qos), optval, optlen);
+ if (err)
break;
- }
iso_pi(sk)->qos = qos;
iso_pi(sk)->qos_user_set = true;
@@ -1419,18 +1409,16 @@ static int iso_sock_setsockopt(struct socket *sock, int level, int optname,
}
if (optlen > sizeof(iso_pi(sk)->base)) {
- err = -EOVERFLOW;
+ err = -EINVAL;
break;
}
- len = min_t(unsigned int, sizeof(iso_pi(sk)->base), optlen);
-
- if (copy_from_sockptr(iso_pi(sk)->base, optval, len)) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(iso_pi(sk)->base, optlen, optval,
+ optlen);
+ if (err)
break;
- }
- iso_pi(sk)->base_len = len;
+ iso_pi(sk)->base_len = optlen;
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 045/386] Bluetooth: L2CAP: Fix not validating setsockopt user input
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 044/386] Bluetooth: ISO: Fix not validating setsockopt user input Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 046/386] ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is uninitialized Greg Kroah-Hartman
` (351 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Luiz Augusto von Dentz,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 4f3951242ace5efc7131932e2e01e6ac6baed846 ]
Check user input length before copying data.
Fixes: 33575df7be67 ("Bluetooth: move l2cap_sock_setsockopt() to l2cap_sock.c")
Fixes: 3ee7b7cd8390 ("Bluetooth: Add BT_MODE socket option")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/l2cap_sock.c | 52 +++++++++++++++-----------------------
1 file changed, 20 insertions(+), 32 deletions(-)
diff --git a/net/bluetooth/l2cap_sock.c b/net/bluetooth/l2cap_sock.c
index 5d332e69c7e1a..f04ce84267988 100644
--- a/net/bluetooth/l2cap_sock.c
+++ b/net/bluetooth/l2cap_sock.c
@@ -727,7 +727,7 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
struct sock *sk = sock->sk;
struct l2cap_chan *chan = l2cap_pi(sk)->chan;
struct l2cap_options opts;
- int len, err = 0;
+ int err = 0;
u32 opt;
BT_DBG("sk %p", sk);
@@ -754,11 +754,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
opts.max_tx = chan->max_tx;
opts.txwin_size = chan->tx_win;
- len = min_t(unsigned int, sizeof(opts), optlen);
- if (copy_from_sockptr(&opts, optval, len)) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&opts, sizeof(opts), optval, optlen);
+ if (err)
break;
- }
if (opts.txwin_size > L2CAP_DEFAULT_EXT_WINDOW) {
err = -EINVAL;
@@ -801,10 +799,9 @@ static int l2cap_sock_setsockopt_old(struct socket *sock, int optname,
break;
case L2CAP_LM:
- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
break;
- }
if (opt & L2CAP_LM_FIPS) {
err = -EINVAL;
@@ -885,7 +882,7 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
struct bt_security sec;
struct bt_power pwr;
struct l2cap_conn *conn;
- int len, err = 0;
+ int err = 0;
u32 opt;
u16 mtu;
u8 mode;
@@ -911,11 +908,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
sec.level = BT_SECURITY_LOW;
- len = min_t(unsigned int, sizeof(sec), optlen);
- if (copy_from_sockptr(&sec, optval, len)) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&sec, sizeof(sec), optval, optlen);
+ if (err)
break;
- }
if (sec.level < BT_SECURITY_LOW ||
sec.level > BT_SECURITY_FIPS) {
@@ -960,10 +955,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
break;
}
- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
break;
- }
if (opt) {
set_bit(BT_SK_DEFER_SETUP, &bt_sk(sk)->flags);
@@ -975,10 +969,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
break;
case BT_FLUSHABLE:
- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
break;
- }
if (opt > BT_FLUSHABLE_ON) {
err = -EINVAL;
@@ -1010,11 +1003,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
pwr.force_active = BT_POWER_FORCE_ACTIVE_ON;
- len = min_t(unsigned int, sizeof(pwr), optlen);
- if (copy_from_sockptr(&pwr, optval, len)) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&pwr, sizeof(pwr), optval, optlen);
+ if (err)
break;
- }
if (pwr.force_active)
set_bit(FLAG_FORCE_ACTIVE, &chan->flags);
@@ -1023,10 +1014,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
break;
case BT_CHANNEL_POLICY:
- if (copy_from_sockptr(&opt, optval, sizeof(u32))) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&opt, sizeof(opt), optval, optlen);
+ if (err)
break;
- }
err = -EOPNOTSUPP;
break;
@@ -1055,10 +1045,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
break;
}
- if (copy_from_sockptr(&mtu, optval, sizeof(u16))) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&mtu, sizeof(mtu), optval, optlen);
+ if (err)
break;
- }
if (chan->mode == L2CAP_MODE_EXT_FLOWCTL &&
sk->sk_state == BT_CONNECTED)
@@ -1086,10 +1075,9 @@ static int l2cap_sock_setsockopt(struct socket *sock, int level, int optname,
break;
}
- if (copy_from_sockptr(&mode, optval, sizeof(u8))) {
- err = -EFAULT;
+ err = bt_copy_from_sockptr(&mode, sizeof(mode), optval, optlen);
+ if (err)
break;
- }
BT_DBG("mode %u", mode);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 046/386] ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is uninitialized
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 045/386] Bluetooth: L2CAP: " Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 047/386] ALSA: mixer_oss: Remove some incorrect kfree_const() usages Greg Kroah-Hartman
` (350 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andrei Simion, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrei Simion <andrei.simion@microchip.com>
[ Upstream commit 09cfc6a532d249a51d3af5022d37ebbe9c3d31f6 ]
Update the driver to prevent alsa-restore.service from failing when
reading data from /var/lib/alsa/asound.state at boot. Ensure that the
restoration of ALSA mixer configurations is skipped if substream->runtime
is NULL.
Fixes: 50291652af52 ("ASoC: atmel: mchp-pdmc: add PDMC driver")
Signed-off-by: Andrei Simion <andrei.simion@microchip.com>
Link: https://patch.msgid.link/20240924081237.50046-1-andrei.simion@microchip.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/atmel/mchp-pdmc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/sound/soc/atmel/mchp-pdmc.c b/sound/soc/atmel/mchp-pdmc.c
index dcc4e14b3dde2..206bbb5aaab5d 100644
--- a/sound/soc/atmel/mchp-pdmc.c
+++ b/sound/soc/atmel/mchp-pdmc.c
@@ -285,6 +285,9 @@ static int mchp_pdmc_chmap_ctl_put(struct snd_kcontrol *kcontrol,
if (!substream)
return -ENODEV;
+ if (!substream->runtime)
+ return 0; /* just for avoiding error from alsactl restore */
+
map = mchp_pdmc_chmap_get(substream, info);
if (!map)
return -EINVAL;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 047/386] ALSA: mixer_oss: Remove some incorrect kfree_const() usages
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 046/386] ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is uninitialized Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 048/386] ALSA: hda/realtek: Fix the push button function for the ALC257 Greg Kroah-Hartman
` (349 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 368e4663c557de4a33f321b44e7eeec0a21b2e4e ]
"assigned" and "assigned->name" are allocated in snd_mixer_oss_proc_write()
using kmalloc() and kstrdup(), so there is no point in using kfree_const()
to free these resources.
Switch to the more standard kfree() to free these resources.
This could avoid a memory leak.
Fixes: 454f5ec1d2b7 ("ALSA: mixer: oss: Constify snd_mixer_oss_assign_table definition")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://patch.msgid.link/63ac20f64234b7c9ea87a7fa9baf41e8255852f7.1727374631.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/core/oss/mixer_oss.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/core/oss/mixer_oss.c b/sound/core/oss/mixer_oss.c
index dae2da3808351..abc99ae333282 100644
--- a/sound/core/oss/mixer_oss.c
+++ b/sound/core/oss/mixer_oss.c
@@ -967,8 +967,8 @@ static void snd_mixer_oss_slot_free(struct snd_mixer_oss_slot *chn)
struct slot *p = chn->private_data;
if (p) {
if (p->allocated && p->assigned) {
- kfree_const(p->assigned->name);
- kfree_const(p->assigned);
+ kfree(p->assigned->name);
+ kfree(p->assigned);
}
kfree(p);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 048/386] ALSA: hda/realtek: Fix the push button function for the ALC257
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 047/386] ALSA: mixer_oss: Remove some incorrect kfree_const() usages Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 049/386] cifs: Remove intermediate object of failed create reparse call Greg Kroah-Hartman
` (348 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Oder Chiou, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oder Chiou <oder_chiou@realtek.com>
[ Upstream commit 05df9732a0894846c46d0062d4af535c5002799d ]
The headset push button cannot work properly in case of the ALC257.
This patch reverted the previous commit to correct the side effect.
Fixes: ef9718b3d54e ("ALSA: hda/realtek: Fix noise from speakers on Lenovo IdeaPad 3 15IAU7")
Signed-off-by: Oder Chiou <oder_chiou@realtek.com>
Link: https://patch.msgid.link/20240930105039.3473266-1-oder_chiou@realtek.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 130508f5ad9c8..657223c49515c 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -585,6 +585,7 @@ static void alc_shutup_pins(struct hda_codec *codec)
switch (codec->core.vendor_id) {
case 0x10ec0236:
case 0x10ec0256:
+ case 0x10ec0257:
case 0x19e58326:
case 0x10ec0283:
case 0x10ec0285:
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 049/386] cifs: Remove intermediate object of failed create reparse call
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 048/386] ALSA: hda/realtek: Fix the push button function for the ALC257 Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 050/386] ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs Greg Kroah-Hartman
` (347 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pali Rohár,
Paulo Alcantara (Red Hat), Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pali Rohár <pali@kernel.org>
[ Upstream commit c9432ad5e32f066875b1bf95939c363bc46d6a45 ]
If CREATE was successful but SMB2_OP_SET_REPARSE failed then remove the
intermediate object created by CREATE. Otherwise empty object stay on the
server when reparse call failed.
This ensures that if the creating of special files is unsupported by the
server then no empty file stay on the server as a result of unsupported
operation.
Fixes: 102466f303ff ("smb: client: allow creating special files via reparse points")
Signed-off-by: Pali Rohár <pali@kernel.org>
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/smb2inode.c | 24 ++++++++++++++++++++++--
1 file changed, 22 insertions(+), 2 deletions(-)
diff --git a/fs/smb/client/smb2inode.c b/fs/smb/client/smb2inode.c
index dd8acd2077521..8010b3ed4b3fe 100644
--- a/fs/smb/client/smb2inode.c
+++ b/fs/smb/client/smb2inode.c
@@ -1205,9 +1205,12 @@ struct inode *smb2_get_reparse_inode(struct cifs_open_info_data *data,
struct cifs_sb_info *cifs_sb = CIFS_SB(sb);
struct cifsFileInfo *cfile;
struct inode *new = NULL;
+ int out_buftype[4] = {};
+ struct kvec out_iov[4] = {};
struct kvec in_iov[2];
int cmds[2];
int rc;
+ int i;
oparms = CIFS_OPARMS(cifs_sb, tcon, full_path,
SYNCHRONIZE | DELETE |
@@ -1228,7 +1231,7 @@ struct inode *smb2_get_reparse_inode(struct cifs_open_info_data *data,
cmds[1] = SMB2_OP_POSIX_QUERY_INFO;
cifs_get_writable_path(tcon, full_path, FIND_WR_ANY, &cfile);
rc = smb2_compound_op(xid, tcon, cifs_sb, full_path, &oparms,
- in_iov, cmds, 2, cfile, NULL, NULL, NULL);
+ in_iov, cmds, 2, cfile, out_iov, out_buftype, NULL);
if (!rc) {
rc = smb311_posix_get_inode_info(&new, full_path,
data, sb, xid);
@@ -1237,12 +1240,29 @@ struct inode *smb2_get_reparse_inode(struct cifs_open_info_data *data,
cmds[1] = SMB2_OP_QUERY_INFO;
cifs_get_writable_path(tcon, full_path, FIND_WR_ANY, &cfile);
rc = smb2_compound_op(xid, tcon, cifs_sb, full_path, &oparms,
- in_iov, cmds, 2, cfile, NULL, NULL, NULL);
+ in_iov, cmds, 2, cfile, out_iov, out_buftype, NULL);
if (!rc) {
rc = cifs_get_inode_info(&new, full_path,
data, sb, xid, NULL);
}
}
+
+
+ /*
+ * If CREATE was successful but SMB2_OP_SET_REPARSE failed then
+ * remove the intermediate object created by CREATE. Otherwise
+ * empty object stay on the server when reparse call failed.
+ */
+ if (rc &&
+ out_iov[0].iov_base != NULL && out_buftype[0] != CIFS_NO_BUFFER &&
+ ((struct smb2_hdr *)out_iov[0].iov_base)->Status == STATUS_SUCCESS &&
+ (out_iov[1].iov_base == NULL || out_buftype[1] == CIFS_NO_BUFFER ||
+ ((struct smb2_hdr *)out_iov[1].iov_base)->Status != STATUS_SUCCESS))
+ smb2_unlink(xid, tcon, full_path, cifs_sb, NULL);
+
+ for (i = 0; i < ARRAY_SIZE(out_buftype); i++)
+ free_rsp_buf(out_buftype[i], out_iov[i].iov_base);
+
return rc ? ERR_PTR(rc) : new;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 050/386] ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 049/386] cifs: Remove intermediate object of failed create reparse call Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 051/386] ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m Greg Kroah-Hartman
` (346 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 1c801e7f77445bc56e5e1fec6191fd4503534787 ]
Some time ago, we introduced the obey_preferred_dacs flag for choosing
the DAC/pin pairs specified by the driver instead of parsing the
paths. This works as expected, per se, but there have been a few
cases where we forgot to set this flag while preferred_dacs table is
already set up. It ended up with incorrect wiring and made us
wondering why it doesn't work.
Basically, when the preferred_dacs table is provided, it means that
the driver really wants to wire up to follow that. That is, the
presence of the preferred_dacs table itself is already a "do-it"
flag.
In this patch, we simply replace the evaluation of obey_preferred_dacs
flag with the presence of preferred_dacs table for fixing the
misbehavior. Another patch to drop of the obsoleted flag will
follow.
Fixes: 242d990c158d ("ALSA: hda/generic: Add option to enforce preferred_dacs pairs")
Link: https://bugzilla.suse.com/show_bug.cgi?id=1219803
Link: https://patch.msgid.link/20241001121439.26060-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/hda_generic.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/pci/hda/hda_generic.c b/sound/pci/hda/hda_generic.c
index d3ed3e21b1979..8e8d4c667923c 100644
--- a/sound/pci/hda/hda_generic.c
+++ b/sound/pci/hda/hda_generic.c
@@ -1383,7 +1383,7 @@ static int try_assign_dacs(struct hda_codec *codec, int num_outs,
struct nid_path *path;
hda_nid_t pin = pins[i];
- if (!spec->obey_preferred_dacs) {
+ if (!spec->preferred_dacs) {
path = snd_hda_get_path_from_idx(codec, path_idx[i]);
if (path) {
badness += assign_out_path_ctls(codec, path);
@@ -1395,7 +1395,7 @@ static int try_assign_dacs(struct hda_codec *codec, int num_outs,
if (dacs[i]) {
if (is_dac_already_used(codec, dacs[i]))
badness += bad->shared_primary;
- } else if (spec->obey_preferred_dacs) {
+ } else if (spec->preferred_dacs) {
badness += BAD_NO_PRIMARY_DAC;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 051/386] ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 050/386] ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 052/386] cifs: Fix buffer overflow when parsing NFS reparse points Greg Kroah-Hartman
` (345 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hui Wang, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hui Wang <hui.wang@canonical.com>
[ Upstream commit 47d7d3fd72afc7dcd548806291793ee6f3848215 ]
In most Linux distribution kernels, the SND is set to m, in such a
case, when booting the kernel on i.MX8MP EVK board, there is a
warning calltrace like below:
Call trace:
snd_card_init+0x484/0x4cc [snd]
snd_card_new+0x70/0xa8 [snd]
snd_soc_bind_card+0x310/0xbd0 [snd_soc_core]
snd_soc_register_card+0xf0/0x108 [snd_soc_core]
devm_snd_soc_register_card+0x4c/0xa4 [snd_soc_core]
That is because the card.owner is not set, a warning calltrace is
raised in the snd_card_init() due to it.
Fixes: aa736700f42f ("ASoC: imx-card: Add imx-card machine driver")
Signed-off-by: Hui Wang <hui.wang@canonical.com>
Link: https://patch.msgid.link/20241002025659.723544-1-hui.wang@canonical.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/fsl/imx-card.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/fsl/imx-card.c b/sound/soc/fsl/imx-card.c
index 356a0bc3b126b..f8144bf4c90d3 100644
--- a/sound/soc/fsl/imx-card.c
+++ b/sound/soc/fsl/imx-card.c
@@ -714,6 +714,7 @@ static int imx_card_probe(struct platform_device *pdev)
data->plat_data = plat_data;
data->card.dev = &pdev->dev;
+ data->card.owner = THIS_MODULE;
dev_set_drvdata(&pdev->dev, &data->card);
snd_soc_card_set_drvdata(&data->card, data);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 052/386] cifs: Fix buffer overflow when parsing NFS reparse points
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 051/386] ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 053/386] cifs: Do not convert delimiter when parsing NFS-style symlinks Greg Kroah-Hartman
` (344 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Pali Rohár, Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pali Rohár <pali@kernel.org>
[ Upstream commit e2a8910af01653c1c268984855629d71fb81f404 ]
ReparseDataLength is sum of the InodeType size and DataBuffer size.
So to get DataBuffer size it is needed to subtract InodeType's size from
ReparseDataLength.
Function cifs_strndup_from_utf16() is currentlly accessing buf->DataBuffer
at position after the end of the buffer because it does not subtract
InodeType size from the length. Fix this problem and correctly subtract
variable len.
Member InodeType is present only when reparse buffer is large enough. Check
for ReparseDataLength before accessing InodeType to prevent another invalid
memory access.
Major and minor rdev values are present also only when reparse buffer is
large enough. Check for reparse buffer size before calling reparse_mkdev().
Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points")
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/reparse.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
index 48c27581ec511..cfa03c166de8c 100644
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -320,9 +320,16 @@ static int parse_reparse_posix(struct reparse_posix_data *buf,
unsigned int len;
u64 type;
+ len = le16_to_cpu(buf->ReparseDataLength);
+ if (len < sizeof(buf->InodeType)) {
+ cifs_dbg(VFS, "srv returned malformed nfs buffer\n");
+ return -EIO;
+ }
+
+ len -= sizeof(buf->InodeType);
+
switch ((type = le64_to_cpu(buf->InodeType))) {
case NFS_SPECFILE_LNK:
- len = le16_to_cpu(buf->ReparseDataLength);
data->symlink_target = cifs_strndup_from_utf16(buf->DataBuffer,
len, true,
cifs_sb->local_nls);
@@ -482,12 +489,18 @@ bool cifs_reparse_point_to_fattr(struct cifs_sb_info *cifs_sb,
u32 tag = data->reparse.tag;
if (tag == IO_REPARSE_TAG_NFS && buf) {
+ if (le16_to_cpu(buf->ReparseDataLength) < sizeof(buf->InodeType))
+ return false;
switch (le64_to_cpu(buf->InodeType)) {
case NFS_SPECFILE_CHR:
+ if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8)
+ return false;
fattr->cf_mode |= S_IFCHR;
fattr->cf_rdev = reparse_nfs_mkdev(buf);
break;
case NFS_SPECFILE_BLK:
+ if (le16_to_cpu(buf->ReparseDataLength) != sizeof(buf->InodeType) + 8)
+ return false;
fattr->cf_mode |= S_IFBLK;
fattr->cf_rdev = reparse_nfs_mkdev(buf);
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 053/386] cifs: Do not convert delimiter when parsing NFS-style symlinks
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 052/386] cifs: Fix buffer overflow when parsing NFS reparse points Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 054/386] ALSA: gus: Fix some error handling paths related to get_bpos() usage Greg Kroah-Hartman
` (343 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paulo Alcantara (Red Hat),
Pali Rohár, Steve French, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pali Rohár <pali@kernel.org>
[ Upstream commit d3a49f60917323228f8fdeee313260ef14f94df7 ]
NFS-style symlinks have target location always stored in NFS/UNIX form
where backslash means the real UNIX backslash and not the SMB path
separator.
So do not mangle slash and backslash content of NFS-style symlink during
readlink() syscall as it is already in the correct Linux form.
This fixes interoperability of NFS-style symlinks with backslashes created
by Linux NFS3 client throw Windows NFS server and retrieved by Linux SMB
client throw Windows SMB server, where both Windows servers exports the
same directory.
Fixes: d5ecebc4900d ("smb3: Allow query of symlinks stored as reparse points")
Acked-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/client/reparse.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/fs/smb/client/reparse.c b/fs/smb/client/reparse.c
index cfa03c166de8c..ad0e0de9a165d 100644
--- a/fs/smb/client/reparse.c
+++ b/fs/smb/client/reparse.c
@@ -335,7 +335,6 @@ static int parse_reparse_posix(struct reparse_posix_data *buf,
cifs_sb->local_nls);
if (!data->symlink_target)
return -ENOMEM;
- convert_delimiter(data->symlink_target, '/');
cifs_dbg(FYI, "%s: target path: %s\n",
__func__, data->symlink_target);
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 054/386] ALSA: gus: Fix some error handling paths related to get_bpos() usage
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 053/386] cifs: Do not convert delimiter when parsing NFS-style symlinks Greg Kroah-Hartman
@ 2024-10-08 12:04 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 055/386] ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin Greg Kroah-Hartman
` (342 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:04 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 9df39a872c462ea07a3767ebd0093c42b2ff78a2 ]
If get_bpos() fails, it is likely that the corresponding error code should
be returned.
Fixes: a6970bb1dd99 ("ALSA: gus: Convert to the new PCM ops")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://patch.msgid.link/d9ca841edad697154afa97c73a5d7a14919330d9.1727984008.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/isa/gus/gus_pcm.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/sound/isa/gus/gus_pcm.c b/sound/isa/gus/gus_pcm.c
index 850544725da79..d55c3dc229c0e 100644
--- a/sound/isa/gus/gus_pcm.c
+++ b/sound/isa/gus/gus_pcm.c
@@ -378,7 +378,7 @@ static int snd_gf1_pcm_playback_copy(struct snd_pcm_substream *substream,
bpos = get_bpos(pcmp, voice, pos, len);
if (bpos < 0)
- return pos;
+ return bpos;
if (copy_from_iter(runtime->dma_area + bpos, len, src) != len)
return -EFAULT;
return playback_copy_ack(substream, bpos, len);
@@ -395,7 +395,7 @@ static int snd_gf1_pcm_playback_silence(struct snd_pcm_substream *substream,
bpos = get_bpos(pcmp, voice, pos, len);
if (bpos < 0)
- return pos;
+ return bpos;
snd_pcm_format_set_silence(runtime->format, runtime->dma_area + bpos,
bytes_to_samples(runtime, count));
return playback_copy_ack(substream, bpos, len);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 055/386] ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2024-10-08 12:04 ` [PATCH 6.6 054/386] ALSA: gus: Fix some error handling paths related to get_bpos() usage Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 056/386] wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Greg Kroah-Hartman
` (341 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Heusel, Jerry,
Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit b3ebb007060f89d5a45c9b99f06a55e36a1945b5 ]
We received a regression report for System76 Pangolin (pang14) due to
the recent fix for Tuxedo Sirius devices to support the top speaker.
The reason was the conflicting PCI SSID, as often seen.
As a workaround, now the codec SSID is checked and the quirk is
applied conditionally only to Sirius devices.
Fixes: 4178d78cd7a8 ("ALSA: hda/conexant: Add pincfg quirk to enable top speakers on Sirius devices")
Reported-by: Christian Heusel <christian@heusel.eu>
Reported-by: Jerry <jerryluo225@gmail.com>
Closes: https://lore.kernel.org/c930b6a6-64e5-498f-b65a-1cd5e0a1d733@heusel.eu
Link: https://patch.msgid.link/20241004082602.29016-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/hda/patch_conexant.c | 24 +++++++++++++++++++-----
1 file changed, 19 insertions(+), 5 deletions(-)
diff --git a/sound/pci/hda/patch_conexant.c b/sound/pci/hda/patch_conexant.c
index 63bd0e384bae2..8a3abd4babba6 100644
--- a/sound/pci/hda/patch_conexant.c
+++ b/sound/pci/hda/patch_conexant.c
@@ -820,6 +820,23 @@ static const struct hda_pintbl cxt_pincfg_sws_js201d[] = {
{}
};
+/* pincfg quirk for Tuxedo Sirius;
+ * unfortunately the (PCI) SSID conflicts with System76 Pangolin pang14,
+ * which has incompatible pin setup, so we check the codec SSID (luckily
+ * different one!) and conditionally apply the quirk here
+ */
+static void cxt_fixup_sirius_top_speaker(struct hda_codec *codec,
+ const struct hda_fixup *fix,
+ int action)
+{
+ /* ignore for incorrectly picked-up pang14 */
+ if (codec->core.subsystem_id == 0x278212b3)
+ return;
+ /* set up the top speaker pin */
+ if (action == HDA_FIXUP_ACT_PRE_PROBE)
+ snd_hda_codec_set_pincfg(codec, 0x1d, 0x82170111);
+}
+
static const struct hda_fixup cxt_fixups[] = {
[CXT_PINCFG_LENOVO_X200] = {
.type = HDA_FIXUP_PINS,
@@ -980,11 +997,8 @@ static const struct hda_fixup cxt_fixups[] = {
.v.pins = cxt_pincfg_sws_js201d,
},
[CXT_PINCFG_TOP_SPEAKER] = {
- .type = HDA_FIXUP_PINS,
- .v.pins = (const struct hda_pintbl[]) {
- { 0x1d, 0x82170111 },
- { }
- },
+ .type = HDA_FIXUP_FUNC,
+ .v.func = cxt_fixup_sirius_top_speaker,
},
};
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 056/386] wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 055/386] ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 057/386] wifi: rtw89: avoid to add interface to list twice when SER Greg Kroah-Hartman
` (340 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Kandybka,
Toke Høiland-Jørgensen, Kalle Valo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Kandybka <d.kandybka@gmail.com>
[ Upstream commit 3f66f26703093886db81f0610b97a6794511917c ]
In 'ath9k_get_et_stats()', promote TX stats counters to 'u64'
to avoid possible integer overflow. Compile tested only.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Signed-off-by: Dmitry Kandybka <d.kandybka@gmail.com>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://patch.msgid.link/20240725111743.14422-1-d.kandybka@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/debug.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/debug.c b/drivers/net/wireless/ath/ath9k/debug.c
index 808fb6747a7f7..7791f4df6d484 100644
--- a/drivers/net/wireless/ath/ath9k/debug.c
+++ b/drivers/net/wireless/ath/ath9k/debug.c
@@ -1325,11 +1325,11 @@ void ath9k_get_et_stats(struct ieee80211_hw *hw,
struct ath_softc *sc = hw->priv;
int i = 0;
- data[i++] = (sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_pkts_all +
+ data[i++] = ((u64)sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_pkts_all +
sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BK)].tx_pkts_all +
sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VI)].tx_pkts_all +
sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VO)].tx_pkts_all);
- data[i++] = (sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_bytes_all +
+ data[i++] = ((u64)sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BE)].tx_bytes_all +
sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_BK)].tx_bytes_all +
sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VI)].tx_bytes_all +
sc->debug.stats.txstats[PR_QNUM(IEEE80211_AC_VO)].tx_bytes_all);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 057/386] wifi: rtw89: avoid to add interface to list twice when SER
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 056/386] wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 058/386] wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Greg Kroah-Hartman
` (339 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chih-Kang Chang, Ping-Ke Shih,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chih-Kang Chang <gary.chang@realtek.com>
[ Upstream commit 7dd5d2514a8ea58f12096e888b0bd050d7eae20a ]
If SER L2 occurs during the WoWLAN resume flow, the add interface flow
is triggered by ieee80211_reconfig(). However, due to
rtw89_wow_resume() return failure, it will cause the add interface flow
to be executed again, resulting in a double add list and causing a kernel
panic. Therefore, we have added a check to prevent double adding of the
list.
list_add double add: new=ffff99d6992e2010, prev=ffff99d6992e2010, next=ffff99d695302628.
------------[ cut here ]------------
kernel BUG at lib/list_debug.c:37!
invalid opcode: 0000 [#1] PREEMPT SMP NOPTI
CPU: 0 PID: 9 Comm: kworker/0:1 Tainted: G W O 6.6.30-02659-gc18865c4dfbd #1 770df2933251a0e3c888ba69d1053a817a6376a7
Hardware name: HP Grunt/Grunt, BIOS Google_Grunt.11031.169.0 06/24/2021
Workqueue: events_freezable ieee80211_restart_work [mac80211]
RIP: 0010:__list_add_valid_or_report+0x5e/0xb0
Code: c7 74 18 48 39 ce 74 13 b0 01 59 5a 5e 5f 41 58 41 59 41 5a 5d e9 e2 d6 03 00 cc 48 c7 c7 8d 4f 17 83 48 89 c2 e8 02 c0 00 00 <0f> 0b 48 c7 c7 aa 8c 1c 83 e8 f4 bf 00 00 0f 0b 48 c7 c7 c8 bc 12
RSP: 0018:ffffa91b8007bc50 EFLAGS: 00010246
RAX: 0000000000000058 RBX: ffff99d6992e0900 RCX: a014d76c70ef3900
RDX: ffffa91b8007bae8 RSI: 00000000ffffdfff RDI: 0000000000000001
RBP: ffffa91b8007bc88 R08: 0000000000000000 R09: ffffa91b8007bae0
R10: 00000000ffffdfff R11: ffffffff83a79800 R12: ffff99d695302060
R13: ffff99d695300900 R14: ffff99d6992e1be0 R15: ffff99d6992e2010
FS: 0000000000000000(0000) GS:ffff99d6aac00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000078fbdba43480 CR3: 000000010e464000 CR4: 00000000001506f0
Call Trace:
<TASK>
? __die_body+0x1f/0x70
? die+0x3d/0x60
? do_trap+0xa4/0x110
? __list_add_valid_or_report+0x5e/0xb0
? do_error_trap+0x6d/0x90
? __list_add_valid_or_report+0x5e/0xb0
? handle_invalid_op+0x30/0x40
? __list_add_valid_or_report+0x5e/0xb0
? exc_invalid_op+0x3c/0x50
? asm_exc_invalid_op+0x16/0x20
? __list_add_valid_or_report+0x5e/0xb0
rtw89_ops_add_interface+0x309/0x310 [rtw89_core 7c32b1ee6854761c0321027c8a58c5160e41f48f]
drv_add_interface+0x5c/0x130 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
ieee80211_reconfig+0x241/0x13d0 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
? finish_wait+0x3e/0x90
? synchronize_rcu_expedited+0x174/0x260
? sync_rcu_exp_done_unlocked+0x50/0x50
? wake_bit_function+0x40/0x40
ieee80211_restart_work+0xf0/0x140 [mac80211 83e989e6e616bd5b4b8a2b0a9f9352a2c385a3bc]
process_scheduled_works+0x1e5/0x480
worker_thread+0xea/0x1e0
kthread+0xdb/0x110
? move_linked_works+0x90/0x90
? kthread_associate_blkcg+0xa0/0xa0
ret_from_fork+0x3b/0x50
? kthread_associate_blkcg+0xa0/0xa0
ret_from_fork_asm+0x11/0x20
</TASK>
Modules linked in: dm_integrity async_xor xor async_tx lz4 lz4_compress zstd zstd_compress zram zsmalloc rfcomm cmac uinput algif_hash algif_skcipher af_alg btusb btrtl iio_trig_hrtimer industrialio_sw_trigger btmtk industrialio_configfs btbcm btintel uvcvideo videobuf2_vmalloc iio_trig_sysfs videobuf2_memops videobuf2_v4l2 videobuf2_common uvc snd_hda_codec_hdmi veth snd_hda_intel snd_intel_dspcfg acpi_als snd_hda_codec industrialio_triggered_buffer kfifo_buf snd_hwdep industrialio i2c_piix4 snd_hda_core designware_i2s ip6table_nat snd_soc_max98357a xt_MASQUERADE xt_cgroup snd_soc_acp_rt5682_mach fuse rtw89_8922ae(O) rtw89_8922a(O) rtw89_pci(O) rtw89_core(O) 8021q mac80211(O) bluetooth ecdh_generic ecc cfg80211 r8152 mii joydev
gsmi: Log Shutdown Reason 0x03
---[ end trace 0000000000000000 ]---
Signed-off-by: Chih-Kang Chang <gary.chang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20240731070506.46100-4-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/mac80211.c | 4 +++-
drivers/net/wireless/realtek/rtw89/util.h | 18 ++++++++++++++++++
2 files changed, 21 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/realtek/rtw89/mac80211.c b/drivers/net/wireless/realtek/rtw89/mac80211.c
index 487d79938bc71..5b9de1f41dc78 100644
--- a/drivers/net/wireless/realtek/rtw89/mac80211.c
+++ b/drivers/net/wireless/realtek/rtw89/mac80211.c
@@ -126,7 +126,9 @@ static int rtw89_ops_add_interface(struct ieee80211_hw *hw,
rtwvif->rtwdev = rtwdev;
rtwvif->roc.state = RTW89_ROC_IDLE;
rtwvif->offchan = false;
- list_add_tail(&rtwvif->list, &rtwdev->rtwvifs_list);
+ if (!rtw89_rtwvif_in_list(rtwdev, rtwvif))
+ list_add_tail(&rtwvif->list, &rtwdev->rtwvifs_list);
+
INIT_WORK(&rtwvif->update_beacon_work, rtw89_core_update_beacon_work);
INIT_DELAYED_WORK(&rtwvif->roc.roc_work, rtw89_roc_work);
rtw89_leave_ps_mode(rtwdev);
diff --git a/drivers/net/wireless/realtek/rtw89/util.h b/drivers/net/wireless/realtek/rtw89/util.h
index e2ed4565025dd..d4ee9078a4f48 100644
--- a/drivers/net/wireless/realtek/rtw89/util.h
+++ b/drivers/net/wireless/realtek/rtw89/util.h
@@ -14,6 +14,24 @@
#define rtw89_for_each_rtwvif(rtwdev, rtwvif) \
list_for_each_entry(rtwvif, &(rtwdev)->rtwvifs_list, list)
+/* Before adding rtwvif to list, we need to check if it already exist, beacase
+ * in some case such as SER L2 happen during WoWLAN flow, calling reconfig
+ * twice cause the list to be added twice.
+ */
+static inline bool rtw89_rtwvif_in_list(struct rtw89_dev *rtwdev,
+ struct rtw89_vif *new)
+{
+ struct rtw89_vif *rtwvif;
+
+ lockdep_assert_held(&rtwdev->mutex);
+
+ rtw89_for_each_rtwvif(rtwdev, rtwvif)
+ if (rtwvif == new)
+ return true;
+
+ return false;
+}
+
/* The result of negative dividend and positive divisor is undefined, but it
* should be one case of round-down or round-up. So, make it round-down if the
* result is round-up.
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 058/386] wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 057/386] wifi: rtw89: avoid to add interface to list twice when SER Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 059/386] crypto: x86/sha256 - Add parentheses around macros single arguments Greg Kroah-Hartman
` (338 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+98afa303be379af6cdb2,
Toke Høiland-Jørgensen, Kalle Valo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Toke Høiland-Jørgensen <toke@redhat.com>
[ Upstream commit 94745807f3ebd379f23865e6dab196f220664179 ]
Syzbot points out that skb_trim() has a sanity check on the existing length of
the skb, which can be uninitialised in some error paths. The intent here is
clearly just to reset the length to zero before resubmitting, so switch to
calling __skb_set_length(skb, 0) directly. In addition, __skb_set_length()
already contains a call to skb_reset_tail_pointer(), so remove the redundant
call.
The syzbot report came from ath9k_hif_usb_reg_in_cb(), but there's a similar
usage of skb_trim() in ath9k_hif_usb_rx_cb(), change both while we're at it.
Reported-by: syzbot+98afa303be379af6cdb2@syzkaller.appspotmail.com
Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://patch.msgid.link/20240812142447.12328-1-toke@toke.dk
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath9k/hif_usb.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/net/wireless/ath/ath9k/hif_usb.c b/drivers/net/wireless/ath/ath9k/hif_usb.c
index e5414435b1414..ab728a70ed279 100644
--- a/drivers/net/wireless/ath/ath9k/hif_usb.c
+++ b/drivers/net/wireless/ath/ath9k/hif_usb.c
@@ -716,8 +716,7 @@ static void ath9k_hif_usb_rx_cb(struct urb *urb)
}
resubmit:
- skb_reset_tail_pointer(skb);
- skb_trim(skb, 0);
+ __skb_set_length(skb, 0);
usb_anchor_urb(urb, &hif_dev->rx_submitted);
ret = usb_submit_urb(urb, GFP_ATOMIC);
@@ -754,8 +753,7 @@ static void ath9k_hif_usb_reg_in_cb(struct urb *urb)
case -ESHUTDOWN:
goto free_skb;
default:
- skb_reset_tail_pointer(skb);
- skb_trim(skb, 0);
+ __skb_set_length(skb, 0);
goto resubmit;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 059/386] crypto: x86/sha256 - Add parentheses around macros single arguments
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 058/386] wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 060/386] crypto: octeontx - Fix authenc setkey Greg Kroah-Hartman
` (337 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fangrui Song, Jan Beulich,
Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fangrui Song <maskray@google.com>
[ Upstream commit 3363c460ef726ba693704dbcd73b7e7214ccc788 ]
The macros FOUR_ROUNDS_AND_SCHED and DO_4ROUNDS rely on an
unexpected/undocumented behavior of the GNU assembler, which might
change in the future
(https://sourceware.org/bugzilla/show_bug.cgi?id=32073).
M (1) (2) // 1 arg !? Future: 2 args
M 1 + 2 // 1 arg !? Future: 3 args
M 1 2 // 2 args
Add parentheses around the single arguments to support future GNU
assembler and LLVM integrated assembler (when the IsOperator hack from
the following link is dropped).
Link: https://github.com/llvm/llvm-project/commit/055006475e22014b28a070db1bff41ca15f322f0
Signed-off-by: Fangrui Song <maskray@google.com>
Reviewed-by: Jan Beulich <jbeulich@suse.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/crypto/sha256-avx2-asm.S | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
diff --git a/arch/x86/crypto/sha256-avx2-asm.S b/arch/x86/crypto/sha256-avx2-asm.S
index 0ffb072be9561..0bbec1c75cd0b 100644
--- a/arch/x86/crypto/sha256-avx2-asm.S
+++ b/arch/x86/crypto/sha256-avx2-asm.S
@@ -592,22 +592,22 @@ SYM_TYPED_FUNC_START(sha256_transform_rorx)
leaq K256+0*32(%rip), INP ## reuse INP as scratch reg
vpaddd (INP, SRND), X0, XFER
vmovdqa XFER, 0*32+_XFER(%rsp, SRND)
- FOUR_ROUNDS_AND_SCHED _XFER + 0*32
+ FOUR_ROUNDS_AND_SCHED (_XFER + 0*32)
leaq K256+1*32(%rip), INP
vpaddd (INP, SRND), X0, XFER
vmovdqa XFER, 1*32+_XFER(%rsp, SRND)
- FOUR_ROUNDS_AND_SCHED _XFER + 1*32
+ FOUR_ROUNDS_AND_SCHED (_XFER + 1*32)
leaq K256+2*32(%rip), INP
vpaddd (INP, SRND), X0, XFER
vmovdqa XFER, 2*32+_XFER(%rsp, SRND)
- FOUR_ROUNDS_AND_SCHED _XFER + 2*32
+ FOUR_ROUNDS_AND_SCHED (_XFER + 2*32)
leaq K256+3*32(%rip), INP
vpaddd (INP, SRND), X0, XFER
vmovdqa XFER, 3*32+_XFER(%rsp, SRND)
- FOUR_ROUNDS_AND_SCHED _XFER + 3*32
+ FOUR_ROUNDS_AND_SCHED (_XFER + 3*32)
add $4*32, SRND
cmp $3*4*32, SRND
@@ -618,12 +618,12 @@ SYM_TYPED_FUNC_START(sha256_transform_rorx)
leaq K256+0*32(%rip), INP
vpaddd (INP, SRND), X0, XFER
vmovdqa XFER, 0*32+_XFER(%rsp, SRND)
- DO_4ROUNDS _XFER + 0*32
+ DO_4ROUNDS (_XFER + 0*32)
leaq K256+1*32(%rip), INP
vpaddd (INP, SRND), X1, XFER
vmovdqa XFER, 1*32+_XFER(%rsp, SRND)
- DO_4ROUNDS _XFER + 1*32
+ DO_4ROUNDS (_XFER + 1*32)
add $2*32, SRND
vmovdqa X2, X0
@@ -651,8 +651,8 @@ SYM_TYPED_FUNC_START(sha256_transform_rorx)
xor SRND, SRND
.align 16
.Lloop3:
- DO_4ROUNDS _XFER + 0*32 + 16
- DO_4ROUNDS _XFER + 1*32 + 16
+ DO_4ROUNDS (_XFER + 0*32 + 16)
+ DO_4ROUNDS (_XFER + 1*32 + 16)
add $2*32, SRND
cmp $4*4*32, SRND
jb .Lloop3
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 060/386] crypto: octeontx - Fix authenc setkey
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 059/386] crypto: x86/sha256 - Add parentheses around macros single arguments Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 061/386] crypto: octeontx2 " Greg Kroah-Hartman
` (336 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 311eea7e37c4c0b44b557d0c100860a03b4eab65 ]
Use the generic crypto_authenc_extractkeys helper instead of custom
parsing code that is slightly broken. Also fix a number of memory
leaks by moving memory allocation from setkey to init_tfm (setkey
can be called multiple times over the life of a tfm).
Finally accept all hash key lengths by running the digest over
extra-long keys.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../crypto/marvell/octeontx/otx_cptvf_algs.c | 261 +++++++-----------
1 file changed, 93 insertions(+), 168 deletions(-)
diff --git a/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c b/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c
index 1c2c870e887aa..f64b72398eced 100644
--- a/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c
+++ b/drivers/crypto/marvell/octeontx/otx_cptvf_algs.c
@@ -17,7 +17,6 @@
#include <crypto/sha2.h>
#include <crypto/xts.h>
#include <crypto/scatterwalk.h>
-#include <linux/rtnetlink.h>
#include <linux/sort.h>
#include <linux/module.h>
#include "otx_cptvf.h"
@@ -66,6 +65,8 @@ static struct cpt_device_table ae_devices = {
.count = ATOMIC_INIT(0)
};
+static struct otx_cpt_sdesc *alloc_sdesc(struct crypto_shash *alg);
+
static inline int get_se_device(struct pci_dev **pdev, int *cpu_num)
{
int count, ret = 0;
@@ -515,44 +516,61 @@ static int cpt_aead_init(struct crypto_aead *tfm, u8 cipher_type, u8 mac_type)
ctx->cipher_type = cipher_type;
ctx->mac_type = mac_type;
+ switch (ctx->mac_type) {
+ case OTX_CPT_SHA1:
+ ctx->hashalg = crypto_alloc_shash("sha1", 0, 0);
+ break;
+
+ case OTX_CPT_SHA256:
+ ctx->hashalg = crypto_alloc_shash("sha256", 0, 0);
+ break;
+
+ case OTX_CPT_SHA384:
+ ctx->hashalg = crypto_alloc_shash("sha384", 0, 0);
+ break;
+
+ case OTX_CPT_SHA512:
+ ctx->hashalg = crypto_alloc_shash("sha512", 0, 0);
+ break;
+ }
+
+ if (IS_ERR(ctx->hashalg))
+ return PTR_ERR(ctx->hashalg);
+
+ crypto_aead_set_reqsize_dma(tfm, sizeof(struct otx_cpt_req_ctx));
+
+ if (!ctx->hashalg)
+ return 0;
+
/*
* When selected cipher is NULL we use HMAC opcode instead of
* FLEXICRYPTO opcode therefore we don't need to use HASH algorithms
* for calculating ipad and opad
*/
if (ctx->cipher_type != OTX_CPT_CIPHER_NULL) {
- switch (ctx->mac_type) {
- case OTX_CPT_SHA1:
- ctx->hashalg = crypto_alloc_shash("sha1", 0,
- CRYPTO_ALG_ASYNC);
- if (IS_ERR(ctx->hashalg))
- return PTR_ERR(ctx->hashalg);
- break;
-
- case OTX_CPT_SHA256:
- ctx->hashalg = crypto_alloc_shash("sha256", 0,
- CRYPTO_ALG_ASYNC);
- if (IS_ERR(ctx->hashalg))
- return PTR_ERR(ctx->hashalg);
- break;
+ int ss = crypto_shash_statesize(ctx->hashalg);
- case OTX_CPT_SHA384:
- ctx->hashalg = crypto_alloc_shash("sha384", 0,
- CRYPTO_ALG_ASYNC);
- if (IS_ERR(ctx->hashalg))
- return PTR_ERR(ctx->hashalg);
- break;
+ ctx->ipad = kzalloc(ss, GFP_KERNEL);
+ if (!ctx->ipad) {
+ crypto_free_shash(ctx->hashalg);
+ return -ENOMEM;
+ }
- case OTX_CPT_SHA512:
- ctx->hashalg = crypto_alloc_shash("sha512", 0,
- CRYPTO_ALG_ASYNC);
- if (IS_ERR(ctx->hashalg))
- return PTR_ERR(ctx->hashalg);
- break;
+ ctx->opad = kzalloc(ss, GFP_KERNEL);
+ if (!ctx->opad) {
+ kfree(ctx->ipad);
+ crypto_free_shash(ctx->hashalg);
+ return -ENOMEM;
}
}
- crypto_aead_set_reqsize_dma(tfm, sizeof(struct otx_cpt_req_ctx));
+ ctx->sdesc = alloc_sdesc(ctx->hashalg);
+ if (!ctx->sdesc) {
+ kfree(ctx->opad);
+ kfree(ctx->ipad);
+ crypto_free_shash(ctx->hashalg);
+ return -ENOMEM;
+ }
return 0;
}
@@ -608,8 +626,7 @@ static void otx_cpt_aead_exit(struct crypto_aead *tfm)
kfree(ctx->ipad);
kfree(ctx->opad);
- if (ctx->hashalg)
- crypto_free_shash(ctx->hashalg);
+ crypto_free_shash(ctx->hashalg);
kfree(ctx->sdesc);
}
@@ -705,7 +722,7 @@ static inline void swap_data64(void *buf, u32 len)
*dst = cpu_to_be64p(src);
}
-static int copy_pad(u8 mac_type, u8 *out_pad, u8 *in_pad)
+static int swap_pad(u8 mac_type, u8 *pad)
{
struct sha512_state *sha512;
struct sha256_state *sha256;
@@ -713,22 +730,19 @@ static int copy_pad(u8 mac_type, u8 *out_pad, u8 *in_pad)
switch (mac_type) {
case OTX_CPT_SHA1:
- sha1 = (struct sha1_state *) in_pad;
+ sha1 = (struct sha1_state *)pad;
swap_data32(sha1->state, SHA1_DIGEST_SIZE);
- memcpy(out_pad, &sha1->state, SHA1_DIGEST_SIZE);
break;
case OTX_CPT_SHA256:
- sha256 = (struct sha256_state *) in_pad;
+ sha256 = (struct sha256_state *)pad;
swap_data32(sha256->state, SHA256_DIGEST_SIZE);
- memcpy(out_pad, &sha256->state, SHA256_DIGEST_SIZE);
break;
case OTX_CPT_SHA384:
case OTX_CPT_SHA512:
- sha512 = (struct sha512_state *) in_pad;
+ sha512 = (struct sha512_state *)pad;
swap_data64(sha512->state, SHA512_DIGEST_SIZE);
- memcpy(out_pad, &sha512->state, SHA512_DIGEST_SIZE);
break;
default:
@@ -738,55 +752,53 @@ static int copy_pad(u8 mac_type, u8 *out_pad, u8 *in_pad)
return 0;
}
-static int aead_hmac_init(struct crypto_aead *cipher)
+static int aead_hmac_init(struct crypto_aead *cipher,
+ struct crypto_authenc_keys *keys)
{
struct otx_cpt_aead_ctx *ctx = crypto_aead_ctx_dma(cipher);
- int state_size = crypto_shash_statesize(ctx->hashalg);
int ds = crypto_shash_digestsize(ctx->hashalg);
int bs = crypto_shash_blocksize(ctx->hashalg);
- int authkeylen = ctx->auth_key_len;
+ int authkeylen = keys->authkeylen;
u8 *ipad = NULL, *opad = NULL;
- int ret = 0, icount = 0;
+ int icount = 0;
+ int ret;
- ctx->sdesc = alloc_sdesc(ctx->hashalg);
- if (!ctx->sdesc)
- return -ENOMEM;
+ if (authkeylen > bs) {
+ ret = crypto_shash_digest(&ctx->sdesc->shash, keys->authkey,
+ authkeylen, ctx->key);
+ if (ret)
+ return ret;
+ authkeylen = ds;
+ } else
+ memcpy(ctx->key, keys->authkey, authkeylen);
- ctx->ipad = kzalloc(bs, GFP_KERNEL);
- if (!ctx->ipad) {
- ret = -ENOMEM;
- goto calc_fail;
- }
+ ctx->enc_key_len = keys->enckeylen;
+ ctx->auth_key_len = authkeylen;
- ctx->opad = kzalloc(bs, GFP_KERNEL);
- if (!ctx->opad) {
- ret = -ENOMEM;
- goto calc_fail;
- }
+ if (ctx->cipher_type == OTX_CPT_CIPHER_NULL)
+ return keys->enckeylen ? -EINVAL : 0;
- ipad = kzalloc(state_size, GFP_KERNEL);
- if (!ipad) {
- ret = -ENOMEM;
- goto calc_fail;
+ switch (keys->enckeylen) {
+ case AES_KEYSIZE_128:
+ ctx->key_type = OTX_CPT_AES_128_BIT;
+ break;
+ case AES_KEYSIZE_192:
+ ctx->key_type = OTX_CPT_AES_192_BIT;
+ break;
+ case AES_KEYSIZE_256:
+ ctx->key_type = OTX_CPT_AES_256_BIT;
+ break;
+ default:
+ /* Invalid key length */
+ return -EINVAL;
}
- opad = kzalloc(state_size, GFP_KERNEL);
- if (!opad) {
- ret = -ENOMEM;
- goto calc_fail;
- }
+ memcpy(ctx->key + authkeylen, keys->enckey, keys->enckeylen);
- if (authkeylen > bs) {
- ret = crypto_shash_digest(&ctx->sdesc->shash, ctx->key,
- authkeylen, ipad);
- if (ret)
- goto calc_fail;
-
- authkeylen = ds;
- } else {
- memcpy(ipad, ctx->key, authkeylen);
- }
+ ipad = ctx->ipad;
+ opad = ctx->opad;
+ memcpy(ipad, ctx->key, authkeylen);
memset(ipad + authkeylen, 0, bs - authkeylen);
memcpy(opad, ipad, bs);
@@ -804,7 +816,7 @@ static int aead_hmac_init(struct crypto_aead *cipher)
crypto_shash_init(&ctx->sdesc->shash);
crypto_shash_update(&ctx->sdesc->shash, ipad, bs);
crypto_shash_export(&ctx->sdesc->shash, ipad);
- ret = copy_pad(ctx->mac_type, ctx->ipad, ipad);
+ ret = swap_pad(ctx->mac_type, ipad);
if (ret)
goto calc_fail;
@@ -812,25 +824,9 @@ static int aead_hmac_init(struct crypto_aead *cipher)
crypto_shash_init(&ctx->sdesc->shash);
crypto_shash_update(&ctx->sdesc->shash, opad, bs);
crypto_shash_export(&ctx->sdesc->shash, opad);
- ret = copy_pad(ctx->mac_type, ctx->opad, opad);
- if (ret)
- goto calc_fail;
-
- kfree(ipad);
- kfree(opad);
-
- return 0;
+ ret = swap_pad(ctx->mac_type, opad);
calc_fail:
- kfree(ctx->ipad);
- ctx->ipad = NULL;
- kfree(ctx->opad);
- ctx->opad = NULL;
- kfree(ipad);
- kfree(opad);
- kfree(ctx->sdesc);
- ctx->sdesc = NULL;
-
return ret;
}
@@ -838,57 +834,15 @@ static int otx_cpt_aead_cbc_aes_sha_setkey(struct crypto_aead *cipher,
const unsigned char *key,
unsigned int keylen)
{
- struct otx_cpt_aead_ctx *ctx = crypto_aead_ctx_dma(cipher);
- struct crypto_authenc_key_param *param;
- int enckeylen = 0, authkeylen = 0;
- struct rtattr *rta = (void *)key;
- int status = -EINVAL;
-
- if (!RTA_OK(rta, keylen))
- goto badkey;
-
- if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
- goto badkey;
-
- if (RTA_PAYLOAD(rta) < sizeof(*param))
- goto badkey;
-
- param = RTA_DATA(rta);
- enckeylen = be32_to_cpu(param->enckeylen);
- key += RTA_ALIGN(rta->rta_len);
- keylen -= RTA_ALIGN(rta->rta_len);
- if (keylen < enckeylen)
- goto badkey;
+ struct crypto_authenc_keys authenc_keys;
+ int status;
- if (keylen > OTX_CPT_MAX_KEY_SIZE)
- goto badkey;
-
- authkeylen = keylen - enckeylen;
- memcpy(ctx->key, key, keylen);
-
- switch (enckeylen) {
- case AES_KEYSIZE_128:
- ctx->key_type = OTX_CPT_AES_128_BIT;
- break;
- case AES_KEYSIZE_192:
- ctx->key_type = OTX_CPT_AES_192_BIT;
- break;
- case AES_KEYSIZE_256:
- ctx->key_type = OTX_CPT_AES_256_BIT;
- break;
- default:
- /* Invalid key length */
- goto badkey;
- }
-
- ctx->enc_key_len = enckeylen;
- ctx->auth_key_len = authkeylen;
-
- status = aead_hmac_init(cipher);
+ status = crypto_authenc_extractkeys(&authenc_keys, key, keylen);
if (status)
goto badkey;
- return 0;
+ status = aead_hmac_init(cipher, &authenc_keys);
+
badkey:
return status;
}
@@ -897,36 +851,7 @@ static int otx_cpt_aead_ecb_null_sha_setkey(struct crypto_aead *cipher,
const unsigned char *key,
unsigned int keylen)
{
- struct otx_cpt_aead_ctx *ctx = crypto_aead_ctx_dma(cipher);
- struct crypto_authenc_key_param *param;
- struct rtattr *rta = (void *)key;
- int enckeylen = 0;
-
- if (!RTA_OK(rta, keylen))
- goto badkey;
-
- if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
- goto badkey;
-
- if (RTA_PAYLOAD(rta) < sizeof(*param))
- goto badkey;
-
- param = RTA_DATA(rta);
- enckeylen = be32_to_cpu(param->enckeylen);
- key += RTA_ALIGN(rta->rta_len);
- keylen -= RTA_ALIGN(rta->rta_len);
- if (enckeylen != 0)
- goto badkey;
-
- if (keylen > OTX_CPT_MAX_KEY_SIZE)
- goto badkey;
-
- memcpy(ctx->key, key, keylen);
- ctx->enc_key_len = enckeylen;
- ctx->auth_key_len = keylen;
- return 0;
-badkey:
- return -EINVAL;
+ return otx_cpt_aead_cbc_aes_sha_setkey(cipher, key, keylen);
}
static int otx_cpt_aead_gcm_aes_setkey(struct crypto_aead *cipher,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 061/386] crypto: octeontx2 - Fix authenc setkey
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 060/386] crypto: octeontx - Fix authenc setkey Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 062/386] ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Greg Kroah-Hartman
` (335 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 7ccb750dcac8abbfc7743aab0db6a72c1c3703c7 ]
Use the generic crypto_authenc_extractkeys helper instead of custom
parsing code that is slightly broken. Also fix a number of memory
leaks by moving memory allocation from setkey to init_tfm (setkey
can be called multiple times over the life of a tfm).
Finally accept all hash key lengths by running the digest over
extra-long keys.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../marvell/octeontx2/otx2_cptvf_algs.c | 254 +++++++-----------
1 file changed, 90 insertions(+), 164 deletions(-)
diff --git a/drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c b/drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c
index e27ddd3c4e558..4385d3df52b4d 100644
--- a/drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c
+++ b/drivers/crypto/marvell/octeontx2/otx2_cptvf_algs.c
@@ -11,7 +11,6 @@
#include <crypto/xts.h>
#include <crypto/gcm.h>
#include <crypto/scatterwalk.h>
-#include <linux/rtnetlink.h>
#include <linux/sort.h>
#include <linux/module.h>
#include "otx2_cptvf.h"
@@ -54,6 +53,8 @@ static struct cpt_device_table se_devices = {
.count = ATOMIC_INIT(0)
};
+static struct otx2_cpt_sdesc *alloc_sdesc(struct crypto_shash *alg);
+
static inline int get_se_device(struct pci_dev **pdev, int *cpu_num)
{
int count;
@@ -580,40 +581,56 @@ static int cpt_aead_init(struct crypto_aead *atfm, u8 cipher_type, u8 mac_type)
ctx->cipher_type = cipher_type;
ctx->mac_type = mac_type;
+ switch (ctx->mac_type) {
+ case OTX2_CPT_SHA1:
+ ctx->hashalg = crypto_alloc_shash("sha1", 0, 0);
+ break;
+
+ case OTX2_CPT_SHA256:
+ ctx->hashalg = crypto_alloc_shash("sha256", 0, 0);
+ break;
+
+ case OTX2_CPT_SHA384:
+ ctx->hashalg = crypto_alloc_shash("sha384", 0, 0);
+ break;
+
+ case OTX2_CPT_SHA512:
+ ctx->hashalg = crypto_alloc_shash("sha512", 0, 0);
+ break;
+ }
+
+ if (IS_ERR(ctx->hashalg))
+ return PTR_ERR(ctx->hashalg);
+
+ if (ctx->hashalg) {
+ ctx->sdesc = alloc_sdesc(ctx->hashalg);
+ if (!ctx->sdesc) {
+ crypto_free_shash(ctx->hashalg);
+ return -ENOMEM;
+ }
+ }
+
/*
* When selected cipher is NULL we use HMAC opcode instead of
* FLEXICRYPTO opcode therefore we don't need to use HASH algorithms
* for calculating ipad and opad
*/
- if (ctx->cipher_type != OTX2_CPT_CIPHER_NULL) {
- switch (ctx->mac_type) {
- case OTX2_CPT_SHA1:
- ctx->hashalg = crypto_alloc_shash("sha1", 0,
- CRYPTO_ALG_ASYNC);
- if (IS_ERR(ctx->hashalg))
- return PTR_ERR(ctx->hashalg);
- break;
-
- case OTX2_CPT_SHA256:
- ctx->hashalg = crypto_alloc_shash("sha256", 0,
- CRYPTO_ALG_ASYNC);
- if (IS_ERR(ctx->hashalg))
- return PTR_ERR(ctx->hashalg);
- break;
+ if (ctx->cipher_type != OTX2_CPT_CIPHER_NULL && ctx->hashalg) {
+ int ss = crypto_shash_statesize(ctx->hashalg);
- case OTX2_CPT_SHA384:
- ctx->hashalg = crypto_alloc_shash("sha384", 0,
- CRYPTO_ALG_ASYNC);
- if (IS_ERR(ctx->hashalg))
- return PTR_ERR(ctx->hashalg);
- break;
+ ctx->ipad = kzalloc(ss, GFP_KERNEL);
+ if (!ctx->ipad) {
+ kfree(ctx->sdesc);
+ crypto_free_shash(ctx->hashalg);
+ return -ENOMEM;
+ }
- case OTX2_CPT_SHA512:
- ctx->hashalg = crypto_alloc_shash("sha512", 0,
- CRYPTO_ALG_ASYNC);
- if (IS_ERR(ctx->hashalg))
- return PTR_ERR(ctx->hashalg);
- break;
+ ctx->opad = kzalloc(ss, GFP_KERNEL);
+ if (!ctx->opad) {
+ kfree(ctx->ipad);
+ kfree(ctx->sdesc);
+ crypto_free_shash(ctx->hashalg);
+ return -ENOMEM;
}
}
switch (ctx->cipher_type) {
@@ -686,8 +703,7 @@ static void otx2_cpt_aead_exit(struct crypto_aead *tfm)
kfree(ctx->ipad);
kfree(ctx->opad);
- if (ctx->hashalg)
- crypto_free_shash(ctx->hashalg);
+ crypto_free_shash(ctx->hashalg);
kfree(ctx->sdesc);
if (ctx->fbk_cipher) {
@@ -760,7 +776,7 @@ static inline void swap_data64(void *buf, u32 len)
cpu_to_be64s(src);
}
-static int copy_pad(u8 mac_type, u8 *out_pad, u8 *in_pad)
+static int swap_pad(u8 mac_type, u8 *pad)
{
struct sha512_state *sha512;
struct sha256_state *sha256;
@@ -768,22 +784,19 @@ static int copy_pad(u8 mac_type, u8 *out_pad, u8 *in_pad)
switch (mac_type) {
case OTX2_CPT_SHA1:
- sha1 = (struct sha1_state *) in_pad;
+ sha1 = (struct sha1_state *)pad;
swap_data32(sha1->state, SHA1_DIGEST_SIZE);
- memcpy(out_pad, &sha1->state, SHA1_DIGEST_SIZE);
break;
case OTX2_CPT_SHA256:
- sha256 = (struct sha256_state *) in_pad;
+ sha256 = (struct sha256_state *)pad;
swap_data32(sha256->state, SHA256_DIGEST_SIZE);
- memcpy(out_pad, &sha256->state, SHA256_DIGEST_SIZE);
break;
case OTX2_CPT_SHA384:
case OTX2_CPT_SHA512:
- sha512 = (struct sha512_state *) in_pad;
+ sha512 = (struct sha512_state *)pad;
swap_data64(sha512->state, SHA512_DIGEST_SIZE);
- memcpy(out_pad, &sha512->state, SHA512_DIGEST_SIZE);
break;
default:
@@ -793,55 +806,54 @@ static int copy_pad(u8 mac_type, u8 *out_pad, u8 *in_pad)
return 0;
}
-static int aead_hmac_init(struct crypto_aead *cipher)
+static int aead_hmac_init(struct crypto_aead *cipher,
+ struct crypto_authenc_keys *keys)
{
struct otx2_cpt_aead_ctx *ctx = crypto_aead_ctx_dma(cipher);
- int state_size = crypto_shash_statesize(ctx->hashalg);
int ds = crypto_shash_digestsize(ctx->hashalg);
int bs = crypto_shash_blocksize(ctx->hashalg);
- int authkeylen = ctx->auth_key_len;
+ int authkeylen = keys->authkeylen;
u8 *ipad = NULL, *opad = NULL;
- int ret = 0, icount = 0;
+ int icount = 0;
+ int ret;
- ctx->sdesc = alloc_sdesc(ctx->hashalg);
- if (!ctx->sdesc)
- return -ENOMEM;
+ if (authkeylen > bs) {
+ ret = crypto_shash_digest(&ctx->sdesc->shash, keys->authkey,
+ authkeylen, ctx->key);
+ if (ret)
+ goto calc_fail;
- ctx->ipad = kzalloc(bs, GFP_KERNEL);
- if (!ctx->ipad) {
- ret = -ENOMEM;
- goto calc_fail;
- }
+ authkeylen = ds;
+ } else
+ memcpy(ctx->key, keys->authkey, authkeylen);
- ctx->opad = kzalloc(bs, GFP_KERNEL);
- if (!ctx->opad) {
- ret = -ENOMEM;
- goto calc_fail;
- }
+ ctx->enc_key_len = keys->enckeylen;
+ ctx->auth_key_len = authkeylen;
- ipad = kzalloc(state_size, GFP_KERNEL);
- if (!ipad) {
- ret = -ENOMEM;
- goto calc_fail;
- }
+ if (ctx->cipher_type == OTX2_CPT_CIPHER_NULL)
+ return keys->enckeylen ? -EINVAL : 0;
- opad = kzalloc(state_size, GFP_KERNEL);
- if (!opad) {
- ret = -ENOMEM;
- goto calc_fail;
+ switch (keys->enckeylen) {
+ case AES_KEYSIZE_128:
+ ctx->key_type = OTX2_CPT_AES_128_BIT;
+ break;
+ case AES_KEYSIZE_192:
+ ctx->key_type = OTX2_CPT_AES_192_BIT;
+ break;
+ case AES_KEYSIZE_256:
+ ctx->key_type = OTX2_CPT_AES_256_BIT;
+ break;
+ default:
+ /* Invalid key length */
+ return -EINVAL;
}
- if (authkeylen > bs) {
- ret = crypto_shash_digest(&ctx->sdesc->shash, ctx->key,
- authkeylen, ipad);
- if (ret)
- goto calc_fail;
+ memcpy(ctx->key + authkeylen, keys->enckey, keys->enckeylen);
- authkeylen = ds;
- } else {
- memcpy(ipad, ctx->key, authkeylen);
- }
+ ipad = ctx->ipad;
+ opad = ctx->opad;
+ memcpy(ipad, ctx->key, authkeylen);
memset(ipad + authkeylen, 0, bs - authkeylen);
memcpy(opad, ipad, bs);
@@ -859,7 +871,7 @@ static int aead_hmac_init(struct crypto_aead *cipher)
crypto_shash_init(&ctx->sdesc->shash);
crypto_shash_update(&ctx->sdesc->shash, ipad, bs);
crypto_shash_export(&ctx->sdesc->shash, ipad);
- ret = copy_pad(ctx->mac_type, ctx->ipad, ipad);
+ ret = swap_pad(ctx->mac_type, ipad);
if (ret)
goto calc_fail;
@@ -867,25 +879,9 @@ static int aead_hmac_init(struct crypto_aead *cipher)
crypto_shash_init(&ctx->sdesc->shash);
crypto_shash_update(&ctx->sdesc->shash, opad, bs);
crypto_shash_export(&ctx->sdesc->shash, opad);
- ret = copy_pad(ctx->mac_type, ctx->opad, opad);
- if (ret)
- goto calc_fail;
-
- kfree(ipad);
- kfree(opad);
-
- return 0;
+ ret = swap_pad(ctx->mac_type, opad);
calc_fail:
- kfree(ctx->ipad);
- ctx->ipad = NULL;
- kfree(ctx->opad);
- ctx->opad = NULL;
- kfree(ipad);
- kfree(opad);
- kfree(ctx->sdesc);
- ctx->sdesc = NULL;
-
return ret;
}
@@ -893,87 +889,17 @@ static int otx2_cpt_aead_cbc_aes_sha_setkey(struct crypto_aead *cipher,
const unsigned char *key,
unsigned int keylen)
{
- struct otx2_cpt_aead_ctx *ctx = crypto_aead_ctx_dma(cipher);
- struct crypto_authenc_key_param *param;
- int enckeylen = 0, authkeylen = 0;
- struct rtattr *rta = (void *)key;
-
- if (!RTA_OK(rta, keylen))
- return -EINVAL;
+ struct crypto_authenc_keys authenc_keys;
- if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
- return -EINVAL;
-
- if (RTA_PAYLOAD(rta) < sizeof(*param))
- return -EINVAL;
-
- param = RTA_DATA(rta);
- enckeylen = be32_to_cpu(param->enckeylen);
- key += RTA_ALIGN(rta->rta_len);
- keylen -= RTA_ALIGN(rta->rta_len);
- if (keylen < enckeylen)
- return -EINVAL;
-
- if (keylen > OTX2_CPT_MAX_KEY_SIZE)
- return -EINVAL;
-
- authkeylen = keylen - enckeylen;
- memcpy(ctx->key, key, keylen);
-
- switch (enckeylen) {
- case AES_KEYSIZE_128:
- ctx->key_type = OTX2_CPT_AES_128_BIT;
- break;
- case AES_KEYSIZE_192:
- ctx->key_type = OTX2_CPT_AES_192_BIT;
- break;
- case AES_KEYSIZE_256:
- ctx->key_type = OTX2_CPT_AES_256_BIT;
- break;
- default:
- /* Invalid key length */
- return -EINVAL;
- }
-
- ctx->enc_key_len = enckeylen;
- ctx->auth_key_len = authkeylen;
-
- return aead_hmac_init(cipher);
+ return crypto_authenc_extractkeys(&authenc_keys, key, keylen) ?:
+ aead_hmac_init(cipher, &authenc_keys);
}
static int otx2_cpt_aead_ecb_null_sha_setkey(struct crypto_aead *cipher,
const unsigned char *key,
unsigned int keylen)
{
- struct otx2_cpt_aead_ctx *ctx = crypto_aead_ctx_dma(cipher);
- struct crypto_authenc_key_param *param;
- struct rtattr *rta = (void *)key;
- int enckeylen = 0;
-
- if (!RTA_OK(rta, keylen))
- return -EINVAL;
-
- if (rta->rta_type != CRYPTO_AUTHENC_KEYA_PARAM)
- return -EINVAL;
-
- if (RTA_PAYLOAD(rta) < sizeof(*param))
- return -EINVAL;
-
- param = RTA_DATA(rta);
- enckeylen = be32_to_cpu(param->enckeylen);
- key += RTA_ALIGN(rta->rta_len);
- keylen -= RTA_ALIGN(rta->rta_len);
- if (enckeylen != 0)
- return -EINVAL;
-
- if (keylen > OTX2_CPT_MAX_KEY_SIZE)
- return -EINVAL;
-
- memcpy(ctx->key, key, keylen);
- ctx->enc_key_len = enckeylen;
- ctx->auth_key_len = keylen;
-
- return 0;
+ return otx2_cpt_aead_cbc_aes_sha_setkey(cipher, key, keylen);
}
static int otx2_cpt_aead_gcm_aes_setkey(struct crypto_aead *cipher,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 062/386] ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 061/386] crypto: octeontx2 " Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 063/386] wifi: iwlwifi: mvm: Fix a race in scan abort flow Greg Kroah-Hartman
` (334 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Przemek Kitszel, Aleksandr Mishin,
Simon Horman, Tony Nguyen, Sasha Levin, Pucha Himasekhar Reddy
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandr Mishin <amishin@t-argos.ru>
[ Upstream commit 62fdaf9e8056e9a9e6fe63aa9c816ec2122d60c6 ]
In ice_sched_add_root_node() and ice_sched_add_node() there are calls to
devm_kcalloc() in order to allocate memory for array of pointers to
'ice_sched_node' structure. But incorrect types are used as sizeof()
arguments in these calls (structures instead of pointers) which leads to
over allocation of memory.
Adjust over allocation of memory by correcting types in devm_kcalloc()
sizeof() arguments.
Found by Linux Verification Center (linuxtesting.org) with SVACE.
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Aleksandr Mishin <amishin@t-argos.ru>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/ice/ice_sched.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/intel/ice/ice_sched.c b/drivers/net/ethernet/intel/ice/ice_sched.c
index c0533d7b66b99..908bcd0738033 100644
--- a/drivers/net/ethernet/intel/ice/ice_sched.c
+++ b/drivers/net/ethernet/intel/ice/ice_sched.c
@@ -28,9 +28,8 @@ ice_sched_add_root_node(struct ice_port_info *pi,
if (!root)
return -ENOMEM;
- /* coverity[suspicious_sizeof] */
root->children = devm_kcalloc(ice_hw_to_dev(hw), hw->max_children[0],
- sizeof(*root), GFP_KERNEL);
+ sizeof(*root->children), GFP_KERNEL);
if (!root->children) {
devm_kfree(ice_hw_to_dev(hw), root);
return -ENOMEM;
@@ -186,10 +185,9 @@ ice_sched_add_node(struct ice_port_info *pi, u8 layer,
if (!node)
return -ENOMEM;
if (hw->max_children[layer]) {
- /* coverity[suspicious_sizeof] */
node->children = devm_kcalloc(ice_hw_to_dev(hw),
hw->max_children[layer],
- sizeof(*node), GFP_KERNEL);
+ sizeof(*node->children), GFP_KERNEL);
if (!node->children) {
devm_kfree(ice_hw_to_dev(hw), node);
return -ENOMEM;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 063/386] wifi: iwlwifi: mvm: Fix a race in scan abort flow
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 062/386] ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 064/386] wifi: iwlwifi: mvm: drop wrong STA selection in TX Greg Kroah-Hartman
` (333 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilan Peer, Miri Korenblit,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilan Peer <ilan.peer@intel.com>
[ Upstream commit 87c1c28a9aa149489e1667f5754fc24f4973d2d0 ]
When the upper layer requests to cancel an ongoing scan, a race
is possible in which by the time the driver starts to handle the
upper layers scan cancel flow, the FW already completed handling
the scan request and the driver received the scan complete
notification but still did not handle the notification. In such a
case the FW will simply ignore the scan abort request coming from
the driver, no notification would arrive from the FW and the entire
abort flow would be considered a failure.
To better handle this, check the status code returned by the FW for
the scan abort command. In case the status indicates that
no scan was aborted, complete the scan abort flow with success, i.e.,
the scan was aborted, as the flow is expected to consume the scan
complete notification.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20240825085558.483989d3baef.I3340556a222388504c6330b333360bf77d10f9e2@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/intel/iwlwifi/fw/api/scan.h | 13 ++++++
drivers/net/wireless/intel/iwlwifi/mvm/scan.c | 42 +++++++++++++++----
2 files changed, 47 insertions(+), 8 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/fw/api/scan.h b/drivers/net/wireless/intel/iwlwifi/fw/api/scan.h
index 93078f8cc08c0..af487a2738f82 100644
--- a/drivers/net/wireless/intel/iwlwifi/fw/api/scan.h
+++ b/drivers/net/wireless/intel/iwlwifi/fw/api/scan.h
@@ -1123,6 +1123,19 @@ struct iwl_umac_scan_abort {
__le32 flags;
} __packed; /* SCAN_ABORT_CMD_UMAC_API_S_VER_1 */
+/**
+ * enum iwl_umac_scan_abort_status
+ *
+ * @IWL_UMAC_SCAN_ABORT_STATUS_SUCCESS: scan was successfully aborted
+ * @IWL_UMAC_SCAN_ABORT_STATUS_IN_PROGRESS: scan abort is in progress
+ * @IWL_UMAC_SCAN_ABORT_STATUS_NOT_FOUND: nothing to abort
+ */
+enum iwl_umac_scan_abort_status {
+ IWL_UMAC_SCAN_ABORT_STATUS_SUCCESS = 0,
+ IWL_UMAC_SCAN_ABORT_STATUS_IN_PROGRESS,
+ IWL_UMAC_SCAN_ABORT_STATUS_NOT_FOUND,
+};
+
/**
* struct iwl_umac_scan_complete
* @uid: scan id, &enum iwl_umac_scan_uid_offsets
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
index 626620cd892f0..ded06602f6ced 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/scan.c
@@ -3222,13 +3222,23 @@ void iwl_mvm_rx_umac_scan_iter_complete_notif(struct iwl_mvm *mvm,
mvm->scan_start);
}
-static int iwl_mvm_umac_scan_abort(struct iwl_mvm *mvm, int type)
+static int iwl_mvm_umac_scan_abort(struct iwl_mvm *mvm, int type, bool *wait)
{
- struct iwl_umac_scan_abort cmd = {};
+ struct iwl_umac_scan_abort abort_cmd = {};
+ struct iwl_host_cmd cmd = {
+ .id = WIDE_ID(IWL_ALWAYS_LONG_GROUP, SCAN_ABORT_UMAC),
+ .len = { sizeof(abort_cmd), },
+ .data = { &abort_cmd, },
+ .flags = CMD_SEND_IN_RFKILL,
+ };
+
int uid, ret;
+ u32 status = IWL_UMAC_SCAN_ABORT_STATUS_NOT_FOUND;
lockdep_assert_held(&mvm->mutex);
+ *wait = true;
+
/* We should always get a valid index here, because we already
* checked that this type of scan was running in the generic
* code.
@@ -3237,17 +3247,28 @@ static int iwl_mvm_umac_scan_abort(struct iwl_mvm *mvm, int type)
if (WARN_ON_ONCE(uid < 0))
return uid;
- cmd.uid = cpu_to_le32(uid);
+ abort_cmd.uid = cpu_to_le32(uid);
IWL_DEBUG_SCAN(mvm, "Sending scan abort, uid %u\n", uid);
- ret = iwl_mvm_send_cmd_pdu(mvm,
- WIDE_ID(IWL_ALWAYS_LONG_GROUP, SCAN_ABORT_UMAC),
- CMD_SEND_IN_RFKILL, sizeof(cmd), &cmd);
+ ret = iwl_mvm_send_cmd_status(mvm, &cmd, &status);
+
+ IWL_DEBUG_SCAN(mvm, "Scan abort: ret=%d, status=%u\n", ret, status);
if (!ret)
mvm->scan_uid_status[uid] = type << IWL_MVM_SCAN_STOPPING_SHIFT;
- IWL_DEBUG_SCAN(mvm, "Scan abort: ret=%d\n", ret);
+ /* Handle the case that the FW is no longer familiar with the scan that
+ * is to be stopped. In such a case, it is expected that the scan
+ * complete notification was already received but not yet processed.
+ * In such a case, there is no need to wait for a scan complete
+ * notification and the flow should continue similar to the case that
+ * the scan was really aborted.
+ */
+ if (status == IWL_UMAC_SCAN_ABORT_STATUS_NOT_FOUND) {
+ mvm->scan_uid_status[uid] = type << IWL_MVM_SCAN_STOPPING_SHIFT;
+ *wait = false;
+ }
+
return ret;
}
@@ -3257,6 +3278,7 @@ static int iwl_mvm_scan_stop_wait(struct iwl_mvm *mvm, int type)
static const u16 scan_done_notif[] = { SCAN_COMPLETE_UMAC,
SCAN_OFFLOAD_COMPLETE, };
int ret;
+ bool wait = true;
lockdep_assert_held(&mvm->mutex);
@@ -3268,7 +3290,7 @@ static int iwl_mvm_scan_stop_wait(struct iwl_mvm *mvm, int type)
IWL_DEBUG_SCAN(mvm, "Preparing to stop scan, type %x\n", type);
if (fw_has_capa(&mvm->fw->ucode_capa, IWL_UCODE_TLV_CAPA_UMAC_SCAN))
- ret = iwl_mvm_umac_scan_abort(mvm, type);
+ ret = iwl_mvm_umac_scan_abort(mvm, type, &wait);
else
ret = iwl_mvm_lmac_scan_abort(mvm);
@@ -3276,6 +3298,10 @@ static int iwl_mvm_scan_stop_wait(struct iwl_mvm *mvm, int type)
IWL_DEBUG_SCAN(mvm, "couldn't stop scan type %d\n", type);
iwl_remove_notification(&mvm->notif_wait, &wait_scan_done);
return ret;
+ } else if (!wait) {
+ IWL_DEBUG_SCAN(mvm, "no need to wait for scan type %d\n", type);
+ iwl_remove_notification(&mvm->notif_wait, &wait_scan_done);
+ return 0;
}
return iwl_wait_notification(&mvm->notif_wait, &wait_scan_done,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 064/386] wifi: iwlwifi: mvm: drop wrong STA selection in TX
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 063/386] wifi: iwlwifi: mvm: Fix a race in scan abort flow Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 065/386] wifi: cfg80211: Set correct chandef when starting CAC Greg Kroah-Hartman
` (332 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Berg, Miri Korenblit,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 1c7e1068a7c9c39ed27636db93e71911e0045419 ]
This shouldn't happen at all, since in station mode all MMPDUs
go through the TXQ for the STA, and not this function. There
may or may not be a race in mac80211 through which this might
happen for some frames while a station is being added, but in
that case we can also just drop the frame and pretend the STA
didn't exist yet.
Also, the code is simply wrong since it uses deflink, and it's
not easy to fix it since the mvmvif->ap_sta pointer cannot be
used without the mutex, and perhaps the right link might not
even be known.
Just drop the frame at that point instead of trying to fix it
up.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20240808232017.45ad105dc7fe.I6d45c82e5758395d9afb8854057ded03c7dc81d7@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/intel/iwlwifi/mvm/mac80211.c | 16 +++-------------
1 file changed, 3 insertions(+), 13 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
index d2daea3b1f38a..2d35a8865d00b 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mac80211.c
@@ -766,20 +766,10 @@ void iwl_mvm_mac_tx(struct ieee80211_hw *hw,
if (ieee80211_is_mgmt(hdr->frame_control))
sta = NULL;
- /* If there is no sta, and it's not offchannel - send through AP */
+ /* this shouldn't even happen: just drop */
if (!sta && info->control.vif->type == NL80211_IFTYPE_STATION &&
- !offchannel) {
- struct iwl_mvm_vif *mvmvif =
- iwl_mvm_vif_from_mac80211(info->control.vif);
- u8 ap_sta_id = READ_ONCE(mvmvif->deflink.ap_sta_id);
-
- if (ap_sta_id < mvm->fw->ucode_capa.num_stations) {
- /* mac80211 holds rcu read lock */
- sta = rcu_dereference(mvm->fw_id_to_mac_id[ap_sta_id]);
- if (IS_ERR_OR_NULL(sta))
- goto drop;
- }
- }
+ !offchannel)
+ goto drop;
if (tmp_sta && !sta && link_id != IEEE80211_LINK_UNSPECIFIED &&
!ieee80211_is_probe_resp(hdr->frame_control)) {
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 065/386] wifi: cfg80211: Set correct chandef when starting CAC
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 064/386] wifi: iwlwifi: mvm: drop wrong STA selection in TX Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 066/386] net/xen-netback: prevent UAF in xenvif_flush_hash() Greg Kroah-Hartman
` (331 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kretschmer Mathias, Issam Hamdi,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Issam Hamdi <ih@simonwunderlich.de>
[ Upstream commit 20361712880396e44ce80aaeec2d93d182035651 ]
When starting CAC in a mode other than AP mode, it return a
"WARNING: CPU: 0 PID: 63 at cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]"
caused by the chandef.chan being null at the end of CAC.
Solution: Ensure the channel definition is set for the different modes
when starting CAC to avoid getting a NULL 'chan' at the end of CAC.
Call Trace:
? show_regs.part.0+0x14/0x16
? __warn+0x67/0xc0
? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
? report_bug+0xa7/0x130
? exc_overflow+0x30/0x30
? handle_bug+0x27/0x50
? exc_invalid_op+0x18/0x60
? handle_exception+0xf6/0xf6
? exc_overflow+0x30/0x30
? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
? exc_overflow+0x30/0x30
? cfg80211_chandef_dfs_usable+0x20/0xaf [cfg80211]
? regulatory_propagate_dfs_state.cold+0x1b/0x4c [cfg80211]
? cfg80211_propagate_cac_done_wk+0x1a/0x30 [cfg80211]
? process_one_work+0x165/0x280
? worker_thread+0x120/0x3f0
? kthread+0xc2/0xf0
? process_one_work+0x280/0x280
? kthread_complete_and_exit+0x20/0x20
? ret_from_fork+0x19/0x24
Reported-by: Kretschmer Mathias <mathias.kretschmer@fit.fraunhofer.de>
Signed-off-by: Issam Hamdi <ih@simonwunderlich.de>
Link: https://patch.msgid.link/20240816142418.3381951-1-ih@simonwunderlich.de
[shorten subject, remove OCB, reorder cases to match previous list]
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/nl80211.c | 15 ++++++++++++++-
1 file changed, 14 insertions(+), 1 deletion(-)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 4ce23762b1c95..9e74f249cb45f 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -10048,7 +10048,20 @@ static int nl80211_start_radar_detection(struct sk_buff *skb,
err = rdev_start_radar_detection(rdev, dev, &chandef, cac_time_ms);
if (!err) {
- wdev->links[0].ap.chandef = chandef;
+ switch (wdev->iftype) {
+ case NL80211_IFTYPE_AP:
+ case NL80211_IFTYPE_P2P_GO:
+ wdev->links[0].ap.chandef = chandef;
+ break;
+ case NL80211_IFTYPE_ADHOC:
+ wdev->u.ibss.chandef = chandef;
+ break;
+ case NL80211_IFTYPE_MESH_POINT:
+ wdev->u.mesh.chandef = chandef;
+ break;
+ default:
+ break;
+ }
wdev->cac_started = true;
wdev->cac_start_time = jiffies;
wdev->cac_time_ms = cac_time_ms;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 066/386] net/xen-netback: prevent UAF in xenvif_flush_hash()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 065/386] wifi: cfg80211: Set correct chandef when starting CAC Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 067/386] net: hisilicon: hip04: fix OF node leak in probe() Greg Kroah-Hartman
` (330 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeongjun Park, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeongjun Park <aha310510@gmail.com>
[ Upstream commit 0fa5e94a1811d68fbffa0725efe6d4ca62c03d12 ]
During the list_for_each_entry_rcu iteration call of xenvif_flush_hash,
kfree_rcu does not exist inside the rcu read critical section, so if
kfree_rcu is called when the rcu grace period ends during the iteration,
UAF occurs when accessing head->next after the entry becomes free.
Therefore, to solve this, you need to change it to list_for_each_entry_safe.
Signed-off-by: Jeongjun Park <aha310510@gmail.com>
Link: https://patch.msgid.link/20240822181109.2577354-1-aha310510@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/xen-netback/hash.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/net/xen-netback/hash.c b/drivers/net/xen-netback/hash.c
index ff96f22648efd..45ddce35f6d2c 100644
--- a/drivers/net/xen-netback/hash.c
+++ b/drivers/net/xen-netback/hash.c
@@ -95,7 +95,7 @@ static u32 xenvif_new_hash(struct xenvif *vif, const u8 *data,
static void xenvif_flush_hash(struct xenvif *vif)
{
- struct xenvif_hash_cache_entry *entry;
+ struct xenvif_hash_cache_entry *entry, *n;
unsigned long flags;
if (xenvif_hash_cache_size == 0)
@@ -103,8 +103,7 @@ static void xenvif_flush_hash(struct xenvif *vif)
spin_lock_irqsave(&vif->hash.cache.lock, flags);
- list_for_each_entry_rcu(entry, &vif->hash.cache.list, link,
- lockdep_is_held(&vif->hash.cache.lock)) {
+ list_for_each_entry_safe(entry, n, &vif->hash.cache.list, link) {
list_del_rcu(&entry->link);
vif->hash.cache.count--;
kfree_rcu(entry, rcu);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 067/386] net: hisilicon: hip04: fix OF node leak in probe()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 066/386] net/xen-netback: prevent UAF in xenvif_flush_hash() Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 068/386] net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() Greg Kroah-Hartman
` (329 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 17555297dbd5bccc93a01516117547e26a61caf1 ]
Driver is leaking OF node reference from
of_parse_phandle_with_fixed_args() in probe().
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240827144421.52852-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hip04_eth.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/hisilicon/hip04_eth.c b/drivers/net/ethernet/hisilicon/hip04_eth.c
index ecf92a5d56bbf..4b893d162e85d 100644
--- a/drivers/net/ethernet/hisilicon/hip04_eth.c
+++ b/drivers/net/ethernet/hisilicon/hip04_eth.c
@@ -947,6 +947,7 @@ static int hip04_mac_probe(struct platform_device *pdev)
priv->tx_coalesce_timer.function = tx_done;
priv->map = syscon_node_to_regmap(arg.np);
+ of_node_put(arg.np);
if (IS_ERR(priv->map)) {
dev_warn(d, "no syscon hisilicon,hip04-ppe\n");
ret = PTR_ERR(priv->map);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 068/386] net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 067/386] net: hisilicon: hip04: fix OF node leak in probe() Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 069/386] net: hisilicon: hns_mdio: fix OF node leak in probe() Greg Kroah-Hartman
` (328 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 5680cf8d34e1552df987e2f4bb1bff0b2a8c8b11 ]
Driver is leaking OF node reference from
of_parse_phandle_with_fixed_args() in hns_mac_get_info().
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240827144421.52852-3-krzysztof.kozlowski@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c
index f75668c479351..616a2768e5048 100644
--- a/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c
+++ b/drivers/net/ethernet/hisilicon/hns/hns_dsaf_mac.c
@@ -933,6 +933,7 @@ static int hns_mac_get_info(struct hns_mac_cb *mac_cb)
mac_cb->cpld_ctrl = NULL;
} else {
syscon = syscon_node_to_regmap(cpld_args.np);
+ of_node_put(cpld_args.np);
if (IS_ERR_OR_NULL(syscon)) {
dev_dbg(mac_cb->dev, "no cpld-syscon found!\n");
mac_cb->cpld_ctrl = NULL;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 069/386] net: hisilicon: hns_mdio: fix OF node leak in probe()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 068/386] net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 070/386] ACPI: PAD: fix crash in exit_round_robin() Greg Kroah-Hartman
` (327 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Simon Horman,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit e62beddc45f487b9969821fad3a0913d9bc18a2f ]
Driver is leaking OF node reference from
of_parse_phandle_with_fixed_args() in probe().
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240827144421.52852-4-krzysztof.kozlowski@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/hisilicon/hns_mdio.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/ethernet/hisilicon/hns_mdio.c b/drivers/net/ethernet/hisilicon/hns_mdio.c
index 409a89d802208..9ffd479c75088 100644
--- a/drivers/net/ethernet/hisilicon/hns_mdio.c
+++ b/drivers/net/ethernet/hisilicon/hns_mdio.c
@@ -575,6 +575,7 @@ static int hns_mdio_probe(struct platform_device *pdev)
MDIO_SC_RESET_ST;
}
}
+ of_node_put(reg_args.np);
} else {
dev_warn(&pdev->dev, "find syscon ret = %#x\n", ret);
mdio_dev->subctrl_vbase = NULL;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 070/386] ACPI: PAD: fix crash in exit_round_robin()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 069/386] net: hisilicon: hns_mdio: fix OF node leak in probe() Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 071/386] ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails Greg Kroah-Hartman
` (326 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Seiji Nishikawa, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Seiji Nishikawa <snishika@redhat.com>
[ Upstream commit 0a2ed70a549e61c5181bad5db418d223b68ae932 ]
The kernel occasionally crashes in cpumask_clear_cpu(), which is called
within exit_round_robin(), because when executing clear_bit(nr, addr) with
nr set to 0xffffffff, the address calculation may cause misalignment within
the memory, leading to access to an invalid memory address.
----------
BUG: unable to handle kernel paging request at ffffffffe0740618
...
CPU: 3 PID: 2919323 Comm: acpi_pad/14 Kdump: loaded Tainted: G OE X --------- - - 4.18.0-425.19.2.el8_7.x86_64 #1
...
RIP: 0010:power_saving_thread+0x313/0x411 [acpi_pad]
Code: 89 cd 48 89 d3 eb d1 48 c7 c7 55 70 72 c0 e8 64 86 b0 e4 c6 05 0d a1 02 00 01 e9 bc fd ff ff 45 89 e4 42 8b 04 a5 20 82 72 c0 <f0> 48 0f b3 05 f4 9c 01 00 42 c7 04 a5 20 82 72 c0 ff ff ff ff 31
RSP: 0018:ff72a5d51fa77ec8 EFLAGS: 00010202
RAX: 00000000ffffffff RBX: ff462981e5d8cb80 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000246 RDI: 0000000000000246
RBP: ff46297556959d80 R08: 0000000000000382 R09: ff46297c8d0f38d8
R10: 0000000000000000 R11: 0000000000000001 R12: 000000000000000e
R13: 0000000000000000 R14: ffffffffffffffff R15: 000000000000000e
FS: 0000000000000000(0000) GS:ff46297a800c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: ffffffffe0740618 CR3: 0000007e20410004 CR4: 0000000000771ee0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
PKRU: 55555554
Call Trace:
? acpi_pad_add+0x120/0x120 [acpi_pad]
kthread+0x10b/0x130
? set_kthread_struct+0x50/0x50
ret_from_fork+0x1f/0x40
...
CR2: ffffffffe0740618
crash> dis -lr ffffffffc0726923
...
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 114
0xffffffffc0726918 <power_saving_thread+776>: mov %r12d,%r12d
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./include/linux/cpumask.h: 325
0xffffffffc072691b <power_saving_thread+779>: mov -0x3f8d7de0(,%r12,4),%eax
/usr/src/debug/kernel-4.18.0-425.19.2.el8_7/linux-4.18.0-425.19.2.el8_7.x86_64/./arch/x86/include/asm/bitops.h: 80
0xffffffffc0726923 <power_saving_thread+787>: lock btr %rax,0x19cf4(%rip) # 0xffffffffc0740620 <pad_busy_cpus_bits>
crash> px tsk_in_cpu[14]
$66 = 0xffffffff
crash> px 0xffffffffc072692c+0x19cf4
$99 = 0xffffffffc0740620
crash> sym 0xffffffffc0740620
ffffffffc0740620 (b) pad_busy_cpus_bits [acpi_pad]
crash> px pad_busy_cpus_bits[0]
$42 = 0xfffc0
----------
To fix this, ensure that tsk_in_cpu[tsk_index] != -1 before calling
cpumask_clear_cpu() in exit_round_robin(), just as it is done in
round_robin_cpu().
Signed-off-by: Seiji Nishikawa <snishika@redhat.com>
Link: https://patch.msgid.link/20240825141352.25280-1-snishika@redhat.com
[ rjw: Subject edit, avoid updates to the same value ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpi_pad.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/acpi/acpi_pad.c b/drivers/acpi/acpi_pad.c
index 7a453c5ff303a..71e25c7989762 100644
--- a/drivers/acpi/acpi_pad.c
+++ b/drivers/acpi/acpi_pad.c
@@ -131,8 +131,10 @@ static void exit_round_robin(unsigned int tsk_index)
{
struct cpumask *pad_busy_cpus = to_cpumask(pad_busy_cpus_bits);
- cpumask_clear_cpu(tsk_in_cpu[tsk_index], pad_busy_cpus);
- tsk_in_cpu[tsk_index] = -1;
+ if (tsk_in_cpu[tsk_index] != -1) {
+ cpumask_clear_cpu(tsk_in_cpu[tsk_index], pad_busy_cpus);
+ tsk_in_cpu[tsk_index] = -1;
+ }
}
static unsigned int idle_pct = 5; /* percentage */
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 071/386] ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 070/386] ACPI: PAD: fix crash in exit_round_robin() Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 072/386] ACPICA: Fix memory leak if acpi_ps_get_next_field() fails Greg Kroah-Hartman
` (325 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Armin Wolf, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 5accb265f7a1b23e52b0ec42313d1e12895552f4 ]
ACPICA commit 2802af722bbde7bf1a7ac68df68e179e2555d361
If acpi_ps_get_next_namepath() fails, the previously allocated
union acpi_parse_object needs to be freed before returning the
status code.
The issue was first being reported on the Linux ACPI mailing list:
Link: https://lore.kernel.org/linux-acpi/56f94776-484f-48c0-8855-dba8e6a7793b@yandex.ru/T/
Link: https://github.com/acpica/acpica/commit/2802af72
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/psargs.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c
index 422c074ed2897..7debfd5ce0d86 100644
--- a/drivers/acpi/acpica/psargs.c
+++ b/drivers/acpi/acpica/psargs.c
@@ -820,6 +820,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state,
acpi_ps_get_next_namepath(walk_state, parser_state,
arg,
ACPI_NOT_METHOD_CALL);
+ if (ACPI_FAILURE(status)) {
+ acpi_ps_free_op(arg);
+ return_ACPI_STATUS(status);
+ }
} else {
/* Single complex argument, nothing returned */
@@ -854,6 +858,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state,
acpi_ps_get_next_namepath(walk_state, parser_state,
arg,
ACPI_POSSIBLE_METHOD_CALL);
+ if (ACPI_FAILURE(status)) {
+ acpi_ps_free_op(arg);
+ return_ACPI_STATUS(status);
+ }
if (arg->common.aml_opcode == AML_INT_METHODCALL_OP) {
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 072/386] ACPICA: Fix memory leak if acpi_ps_get_next_field() fails
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 071/386] ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 073/386] e1000e: avoid failing the system during pm_suspend Greg Kroah-Hartman
` (324 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Armin Wolf, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit e6169a8ffee8a012badd8c703716e761ce851b15 ]
ACPICA commit 1280045754264841b119a5ede96cd005bc09b5a7
If acpi_ps_get_next_field() fails, the previously created field list
needs to be properly disposed before returning the status code.
Link: https://github.com/acpica/acpica/commit/12800457
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
[ rjw: Rename local variable to avoid compiler confusion ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/psargs.c | 39 ++++++++++++++++++++++++++++++++++++
1 file changed, 39 insertions(+)
diff --git a/drivers/acpi/acpica/psargs.c b/drivers/acpi/acpica/psargs.c
index 7debfd5ce0d86..28582adfc0aca 100644
--- a/drivers/acpi/acpica/psargs.c
+++ b/drivers/acpi/acpica/psargs.c
@@ -25,6 +25,8 @@ acpi_ps_get_next_package_length(struct acpi_parse_state *parser_state);
static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state
*parser_state);
+static void acpi_ps_free_field_list(union acpi_parse_object *start);
+
/*******************************************************************************
*
* FUNCTION: acpi_ps_get_next_package_length
@@ -683,6 +685,39 @@ static union acpi_parse_object *acpi_ps_get_next_field(struct acpi_parse_state
return_PTR(field);
}
+/*******************************************************************************
+ *
+ * FUNCTION: acpi_ps_free_field_list
+ *
+ * PARAMETERS: start - First Op in field list
+ *
+ * RETURN: None.
+ *
+ * DESCRIPTION: Free all Op objects inside a field list.
+ *
+ ******************************************************************************/
+
+static void acpi_ps_free_field_list(union acpi_parse_object *start)
+{
+ union acpi_parse_object *cur = start;
+ union acpi_parse_object *next;
+ union acpi_parse_object *arg;
+
+ while (cur) {
+ next = cur->common.next;
+
+ /* AML_INT_CONNECTION_OP can have a single argument */
+
+ arg = acpi_ps_get_arg(cur, 0);
+ if (arg) {
+ acpi_ps_free_op(arg);
+ }
+
+ acpi_ps_free_op(cur);
+ cur = next;
+ }
+}
+
/*******************************************************************************
*
* FUNCTION: acpi_ps_get_next_arg
@@ -751,6 +786,10 @@ acpi_ps_get_next_arg(struct acpi_walk_state *walk_state,
while (parser_state->aml < parser_state->pkg_end) {
field = acpi_ps_get_next_field(parser_state);
if (!field) {
+ if (arg) {
+ acpi_ps_free_field_list(arg);
+ }
+
return_ACPI_STATUS(AE_NO_MEMORY);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 073/386] e1000e: avoid failing the system during pm_suspend
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 072/386] ACPICA: Fix memory leak if acpi_ps_get_next_field() fails Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 074/386] wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable Greg Kroah-Hartman
` (323 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dima Ruinskiy, Vitaly Lifshits,
Mor Bar-Gabay, Tony Nguyen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vitaly Lifshits <vitaly.lifshits@intel.com>
[ Upstream commit 0a6ad4d9e1690c7faa3a53f762c877e477093657 ]
Occasionally when the system goes into pm_suspend, the suspend might fail
due to a PHY access error on the network adapter. Previously, this would
have caused the whole system to fail to go to a low power state.
An example of this was reported in the following Bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=205015
[ 1663.694828] e1000e 0000:00:19.0 eth0: Failed to disable ULP
[ 1664.731040] asix 2-3:1.0 eth1: link up, 100Mbps, full-duplex, lpa 0xC1E1
[ 1665.093513] e1000e 0000:00:19.0 eth0: Hardware Error
[ 1665.596760] e1000e 0000:00:19.0: pci_pm_resume+0x0/0x80 returned 0 after 2975399 usecs
and then the system never recovers from it, and all the following suspend failed due to this
[22909.393854] PM: pci_pm_suspend(): e1000e_pm_suspend+0x0/0x760 [e1000e] returns -2
[22909.393858] PM: dpm_run_callback(): pci_pm_suspend+0x0/0x160 returns -2
[22909.393861] PM: Device 0000:00:1f.6 failed to suspend async: error -2
This can be avoided by changing the return values of __e1000_shutdown and
e1000e_pm_suspend functions so that they always return 0 (success). This
is consistent with what other drivers do.
If the e1000e driver encounters a hardware error during suspend, potential
side effects include slightly higher power draw or non-working wake on
LAN. This is preferred to a system-level suspend failure, and a warning
message is written to the system log, so that the user can be aware that
the LAN controller experienced a problem during suspend.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=205015
Suggested-by: Dima Ruinskiy <dima.ruinskiy@intel.com>
Signed-off-by: Vitaly Lifshits <vitaly.lifshits@intel.com>
Tested-by: Mor Bar-Gabay <morx.bar.gabay@intel.com>
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/intel/e1000e/netdev.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
diff --git a/drivers/net/ethernet/intel/e1000e/netdev.c b/drivers/net/ethernet/intel/e1000e/netdev.c
index 334f652c60601..d377a286c0e1b 100644
--- a/drivers/net/ethernet/intel/e1000e/netdev.c
+++ b/drivers/net/ethernet/intel/e1000e/netdev.c
@@ -6672,8 +6672,10 @@ static int __e1000_shutdown(struct pci_dev *pdev, bool runtime)
if (adapter->flags2 & FLAG2_HAS_PHY_WAKEUP) {
/* enable wakeup by the PHY */
retval = e1000_init_phy_wakeup(adapter, wufc);
- if (retval)
- return retval;
+ if (retval) {
+ e_err("Failed to enable wakeup\n");
+ goto skip_phy_configurations;
+ }
} else {
/* enable wakeup by the MAC */
ew32(WUFC, wufc);
@@ -6694,8 +6696,10 @@ static int __e1000_shutdown(struct pci_dev *pdev, bool runtime)
* or broadcast.
*/
retval = e1000_enable_ulp_lpt_lp(hw, !runtime);
- if (retval)
- return retval;
+ if (retval) {
+ e_err("Failed to enable ULP\n");
+ goto skip_phy_configurations;
+ }
}
/* Force SMBUS to allow WOL */
@@ -6744,6 +6748,7 @@ static int __e1000_shutdown(struct pci_dev *pdev, bool runtime)
hw->phy.ops.release(hw);
}
+skip_phy_configurations:
/* Release control of h/w to f/w. If f/w is AMT enabled, this
* would have already happened in close and is redundant.
*/
@@ -6986,15 +6991,13 @@ static __maybe_unused int e1000e_pm_suspend(struct device *dev)
e1000e_pm_freeze(dev);
rc = __e1000_shutdown(pdev, false);
- if (rc) {
- e1000e_pm_thaw(dev);
- } else {
+ if (!rc) {
/* Introduce S0ix implementation */
if (adapter->flags2 & FLAG2_ENABLE_S0IX_FLOWS)
e1000e_s0ix_entry_flow(adapter);
}
- return rc;
+ return 0;
}
static __maybe_unused int e1000e_pm_resume(struct device *dev)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 074/386] wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 073/386] e1000e: avoid failing the system during pm_suspend Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 075/386] net: sched: consistently use rcu_replace_pointer() in taprio_change() Greg Kroah-Hartman
` (322 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Fietkau, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Fietkau <nbd@nbd.name>
[ Upstream commit 256cbd26fbafb30ba3314339106e5c594e9bd5f9 ]
Avoids firmware race condition.
Link: https://patch.msgid.link/20240827093011.18621-7-nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
index 272e55ef8e2d2..5fba103bfd65d 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mcu.c
@@ -688,13 +688,17 @@ int mt7915_mcu_add_tx_ba(struct mt7915_dev *dev,
{
struct mt7915_sta *msta = (struct mt7915_sta *)params->sta->drv_priv;
struct mt7915_vif *mvif = msta->vif;
+ int ret;
+ mt76_worker_disable(&dev->mt76.tx_worker);
if (enable && !params->amsdu)
msta->wcid.amsdu = false;
+ ret = mt76_connac_mcu_sta_ba(&dev->mt76, &mvif->mt76, params,
+ MCU_EXT_CMD(STA_REC_UPDATE),
+ enable, true);
+ mt76_worker_enable(&dev->mt76.tx_worker);
- return mt76_connac_mcu_sta_ba(&dev->mt76, &mvif->mt76, params,
- MCU_EXT_CMD(STA_REC_UPDATE),
- enable, true);
+ return ret;
}
int mt7915_mcu_add_rx_ba(struct mt7915_dev *dev,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 075/386] net: sched: consistently use rcu_replace_pointer() in taprio_change()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 074/386] wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 076/386] Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0489:0xe122 Greg Kroah-Hartman
` (321 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vinicius Costa Gomes, Dmitry Antipov,
David S. Miller, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Antipov <dmantipov@yandex.ru>
[ Upstream commit d5c4546062fd6f5dbce575c7ea52ad66d1968678 ]
According to Vinicius (and carefully looking through the whole
https://syzkaller.appspot.com/bug?extid=b65e0af58423fc8a73aa
once again), txtime branch of 'taprio_change()' is not going to
race against 'advance_sched()'. But using 'rcu_replace_pointer()'
in the former may be a good idea as well.
Suggested-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: Dmitry Antipov <dmantipov@yandex.ru>
Acked-by: Vinicius Costa Gomes <vinicius.gomes@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sched/sch_taprio.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/net/sched/sch_taprio.c b/net/sched/sch_taprio.c
index 418d4a846d04a..87090d6790362 100644
--- a/net/sched/sch_taprio.c
+++ b/net/sched/sch_taprio.c
@@ -1975,7 +1975,9 @@ static int taprio_change(struct Qdisc *sch, struct nlattr *opt,
goto unlock;
}
- rcu_assign_pointer(q->admin_sched, new_admin);
+ /* Not going to race against advance_sched(), but still */
+ admin = rcu_replace_pointer(q->admin_sched, new_admin,
+ lockdep_rtnl_is_held());
if (admin)
call_rcu(&admin->rcu, taprio_free_sched_cb);
} else {
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 076/386] Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0489:0xe122
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 075/386] net: sched: consistently use rcu_replace_pointer() in taprio_change() Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 077/386] Bluetooth: btrtl: Set msft ext address filter quirk for RTL8852B Greg Kroah-Hartman
` (320 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hilda Wu, Luiz Augusto von Dentz,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hilda Wu <hildawu@realtek.com>
[ Upstream commit bdf9557f70e7512bb2f754abf90d9e9958745316 ]
Add the support ID (0x0489, 0xe122) to usb_device_id table for
Realtek RTL8852C.
The device info from /sys/kernel/debug/usb/devices as below.
T: Bus=03 Lev=01 Prnt=01 Port=02 Cnt=01 Dev#= 2 Spd=12 MxCh= 0
D: Ver= 1.00 Cls=e0(wlcon) Sub=01 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=0489 ProdID=e122 Rev= 0.00
S: Manufacturer=Realtek
S: Product=Bluetooth Radio
S: SerialNumber=00e04c000001
C:* #Ifs= 2 Cfg#= 1 Atr=e0 MxPwr=500mA
I:* If#= 0 Alt= 0 #EPs= 3 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=81(I) Atr=03(Int.) MxPS= 16 Ivl=1ms
E: Ad=02(O) Atr=02(Bulk) MxPS= 64 Ivl=0ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 64 Ivl=0ms
I:* If#= 1 Alt= 0 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 0 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 0 Ivl=1ms
I: If#= 1 Alt= 1 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 9 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 9 Ivl=1ms
I: If#= 1 Alt= 2 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 17 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 17 Ivl=1ms
I: If#= 1 Alt= 3 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 25 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 25 Ivl=1ms
I: If#= 1 Alt= 4 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 33 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 33 Ivl=1ms
I: If#= 1 Alt= 5 #EPs= 2 Cls=e0(wlcon) Sub=01 Prot=01 Driver=btusb
E: Ad=03(O) Atr=01(Isoc) MxPS= 49 Ivl=1ms
E: Ad=83(I) Atr=01(Isoc) MxPS= 49 Ivl=1ms
Signed-off-by: Hilda Wu <hildawu@realtek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index 0a58106207b0c..bc53da383f855 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -537,6 +537,8 @@ static const struct usb_device_id quirks_table[] = {
BTUSB_WIDEBAND_SPEECH },
{ USB_DEVICE(0x13d3, 0x3592), .driver_info = BTUSB_REALTEK |
BTUSB_WIDEBAND_SPEECH },
+ { USB_DEVICE(0x0489, 0xe122), .driver_info = BTUSB_REALTEK |
+ BTUSB_WIDEBAND_SPEECH },
/* Realtek 8852BE Bluetooth devices */
{ USB_DEVICE(0x0cb8, 0xc559), .driver_info = BTUSB_REALTEK |
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 077/386] Bluetooth: btrtl: Set msft ext address filter quirk for RTL8852B
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 076/386] Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0489:0xe122 Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 078/386] ACPI: video: Add force_vendor quirk for Panasonic Toughbook CF-18 Greg Kroah-Hartman
` (319 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hilda Wu, Luiz Augusto von Dentz,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hilda Wu <hildawu@realtek.com>
[ Upstream commit 9a0570948c5def5c59e588dc0e009ed850a1f5a1 ]
For tracking multiple devices concurrently with a condition.
The patch enables the HCI_QUIRK_USE_MSFT_EXT_ADDRESS_FILTER quirk
on RTL8852B controller.
The quirk setting is based on commit 9e14606d8f38 ("Bluetooth: msft:
Extended monitor tracking by address filter")
With this setting, when a pattern monitor detects a device, this
feature issues an address monitor for tracking that device. Let the
original pattern monitor keep monitor new devices.
Signed-off-by: Hilda Wu <hildawu@realtek.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btrtl.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/bluetooth/btrtl.c b/drivers/bluetooth/btrtl.c
index 277d039ecbb42..1e7c1f9db9e4b 100644
--- a/drivers/bluetooth/btrtl.c
+++ b/drivers/bluetooth/btrtl.c
@@ -1285,6 +1285,7 @@ void btrtl_set_quirks(struct hci_dev *hdev, struct btrtl_device_info *btrtl_dev)
btrealtek_set_flag(hdev, REALTEK_ALT6_CONTINUOUS_TX_CHIP);
if (btrtl_dev->project_id == CHIP_ID_8852A ||
+ btrtl_dev->project_id == CHIP_ID_8852B ||
btrtl_dev->project_id == CHIP_ID_8852C)
set_bit(HCI_QUIRK_USE_MSFT_EXT_ADDRESS_FILTER, &hdev->quirks);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 078/386] ACPI: video: Add force_vendor quirk for Panasonic Toughbook CF-18
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 077/386] Bluetooth: btrtl: Set msft ext address filter quirk for RTL8852B Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 079/386] ACPI: CPPC: Add support for setting EPP register in FFH Greg Kroah-Hartman
` (318 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit eb7b0f12e13ba99e64e3a690c2166895ed63b437 ]
The Panasonic Toughbook CF-18 advertises both native and vendor backlight
control interfaces. But only the vendor one actually works.
acpi_video_get_backlight_type() will pick the non working native backlight
by default, add a quirk to select the working vendor backlight instead.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://patch.msgid.link/20240907124419.21195-1-hdegoede@redhat.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/video_detect.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/acpi/video_detect.c b/drivers/acpi/video_detect.c
index 16ab2d9ef67f3..e96afb1622f95 100644
--- a/drivers/acpi/video_detect.c
+++ b/drivers/acpi/video_detect.c
@@ -260,6 +260,14 @@ static const struct dmi_system_id video_detect_dmi_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "PCG-FRV35"),
},
},
+ {
+ .callback = video_detect_force_vendor,
+ /* Panasonic Toughbook CF-18 */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Matsushita Electric Industrial"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "CF-18"),
+ },
+ },
/*
* Toshiba models with Transflective display, these need to use
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 079/386] ACPI: CPPC: Add support for setting EPP register in FFH
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 078/386] ACPI: video: Add force_vendor quirk for Panasonic Toughbook CF-18 Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 080/386] blk_iocost: fix more out of bound shifts Greg Kroah-Hartman
` (317 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, al0uette, vderp, Mario Limonciello,
Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit aaf21ac93909e08a12931173336bdb52ac8499f1 ]
Some Asus AMD systems are reported to not be able to change EPP values
because the BIOS doesn't advertise support for the CPPC MSR and the PCC
region is not configured.
However the ACPI 6.2 specification allows CPC registers to be declared
in FFH:
```
Starting with ACPI Specification 6.2, all _CPC registers can be in
PCC, System Memory, System IO, or Functional Fixed Hardware address
spaces. OSPM support for this more flexible register space scheme
is indicated by the “Flexible Address Space for CPPC Registers” _OSC
bit.
```
If this _OSC has been set allow using FFH to configure EPP.
Reported-by: al0uette@outlook.com
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=218686
Suggested-by: al0uette@outlook.com
Tested-by: vderp@icloud.com
Tested-by: al0uette@outlook.com
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Link: https://patch.msgid.link/20240910031524.106387-1-superm1@kernel.org
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/cppc_acpi.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/drivers/acpi/cppc_acpi.c b/drivers/acpi/cppc_acpi.c
index 28217a995f795..7aced0b9bad7c 100644
--- a/drivers/acpi/cppc_acpi.c
+++ b/drivers/acpi/cppc_acpi.c
@@ -100,6 +100,11 @@ static DEFINE_PER_CPU(struct cpc_desc *, cpc_desc_ptr);
(cpc)->cpc_entry.reg.space_id == \
ACPI_ADR_SPACE_PLATFORM_COMM)
+/* Check if a CPC register is in FFH */
+#define CPC_IN_FFH(cpc) ((cpc)->type == ACPI_TYPE_BUFFER && \
+ (cpc)->cpc_entry.reg.space_id == \
+ ACPI_ADR_SPACE_FIXED_HARDWARE)
+
/* Check if a CPC register is in SystemMemory */
#define CPC_IN_SYSTEM_MEMORY(cpc) ((cpc)->type == ACPI_TYPE_BUFFER && \
(cpc)->cpc_entry.reg.space_id == \
@@ -1514,9 +1519,12 @@ int cppc_set_epp_perf(int cpu, struct cppc_perf_ctrls *perf_ctrls, bool enable)
/* after writing CPC, transfer the ownership of PCC to platform */
ret = send_pcc_cmd(pcc_ss_id, CMD_WRITE);
up_write(&pcc_ss_data->pcc_lock);
+ } else if (osc_cpc_flexible_adr_space_confirmed &&
+ CPC_SUPPORTED(epp_set_reg) && CPC_IN_FFH(epp_set_reg)) {
+ ret = cpc_write(cpu, epp_set_reg, perf_ctrls->energy_perf);
} else {
ret = -ENOTSUPP;
- pr_debug("_CPC in PCC is not supported\n");
+ pr_debug("_CPC in PCC and _CPC in FFH are not supported\n");
}
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 080/386] blk_iocost: fix more out of bound shifts
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 079/386] ACPI: CPPC: Add support for setting EPP register in FFH Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 081/386] wifi: ath12k: fix array out-of-bound access in SoC stats Greg Kroah-Hartman
` (316 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Konstantin Ovsepian,
Tejun Heo, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Ovsepian <ovs@ovs.to>
[ Upstream commit 9bce8005ec0dcb23a58300e8522fe4a31da606fa ]
Recently running UBSAN caught few out of bound shifts in the
ioc_forgive_debts() function:
UBSAN: shift-out-of-bounds in block/blk-iocost.c:2142:38
shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
long')
...
UBSAN: shift-out-of-bounds in block/blk-iocost.c:2144:30
shift exponent 80 is too large for 64-bit type 'u64' (aka 'unsigned long
long')
...
Call Trace:
<IRQ>
dump_stack_lvl+0xca/0x130
__ubsan_handle_shift_out_of_bounds+0x22c/0x280
? __lock_acquire+0x6441/0x7c10
ioc_timer_fn+0x6cec/0x7750
? blk_iocost_init+0x720/0x720
? call_timer_fn+0x5d/0x470
call_timer_fn+0xfa/0x470
? blk_iocost_init+0x720/0x720
__run_timer_base+0x519/0x700
...
Actual impact of this issue was not identified but I propose to fix the
undefined behaviour.
The proposed fix to prevent those out of bound shifts consist of
precalculating exponent before using it the shift operations by taking
min value from the actual exponent and maximum possible number of bits.
Reported-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Konstantin Ovsepian <ovs@ovs.to>
Acked-by: Tejun Heo <tj@kernel.org>
Link: https://lore.kernel.org/r/20240822154137.2627818-1-ovs@ovs.to
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
block/blk-iocost.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/block/blk-iocost.c b/block/blk-iocost.c
index 0dca77591d66c..c3cb9c20b306c 100644
--- a/block/blk-iocost.c
+++ b/block/blk-iocost.c
@@ -2076,7 +2076,7 @@ static void ioc_forgive_debts(struct ioc *ioc, u64 usage_us_sum, int nr_debtors,
struct ioc_now *now)
{
struct ioc_gq *iocg;
- u64 dur, usage_pct, nr_cycles;
+ u64 dur, usage_pct, nr_cycles, nr_cycles_shift;
/* if no debtor, reset the cycle */
if (!nr_debtors) {
@@ -2138,10 +2138,12 @@ static void ioc_forgive_debts(struct ioc *ioc, u64 usage_us_sum, int nr_debtors,
old_debt = iocg->abs_vdebt;
old_delay = iocg->delay;
+ nr_cycles_shift = min_t(u64, nr_cycles, BITS_PER_LONG - 1);
if (iocg->abs_vdebt)
- iocg->abs_vdebt = iocg->abs_vdebt >> nr_cycles ?: 1;
+ iocg->abs_vdebt = iocg->abs_vdebt >> nr_cycles_shift ?: 1;
+
if (iocg->delay)
- iocg->delay = iocg->delay >> nr_cycles ?: 1;
+ iocg->delay = iocg->delay >> nr_cycles_shift ?: 1;
iocg_kick_waitq(iocg, true, now);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 081/386] wifi: ath12k: fix array out-of-bound access in SoC stats
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 080/386] blk_iocost: fix more out of bound shifts Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 082/386] wifi: ath11k: " Greg Kroah-Hartman
` (315 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Karthikeyan Periyasamy, Kalle Valo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
[ Upstream commit e106b7ad13c1d246adaa57df73edb8f8b8acb240 ]
Currently, the ath12k_soc_dp_stats::hal_reo_error array is defined with a
maximum size of DP_REO_DST_RING_MAX. However, the ath12k_dp_rx_process()
function access ath12k_soc_dp_stats::hal_reo_error using the REO
destination SRNG ring ID, which is incorrect. SRNG ring ID differ from
normal ring ID, and this usage leads to out-of-bounds array access. To
fix this issue, modify ath12k_dp_rx_process() to use the normal ring ID
directly instead of the SRNG ring ID to avoid out-of-bounds array access.
Tested-on: QCN9274 hw2.0 PCI WLAN.WBE.1.0.1-00029-QCAHKSWPL_SILICONZ-1
Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://patch.msgid.link/20240704070811.4186543-2-quic_periyasa@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath12k/dp_rx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath12k/dp_rx.c b/drivers/net/wireless/ath/ath12k/dp_rx.c
index d9bc07844fb71..70ad035acac75 100644
--- a/drivers/net/wireless/ath/ath12k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath12k/dp_rx.c
@@ -2670,7 +2670,7 @@ int ath12k_dp_rx_process(struct ath12k_base *ab, int ring_id,
if (push_reason !=
HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION) {
dev_kfree_skb_any(msdu);
- ab->soc_stats.hal_reo_error[dp->reo_dst_ring[ring_id].ring_id]++;
+ ab->soc_stats.hal_reo_error[ring_id]++;
continue;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 082/386] wifi: ath11k: fix array out-of-bound access in SoC stats
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 081/386] wifi: ath12k: fix array out-of-bound access in SoC stats Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 083/386] wifi: rtw88: select WANT_DEV_COREDUMP Greg Kroah-Hartman
` (314 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Karthikeyan Periyasamy, Kalle Valo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
[ Upstream commit 69f253e46af98af17e3efa3e5dfa72fcb7d1983d ]
Currently, the ath11k_soc_dp_stats::hal_reo_error array is defined with a
maximum size of DP_REO_DST_RING_MAX. However, the ath11k_dp_process_rx()
function access ath11k_soc_dp_stats::hal_reo_error using the REO
destination SRNG ring ID, which is incorrect. SRNG ring ID differ from
normal ring ID, and this usage leads to out-of-bounds array access. To fix
this issue, modify ath11k_dp_process_rx() to use the normal ring ID
directly instead of the SRNG ring ID to avoid out-of-bounds array access.
Tested-on: QCN9074 hw1.0 PCI WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1
Signed-off-by: Karthikeyan Periyasamy <quic_periyasa@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://patch.msgid.link/20240704070811.4186543-3-quic_periyasa@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/ath/ath11k/dp_rx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index b3499f966a9d6..a4d56136f42f7 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -2700,7 +2700,7 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id,
if (unlikely(push_reason !=
HAL_REO_DEST_RING_PUSH_REASON_ROUTING_INSTRUCTION)) {
dev_kfree_skb_any(msdu);
- ab->soc_stats.hal_reo_error[dp->reo_dst_ring[ring_id].ring_id]++;
+ ab->soc_stats.hal_reo_error[ring_id]++;
continue;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 083/386] wifi: rtw88: select WANT_DEV_COREDUMP
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 082/386] wifi: ath11k: " Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 084/386] ACPI: EC: Do not release locks during operation region accesses Greg Kroah-Hartman
` (313 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zong-Zhe Yang, Ping-Ke Shih,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zong-Zhe Yang <kevin_yang@realtek.com>
[ Upstream commit 7e989b0c1e33210c07340bf5228aa83ea52515b5 ]
We have invoked device coredump when fw crash.
Should select WANT_DEV_COREDUMP by ourselves.
Signed-off-by: Zong-Zhe Yang <kevin_yang@realtek.com>
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20240718070616.42217-1-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw88/Kconfig | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/net/wireless/realtek/rtw88/Kconfig b/drivers/net/wireless/realtek/rtw88/Kconfig
index cffad1c012499..2af2bc613458d 100644
--- a/drivers/net/wireless/realtek/rtw88/Kconfig
+++ b/drivers/net/wireless/realtek/rtw88/Kconfig
@@ -12,6 +12,7 @@ if RTW88
config RTW88_CORE
tristate
+ select WANT_DEV_COREDUMP
config RTW88_PCI
tristate
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 084/386] ACPI: EC: Do not release locks during operation region accesses
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 083/386] wifi: rtw88: select WANT_DEV_COREDUMP Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 085/386] ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Greg Kroah-Hartman
` (312 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rafael J. Wysocki, Hans de Goede,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ Upstream commit dc171114926ec390ab90f46534545420ec03e458 ]
It is not particularly useful to release locks (the EC mutex and the
ACPI global lock, if present) and re-acquire them immediately thereafter
during EC address space accesses in acpi_ec_space_handler().
First, releasing them for a while before grabbing them again does not
really help anyone because there may not be enough time for another
thread to acquire them.
Second, if another thread successfully acquires them and carries out
a new EC write or read in the middle if an operation region access in
progress, it may confuse the EC firmware, especially after the burst
mode has been enabled.
Finally, manipulating the locks after writing or reading every single
byte of data is overhead that it is better to avoid.
Accordingly, modify the code to carry out EC address space accesses
entirely without releasing the locks.
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Link: https://patch.msgid.link/12473338.O9o76ZdvQC@rjwysocki.net
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/ec.c | 55 +++++++++++++++++++++++++++++++++++++++++------
1 file changed, 49 insertions(+), 6 deletions(-)
diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
index 35e22a2af4e4b..115994dfefec1 100644
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -783,6 +783,9 @@ static int acpi_ec_transaction_unlocked(struct acpi_ec *ec,
unsigned long tmp;
int ret = 0;
+ if (t->rdata)
+ memset(t->rdata, 0, t->rlen);
+
/* start transaction */
spin_lock_irqsave(&ec->lock, tmp);
/* Enable GPE for command processing (IBF=0/OBF=1) */
@@ -819,8 +822,6 @@ static int acpi_ec_transaction(struct acpi_ec *ec, struct transaction *t)
if (!ec || (!t) || (t->wlen && !t->wdata) || (t->rlen && !t->rdata))
return -EINVAL;
- if (t->rdata)
- memset(t->rdata, 0, t->rlen);
mutex_lock(&ec->mutex);
if (ec->global_lock) {
@@ -847,7 +848,7 @@ static int acpi_ec_burst_enable(struct acpi_ec *ec)
.wdata = NULL, .rdata = &d,
.wlen = 0, .rlen = 1};
- return acpi_ec_transaction(ec, &t);
+ return acpi_ec_transaction_unlocked(ec, &t);
}
static int acpi_ec_burst_disable(struct acpi_ec *ec)
@@ -857,7 +858,7 @@ static int acpi_ec_burst_disable(struct acpi_ec *ec)
.wlen = 0, .rlen = 0};
return (acpi_ec_read_status(ec) & ACPI_EC_FLAG_BURST) ?
- acpi_ec_transaction(ec, &t) : 0;
+ acpi_ec_transaction_unlocked(ec, &t) : 0;
}
static int acpi_ec_read(struct acpi_ec *ec, u8 address, u8 *data)
@@ -873,6 +874,19 @@ static int acpi_ec_read(struct acpi_ec *ec, u8 address, u8 *data)
return result;
}
+static int acpi_ec_read_unlocked(struct acpi_ec *ec, u8 address, u8 *data)
+{
+ int result;
+ u8 d;
+ struct transaction t = {.command = ACPI_EC_COMMAND_READ,
+ .wdata = &address, .rdata = &d,
+ .wlen = 1, .rlen = 1};
+
+ result = acpi_ec_transaction_unlocked(ec, &t);
+ *data = d;
+ return result;
+}
+
static int acpi_ec_write(struct acpi_ec *ec, u8 address, u8 data)
{
u8 wdata[2] = { address, data };
@@ -883,6 +897,16 @@ static int acpi_ec_write(struct acpi_ec *ec, u8 address, u8 data)
return acpi_ec_transaction(ec, &t);
}
+static int acpi_ec_write_unlocked(struct acpi_ec *ec, u8 address, u8 data)
+{
+ u8 wdata[2] = { address, data };
+ struct transaction t = {.command = ACPI_EC_COMMAND_WRITE,
+ .wdata = wdata, .rdata = NULL,
+ .wlen = 2, .rlen = 0};
+
+ return acpi_ec_transaction_unlocked(ec, &t);
+}
+
int ec_read(u8 addr, u8 *val)
{
int err;
@@ -1323,6 +1347,7 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address,
struct acpi_ec *ec = handler_context;
int result = 0, i, bytes = bits / 8;
u8 *value = (u8 *)value64;
+ u32 glk;
if ((address > 0xFF) || !value || !handler_context)
return AE_BAD_PARAMETER;
@@ -1330,13 +1355,25 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address,
if (function != ACPI_READ && function != ACPI_WRITE)
return AE_BAD_PARAMETER;
+ mutex_lock(&ec->mutex);
+
+ if (ec->global_lock) {
+ acpi_status status;
+
+ status = acpi_acquire_global_lock(ACPI_EC_UDELAY_GLK, &glk);
+ if (ACPI_FAILURE(status)) {
+ result = -ENODEV;
+ goto unlock;
+ }
+ }
+
if (ec->busy_polling || bits > 8)
acpi_ec_burst_enable(ec);
for (i = 0; i < bytes; ++i, ++address, ++value) {
result = (function == ACPI_READ) ?
- acpi_ec_read(ec, address, value) :
- acpi_ec_write(ec, address, *value);
+ acpi_ec_read_unlocked(ec, address, value) :
+ acpi_ec_write_unlocked(ec, address, *value);
if (result < 0)
break;
}
@@ -1344,6 +1381,12 @@ acpi_ec_space_handler(u32 function, acpi_physical_address address,
if (ec->busy_polling || bits > 8)
acpi_ec_burst_disable(ec);
+ if (ec->global_lock)
+ acpi_release_global_lock(glk);
+
+unlock:
+ mutex_unlock(&ec->mutex);
+
switch (result) {
case -EINVAL:
return AE_BAD_PARAMETER;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 085/386] ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 084/386] ACPI: EC: Do not release locks during operation region accesses Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 086/386] tipc: guard against string buffer overrun Greg Kroah-Hartman
` (311 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pei Xiao, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pei Xiao <xiaopei01@kylinos.cn>
[ Upstream commit a5242874488eba2b9062985bf13743c029821330 ]
ACPICA commit 4d4547cf13cca820ff7e0f859ba83e1a610b9fd0
ACPI_ALLOCATE_ZEROED() may fail, elements might be NULL and will cause
NULL pointer dereference later.
Link: https://github.com/acpica/acpica/commit/4d4547cf
Signed-off-by: Pei Xiao <xiaopei01@kylinos.cn>
Link: https://patch.msgid.link/tencent_4A21A2865B8B0A0D12CAEBEB84708EDDB505@qq.com
[ rjw: Subject and changelog edits ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/dbconvert.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/acpi/acpica/dbconvert.c b/drivers/acpi/acpica/dbconvert.c
index 2b84ac093698a..8dbab69320499 100644
--- a/drivers/acpi/acpica/dbconvert.c
+++ b/drivers/acpi/acpica/dbconvert.c
@@ -174,6 +174,8 @@ acpi_status acpi_db_convert_to_package(char *string, union acpi_object *object)
elements =
ACPI_ALLOCATE_ZEROED(DB_DEFAULT_PKG_ELEMENTS *
sizeof(union acpi_object));
+ if (!elements)
+ return (AE_NO_MEMORY);
this = string;
for (i = 0; i < (DB_DEFAULT_PKG_ELEMENTS - 1); i++) {
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 086/386] tipc: guard against string buffer overrun
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 085/386] ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 087/386] net: mvpp2: Increase size of queue_name buffer Greg Kroah-Hartman
` (310 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Simon Horman,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Horman <horms@kernel.org>
[ Upstream commit 6555a2a9212be6983d2319d65276484f7c5f431a ]
Smatch reports that copying media_name and if_name to name_parts may
overwrite the destination.
.../bearer.c:166 bearer_name_validate() error: strcpy() 'media_name' too large for 'name_parts->media_name' (32 vs 16)
.../bearer.c:167 bearer_name_validate() error: strcpy() 'if_name' too large for 'name_parts->if_name' (1010102 vs 16)
This does seem to be the case so guard against this possibility by using
strscpy() and failing if truncation occurs.
Introduced by commit b97bf3fd8f6a ("[TIPC] Initial merge")
Compile tested only.
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240801-tipic-overrun-v2-1-c5b869d1f074@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tipc/bearer.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 878415c435276..fec638e494c9d 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -163,8 +163,12 @@ static int bearer_name_validate(const char *name,
/* return bearer name components, if necessary */
if (name_parts) {
- strcpy(name_parts->media_name, media_name);
- strcpy(name_parts->if_name, if_name);
+ if (strscpy(name_parts->media_name, media_name,
+ TIPC_MAX_MEDIA_NAME) < 0)
+ return 0;
+ if (strscpy(name_parts->if_name, if_name,
+ TIPC_MAX_IF_NAME) < 0)
+ return 0;
}
return 1;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 087/386] net: mvpp2: Increase size of queue_name buffer
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 086/386] tipc: guard against string buffer overrun Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 088/386] bnxt_en: Extend maximum length of version string by 1 byte Greg Kroah-Hartman
` (309 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Marcin Wojtas,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Horman <horms@kernel.org>
[ Upstream commit 91d516d4de48532d967a77967834e00c8c53dfe6 ]
Increase size of queue_name buffer from 30 to 31 to accommodate
the largest string written to it. This avoids truncation in
the possibly unlikely case where the string is name is the
maximum size.
Flagged by gcc-14:
.../mvpp2_main.c: In function 'mvpp2_probe':
.../mvpp2_main.c:7636:32: warning: 'snprintf' output may be truncated before the last format character [-Wformat-truncation=]
7636 | "stats-wq-%s%s", netdev_name(priv->port_list[0]->dev),
| ^
.../mvpp2_main.c:7635:9: note: 'snprintf' output between 10 and 31 bytes into a destination of size 30
7635 | snprintf(priv->queue_name, sizeof(priv->queue_name),
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
7636 | "stats-wq-%s%s", netdev_name(priv->port_list[0]->dev),
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
7637 | priv->port_count > 1 ? "+" : "");
| ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Introduced by commit 118d6298f6f0 ("net: mvpp2: add ethtool GOP statistics").
I am not flagging this as a bug as I am not aware that it is one.
Compile tested only.
Signed-off-by: Simon Horman <horms@kernel.org>
Reviewed-by: Marcin Wojtas <marcin.s.wojtas@gmail.com>
Link: https://patch.msgid.link/20240806-mvpp2-namelen-v1-1-6dc773653f2f@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
index e809f91c08fb9..9e02e4367bec8 100644
--- a/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
+++ b/drivers/net/ethernet/marvell/mvpp2/mvpp2.h
@@ -1088,7 +1088,7 @@ struct mvpp2 {
unsigned int max_port_rxqs;
/* Workqueue to gather hardware statistics */
- char queue_name[30];
+ char queue_name[31];
struct workqueue_struct *stats_queue;
/* Debugfs root entry */
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 088/386] bnxt_en: Extend maximum length of version string by 1 byte
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 087/386] net: mvpp2: Increase size of queue_name buffer Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 089/386] ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) Greg Kroah-Hartman
` (308 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Michael Chan,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Horman <horms@kernel.org>
[ Upstream commit ffff7ee843c351ce71d6e0d52f0f20bea35e18c9 ]
This corrects an out-by-one error in the maximum length of the package
version string. The size argument of snprintf includes space for the
trailing '\0' byte, so there is no need to allow extra space for it by
reducing the value of the size argument by 1.
Found by inspection.
Compile tested only.
Signed-off-by: Simon Horman <horms@kernel.org>
Reviewed-by: Michael Chan <michael.chan@broadcom.com>
Link: https://patch.msgid.link/20240813-bnxt-str-v2-1-872050a157e7@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
index 3c36dd8051485..2e7ddbca9d53b 100644
--- a/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
+++ b/drivers/net/ethernet/broadcom/bnxt/bnxt_ethtool.c
@@ -3021,7 +3021,7 @@ static void bnxt_get_pkgver(struct net_device *dev)
if (!bnxt_get_pkginfo(dev, buf, sizeof(buf))) {
len = strlen(bp->fw_ver_str);
- snprintf(bp->fw_ver_str + len, FW_VER_STR_LEN - len - 1,
+ snprintf(bp->fw_ver_str + len, FW_VER_STR_LEN - len,
"/pkg %s", buf);
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 089/386] ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR).
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 088/386] bnxt_en: Extend maximum length of version string by 1 byte Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 090/386] wifi: rtw89: correct base HT rate mask for firmware Greg Kroah-Hartman
` (307 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuniyuki Iwashima, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
[ Upstream commit e3af3d3c5b26c33a7950e34e137584f6056c4319 ]
dev->ip_ptr could be NULL if we set an invalid MTU.
Even then, if we issue ioctl(SIOCSIFADDR) for a new IPv4 address,
devinet_ioctl() allocates struct in_ifaddr and fails later in
inet_set_ifa() because in_dev is NULL.
Let's move the check earlier.
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://patch.msgid.link/20240809235406.50187-2-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/devinet.c | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/devinet.c b/net/ipv4/devinet.c
index bc74f131fe4df..cb0c80328eebf 100644
--- a/net/ipv4/devinet.c
+++ b/net/ipv4/devinet.c
@@ -569,10 +569,6 @@ static int inet_set_ifa(struct net_device *dev, struct in_ifaddr *ifa)
ASSERT_RTNL();
- if (!in_dev) {
- inet_free_ifa(ifa);
- return -ENOBUFS;
- }
ipv4_devconf_setall(in_dev);
neigh_parms_data_state_setall(in_dev->arp_parms);
if (ifa->ifa_dev != in_dev) {
@@ -1174,6 +1170,8 @@ int devinet_ioctl(struct net *net, unsigned int cmd, struct ifreq *ifr)
if (!ifa) {
ret = -ENOBUFS;
+ if (!in_dev)
+ break;
ifa = inet_alloc_ifa();
if (!ifa)
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 090/386] wifi: rtw89: correct base HT rate mask for firmware
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 089/386] ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 091/386] ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Greg Kroah-Hartman
` (306 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ping-Ke Shih, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ping-Ke Shih <pkshih@realtek.com>
[ Upstream commit 45742881f9eee2a4daeb6008e648a460dd3742cd ]
Coverity reported that u8 rx_mask << 24 will become signed 32 bits, which
casting to unsigned 64 bits will do sign extension. For example,
putting 0x80000000 (signed 32 bits) to a u64 variable will become
0xFFFFFFFF_80000000.
The real case we meet is:
rx_mask[0...3] = ff ff 00 00
ra_mask = 0xffffffff_ff0ff000
After this fix:
rx_mask[0...3] = ff ff 00 00
ra_mask = 0x00000000_ff0ff000
Fortunately driver does bitwise-AND with incorrect ra_mask and supported
rates (1ss and 2ss rate only) afterward, so the final rate mask of
original code is still correct.
Addresses-Coverity-ID: 1504762 ("Unintended sign extension")
Signed-off-by: Ping-Ke Shih <pkshih@realtek.com>
Link: https://patch.msgid.link/20240809072012.84152-5-pkshih@realtek.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/realtek/rtw89/phy.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/wireless/realtek/rtw89/phy.c b/drivers/net/wireless/realtek/rtw89/phy.c
index 7139146cb3fad..fac83b718a30c 100644
--- a/drivers/net/wireless/realtek/rtw89/phy.c
+++ b/drivers/net/wireless/realtek/rtw89/phy.c
@@ -284,8 +284,8 @@ static void rtw89_phy_ra_sta_update(struct rtw89_dev *rtwdev,
csi_mode = RTW89_RA_RPT_MODE_HT;
ra_mask |= ((u64)sta->deflink.ht_cap.mcs.rx_mask[3] << 48) |
((u64)sta->deflink.ht_cap.mcs.rx_mask[2] << 36) |
- (sta->deflink.ht_cap.mcs.rx_mask[1] << 24) |
- (sta->deflink.ht_cap.mcs.rx_mask[0] << 12);
+ ((u64)sta->deflink.ht_cap.mcs.rx_mask[1] << 24) |
+ ((u64)sta->deflink.ht_cap.mcs.rx_mask[0] << 12);
high_rate_masks = rtw89_ra_mask_ht_rates;
if (sta->deflink.ht_cap.cap & IEEE80211_HT_CAP_RX_STBC)
stbc_en = 1;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 091/386] ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 090/386] wifi: rtw89: correct base HT rate mask for firmware Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 092/386] net: atlantic: Avoid warning about potential string truncation Greg Kroah-Hartman
` (305 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ido Schimmel, Guillaume Nault,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ido Schimmel <idosch@nvidia.com>
[ Upstream commit 8fed54758cd248cd311a2b5c1e180abef1866237 ]
The NETLINK_FIB_LOOKUP netlink family can be used to perform a FIB
lookup according to user provided parameters and communicate the result
back to user space.
However, unlike other users of the FIB lookup API, the upper DSCP bits
and the ECN bits of the DS field are not masked, which can result in the
wrong result being returned.
Solve this by masking the upper DSCP bits and the ECN bits using
IPTOS_RT_MASK.
The structure that communicates the request and the response is not
exported to user space, so it is unlikely that this netlink family is
actually in use [1].
[1] https://lore.kernel.org/netdev/ZpqpB8vJU%2FQ6LSqa@debian/
Signed-off-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Guillaume Nault <gnault@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/fib_frontend.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/fib_frontend.c b/net/ipv4/fib_frontend.c
index 390f4be7f7bec..90ce87ffed461 100644
--- a/net/ipv4/fib_frontend.c
+++ b/net/ipv4/fib_frontend.c
@@ -1343,7 +1343,7 @@ static void nl_fib_lookup(struct net *net, struct fib_result_nl *frn)
struct flowi4 fl4 = {
.flowi4_mark = frn->fl_mark,
.daddr = frn->fl_addr,
- .flowi4_tos = frn->fl_tos,
+ .flowi4_tos = frn->fl_tos & IPTOS_RT_MASK,
.flowi4_scope = frn->fl_scope,
};
struct fib_table *tb;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 092/386] net: atlantic: Avoid warning about potential string truncation
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 091/386] ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 093/386] crypto: simd - Do not call crypto_alloc_tfm during registration Greg Kroah-Hartman
` (304 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Simon Horman, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Simon Horman <horms@kernel.org>
[ Upstream commit 5874e0c9f25661c2faefe4809907166defae3d7f ]
W=1 builds with GCC 14.2.0 warn that:
.../aq_ethtool.c:278:59: warning: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 6 [-Wformat-truncation=]
278 | snprintf(tc_string, 8, "TC%d ", tc);
| ^~
.../aq_ethtool.c:278:56: note: directive argument in the range [-2147483641, 254]
278 | snprintf(tc_string, 8, "TC%d ", tc);
| ^~~~~~~
.../aq_ethtool.c:278:33: note: ‘snprintf’ output between 5 and 15 bytes into a destination of size 8
278 | snprintf(tc_string, 8, "TC%d ", tc);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
tc is always in the range 0 - cfg->tcs. And as cfg->tcs is a u8,
the range is 0 - 255. Further, on inspecting the code, it seems
that cfg->tcs will never be more than AQ_CFG_TCS_MAX (8), so
the range is actually 0 - 8.
So, it seems that the condition that GCC flags will not occur.
But, nonetheless, it would be nice if it didn't emit the warning.
It seems that this can be achieved by changing the format specifier
from %d to %u, in which case I believe GCC recognises an upper bound
on the range of tc of 0 - 255. After some experimentation I think
this is due to the combination of the use of %u and the type of
cfg->tcs (u8).
Empirically, updating the type of the tc variable to unsigned int
has the same effect.
As both of these changes seem to make sense in relation to what the code
is actually doing - iterating over unsigned values - do both.
Compile tested only.
Signed-off-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240821-atlantic-str-v1-1-fa2cfe38ca00@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c b/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c
index ac4ea93bd8dda..eaef14ea5dd2e 100644
--- a/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c
+++ b/drivers/net/ethernet/aquantia/atlantic/aq_ethtool.c
@@ -265,7 +265,7 @@ static void aq_ethtool_get_strings(struct net_device *ndev,
const int rx_stat_cnt = ARRAY_SIZE(aq_ethtool_queue_rx_stat_names);
const int tx_stat_cnt = ARRAY_SIZE(aq_ethtool_queue_tx_stat_names);
char tc_string[8];
- int tc;
+ unsigned int tc;
memset(tc_string, 0, sizeof(tc_string));
memcpy(p, aq_ethtool_stat_names,
@@ -274,7 +274,7 @@ static void aq_ethtool_get_strings(struct net_device *ndev,
for (tc = 0; tc < cfg->tcs; tc++) {
if (cfg->is_qos)
- snprintf(tc_string, 8, "TC%d ", tc);
+ snprintf(tc_string, 8, "TC%u ", tc);
for (i = 0; i < cfg->vecs; i++) {
for (si = 0; si < rx_stat_cnt; si++) {
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 093/386] crypto: simd - Do not call crypto_alloc_tfm during registration
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 092/386] net: atlantic: Avoid warning about potential string truncation Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 094/386] netpoll: Ensure clean state on setup failures Greg Kroah-Hartman
` (303 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Herbert Xu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
[ Upstream commit 3c44d31cb34ce4eb8311a2e73634d57702948230 ]
Algorithm registration is usually carried out during module init,
where as little work as possible should be carried out. The SIMD
code violated this rule by allocating a tfm, this then triggers a
full test of the algorithm which may dead-lock in certain cases.
SIMD is only allocating the tfm to get at the alg object, which is
in fact already available as it is what we are registering. Use
that directly and remove the crypto_alloc_tfm call.
Also remove some obsolete and unused SIMD API.
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/crypto/aes-ce-glue.c | 2 +-
arch/arm/crypto/aes-neonbs-glue.c | 2 +-
crypto/simd.c | 76 ++++++-------------------------
include/crypto/internal/simd.h | 12 +----
4 files changed, 19 insertions(+), 73 deletions(-)
diff --git a/arch/arm/crypto/aes-ce-glue.c b/arch/arm/crypto/aes-ce-glue.c
index b668c97663ec0..f5b66f4cf45d9 100644
--- a/arch/arm/crypto/aes-ce-glue.c
+++ b/arch/arm/crypto/aes-ce-glue.c
@@ -711,7 +711,7 @@ static int __init aes_init(void)
algname = aes_algs[i].base.cra_name + 2;
drvname = aes_algs[i].base.cra_driver_name + 2;
basename = aes_algs[i].base.cra_driver_name;
- simd = simd_skcipher_create_compat(algname, drvname, basename);
+ simd = simd_skcipher_create_compat(aes_algs + i, algname, drvname, basename);
err = PTR_ERR(simd);
if (IS_ERR(simd))
goto unregister_simds;
diff --git a/arch/arm/crypto/aes-neonbs-glue.c b/arch/arm/crypto/aes-neonbs-glue.c
index f00f042ef3570..0ca94b90bc4ec 100644
--- a/arch/arm/crypto/aes-neonbs-glue.c
+++ b/arch/arm/crypto/aes-neonbs-glue.c
@@ -539,7 +539,7 @@ static int __init aes_init(void)
algname = aes_algs[i].base.cra_name + 2;
drvname = aes_algs[i].base.cra_driver_name + 2;
basename = aes_algs[i].base.cra_driver_name;
- simd = simd_skcipher_create_compat(algname, drvname, basename);
+ simd = simd_skcipher_create_compat(aes_algs + i, algname, drvname, basename);
err = PTR_ERR(simd);
if (IS_ERR(simd))
goto unregister_simds;
diff --git a/crypto/simd.c b/crypto/simd.c
index edaa479a1ec5e..d109866641a26 100644
--- a/crypto/simd.c
+++ b/crypto/simd.c
@@ -136,27 +136,19 @@ static int simd_skcipher_init(struct crypto_skcipher *tfm)
return 0;
}
-struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname,
+struct simd_skcipher_alg *simd_skcipher_create_compat(struct skcipher_alg *ialg,
+ const char *algname,
const char *drvname,
const char *basename)
{
struct simd_skcipher_alg *salg;
- struct crypto_skcipher *tfm;
- struct skcipher_alg *ialg;
struct skcipher_alg *alg;
int err;
- tfm = crypto_alloc_skcipher(basename, CRYPTO_ALG_INTERNAL,
- CRYPTO_ALG_INTERNAL | CRYPTO_ALG_ASYNC);
- if (IS_ERR(tfm))
- return ERR_CAST(tfm);
-
- ialg = crypto_skcipher_alg(tfm);
-
salg = kzalloc(sizeof(*salg), GFP_KERNEL);
if (!salg) {
salg = ERR_PTR(-ENOMEM);
- goto out_put_tfm;
+ goto out;
}
salg->ialg_name = basename;
@@ -195,30 +187,16 @@ struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname,
if (err)
goto out_free_salg;
-out_put_tfm:
- crypto_free_skcipher(tfm);
+out:
return salg;
out_free_salg:
kfree(salg);
salg = ERR_PTR(err);
- goto out_put_tfm;
+ goto out;
}
EXPORT_SYMBOL_GPL(simd_skcipher_create_compat);
-struct simd_skcipher_alg *simd_skcipher_create(const char *algname,
- const char *basename)
-{
- char drvname[CRYPTO_MAX_ALG_NAME];
-
- if (snprintf(drvname, CRYPTO_MAX_ALG_NAME, "simd-%s", basename) >=
- CRYPTO_MAX_ALG_NAME)
- return ERR_PTR(-ENAMETOOLONG);
-
- return simd_skcipher_create_compat(algname, drvname, basename);
-}
-EXPORT_SYMBOL_GPL(simd_skcipher_create);
-
void simd_skcipher_free(struct simd_skcipher_alg *salg)
{
crypto_unregister_skcipher(&salg->alg);
@@ -246,7 +224,7 @@ int simd_register_skciphers_compat(struct skcipher_alg *algs, int count,
algname = algs[i].base.cra_name + 2;
drvname = algs[i].base.cra_driver_name + 2;
basename = algs[i].base.cra_driver_name;
- simd = simd_skcipher_create_compat(algname, drvname, basename);
+ simd = simd_skcipher_create_compat(algs + i, algname, drvname, basename);
err = PTR_ERR(simd);
if (IS_ERR(simd))
goto err_unregister;
@@ -383,27 +361,19 @@ static int simd_aead_init(struct crypto_aead *tfm)
return 0;
}
-struct simd_aead_alg *simd_aead_create_compat(const char *algname,
- const char *drvname,
- const char *basename)
+static struct simd_aead_alg *simd_aead_create_compat(struct aead_alg *ialg,
+ const char *algname,
+ const char *drvname,
+ const char *basename)
{
struct simd_aead_alg *salg;
- struct crypto_aead *tfm;
- struct aead_alg *ialg;
struct aead_alg *alg;
int err;
- tfm = crypto_alloc_aead(basename, CRYPTO_ALG_INTERNAL,
- CRYPTO_ALG_INTERNAL | CRYPTO_ALG_ASYNC);
- if (IS_ERR(tfm))
- return ERR_CAST(tfm);
-
- ialg = crypto_aead_alg(tfm);
-
salg = kzalloc(sizeof(*salg), GFP_KERNEL);
if (!salg) {
salg = ERR_PTR(-ENOMEM);
- goto out_put_tfm;
+ goto out;
}
salg->ialg_name = basename;
@@ -442,36 +412,20 @@ struct simd_aead_alg *simd_aead_create_compat(const char *algname,
if (err)
goto out_free_salg;
-out_put_tfm:
- crypto_free_aead(tfm);
+out:
return salg;
out_free_salg:
kfree(salg);
salg = ERR_PTR(err);
- goto out_put_tfm;
-}
-EXPORT_SYMBOL_GPL(simd_aead_create_compat);
-
-struct simd_aead_alg *simd_aead_create(const char *algname,
- const char *basename)
-{
- char drvname[CRYPTO_MAX_ALG_NAME];
-
- if (snprintf(drvname, CRYPTO_MAX_ALG_NAME, "simd-%s", basename) >=
- CRYPTO_MAX_ALG_NAME)
- return ERR_PTR(-ENAMETOOLONG);
-
- return simd_aead_create_compat(algname, drvname, basename);
+ goto out;
}
-EXPORT_SYMBOL_GPL(simd_aead_create);
-void simd_aead_free(struct simd_aead_alg *salg)
+static void simd_aead_free(struct simd_aead_alg *salg)
{
crypto_unregister_aead(&salg->alg);
kfree(salg);
}
-EXPORT_SYMBOL_GPL(simd_aead_free);
int simd_register_aeads_compat(struct aead_alg *algs, int count,
struct simd_aead_alg **simd_algs)
@@ -493,7 +447,7 @@ int simd_register_aeads_compat(struct aead_alg *algs, int count,
algname = algs[i].base.cra_name + 2;
drvname = algs[i].base.cra_driver_name + 2;
basename = algs[i].base.cra_driver_name;
- simd = simd_aead_create_compat(algname, drvname, basename);
+ simd = simd_aead_create_compat(algs + i, algname, drvname, basename);
err = PTR_ERR(simd);
if (IS_ERR(simd))
goto err_unregister;
diff --git a/include/crypto/internal/simd.h b/include/crypto/internal/simd.h
index d2316242a9884..be97b97a75dd2 100644
--- a/include/crypto/internal/simd.h
+++ b/include/crypto/internal/simd.h
@@ -14,11 +14,10 @@
struct simd_skcipher_alg;
struct skcipher_alg;
-struct simd_skcipher_alg *simd_skcipher_create_compat(const char *algname,
+struct simd_skcipher_alg *simd_skcipher_create_compat(struct skcipher_alg *ialg,
+ const char *algname,
const char *drvname,
const char *basename);
-struct simd_skcipher_alg *simd_skcipher_create(const char *algname,
- const char *basename);
void simd_skcipher_free(struct simd_skcipher_alg *alg);
int simd_register_skciphers_compat(struct skcipher_alg *algs, int count,
@@ -32,13 +31,6 @@ void simd_unregister_skciphers(struct skcipher_alg *algs, int count,
struct simd_aead_alg;
struct aead_alg;
-struct simd_aead_alg *simd_aead_create_compat(const char *algname,
- const char *drvname,
- const char *basename);
-struct simd_aead_alg *simd_aead_create(const char *algname,
- const char *basename);
-void simd_aead_free(struct simd_aead_alg *alg);
-
int simd_register_aeads_compat(struct aead_alg *algs, int count,
struct simd_aead_alg **simd_algs);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 094/386] netpoll: Ensure clean state on setup failures
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 093/386] crypto: simd - Do not call crypto_alloc_tfm during registration Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 095/386] tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Greg Kroah-Hartman
` (302 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Breno Leitao,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Breno Leitao <leitao@debian.org>
[ Upstream commit ae5a0456e0b4cfd7e61619e55251ffdf1bc7adfb ]
Modify netpoll_setup() and __netpoll_setup() to ensure that the netpoll
structure (np) is left in a clean state if setup fails for any reason.
This prevents carrying over misconfigured fields in case of partial
setup success.
Key changes:
- np->dev is now set only after successful setup, ensuring it's always
NULL if netpoll is not configured or if netpoll_setup() fails.
- np->local_ip is zeroed if netpoll setup doesn't complete successfully.
- Added DEBUG_NET_WARN_ON_ONCE() checks to catch unexpected states.
- Reordered some operations in __netpoll_setup() for better logical flow.
These changes improve the reliability of netpoll configuration, since it
assures that the structure is fully initialized or totally unset.
Suggested-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Breno Leitao <leitao@debian.org>
Link: https://patch.msgid.link/20240822111051.179850-2-leitao@debian.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/core/netpoll.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
diff --git a/net/core/netpoll.c b/net/core/netpoll.c
index 55bcacf67df3b..e082139004093 100644
--- a/net/core/netpoll.c
+++ b/net/core/netpoll.c
@@ -626,12 +626,9 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
const struct net_device_ops *ops;
int err;
- np->dev = ndev;
- strscpy(np->dev_name, ndev->name, IFNAMSIZ);
-
if (ndev->priv_flags & IFF_DISABLE_NETPOLL) {
np_err(np, "%s doesn't support polling, aborting\n",
- np->dev_name);
+ ndev->name);
err = -ENOTSUPP;
goto out;
}
@@ -649,7 +646,7 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
refcount_set(&npinfo->refcnt, 1);
- ops = np->dev->netdev_ops;
+ ops = ndev->netdev_ops;
if (ops->ndo_netpoll_setup) {
err = ops->ndo_netpoll_setup(ndev, npinfo);
if (err)
@@ -660,6 +657,8 @@ int __netpoll_setup(struct netpoll *np, struct net_device *ndev)
refcount_inc(&npinfo->refcnt);
}
+ np->dev = ndev;
+ strscpy(np->dev_name, ndev->name, IFNAMSIZ);
npinfo->netpoll = np;
/* last thing to do is link it to the net device structure */
@@ -677,6 +676,7 @@ EXPORT_SYMBOL_GPL(__netpoll_setup);
int netpoll_setup(struct netpoll *np)
{
struct net_device *ndev = NULL;
+ bool ip_overwritten = false;
struct in_device *in_dev;
int err;
@@ -741,6 +741,7 @@ int netpoll_setup(struct netpoll *np)
}
np->local_ip.ip = ifa->ifa_local;
+ ip_overwritten = true;
np_info(np, "local IP %pI4\n", &np->local_ip.ip);
} else {
#if IS_ENABLED(CONFIG_IPV6)
@@ -757,6 +758,7 @@ int netpoll_setup(struct netpoll *np)
!!(ipv6_addr_type(&np->remote_ip.in6) & IPV6_ADDR_LINKLOCAL))
continue;
np->local_ip.in6 = ifp->addr;
+ ip_overwritten = true;
err = 0;
break;
}
@@ -787,6 +789,9 @@ int netpoll_setup(struct netpoll *np)
return 0;
put:
+ DEBUG_NET_WARN_ON_ONCE(np->dev);
+ if (ip_overwritten)
+ memset(&np->local_ip, 0, sizeof(np->local_ip));
netdev_put(ndev, &np->dev_tracker);
unlock:
rtnl_unlock();
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 095/386] tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 094/386] netpoll: Ensure clean state on setup failures Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 096/386] wifi: iwlwifi: mvm: use correct key iteration Greg Kroah-Hartman
` (301 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jade Dong, Jason Xing, Eric Dumazet,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jason Xing <kernelxing@tencent.com>
[ Upstream commit 0d9e5df4a257afc3a471a82961ace9a22b88295a ]
We found that one close-wait socket was reset by the other side
due to a new connection reusing the same port which is beyond our
expectation, so we have to investigate the underlying reason.
The following experiment is conducted in the test environment. We
limit the port range from 40000 to 40010 and delay the time to close()
after receiving a fin from the active close side, which can help us
easily reproduce like what happened in production.
Here are three connections captured by tcpdump:
127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965525191
127.0.0.1.9999 > 127.0.0.1.40002: Flags [S.], seq 2769915070
127.0.0.1.40002 > 127.0.0.1.9999: Flags [.], ack 1
127.0.0.1.40002 > 127.0.0.1.9999: Flags [F.], seq 1, ack 1
// a few seconds later, within 60 seconds
127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965590730
127.0.0.1.9999 > 127.0.0.1.40002: Flags [.], ack 2
127.0.0.1.40002 > 127.0.0.1.9999: Flags [R], seq 2965525193
// later, very quickly
127.0.0.1.40002 > 127.0.0.1.9999: Flags [S], seq 2965590730
127.0.0.1.9999 > 127.0.0.1.40002: Flags [S.], seq 3120990805
127.0.0.1.40002 > 127.0.0.1.9999: Flags [.], ack 1
As we can see, the first flow is reset because:
1) client starts a new connection, I mean, the second one
2) client tries to find a suitable port which is a timewait socket
(its state is timewait, substate is fin_wait2)
3) client occupies that timewait port to send a SYN
4) server finds a corresponding close-wait socket in ehash table,
then replies with a challenge ack
5) client sends an RST to terminate this old close-wait socket.
I don't think the port selection algo can choose a FIN_WAIT2 socket
when we turn on tcp_tw_reuse because on the server side there
remain unread data. In some cases, if one side haven't call close() yet,
we should not consider it as expendable and treat it at will.
Even though, sometimes, the server isn't able to call close() as soon
as possible like what we expect, it can not be terminated easily,
especially due to a second unrelated connection happening.
After this patch, we can see the expected failure if we start a
connection when all the ports are occupied in fin_wait2 state:
"Ncat: Cannot assign requested address."
Reported-by: Jade Dong <jadedong@tencent.com>
Signed-off-by: Jason Xing <kernelxing@tencent.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20240823001152.31004-1-kerneljasonxing@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_ipv4.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 96d235bcf5cb2..df3ddf31f8e67 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -116,6 +116,9 @@ int tcp_twsk_unique(struct sock *sk, struct sock *sktw, void *twp)
const struct tcp_timewait_sock *tcptw = tcp_twsk(sktw);
struct tcp_sock *tp = tcp_sk(sk);
+ if (tw->tw_substate == TCP_FIN_WAIT2)
+ reuse = 0;
+
if (reuse == 2) {
/* Still does not detect *everything* that goes through
* lo, since we require a loopback src or dst address
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 096/386] wifi: iwlwifi: mvm: use correct key iteration
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 095/386] tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 097/386] wifi: iwlwifi: mvm: avoid NULL pointer dereference Greg Kroah-Hartman
` (300 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Berg, Miri Korenblit,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 4f1591d292277eec51d027405a92f0d4ef5e299e ]
In the cases changed here, key iteration isn't done from
an RCU critical section, but rather using the wiphy lock
as protection. Therefore, just use ieee80211_iter_keys().
The link switch case can therefore also use sync commands.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20240729201718.69a2d18580c1.I2148e04d4b467d0b100beac8f7e449bfaaf775a5@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
index fe4b39b19a612..7c9234929b4f1 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/mld-key.c
@@ -141,7 +141,7 @@ static void iwl_mvm_mld_update_sta_key(struct ieee80211_hw *hw,
if (sta != data->sta || key->link_id >= 0)
return;
- err = iwl_mvm_send_cmd_pdu(mvm, cmd_id, CMD_ASYNC, sizeof(cmd), &cmd);
+ err = iwl_mvm_send_cmd_pdu(mvm, cmd_id, 0, sizeof(cmd), &cmd);
if (err)
data->err = err;
@@ -159,8 +159,8 @@ int iwl_mvm_mld_update_sta_keys(struct iwl_mvm *mvm,
.new_sta_mask = new_sta_mask,
};
- ieee80211_iter_keys_rcu(mvm->hw, vif, iwl_mvm_mld_update_sta_key,
- &data);
+ ieee80211_iter_keys(mvm->hw, vif, iwl_mvm_mld_update_sta_key,
+ &data);
return data.err;
}
@@ -384,7 +384,7 @@ void iwl_mvm_sec_key_remove_ap(struct iwl_mvm *mvm,
if (!sec_key_ver)
return;
- ieee80211_iter_keys_rcu(mvm->hw, vif,
- iwl_mvm_sec_key_remove_ap_iter,
- (void *)(uintptr_t)link_id);
+ ieee80211_iter_keys(mvm->hw, vif,
+ iwl_mvm_sec_key_remove_ap_iter,
+ (void *)(uintptr_t)link_id);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 097/386] wifi: iwlwifi: mvm: avoid NULL pointer dereference
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 096/386] wifi: iwlwifi: mvm: use correct key iteration Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 098/386] wifi: mac80211: fix RCU list iterations Greg Kroah-Hartman
` (299 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miri Korenblit, Johannes Berg,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miri Korenblit <miriam.rachel.korenblit@intel.com>
[ Upstream commit 557a6cd847645e667f3b362560bd7e7c09aac284 ]
iwl_mvm_tx_skb_sta() and iwl_mvm_tx_mpdu() verify that the mvmvsta
pointer is not NULL.
It retrieves this pointer using iwl_mvm_sta_from_mac80211, which is
dereferencing the ieee80211_sta pointer.
If sta is NULL, iwl_mvm_sta_from_mac80211 will dereference a NULL
pointer.
Fix this by checking the sta pointer before retrieving the mvmsta
from it. If sta is not NULL, then mvmsta isn't either.
Signed-off-by: Miri Korenblit <miriam.rachel.korenblit@intel.com>
Reviewed-by: Johannes Berg <johannes.berg@intel.com>
Link: https://patch.msgid.link/20240825191257.880921ce23b7.I340052d70ab6d3410724ce955eb00da10e08188f@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
index 3adb1acc07191..ce5f2bdde1388 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -1145,6 +1145,9 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
bool is_ampdu = false;
int hdrlen;
+ if (WARN_ON_ONCE(!sta))
+ return -1;
+
mvmsta = iwl_mvm_sta_from_mac80211(sta);
fc = hdr->frame_control;
hdrlen = ieee80211_hdrlen(fc);
@@ -1152,9 +1155,6 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
if (IWL_MVM_NON_TRANSMITTING_AP && ieee80211_is_probe_resp(fc))
return -1;
- if (WARN_ON_ONCE(!mvmsta))
- return -1;
-
if (WARN_ON_ONCE(mvmsta->deflink.sta_id == IWL_MVM_INVALID_STA))
return -1;
@@ -1285,7 +1285,7 @@ static int iwl_mvm_tx_mpdu(struct iwl_mvm *mvm, struct sk_buff *skb,
int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
struct ieee80211_sta *sta)
{
- struct iwl_mvm_sta *mvmsta = iwl_mvm_sta_from_mac80211(sta);
+ struct iwl_mvm_sta *mvmsta;
struct ieee80211_tx_info info;
struct sk_buff_head mpdus_skbs;
struct ieee80211_vif *vif;
@@ -1294,9 +1294,11 @@ int iwl_mvm_tx_skb_sta(struct iwl_mvm *mvm, struct sk_buff *skb,
struct sk_buff *orig_skb = skb;
const u8 *addr3;
- if (WARN_ON_ONCE(!mvmsta))
+ if (WARN_ON_ONCE(!sta))
return -1;
+ mvmsta = iwl_mvm_sta_from_mac80211(sta);
+
if (WARN_ON_ONCE(mvmsta->deflink.sta_id == IWL_MVM_INVALID_STA))
return -1;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 098/386] wifi: mac80211: fix RCU list iterations
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 097/386] wifi: iwlwifi: mvm: avoid NULL pointer dereference Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 099/386] ACPICA: iasl: handle empty connection_node Greg Kroah-Hartman
` (298 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miriam Rachel Korenblit,
Johannes Berg, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit ac35180032fbc5d80b29af00ba4881815ceefcb6 ]
There are a number of places where RCU list iteration is
used, but that aren't (always) called with RCU held. Use
just list_for_each_entry() in most, and annotate iface
iteration with the required locks.
Reviewed-by: Miriam Rachel Korenblit <miriam.rachel.korenblit@intel.com>
Link: https://patch.msgid.link/20240827094939.ed8ac0b2f897.I8443c9c3c0f8051841353491dae758021b53115e@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/chan.c | 4 +++-
net/mac80211/mlme.c | 2 +-
net/mac80211/scan.c | 2 +-
net/mac80211/util.c | 4 +++-
4 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/net/mac80211/chan.c b/net/mac80211/chan.c
index 68952752b5990..c09aed6a3cfcc 100644
--- a/net/mac80211/chan.c
+++ b/net/mac80211/chan.c
@@ -245,7 +245,9 @@ ieee80211_get_max_required_bw(struct ieee80211_sub_if_data *sdata,
enum nl80211_chan_width max_bw = NL80211_CHAN_WIDTH_20_NOHT;
struct sta_info *sta;
- list_for_each_entry_rcu(sta, &sdata->local->sta_list, list) {
+ lockdep_assert_wiphy(sdata->local->hw.wiphy);
+
+ list_for_each_entry(sta, &sdata->local->sta_list, list) {
if (sdata != sta->sdata &&
!(sta->sdata->bss && sta->sdata->bss == sdata->bss))
continue;
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 42e2c84ed2484..b14c809bcdea3 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -732,7 +732,7 @@ static bool ieee80211_add_vht_ie(struct ieee80211_sub_if_data *sdata,
bool disable_mu_mimo = false;
struct ieee80211_sub_if_data *other;
- list_for_each_entry_rcu(other, &local->interfaces, list) {
+ list_for_each_entry(other, &local->interfaces, list) {
if (other->vif.bss_conf.mu_mimo_owner) {
disable_mu_mimo = true;
break;
diff --git a/net/mac80211/scan.c b/net/mac80211/scan.c
index b58d061333c52..933a58895432f 100644
--- a/net/mac80211/scan.c
+++ b/net/mac80211/scan.c
@@ -489,7 +489,7 @@ static void __ieee80211_scan_completed(struct ieee80211_hw *hw, bool aborted)
* the scan was in progress; if there was none this will
* just be a no-op for the particular interface.
*/
- list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ list_for_each_entry(sdata, &local->interfaces, list) {
if (ieee80211_sdata_running(sdata))
wiphy_work_queue(sdata->local->hw.wiphy, &sdata->work);
}
diff --git a/net/mac80211/util.c b/net/mac80211/util.c
index d682c32821a11..02b5aaad2a155 100644
--- a/net/mac80211/util.c
+++ b/net/mac80211/util.c
@@ -745,7 +745,9 @@ static void __iterate_interfaces(struct ieee80211_local *local,
struct ieee80211_sub_if_data *sdata;
bool active_only = iter_flags & IEEE80211_IFACE_ITER_ACTIVE;
- list_for_each_entry_rcu(sdata, &local->interfaces, list) {
+ list_for_each_entry_rcu(sdata, &local->interfaces, list,
+ lockdep_is_held(&local->iflist_mtx) ||
+ lockdep_is_held(&local->hw.wiphy->mtx)) {
switch (sdata->vif.type) {
case NL80211_IFTYPE_MONITOR:
if (!(sdata->u.mntr.flags & MONITOR_FLAG_ACTIVE))
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 099/386] ACPICA: iasl: handle empty connection_node
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 098/386] wifi: mac80211: fix RCU list iterations Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 100/386] proc: add config & param to block forcing mem writes Greg Kroah-Hartman
` (297 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandrs Vinarskis,
Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aleksandrs Vinarskis <alex.vinarskis@gmail.com>
[ Upstream commit a0a2459b79414584af6c46dd8c6f866d8f1aa421 ]
ACPICA commit 6c551e2c9487067d4b085333e7fe97e965a11625
Link: https://github.com/acpica/acpica/commit/6c551e2c
Signed-off-by: Aleksandrs Vinarskis <alex.vinarskis@gmail.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/acpica/exprep.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/acpi/acpica/exprep.c b/drivers/acpi/acpica/exprep.c
index 08196fa17080e..82b1fa2d201fe 100644
--- a/drivers/acpi/acpica/exprep.c
+++ b/drivers/acpi/acpica/exprep.c
@@ -437,6 +437,9 @@ acpi_status acpi_ex_prep_field_value(struct acpi_create_field_info *info)
if (info->connection_node) {
second_desc = info->connection_node->object;
+ if (second_desc == NULL) {
+ break;
+ }
if (!(second_desc->common.flags & AOPOBJ_DATA_VALID)) {
status =
acpi_ds_get_buffer_arguments(second_desc);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 100/386] proc: add config & param to block forcing mem writes
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 099/386] ACPICA: iasl: handle empty connection_node Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 101/386] drivers/perf: arm_spe: Use perf_allow_kernel() for permissions Greg Kroah-Hartman
` (296 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Doug Anderson, Jeff Xu, Jann Horn,
Kees Cook, Ard Biesheuvel, Christian Brauner, Linus Torvalds,
Adrian Ratiu, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Ratiu <adrian.ratiu@collabora.com>
[ Upstream commit 41e8149c8892ed1962bd15350b3c3e6e90cba7f4 ]
This adds a Kconfig option and boot param to allow removing
the FOLL_FORCE flag from /proc/pid/mem write calls because
it can be abused.
The traditional forcing behavior is kept as default because
it can break GDB and some other use cases.
Previously we tried a more sophisticated approach allowing
distributions to fine-tune /proc/pid/mem behavior, however
that got NAK-ed by Linus [1], who prefers this simpler
approach with semantics also easier to understand for users.
Link: https://lore.kernel.org/lkml/CAHk-=wiGWLChxYmUA5HrT5aopZrB7_2VTa0NLZcxORgkUe5tEQ@mail.gmail.com/ [1]
Cc: Doug Anderson <dianders@chromium.org>
Cc: Jeff Xu <jeffxu@google.com>
Cc: Jann Horn <jannh@google.com>
Cc: Kees Cook <kees@kernel.org>
Cc: Ard Biesheuvel <ardb@kernel.org>
Cc: Christian Brauner <brauner@kernel.org>
Suggested-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Adrian Ratiu <adrian.ratiu@collabora.com>
Link: https://lore.kernel.org/r/20240802080225.89408-1-adrian.ratiu@collabora.com
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../admin-guide/kernel-parameters.txt | 10 +++
fs/proc/base.c | 61 ++++++++++++++++++-
security/Kconfig | 32 ++++++++++
3 files changed, 102 insertions(+), 1 deletion(-)
diff --git a/Documentation/admin-guide/kernel-parameters.txt b/Documentation/admin-guide/kernel-parameters.txt
index a7fe113897361..d83a3f47e2007 100644
--- a/Documentation/admin-guide/kernel-parameters.txt
+++ b/Documentation/admin-guide/kernel-parameters.txt
@@ -4639,6 +4639,16 @@
printk.time= Show timing data prefixed to each printk message line
Format: <bool> (1/Y/y=enable, 0/N/n=disable)
+ proc_mem.force_override= [KNL]
+ Format: {always | ptrace | never}
+ Traditionally /proc/pid/mem allows memory permissions to be
+ overridden without restrictions. This option may be set to
+ restrict that. Can be one of:
+ - 'always': traditional behavior always allows mem overrides.
+ - 'ptrace': only allow mem overrides for active ptracers.
+ - 'never': never allow mem overrides.
+ If not specified, default is the CONFIG_PROC_MEM_* choice.
+
processor.max_cstate= [HW,ACPI]
Limit processor to maximum C-state
max_cstate=9 overrides any DMI blacklist limit.
diff --git a/fs/proc/base.c b/fs/proc/base.c
index 6e61d93ffa552..699f085d4de7d 100644
--- a/fs/proc/base.c
+++ b/fs/proc/base.c
@@ -85,6 +85,7 @@
#include <linux/elf.h>
#include <linux/pid_namespace.h>
#include <linux/user_namespace.h>
+#include <linux/fs_parser.h>
#include <linux/fs_struct.h>
#include <linux/slab.h>
#include <linux/sched/autogroup.h>
@@ -116,6 +117,40 @@
static u8 nlink_tid __ro_after_init;
static u8 nlink_tgid __ro_after_init;
+enum proc_mem_force {
+ PROC_MEM_FORCE_ALWAYS,
+ PROC_MEM_FORCE_PTRACE,
+ PROC_MEM_FORCE_NEVER
+};
+
+static enum proc_mem_force proc_mem_force_override __ro_after_init =
+ IS_ENABLED(CONFIG_PROC_MEM_NO_FORCE) ? PROC_MEM_FORCE_NEVER :
+ IS_ENABLED(CONFIG_PROC_MEM_FORCE_PTRACE) ? PROC_MEM_FORCE_PTRACE :
+ PROC_MEM_FORCE_ALWAYS;
+
+static const struct constant_table proc_mem_force_table[] __initconst = {
+ { "always", PROC_MEM_FORCE_ALWAYS },
+ { "ptrace", PROC_MEM_FORCE_PTRACE },
+ { "never", PROC_MEM_FORCE_NEVER },
+ { }
+};
+
+static int __init early_proc_mem_force_override(char *buf)
+{
+ if (!buf)
+ return -EINVAL;
+
+ /*
+ * lookup_constant() defaults to proc_mem_force_override to preseve
+ * the initial Kconfig choice in case an invalid param gets passed.
+ */
+ proc_mem_force_override = lookup_constant(proc_mem_force_table,
+ buf, proc_mem_force_override);
+
+ return 0;
+}
+early_param("proc_mem.force_override", early_proc_mem_force_override);
+
struct pid_entry {
const char *name;
unsigned int len;
@@ -834,6 +869,28 @@ static int mem_open(struct inode *inode, struct file *file)
return ret;
}
+static bool proc_mem_foll_force(struct file *file, struct mm_struct *mm)
+{
+ struct task_struct *task;
+ bool ptrace_active = false;
+
+ switch (proc_mem_force_override) {
+ case PROC_MEM_FORCE_NEVER:
+ return false;
+ case PROC_MEM_FORCE_PTRACE:
+ task = get_proc_task(file_inode(file));
+ if (task) {
+ ptrace_active = READ_ONCE(task->ptrace) &&
+ READ_ONCE(task->mm) == mm &&
+ READ_ONCE(task->parent) == current;
+ put_task_struct(task);
+ }
+ return ptrace_active;
+ default:
+ return true;
+ }
+}
+
static ssize_t mem_rw(struct file *file, char __user *buf,
size_t count, loff_t *ppos, int write)
{
@@ -854,7 +911,9 @@ static ssize_t mem_rw(struct file *file, char __user *buf,
if (!mmget_not_zero(mm))
goto free;
- flags = FOLL_FORCE | (write ? FOLL_WRITE : 0);
+ flags = write ? FOLL_WRITE : 0;
+ if (proc_mem_foll_force(file, mm))
+ flags |= FOLL_FORCE;
while (count > 0) {
size_t this_len = min_t(size_t, count, PAGE_SIZE);
diff --git a/security/Kconfig b/security/Kconfig
index 52c9af08ad35d..39af8b8696efb 100644
--- a/security/Kconfig
+++ b/security/Kconfig
@@ -19,6 +19,38 @@ config SECURITY_DMESG_RESTRICT
If you are unsure how to answer this question, answer N.
+choice
+ prompt "Allow /proc/pid/mem access override"
+ default PROC_MEM_ALWAYS_FORCE
+ help
+ Traditionally /proc/pid/mem allows users to override memory
+ permissions for users like ptrace, assuming they have ptrace
+ capability.
+
+ This allows people to limit that - either never override, or
+ require actual active ptrace attachment.
+
+ Defaults to the traditional behavior (for now)
+
+config PROC_MEM_ALWAYS_FORCE
+ bool "Traditional /proc/pid/mem behavior"
+ help
+ This allows /proc/pid/mem accesses to override memory mapping
+ permissions if you have ptrace access rights.
+
+config PROC_MEM_FORCE_PTRACE
+ bool "Require active ptrace() use for access override"
+ help
+ This allows /proc/pid/mem accesses to override memory mapping
+ permissions for active ptracers like gdb.
+
+config PROC_MEM_NO_FORCE
+ bool "Never"
+ help
+ Never override memory mapping permissions
+
+endchoice
+
config SECURITY
bool "Enable different security models"
depends on SYSFS
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 101/386] drivers/perf: arm_spe: Use perf_allow_kernel() for permissions
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 100/386] proc: add config & param to block forcing mem writes Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 102/386] can: netlink: avoid call to do_set_data_bittiming callback with stale can_priv::ctrlmode Greg Kroah-Hartman
` (295 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Al Grant, James Clark, Will Deacon,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: James Clark <james.clark@linaro.org>
[ Upstream commit 5e9629d0ae977d6f6916d7e519724804e95f0b07 ]
Use perf_allow_kernel() for 'pa_enable' (physical addresses),
'pct_enable' (physical timestamps) and context IDs. This means that
perf_event_paranoid is now taken into account and LSM hooks can be used,
which is more consistent with other perf_event_open calls. For example
PERF_SAMPLE_PHYS_ADDR uses perf_allow_kernel() rather than just
perfmon_capable().
This also indirectly fixes the following error message which is
misleading because perf_event_paranoid is not taken into account by
perfmon_capable():
$ perf record -e arm_spe/pa_enable/
Error:
Access to performance monitoring and observability operations is
limited. Consider adjusting /proc/sys/kernel/perf_event_paranoid
setting ...
Suggested-by: Al Grant <al.grant@arm.com>
Signed-off-by: James Clark <james.clark@linaro.org>
Link: https://lore.kernel.org/r/20240827145113.1224604-1-james.clark@linaro.org
Link: https://lore.kernel.org/all/20240807120039.GD37996@noisy.programming.kicks-ass.net/
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/perf/arm_spe_pmu.c | 9 ++++-----
include/linux/perf_event.h | 8 +-------
kernel/events/core.c | 9 +++++++++
3 files changed, 14 insertions(+), 12 deletions(-)
diff --git a/drivers/perf/arm_spe_pmu.c b/drivers/perf/arm_spe_pmu.c
index d2b0cbf0e0c41..2bec2e3af0bd6 100644
--- a/drivers/perf/arm_spe_pmu.c
+++ b/drivers/perf/arm_spe_pmu.c
@@ -41,7 +41,7 @@
/*
* Cache if the event is allowed to trace Context information.
- * This allows us to perform the check, i.e, perfmon_capable(),
+ * This allows us to perform the check, i.e, perf_allow_kernel(),
* in the context of the event owner, once, during the event_init().
*/
#define SPE_PMU_HW_FLAGS_CX 0x00001
@@ -50,7 +50,7 @@ static_assert((PERF_EVENT_FLAG_ARCH & SPE_PMU_HW_FLAGS_CX) == SPE_PMU_HW_FLAGS_C
static void set_spe_event_has_cx(struct perf_event *event)
{
- if (IS_ENABLED(CONFIG_PID_IN_CONTEXTIDR) && perfmon_capable())
+ if (IS_ENABLED(CONFIG_PID_IN_CONTEXTIDR) && !perf_allow_kernel(&event->attr))
event->hw.flags |= SPE_PMU_HW_FLAGS_CX;
}
@@ -767,9 +767,8 @@ static int arm_spe_pmu_event_init(struct perf_event *event)
set_spe_event_has_cx(event);
reg = arm_spe_event_to_pmscr(event);
- if (!perfmon_capable() &&
- (reg & (PMSCR_EL1_PA | PMSCR_EL1_PCT)))
- return -EACCES;
+ if (reg & (PMSCR_EL1_PA | PMSCR_EL1_PCT))
+ return perf_allow_kernel(&event->attr);
return 0;
}
diff --git a/include/linux/perf_event.h b/include/linux/perf_event.h
index 95d4118ee4a91..7a5563ffe61b5 100644
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -1599,13 +1599,7 @@ static inline int perf_is_paranoid(void)
return sysctl_perf_event_paranoid > -1;
}
-static inline int perf_allow_kernel(struct perf_event_attr *attr)
-{
- if (sysctl_perf_event_paranoid > 1 && !perfmon_capable())
- return -EACCES;
-
- return security_perf_event_open(attr, PERF_SECURITY_KERNEL);
-}
+int perf_allow_kernel(struct perf_event_attr *attr);
static inline int perf_allow_cpu(struct perf_event_attr *attr)
{
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 4d0abdace4e7c..d40809bdf4b30 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -13330,6 +13330,15 @@ const struct perf_event_attr *perf_event_attrs(struct perf_event *event)
return &event->attr;
}
+int perf_allow_kernel(struct perf_event_attr *attr)
+{
+ if (sysctl_perf_event_paranoid > 1 && !perfmon_capable())
+ return -EACCES;
+
+ return security_perf_event_open(attr, PERF_SECURITY_KERNEL);
+}
+EXPORT_SYMBOL_GPL(perf_allow_kernel);
+
/*
* Inherit an event from parent task to child task.
*
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 102/386] can: netlink: avoid call to do_set_data_bittiming callback with stale can_priv::ctrlmode
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 101/386] drivers/perf: arm_spe: Use perf_allow_kernel() for permissions Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 103/386] wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Greg Kroah-Hartman
` (294 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Mätje, Marc Kleine-Budde,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stefan Mätje <stefan.maetje@esd.eu>
[ Upstream commit 2423cc20087ae9a7b7af575aa62304ef67cad7b6 ]
This patch moves the evaluation of data[IFLA_CAN_CTRLMODE] in function
can_changelink in front of the evaluation of data[IFLA_CAN_BITTIMING].
This avoids a call to do_set_data_bittiming providing a stale
can_priv::ctrlmode with a CAN_CTRLMODE_FD flag not matching the
requested state when switching between a CAN Classic and CAN-FD bitrate.
In the same manner the evaluation of data[IFLA_CAN_CTRLMODE] in function
can_validate is also moved in front of the evaluation of
data[IFLA_CAN_BITTIMING].
This is a preparation for patches where the nominal and data bittiming
may have interdependencies on the driver side depending on the
CAN_CTRLMODE_FD flag state.
Signed-off-by: Stefan Mätje <stefan.maetje@esd.eu>
Link: https://patch.msgid.link/20240808164224.213522-1-stefan.maetje@esd.eu
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/can/dev/netlink.c | 102 +++++++++++++++++-----------------
1 file changed, 51 insertions(+), 51 deletions(-)
diff --git a/drivers/net/can/dev/netlink.c b/drivers/net/can/dev/netlink.c
index dfdc039d92a6c..01aacdcda2606 100644
--- a/drivers/net/can/dev/netlink.c
+++ b/drivers/net/can/dev/netlink.c
@@ -65,15 +65,6 @@ static int can_validate(struct nlattr *tb[], struct nlattr *data[],
if (!data)
return 0;
- if (data[IFLA_CAN_BITTIMING]) {
- struct can_bittiming bt;
-
- memcpy(&bt, nla_data(data[IFLA_CAN_BITTIMING]), sizeof(bt));
- err = can_validate_bittiming(&bt, extack);
- if (err)
- return err;
- }
-
if (data[IFLA_CAN_CTRLMODE]) {
struct can_ctrlmode *cm = nla_data(data[IFLA_CAN_CTRLMODE]);
u32 tdc_flags = cm->flags & CAN_CTRLMODE_TDC_MASK;
@@ -114,6 +105,15 @@ static int can_validate(struct nlattr *tb[], struct nlattr *data[],
}
}
+ if (data[IFLA_CAN_BITTIMING]) {
+ struct can_bittiming bt;
+
+ memcpy(&bt, nla_data(data[IFLA_CAN_BITTIMING]), sizeof(bt));
+ err = can_validate_bittiming(&bt, extack);
+ if (err)
+ return err;
+ }
+
if (is_can_fd) {
if (!data[IFLA_CAN_BITTIMING] || !data[IFLA_CAN_DATA_BITTIMING])
return -EOPNOTSUPP;
@@ -195,48 +195,6 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
/* We need synchronization with dev->stop() */
ASSERT_RTNL();
- if (data[IFLA_CAN_BITTIMING]) {
- struct can_bittiming bt;
-
- /* Do not allow changing bittiming while running */
- if (dev->flags & IFF_UP)
- return -EBUSY;
-
- /* Calculate bittiming parameters based on
- * bittiming_const if set, otherwise pass bitrate
- * directly via do_set_bitrate(). Bail out if neither
- * is given.
- */
- if (!priv->bittiming_const && !priv->do_set_bittiming &&
- !priv->bitrate_const)
- return -EOPNOTSUPP;
-
- memcpy(&bt, nla_data(data[IFLA_CAN_BITTIMING]), sizeof(bt));
- err = can_get_bittiming(dev, &bt,
- priv->bittiming_const,
- priv->bitrate_const,
- priv->bitrate_const_cnt,
- extack);
- if (err)
- return err;
-
- if (priv->bitrate_max && bt.bitrate > priv->bitrate_max) {
- NL_SET_ERR_MSG_FMT(extack,
- "arbitration bitrate %u bps surpasses transceiver capabilities of %u bps",
- bt.bitrate, priv->bitrate_max);
- return -EINVAL;
- }
-
- memcpy(&priv->bittiming, &bt, sizeof(bt));
-
- if (priv->do_set_bittiming) {
- /* Finally, set the bit-timing registers */
- err = priv->do_set_bittiming(dev);
- if (err)
- return err;
- }
- }
-
if (data[IFLA_CAN_CTRLMODE]) {
struct can_ctrlmode *cm;
u32 ctrlstatic;
@@ -284,6 +242,48 @@ static int can_changelink(struct net_device *dev, struct nlattr *tb[],
priv->ctrlmode &= cm->flags | ~CAN_CTRLMODE_TDC_MASK;
}
+ if (data[IFLA_CAN_BITTIMING]) {
+ struct can_bittiming bt;
+
+ /* Do not allow changing bittiming while running */
+ if (dev->flags & IFF_UP)
+ return -EBUSY;
+
+ /* Calculate bittiming parameters based on
+ * bittiming_const if set, otherwise pass bitrate
+ * directly via do_set_bitrate(). Bail out if neither
+ * is given.
+ */
+ if (!priv->bittiming_const && !priv->do_set_bittiming &&
+ !priv->bitrate_const)
+ return -EOPNOTSUPP;
+
+ memcpy(&bt, nla_data(data[IFLA_CAN_BITTIMING]), sizeof(bt));
+ err = can_get_bittiming(dev, &bt,
+ priv->bittiming_const,
+ priv->bitrate_const,
+ priv->bitrate_const_cnt,
+ extack);
+ if (err)
+ return err;
+
+ if (priv->bitrate_max && bt.bitrate > priv->bitrate_max) {
+ NL_SET_ERR_MSG_FMT(extack,
+ "arbitration bitrate %u bps surpasses transceiver capabilities of %u bps",
+ bt.bitrate, priv->bitrate_max);
+ return -EINVAL;
+ }
+
+ memcpy(&priv->bittiming, &bt, sizeof(bt));
+
+ if (priv->do_set_bittiming) {
+ /* Finally, set the bit-timing registers */
+ err = priv->do_set_bittiming(dev);
+ if (err)
+ return err;
+ }
+ }
+
if (data[IFLA_CAN_RESTART_MS]) {
/* Do not allow changing restart delay while running */
if (dev->flags & IFF_UP)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 103/386] wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 102/386] can: netlink: avoid call to do_set_data_bittiming callback with stale can_priv::ctrlmode Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 104/386] wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Greg Kroah-Hartman
` (293 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Lin, Felix Fietkau,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Lin <benjamin-jw.lin@mediatek.com>
[ Upstream commit f2cc859149240d910fdc6405717673e0b84bfda8 ]
Currently, CONNAC2 series do not support encryption for fragmented Tx frames.
Therefore, add dummy function mt7915_set_frag_threshold() to prevent SW
IEEE 802.11 fragmentation.
Signed-off-by: Benjamin Lin <benjamin-jw.lin@mediatek.com>
Link: https://patch.msgid.link/20240827093011.18621-16-nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7915/init.c | 1 +
drivers/net/wireless/mediatek/mt76/mt7915/main.c | 7 +++++++
2 files changed, 8 insertions(+)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/init.c b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
index e6af7318a9e38..5ff260319282c 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/init.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/init.c
@@ -388,6 +388,7 @@ mt7915_init_wiphy(struct mt7915_phy *phy)
ieee80211_hw_set(hw, SUPPORTS_RX_DECAP_OFFLOAD);
ieee80211_hw_set(hw, SUPPORTS_MULTI_BSSID);
ieee80211_hw_set(hw, WANT_MONITOR_VIF);
+ ieee80211_hw_set(hw, SUPPORTS_TX_FRAG);
hw->max_tx_fragments = 4;
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/main.c b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
index 27655dcb79142..4fd5fd555191a 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/main.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/main.c
@@ -1561,6 +1561,12 @@ mt7915_twt_teardown_request(struct ieee80211_hw *hw,
mutex_unlock(&dev->mt76.mutex);
}
+static int
+mt7915_set_frag_threshold(struct ieee80211_hw *hw, u32 val)
+{
+ return 0;
+}
+
static int
mt7915_set_radar_background(struct ieee80211_hw *hw,
struct cfg80211_chan_def *chandef)
@@ -1687,6 +1693,7 @@ const struct ieee80211_ops mt7915_ops = {
.sta_set_decap_offload = mt7915_sta_set_decap_offload,
.add_twt_setup = mt7915_mac_add_twt_setup,
.twt_teardown_request = mt7915_twt_teardown_request,
+ .set_frag_threshold = mt7915_set_frag_threshold,
CFG80211_TESTMODE_CMD(mt76_testmode_cmd)
CFG80211_TESTMODE_DUMP(mt76_testmode_dump)
#ifdef CONFIG_MAC80211_DEBUGFS
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 104/386] wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 103/386] wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 105/386] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Greg Kroah-Hartman
` (292 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Felix Fietkau, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Fietkau <nbd@nbd.name>
[ Upstream commit 8f7152f10cb434f954aeff85ca1be9cd4d01912b ]
Prevent racing against other functions disabling the same worker
Link: https://patch.msgid.link/20240827093011.18621-17-nbd@nbd.name
Signed-off-by: Felix Fietkau <nbd@nbd.name>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
index 2222fb9aa103e..38d27f8721733 100644
--- a/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
+++ b/drivers/net/wireless/mediatek/mt76/mt7915/mac.c
@@ -1538,12 +1538,14 @@ void mt7915_mac_reset_work(struct work_struct *work)
set_bit(MT76_RESET, &phy2->mt76->state);
cancel_delayed_work_sync(&phy2->mt76->mac_work);
}
+
+ mutex_lock(&dev->mt76.mutex);
+
mt76_worker_disable(&dev->mt76.tx_worker);
mt76_for_each_q_rx(&dev->mt76, i)
napi_disable(&dev->mt76.napi[i]);
napi_disable(&dev->mt76.tx_napi);
- mutex_lock(&dev->mt76.mutex);
mt76_wr(dev, MT_MCU_INT_EVENT, MT_MCU_INT_EVENT_DMA_STOPPED);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 105/386] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 104/386] wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 106/386] nfp: Use IRQF_NO_AUTOEN flag in request_irq() Greg Kroah-Hartman
` (291 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Gustavo A. R. Silva,
Brian Norris, Kalle Valo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gustavo A. R. Silva <gustavoars@kernel.org>
[ Upstream commit 498365e52bebcbc36a93279fe7e9d6aec8479cee ]
Replace one-element array with a flexible-array member in
`struct host_cmd_ds_802_11_scan_ext`.
With this, fix the following warning:
elo 16 17:51:58 surfacebook kernel: ------------[ cut here ]------------
elo 16 17:51:58 surfacebook kernel: memcpy: detected field-spanning write (size 243) of single field "ext_scan->tlv_buffer" at drivers/net/wireless/marvell/mwifiex/scan.c:2239 (size 1)
elo 16 17:51:58 surfacebook kernel: WARNING: CPU: 0 PID: 498 at drivers/net/wireless/marvell/mwifiex/scan.c:2239 mwifiex_cmd_802_11_scan_ext+0x83/0x90 [mwifiex]
Reported-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Closes: https://lore.kernel.org/linux-hardening/ZsZNgfnEwOcPdCly@black.fi.intel.com/
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Acked-by: Brian Norris <briannorris@chromium.org>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://patch.msgid.link/ZsZa5xRcsLq9D+RX@elsanto
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/marvell/mwifiex/fw.h | 2 +-
drivers/net/wireless/marvell/mwifiex/scan.c | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/net/wireless/marvell/mwifiex/fw.h b/drivers/net/wireless/marvell/mwifiex/fw.h
index 62f3c9a52a1d5..a3be37526697b 100644
--- a/drivers/net/wireless/marvell/mwifiex/fw.h
+++ b/drivers/net/wireless/marvell/mwifiex/fw.h
@@ -1587,7 +1587,7 @@ struct host_cmd_ds_802_11_scan_rsp {
struct host_cmd_ds_802_11_scan_ext {
u32 reserved;
- u8 tlv_buffer[1];
+ u8 tlv_buffer[];
} __packed;
struct mwifiex_ie_types_bss_mode {
diff --git a/drivers/net/wireless/marvell/mwifiex/scan.c b/drivers/net/wireless/marvell/mwifiex/scan.c
index 72904c275461e..5be817d9854a6 100644
--- a/drivers/net/wireless/marvell/mwifiex/scan.c
+++ b/drivers/net/wireless/marvell/mwifiex/scan.c
@@ -2543,8 +2543,7 @@ int mwifiex_ret_802_11_scan_ext(struct mwifiex_private *priv,
ext_scan_resp = &resp->params.ext_scan;
tlv = (void *)ext_scan_resp->tlv_buffer;
- buf_left = le16_to_cpu(resp->size) - (sizeof(*ext_scan_resp) + S_DS_GEN
- - 1);
+ buf_left = le16_to_cpu(resp->size) - (sizeof(*ext_scan_resp) + S_DS_GEN);
while (buf_left >= sizeof(struct mwifiex_ie_types_header)) {
type = le16_to_cpu(tlv->type);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 106/386] nfp: Use IRQF_NO_AUTOEN flag in request_irq()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 105/386] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 107/386] ALSA: usb-audio: Add input value sanity checks for standard types Greg Kroah-Hartman
` (290 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Louis Peens, Jinjie Ruan,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
[ Upstream commit daaba19d357f0900b303a530ced96c78086267ea ]
disable_irq() after request_irq() still has a time gap in which
interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
disable IRQ auto-enable when request IRQ.
Reviewed-by: Louis Peens <louis.peens@corigine.com>
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Link: https://patch.msgid.link/20240911094445.1922476-4-ruanjinjie@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/netronome/nfp/nfp_net_common.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
index f2085340a1cfe..fceb4abea2365 100644
--- a/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
+++ b/drivers/net/ethernet/netronome/nfp/nfp_net_common.c
@@ -821,14 +821,13 @@ nfp_net_prepare_vector(struct nfp_net *nn, struct nfp_net_r_vector *r_vec,
snprintf(r_vec->name, sizeof(r_vec->name),
"%s-rxtx-%d", nfp_net_name(nn), idx);
- err = request_irq(r_vec->irq_vector, r_vec->handler, 0, r_vec->name,
- r_vec);
+ err = request_irq(r_vec->irq_vector, r_vec->handler, IRQF_NO_AUTOEN,
+ r_vec->name, r_vec);
if (err) {
nfp_net_napi_del(&nn->dp, r_vec);
nn_err(nn, "Error requesting IRQ %d\n", r_vec->irq_vector);
return err;
}
- disable_irq(r_vec->irq_vector);
irq_set_affinity_hint(r_vec->irq_vector, &r_vec->affinity_mask);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 107/386] ALSA: usb-audio: Add input value sanity checks for standard types
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 106/386] nfp: Use IRQF_NO_AUTOEN flag in request_irq() Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 108/386] x86/ioapic: Handle allocation failures gracefully Greg Kroah-Hartman
` (289 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 901e85677ec0bb9a69fb9eab1feafe0c4eb7d07e ]
For an invalid input value that is out of the given range, currently
USB-audio driver corrects the value silently and accepts without
errors. This is no wrong behavior, per se, but the recent kselftest
rather wants to have an error in such a case, hence a different
behavior is expected now.
This patch adds a sanity check at each control put for the standard
mixer types and returns an error if an invalid value is given.
Note that this covers only the standard mixer types. The mixer quirks
that have own control callbacks would need different coverage.
Link: https://patch.msgid.link/20240806124651.28203-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/mixer.c | 35 +++++++++++++++++++++++++++--------
sound/usb/mixer.h | 1 +
2 files changed, 28 insertions(+), 8 deletions(-)
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 8cc2d4937f340..197fd07e69edd 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -1377,6 +1377,19 @@ static int get_min_max_with_quirks(struct usb_mixer_elem_info *cval,
#define get_min_max(cval, def) get_min_max_with_quirks(cval, def, NULL)
+/* get the max value advertised via control API */
+static int get_max_exposed(struct usb_mixer_elem_info *cval)
+{
+ if (!cval->max_exposed) {
+ if (cval->res)
+ cval->max_exposed =
+ DIV_ROUND_UP(cval->max - cval->min, cval->res);
+ else
+ cval->max_exposed = cval->max - cval->min;
+ }
+ return cval->max_exposed;
+}
+
/* get a feature/mixer unit info */
static int mixer_ctl_feature_info(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_info *uinfo)
@@ -1389,11 +1402,8 @@ static int mixer_ctl_feature_info(struct snd_kcontrol *kcontrol,
else
uinfo->type = SNDRV_CTL_ELEM_TYPE_INTEGER;
uinfo->count = cval->channels;
- if (cval->val_type == USB_MIXER_BOOLEAN ||
- cval->val_type == USB_MIXER_INV_BOOLEAN) {
- uinfo->value.integer.min = 0;
- uinfo->value.integer.max = 1;
- } else {
+ if (cval->val_type != USB_MIXER_BOOLEAN &&
+ cval->val_type != USB_MIXER_INV_BOOLEAN) {
if (!cval->initialized) {
get_min_max_with_quirks(cval, 0, kcontrol);
if (cval->initialized && cval->dBmin >= cval->dBmax) {
@@ -1405,10 +1415,10 @@ static int mixer_ctl_feature_info(struct snd_kcontrol *kcontrol,
&kcontrol->id);
}
}
- uinfo->value.integer.min = 0;
- uinfo->value.integer.max =
- DIV_ROUND_UP(cval->max - cval->min, cval->res);
}
+
+ uinfo->value.integer.min = 0;
+ uinfo->value.integer.max = get_max_exposed(cval);
return 0;
}
@@ -1449,6 +1459,7 @@ static int mixer_ctl_feature_put(struct snd_kcontrol *kcontrol,
struct snd_ctl_elem_value *ucontrol)
{
struct usb_mixer_elem_info *cval = kcontrol->private_data;
+ int max_val = get_max_exposed(cval);
int c, cnt, val, oval, err;
int changed = 0;
@@ -1461,6 +1472,8 @@ static int mixer_ctl_feature_put(struct snd_kcontrol *kcontrol,
if (err < 0)
return filter_error(cval, err);
val = ucontrol->value.integer.value[cnt];
+ if (val < 0 || val > max_val)
+ return -EINVAL;
val = get_abs_value(cval, val);
if (oval != val) {
snd_usb_set_cur_mix_value(cval, c + 1, cnt, val);
@@ -1474,6 +1487,8 @@ static int mixer_ctl_feature_put(struct snd_kcontrol *kcontrol,
if (err < 0)
return filter_error(cval, err);
val = ucontrol->value.integer.value[0];
+ if (val < 0 || val > max_val)
+ return -EINVAL;
val = get_abs_value(cval, val);
if (val != oval) {
snd_usb_set_cur_mix_value(cval, 0, 0, val);
@@ -2337,6 +2352,8 @@ static int mixer_ctl_procunit_put(struct snd_kcontrol *kcontrol,
if (err < 0)
return filter_error(cval, err);
val = ucontrol->value.integer.value[0];
+ if (val < 0 || val > get_max_exposed(cval))
+ return -EINVAL;
val = get_abs_value(cval, val);
if (val != oval) {
set_cur_ctl_value(cval, cval->control << 8, val);
@@ -2699,6 +2716,8 @@ static int mixer_ctl_selector_put(struct snd_kcontrol *kcontrol,
if (err < 0)
return filter_error(cval, err);
val = ucontrol->value.enumerated.item[0];
+ if (val < 0 || val >= cval->max) /* here cval->max = # elements */
+ return -EINVAL;
val = get_abs_value(cval, val);
if (val != oval) {
set_cur_ctl_value(cval, cval->control << 8, val);
diff --git a/sound/usb/mixer.h b/sound/usb/mixer.h
index d43895c1ae5c6..167fbfcf01ace 100644
--- a/sound/usb/mixer.h
+++ b/sound/usb/mixer.h
@@ -88,6 +88,7 @@ struct usb_mixer_elem_info {
int channels;
int val_type;
int min, max, res;
+ int max_exposed; /* control API exposes the value in 0..max_exposed */
int dBmin, dBmax;
int cached;
int cache_val[MAX_CHANNELS];
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 108/386] x86/ioapic: Handle allocation failures gracefully
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 107/386] ALSA: usb-audio: Add input value sanity checks for standard types Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 109/386] ALSA: usb-audio: Support multiple control interfaces Greg Kroah-Hartman
` (288 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Breno Leitao, Thomas Gleixner,
Qiuxu Zhuo, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Gleixner <tglx@linutronix.de>
[ Upstream commit 830802a0fea8fb39d3dc9fb7d6b5581e1343eb1f ]
Breno observed panics when using failslab under certain conditions during
runtime:
can not alloc irq_pin_list (-1,0,20)
Kernel panic - not syncing: IO-APIC: failed to add irq-pin. Can not proceed
panic+0x4e9/0x590
mp_irqdomain_alloc+0x9ab/0xa80
irq_domain_alloc_irqs_locked+0x25d/0x8d0
__irq_domain_alloc_irqs+0x80/0x110
mp_map_pin_to_irq+0x645/0x890
acpi_register_gsi_ioapic+0xe6/0x150
hpet_open+0x313/0x480
That's a pointless panic which is a leftover of the historic IO/APIC code
which panic'ed during early boot when the interrupt allocation failed.
The only place which might justify panic is the PIT/HPET timer_check() code
which tries to figure out whether the timer interrupt is delivered through
the IO/APIC. But that code does not require to handle interrupt allocation
failures. If the interrupt cannot be allocated then timer delivery fails
and it either panics due to that or falls back to legacy mode.
Cure this by removing the panic wrapper around __add_pin_to_irq_node() and
making mp_irqdomain_alloc() aware of the failure condition and handle it as
any other failure in this function gracefully.
Reported-by: Breno Leitao <leitao@debian.org>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Breno Leitao <leitao@debian.org>
Tested-by: Qiuxu Zhuo <qiuxu.zhuo@intel.com>
Link: https://lore.kernel.org/all/ZqfJmUF8sXIyuSHN@gmail.com
Link: https://lore.kernel.org/all/20240802155440.275200843@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/apic/io_apic.c | 46 ++++++++++++++++------------------
1 file changed, 22 insertions(+), 24 deletions(-)
diff --git a/arch/x86/kernel/apic/io_apic.c b/arch/x86/kernel/apic/io_apic.c
index 00da6cf6b07dc..d0c5325d17510 100644
--- a/arch/x86/kernel/apic/io_apic.c
+++ b/arch/x86/kernel/apic/io_apic.c
@@ -352,27 +352,26 @@ static void ioapic_mask_entry(int apic, int pin)
* shared ISA-space IRQs, so we have to support them. We are super
* fast in the common case, and fast for shared ISA-space IRQs.
*/
-static int __add_pin_to_irq_node(struct mp_chip_data *data,
- int node, int apic, int pin)
+static bool add_pin_to_irq_node(struct mp_chip_data *data, int node, int apic, int pin)
{
struct irq_pin_list *entry;
- /* don't allow duplicates */
- for_each_irq_pin(entry, data->irq_2_pin)
+ /* Don't allow duplicates */
+ for_each_irq_pin(entry, data->irq_2_pin) {
if (entry->apic == apic && entry->pin == pin)
- return 0;
+ return true;
+ }
entry = kzalloc_node(sizeof(struct irq_pin_list), GFP_ATOMIC, node);
if (!entry) {
- pr_err("can not alloc irq_pin_list (%d,%d,%d)\n",
- node, apic, pin);
- return -ENOMEM;
+ pr_err("Cannot allocate irq_pin_list (%d,%d,%d)\n", node, apic, pin);
+ return false;
}
+
entry->apic = apic;
entry->pin = pin;
list_add_tail(&entry->list, &data->irq_2_pin);
-
- return 0;
+ return true;
}
static void __remove_pin_from_irq(struct mp_chip_data *data, int apic, int pin)
@@ -387,13 +386,6 @@ static void __remove_pin_from_irq(struct mp_chip_data *data, int apic, int pin)
}
}
-static void add_pin_to_irq_node(struct mp_chip_data *data,
- int node, int apic, int pin)
-{
- if (__add_pin_to_irq_node(data, node, apic, pin))
- panic("IO-APIC: failed to add irq-pin. Can not proceed\n");
-}
-
/*
* Reroute an IRQ to a different pin.
*/
@@ -1002,8 +994,7 @@ static int alloc_isa_irq_from_domain(struct irq_domain *domain,
if (irq_data && irq_data->parent_data) {
if (!mp_check_pin_attr(irq, info))
return -EBUSY;
- if (__add_pin_to_irq_node(irq_data->chip_data, node, ioapic,
- info->ioapic.pin))
+ if (!add_pin_to_irq_node(irq_data->chip_data, node, ioapic, info->ioapic.pin))
return -ENOMEM;
} else {
info->flags |= X86_IRQ_ALLOC_LEGACY;
@@ -3037,10 +3028,8 @@ int mp_irqdomain_alloc(struct irq_domain *domain, unsigned int virq,
return -ENOMEM;
ret = irq_domain_alloc_irqs_parent(domain, virq, nr_irqs, info);
- if (ret < 0) {
- kfree(data);
- return ret;
- }
+ if (ret < 0)
+ goto free_data;
INIT_LIST_HEAD(&data->irq_2_pin);
irq_data->hwirq = info->ioapic.pin;
@@ -3049,7 +3038,10 @@ int mp_irqdomain_alloc(struct irq_domain *domain, unsigned int virq,
irq_data->chip_data = data;
mp_irqdomain_get_attr(mp_pin_to_gsi(ioapic, pin), data, info);
- add_pin_to_irq_node(data, ioapic_alloc_attr_node(info), ioapic, pin);
+ if (!add_pin_to_irq_node(data, ioapic_alloc_attr_node(info), ioapic, pin)) {
+ ret = -ENOMEM;
+ goto free_irqs;
+ }
mp_preconfigure_entry(data);
mp_register_handler(virq, data->is_level);
@@ -3064,6 +3056,12 @@ int mp_irqdomain_alloc(struct irq_domain *domain, unsigned int virq,
ioapic, mpc_ioapic_id(ioapic), pin, virq,
data->is_level, data->active_low);
return 0;
+
+free_irqs:
+ irq_domain_free_irqs_parent(domain, virq, nr_irqs);
+free_data:
+ kfree(data);
+ return ret;
}
void mp_irqdomain_free(struct irq_domain *domain, unsigned int virq,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 109/386] ALSA: usb-audio: Support multiple control interfaces
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 108/386] x86/ioapic: Handle allocation failures gracefully Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-09 7:39 ` Karol Kosik
2024-10-08 12:05 ` [PATCH 6.6 110/386] ALSA: usb-audio: Define macros for quirk table entries Greg Kroah-Hartman
` (287 subsequent siblings)
396 siblings, 1 reply; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Karol Kosik, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karol Kosik <k.kosik@outlook.com>
[ Upstream commit 6aa8700150f7dc62f60b4cf5b1624e2e3d9ed78e ]
Registering Numark Party Mix II fails with error 'bogus bTerminalLink 1'.
The problem stems from the driver not being able to find input/output
terminals required to configure audio streaming. The information about
those terminals is stored in AudioControl Interface. Numark device
contains 2 AudioControl Interfaces and the driver checks only one of them.
According to the USB standard, a device can have multiple audio functions,
each represented by Audio Interface Collection. Every audio function is
considered to be closed box and will contain unique AudioControl Interface
and zero or more AudioStreaming and MIDIStreaming Interfaces.
The Numark device adheres to the standard and defines two audio functions:
- MIDIStreaming function
- AudioStreaming function
It starts with MIDI function, followed by the audio function. The driver
saves the first AudioControl Interface in `snd_usb_audio` structure
associated with the entire device. It then attempts to use this interface
to query for terminals and clocks. However, this fails because the correct
information is stored in the second AudioControl Interface, defined in the
second Audio Interface Collection.
This patch introduces a structure holding association between each
MIDI/Audio Interface and its corresponding AudioControl Interface,
instead of relying on AudioControl Interface defined for the entire
device. This structure is populated during usb probing phase and leveraged
later when querying for terminals and when sending USB requests.
Alternative solutions considered include:
- defining a quirk for Numark where the order of interface is manually
changed, or terminals are hardcoded in the driver. This solution would
have fixed only this model, though it seems that device is USB compliant,
and it also seems that other devices from this company may be affected.
What's more, it looks like products from other manufacturers have similar
problems, i.e. Rane One DJ console
- keeping a list of all AudioControl Interfaces and querying all of them
to find required information. That would have solved my problem and have
low probability of breaking other devices, as we would always start with
the same logic of querying first AudioControl Interface. This solution
would not have followed the standard though.
This patch preserves the `snd_usb_audio.ctrl_intf` variable, which holds
the first AudioControl Interface, and uses it as a fallback when some
interfaces are not parsed correctly and lack an associated AudioControl
Interface, i.e., when configured via quirks.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217865
Signed-off-by: Karol Kosik <k.kosik@outlook.com>
Link: https://patch.msgid.link/AS8P190MB1285893F4735C8B32AD3886BEC852@AS8P190MB1285.EURP190.PROD.OUTLOOK.COM
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/card.c | 2 ++
sound/usb/clock.c | 62 ++++++++++++++++++++++++--------------
sound/usb/format.c | 6 ++--
sound/usb/helper.c | 34 +++++++++++++++++++++
sound/usb/helper.h | 10 ++++--
sound/usb/mixer.c | 2 +-
sound/usb/mixer_quirks.c | 17 ++++++-----
sound/usb/mixer_scarlett.c | 4 +--
sound/usb/power.c | 3 +-
sound/usb/power.h | 1 +
sound/usb/stream.c | 21 ++++++++-----
sound/usb/usbaudio.h | 12 ++++++++
12 files changed, 127 insertions(+), 47 deletions(-)
diff --git a/sound/usb/card.c b/sound/usb/card.c
index 1b2edc0fd2e99..7c98cc831b8d9 100644
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -206,6 +206,8 @@ static int snd_usb_create_stream(struct snd_usb_audio *chip, int ctrlif, int int
return -EINVAL;
}
+ snd_usb_add_ctrl_interface_link(chip, interface, ctrlif);
+
if (! snd_usb_parse_audio_interface(chip, interface)) {
usb_set_interface(dev, interface, 0); /* reset the current interface */
return usb_driver_claim_interface(&usb_audio_driver, iface,
diff --git a/sound/usb/clock.c b/sound/usb/clock.c
index a676ad093d189..6f0693c428b0b 100644
--- a/sound/usb/clock.c
+++ b/sound/usb/clock.c
@@ -76,11 +76,14 @@ static bool validate_clock_multiplier(void *p, int id, int proto)
}
#define DEFINE_FIND_HELPER(name, obj, validator, type2, type3) \
-static obj *name(struct snd_usb_audio *chip, int id, int proto) \
+static obj *name(struct snd_usb_audio *chip, int id, \
+ const struct audioformat *fmt) \
{ \
- return find_uac_clock_desc(chip->ctrl_intf, id, validator, \
- proto == UAC_VERSION_3 ? (type3) : (type2), \
- proto); \
+ struct usb_host_interface *ctrl_intf = \
+ snd_usb_find_ctrl_interface(chip, fmt->iface); \
+ return find_uac_clock_desc(ctrl_intf, id, validator, \
+ fmt->protocol == UAC_VERSION_3 ? (type3) : (type2), \
+ fmt->protocol); \
}
DEFINE_FIND_HELPER(snd_usb_find_clock_source,
@@ -93,16 +96,19 @@ DEFINE_FIND_HELPER(snd_usb_find_clock_multiplier,
union uac23_clock_multiplier_desc, validate_clock_multiplier,
UAC2_CLOCK_MULTIPLIER, UAC3_CLOCK_MULTIPLIER);
-static int uac_clock_selector_get_val(struct snd_usb_audio *chip, int selector_id)
+static int uac_clock_selector_get_val(struct snd_usb_audio *chip,
+ int selector_id, int iface_no)
{
+ struct usb_host_interface *ctrl_intf;
unsigned char buf;
int ret;
+ ctrl_intf = snd_usb_find_ctrl_interface(chip, iface_no);
ret = snd_usb_ctl_msg(chip->dev, usb_rcvctrlpipe(chip->dev, 0),
UAC2_CS_CUR,
USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
UAC2_CX_CLOCK_SELECTOR << 8,
- snd_usb_ctrl_intf(chip) | (selector_id << 8),
+ snd_usb_ctrl_intf(ctrl_intf) | (selector_id << 8),
&buf, sizeof(buf));
if (ret < 0)
@@ -111,16 +117,18 @@ static int uac_clock_selector_get_val(struct snd_usb_audio *chip, int selector_i
return buf;
}
-static int uac_clock_selector_set_val(struct snd_usb_audio *chip, int selector_id,
- unsigned char pin)
+static int uac_clock_selector_set_val(struct snd_usb_audio *chip,
+ int selector_id, unsigned char pin, int iface_no)
{
+ struct usb_host_interface *ctrl_intf;
int ret;
+ ctrl_intf = snd_usb_find_ctrl_interface(chip, iface_no);
ret = snd_usb_ctl_msg(chip->dev, usb_sndctrlpipe(chip->dev, 0),
UAC2_CS_CUR,
USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_OUT,
UAC2_CX_CLOCK_SELECTOR << 8,
- snd_usb_ctrl_intf(chip) | (selector_id << 8),
+ snd_usb_ctrl_intf(ctrl_intf) | (selector_id << 8),
&pin, sizeof(pin));
if (ret < 0)
return ret;
@@ -132,7 +140,7 @@ static int uac_clock_selector_set_val(struct snd_usb_audio *chip, int selector_i
return -EINVAL;
}
- ret = uac_clock_selector_get_val(chip, selector_id);
+ ret = uac_clock_selector_get_val(chip, selector_id, iface_no);
if (ret < 0)
return ret;
@@ -155,8 +163,10 @@ static bool uac_clock_source_is_valid_quirk(struct snd_usb_audio *chip,
unsigned char data;
struct usb_device *dev = chip->dev;
union uac23_clock_source_desc *cs_desc;
+ struct usb_host_interface *ctrl_intf;
- cs_desc = snd_usb_find_clock_source(chip, source_id, fmt->protocol);
+ ctrl_intf = snd_usb_find_ctrl_interface(chip, fmt->iface);
+ cs_desc = snd_usb_find_clock_source(chip, source_id, fmt);
if (!cs_desc)
return false;
@@ -191,7 +201,7 @@ static bool uac_clock_source_is_valid_quirk(struct snd_usb_audio *chip,
err = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0), UAC2_CS_CUR,
USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_IN,
UAC2_CS_CONTROL_CLOCK_VALID << 8,
- snd_usb_ctrl_intf(chip) | (source_id << 8),
+ snd_usb_ctrl_intf(ctrl_intf) | (source_id << 8),
&data, sizeof(data));
if (err < 0) {
dev_warn(&dev->dev,
@@ -217,8 +227,10 @@ static bool uac_clock_source_is_valid(struct snd_usb_audio *chip,
struct usb_device *dev = chip->dev;
u32 bmControls;
union uac23_clock_source_desc *cs_desc;
+ struct usb_host_interface *ctrl_intf;
- cs_desc = snd_usb_find_clock_source(chip, source_id, fmt->protocol);
+ ctrl_intf = snd_usb_find_ctrl_interface(chip, fmt->iface);
+ cs_desc = snd_usb_find_clock_source(chip, source_id, fmt);
if (!cs_desc)
return false;
@@ -235,7 +247,7 @@ static bool uac_clock_source_is_valid(struct snd_usb_audio *chip,
err = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0), UAC2_CS_CUR,
USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_IN,
UAC2_CS_CONTROL_CLOCK_VALID << 8,
- snd_usb_ctrl_intf(chip) | (source_id << 8),
+ snd_usb_ctrl_intf(ctrl_intf) | (source_id << 8),
&data, sizeof(data));
if (err < 0) {
@@ -272,7 +284,7 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip,
}
/* first, see if the ID we're looking at is a clock source already */
- source = snd_usb_find_clock_source(chip, entity_id, proto);
+ source = snd_usb_find_clock_source(chip, entity_id, fmt);
if (source) {
entity_id = GET_VAL(source, proto, bClockID);
if (validate && !uac_clock_source_is_valid(chip, fmt,
@@ -285,7 +297,7 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip,
return entity_id;
}
- selector = snd_usb_find_clock_selector(chip, entity_id, proto);
+ selector = snd_usb_find_clock_selector(chip, entity_id, fmt);
if (selector) {
pins = GET_VAL(selector, proto, bNrInPins);
clock_id = GET_VAL(selector, proto, bClockID);
@@ -299,7 +311,7 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip,
/* the entity ID we are looking at is a selector.
* find out what it currently selects */
- ret = uac_clock_selector_get_val(chip, clock_id);
+ ret = uac_clock_selector_get_val(chip, clock_id, fmt->iface);
if (ret < 0) {
if (!chip->autoclock)
return ret;
@@ -327,7 +339,7 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip,
/* Skip setting clock selector again for some devices */
if (chip->quirk_flags & QUIRK_FLAG_SKIP_CLOCK_SELECTOR)
return ret;
- err = uac_clock_selector_set_val(chip, entity_id, cur);
+ err = uac_clock_selector_set_val(chip, entity_id, cur, fmt->iface);
if (err < 0) {
if (pins == 1) {
usb_audio_dbg(chip,
@@ -355,7 +367,7 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip,
if (ret < 0)
continue;
- err = uac_clock_selector_set_val(chip, entity_id, i);
+ err = uac_clock_selector_set_val(chip, entity_id, i, fmt->iface);
if (err < 0)
continue;
@@ -369,7 +381,7 @@ static int __uac_clock_find_source(struct snd_usb_audio *chip,
}
/* FIXME: multipliers only act as pass-thru element for now */
- multiplier = snd_usb_find_clock_multiplier(chip, entity_id, proto);
+ multiplier = snd_usb_find_clock_multiplier(chip, entity_id, fmt);
if (multiplier)
return __uac_clock_find_source(chip, fmt,
GET_VAL(multiplier, proto, bCSourceID),
@@ -469,11 +481,13 @@ static int get_sample_rate_v2v3(struct snd_usb_audio *chip, int iface,
struct usb_device *dev = chip->dev;
__le32 data;
int err;
+ struct usb_host_interface *ctrl_intf;
+ ctrl_intf = snd_usb_find_ctrl_interface(chip, iface);
err = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0), UAC2_CS_CUR,
USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_IN,
UAC2_CS_CONTROL_SAM_FREQ << 8,
- snd_usb_ctrl_intf(chip) | (clock << 8),
+ snd_usb_ctrl_intf(ctrl_intf) | (clock << 8),
&data, sizeof(data));
if (err < 0) {
dev_warn(&dev->dev, "%d:%d: cannot get freq (v2/v3): err %d\n",
@@ -502,8 +516,10 @@ int snd_usb_set_sample_rate_v2v3(struct snd_usb_audio *chip,
__le32 data;
int err;
union uac23_clock_source_desc *cs_desc;
+ struct usb_host_interface *ctrl_intf;
- cs_desc = snd_usb_find_clock_source(chip, clock, fmt->protocol);
+ ctrl_intf = snd_usb_find_ctrl_interface(chip, fmt->iface);
+ cs_desc = snd_usb_find_clock_source(chip, clock, fmt);
if (!cs_desc)
return 0;
@@ -522,7 +538,7 @@ int snd_usb_set_sample_rate_v2v3(struct snd_usb_audio *chip,
err = snd_usb_ctl_msg(chip->dev, usb_sndctrlpipe(chip->dev, 0), UAC2_CS_CUR,
USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_OUT,
UAC2_CS_CONTROL_SAM_FREQ << 8,
- snd_usb_ctrl_intf(chip) | (clock << 8),
+ snd_usb_ctrl_intf(ctrl_intf) | (clock << 8),
&data, sizeof(data));
if (err < 0)
return err;
diff --git a/sound/usb/format.c b/sound/usb/format.c
index 3b45d0ee76938..61c4aca8be09e 100644
--- a/sound/usb/format.c
+++ b/sound/usb/format.c
@@ -548,7 +548,9 @@ static int parse_audio_format_rates_v2v3(struct snd_usb_audio *chip,
unsigned char tmp[2], *data;
int nr_triplets, data_size, ret = 0, ret_l6;
int clock = snd_usb_clock_find_source(chip, fp, false);
+ struct usb_host_interface *ctrl_intf;
+ ctrl_intf = snd_usb_find_ctrl_interface(chip, fp->iface);
if (clock < 0) {
dev_err(&dev->dev,
"%s(): unable to find clock source (clock %d)\n",
@@ -560,7 +562,7 @@ static int parse_audio_format_rates_v2v3(struct snd_usb_audio *chip,
ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0), UAC2_CS_RANGE,
USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_IN,
UAC2_CS_CONTROL_SAM_FREQ << 8,
- snd_usb_ctrl_intf(chip) | (clock << 8),
+ snd_usb_ctrl_intf(ctrl_intf) | (clock << 8),
tmp, sizeof(tmp));
if (ret < 0) {
@@ -595,7 +597,7 @@ static int parse_audio_format_rates_v2v3(struct snd_usb_audio *chip,
ret = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0), UAC2_CS_RANGE,
USB_TYPE_CLASS | USB_RECIP_INTERFACE | USB_DIR_IN,
UAC2_CS_CONTROL_SAM_FREQ << 8,
- snd_usb_ctrl_intf(chip) | (clock << 8),
+ snd_usb_ctrl_intf(ctrl_intf) | (clock << 8),
data, data_size);
if (ret < 0) {
diff --git a/sound/usb/helper.c b/sound/usb/helper.c
index bf80e55d013a8..72b671fb2c84c 100644
--- a/sound/usb/helper.c
+++ b/sound/usb/helper.c
@@ -130,3 +130,37 @@ snd_usb_get_host_interface(struct snd_usb_audio *chip, int ifnum, int altsetting
return NULL;
return usb_altnum_to_altsetting(iface, altsetting);
}
+
+int snd_usb_add_ctrl_interface_link(struct snd_usb_audio *chip, int ifnum,
+ int ctrlif)
+{
+ struct usb_device *dev = chip->dev;
+ struct usb_host_interface *host_iface;
+
+ if (chip->num_intf_to_ctrl >= MAX_CARD_INTERFACES) {
+ dev_info(&dev->dev, "Too many interfaces assigned to the single USB-audio card\n");
+ return -EINVAL;
+ }
+
+ /* find audiocontrol interface */
+ host_iface = &usb_ifnum_to_if(dev, ctrlif)->altsetting[0];
+
+ chip->intf_to_ctrl[chip->num_intf_to_ctrl].interface = ifnum;
+ chip->intf_to_ctrl[chip->num_intf_to_ctrl].ctrl_intf = host_iface;
+ chip->num_intf_to_ctrl++;
+
+ return 0;
+}
+
+struct usb_host_interface *snd_usb_find_ctrl_interface(struct snd_usb_audio *chip,
+ int ifnum)
+{
+ int i;
+
+ for (i = 0; i < chip->num_intf_to_ctrl; ++i)
+ if (chip->intf_to_ctrl[i].interface == ifnum)
+ return chip->intf_to_ctrl[i].ctrl_intf;
+
+ /* Fallback to first audiocontrol interface */
+ return chip->ctrl_intf;
+}
diff --git a/sound/usb/helper.h b/sound/usb/helper.h
index e2b51ec96ec62..0372e050b3dc4 100644
--- a/sound/usb/helper.h
+++ b/sound/usb/helper.h
@@ -17,6 +17,12 @@ unsigned char snd_usb_parse_datainterval(struct snd_usb_audio *chip,
struct usb_host_interface *
snd_usb_get_host_interface(struct snd_usb_audio *chip, int ifnum, int altsetting);
+int snd_usb_add_ctrl_interface_link(struct snd_usb_audio *chip, int ifnum,
+ int ctrlif);
+
+struct usb_host_interface *snd_usb_find_ctrl_interface(struct snd_usb_audio *chip,
+ int ifnum);
+
/*
* retrieve usb_interface descriptor from the host interface
* (conditional for compatibility with the older API)
@@ -28,9 +34,9 @@ snd_usb_get_host_interface(struct snd_usb_audio *chip, int ifnum, int altsetting
#define snd_usb_get_speed(dev) ((dev)->speed)
-static inline int snd_usb_ctrl_intf(struct snd_usb_audio *chip)
+static inline int snd_usb_ctrl_intf(struct usb_host_interface *ctrl_intf)
{
- return get_iface_desc(chip->ctrl_intf)->bInterfaceNumber;
+ return get_iface_desc(ctrl_intf)->bInterfaceNumber;
}
/* in validate.c */
diff --git a/sound/usb/mixer.c b/sound/usb/mixer.c
index 197fd07e69edd..017b50322d88f 100644
--- a/sound/usb/mixer.c
+++ b/sound/usb/mixer.c
@@ -728,7 +728,7 @@ static int get_cluster_channels_v3(struct mixer_build *state, unsigned int clust
UAC3_CS_REQ_HIGH_CAPABILITY_DESCRIPTOR,
USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
cluster_id,
- snd_usb_ctrl_intf(state->chip),
+ snd_usb_ctrl_intf(state->mixer->hostif),
&c_header, sizeof(c_header));
if (err < 0)
goto error;
diff --git a/sound/usb/mixer_quirks.c b/sound/usb/mixer_quirks.c
index c8d48566e1759..2323504339328 100644
--- a/sound/usb/mixer_quirks.c
+++ b/sound/usb/mixer_quirks.c
@@ -1043,7 +1043,7 @@ static int snd_ftu_eff_switch_init(struct usb_mixer_interface *mixer,
err = snd_usb_ctl_msg(dev, usb_rcvctrlpipe(dev, 0), UAC_GET_CUR,
USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
pval & 0xff00,
- snd_usb_ctrl_intf(mixer->chip) | ((pval & 0xff) << 8),
+ snd_usb_ctrl_intf(mixer->hostif) | ((pval & 0xff) << 8),
value, 2);
if (err < 0)
return err;
@@ -1077,7 +1077,7 @@ static int snd_ftu_eff_switch_update(struct usb_mixer_elem_list *list)
UAC_SET_CUR,
USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_OUT,
pval & 0xff00,
- snd_usb_ctrl_intf(chip) | ((pval & 0xff) << 8),
+ snd_usb_ctrl_intf(list->mixer->hostif) | ((pval & 0xff) << 8),
value, 2);
snd_usb_unlock_shutdown(chip);
return err;
@@ -2115,24 +2115,25 @@ static int dell_dock_mixer_create(struct usb_mixer_interface *mixer)
return 0;
}
-static void dell_dock_init_vol(struct snd_usb_audio *chip, int ch, int id)
+static void dell_dock_init_vol(struct usb_mixer_interface *mixer, int ch, int id)
{
+ struct snd_usb_audio *chip = mixer->chip;
u16 buf = 0;
snd_usb_ctl_msg(chip->dev, usb_sndctrlpipe(chip->dev, 0), UAC_SET_CUR,
USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_OUT,
(UAC_FU_VOLUME << 8) | ch,
- snd_usb_ctrl_intf(chip) | (id << 8),
+ snd_usb_ctrl_intf(mixer->hostif) | (id << 8),
&buf, 2);
}
static int dell_dock_mixer_init(struct usb_mixer_interface *mixer)
{
/* fix to 0dB playback volumes */
- dell_dock_init_vol(mixer->chip, 1, 16);
- dell_dock_init_vol(mixer->chip, 2, 16);
- dell_dock_init_vol(mixer->chip, 1, 19);
- dell_dock_init_vol(mixer->chip, 2, 19);
+ dell_dock_init_vol(mixer, 1, 16);
+ dell_dock_init_vol(mixer, 2, 16);
+ dell_dock_init_vol(mixer, 1, 19);
+ dell_dock_init_vol(mixer, 2, 19);
return 0;
}
diff --git a/sound/usb/mixer_scarlett.c b/sound/usb/mixer_scarlett.c
index 0d6e4f15bf77c..ff548041679bb 100644
--- a/sound/usb/mixer_scarlett.c
+++ b/sound/usb/mixer_scarlett.c
@@ -460,7 +460,7 @@ static int scarlett_ctl_meter_get(struct snd_kcontrol *kctl,
struct snd_usb_audio *chip = elem->head.mixer->chip;
unsigned char buf[2 * MAX_CHANNELS] = {0, };
int wValue = (elem->control << 8) | elem->idx_off;
- int idx = snd_usb_ctrl_intf(chip) | (elem->head.id << 8);
+ int idx = snd_usb_ctrl_intf(elem->head.mixer->hostif) | (elem->head.id << 8);
int err;
err = snd_usb_ctl_msg(chip->dev,
@@ -1002,7 +1002,7 @@ int snd_scarlett_controls_create(struct usb_mixer_interface *mixer)
err = snd_usb_ctl_msg(mixer->chip->dev,
usb_sndctrlpipe(mixer->chip->dev, 0), UAC2_CS_CUR,
USB_RECIP_INTERFACE | USB_TYPE_CLASS |
- USB_DIR_OUT, 0x0100, snd_usb_ctrl_intf(mixer->chip) |
+ USB_DIR_OUT, 0x0100, snd_usb_ctrl_intf(mixer->hostif) |
(0x29 << 8), sample_rate_buffer, 4);
if (err < 0)
return err;
diff --git a/sound/usb/power.c b/sound/usb/power.c
index 606a2cb23eab6..66bd4daa68fd5 100644
--- a/sound/usb/power.c
+++ b/sound/usb/power.c
@@ -40,6 +40,7 @@ snd_usb_find_power_domain(struct usb_host_interface *ctrl_iface,
le16_to_cpu(pd_desc->waRecoveryTime1);
pd->pd_d2d0_rec =
le16_to_cpu(pd_desc->waRecoveryTime2);
+ pd->ctrl_iface = ctrl_iface;
return pd;
}
}
@@ -57,7 +58,7 @@ int snd_usb_power_domain_set(struct snd_usb_audio *chip,
unsigned char current_state;
int err, idx;
- idx = snd_usb_ctrl_intf(chip) | (pd->pd_id << 8);
+ idx = snd_usb_ctrl_intf(pd->ctrl_iface) | (pd->pd_id << 8);
err = snd_usb_ctl_msg(chip->dev, usb_rcvctrlpipe(chip->dev, 0),
UAC2_CS_CUR,
diff --git a/sound/usb/power.h b/sound/usb/power.h
index 396e3e51440a7..1fa92ad0ca925 100644
--- a/sound/usb/power.h
+++ b/sound/usb/power.h
@@ -6,6 +6,7 @@ struct snd_usb_power_domain {
int pd_id; /* UAC3 Power Domain ID */
int pd_d1d0_rec; /* D1 to D0 recovery time */
int pd_d2d0_rec; /* D2 to D0 recovery time */
+ struct usb_host_interface *ctrl_iface; /* Control interface */
};
enum {
diff --git a/sound/usb/stream.c b/sound/usb/stream.c
index e14c725acebf2..d70c140813d68 100644
--- a/sound/usb/stream.c
+++ b/sound/usb/stream.c
@@ -713,10 +713,13 @@ snd_usb_get_audioformat_uac12(struct snd_usb_audio *chip,
struct usb_device *dev = chip->dev;
struct uac_format_type_i_continuous_descriptor *fmt;
unsigned int num_channels = 0, chconfig = 0;
+ struct usb_host_interface *ctrl_intf;
struct audioformat *fp;
int clock = 0;
u64 format;
+ ctrl_intf = snd_usb_find_ctrl_interface(chip, iface_no);
+
/* get audio formats */
if (protocol == UAC_VERSION_1) {
struct uac1_as_header_descriptor *as =
@@ -740,7 +743,7 @@ snd_usb_get_audioformat_uac12(struct snd_usb_audio *chip,
format = le16_to_cpu(as->wFormatTag); /* remember the format value */
- iterm = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf,
+ iterm = snd_usb_find_input_terminal_descriptor(ctrl_intf,
as->bTerminalLink,
protocol);
if (iterm) {
@@ -776,7 +779,7 @@ snd_usb_get_audioformat_uac12(struct snd_usb_audio *chip,
* lookup the terminal associated to this interface
* to extract the clock
*/
- input_term = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf,
+ input_term = snd_usb_find_input_terminal_descriptor(ctrl_intf,
as->bTerminalLink,
protocol);
if (input_term) {
@@ -786,7 +789,7 @@ snd_usb_get_audioformat_uac12(struct snd_usb_audio *chip,
goto found_clock;
}
- output_term = snd_usb_find_output_terminal_descriptor(chip->ctrl_intf,
+ output_term = snd_usb_find_output_terminal_descriptor(ctrl_intf,
as->bTerminalLink,
protocol);
if (output_term) {
@@ -870,6 +873,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
struct uac3_cluster_header_descriptor *cluster;
struct uac3_as_header_descriptor *as = NULL;
struct uac3_hc_descriptor_header hc_header;
+ struct usb_host_interface *ctrl_intf;
struct snd_pcm_chmap_elem *chmap;
struct snd_usb_power_domain *pd;
unsigned char badd_profile;
@@ -881,6 +885,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
int err;
badd_profile = chip->badd_profile;
+ ctrl_intf = snd_usb_find_ctrl_interface(chip, iface_no);
if (badd_profile >= UAC3_FUNCTION_SUBCLASS_GENERIC_IO) {
unsigned int maxpacksize =
@@ -966,7 +971,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
UAC3_CS_REQ_HIGH_CAPABILITY_DESCRIPTOR,
USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
cluster_id,
- snd_usb_ctrl_intf(chip),
+ snd_usb_ctrl_intf(ctrl_intf),
&hc_header, sizeof(hc_header));
if (err < 0)
return ERR_PTR(err);
@@ -990,7 +995,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
UAC3_CS_REQ_HIGH_CAPABILITY_DESCRIPTOR,
USB_RECIP_INTERFACE | USB_TYPE_CLASS | USB_DIR_IN,
cluster_id,
- snd_usb_ctrl_intf(chip),
+ snd_usb_ctrl_intf(ctrl_intf),
cluster, wLength);
if (err < 0) {
kfree(cluster);
@@ -1011,7 +1016,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
* lookup the terminal associated to this interface
* to extract the clock
*/
- input_term = snd_usb_find_input_terminal_descriptor(chip->ctrl_intf,
+ input_term = snd_usb_find_input_terminal_descriptor(ctrl_intf,
as->bTerminalLink,
UAC_VERSION_3);
if (input_term) {
@@ -1019,7 +1024,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
goto found_clock;
}
- output_term = snd_usb_find_output_terminal_descriptor(chip->ctrl_intf,
+ output_term = snd_usb_find_output_terminal_descriptor(ctrl_intf,
as->bTerminalLink,
UAC_VERSION_3);
if (output_term) {
@@ -1068,7 +1073,7 @@ snd_usb_get_audioformat_uac3(struct snd_usb_audio *chip,
UAC_VERSION_3,
iface_no);
- pd = snd_usb_find_power_domain(chip->ctrl_intf,
+ pd = snd_usb_find_power_domain(ctrl_intf,
as->bTerminalLink);
/* ok, let's parse further... */
diff --git a/sound/usb/usbaudio.h b/sound/usb/usbaudio.h
index 43d4029edab46..b0f042c996087 100644
--- a/sound/usb/usbaudio.h
+++ b/sound/usb/usbaudio.h
@@ -21,6 +21,15 @@ struct media_intf_devnode;
#define MAX_CARD_INTERFACES 16
+/*
+ * Structure holding assosiation between Audio Control Interface
+ * and given Streaming or Midi Interface.
+ */
+struct snd_intf_to_ctrl {
+ u8 interface;
+ struct usb_host_interface *ctrl_intf;
+};
+
struct snd_usb_audio {
int index;
struct usb_device *dev;
@@ -63,6 +72,9 @@ struct snd_usb_audio {
struct usb_host_interface *ctrl_intf; /* the audio control interface */
struct media_device *media_dev;
struct media_intf_devnode *ctl_intf_media_devnode;
+
+ unsigned int num_intf_to_ctrl;
+ struct snd_intf_to_ctrl intf_to_ctrl[MAX_CARD_INTERFACES];
};
#define USB_AUDIO_IFACE_UNUSED ((void *)-1L)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 110/386] ALSA: usb-audio: Define macros for quirk table entries
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 109/386] ALSA: usb-audio: Support multiple control interfaces Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 111/386] ALSA: usb-audio: Replace complex quirk lines with macros Greg Kroah-Hartman
` (286 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 0c3ad39b791c2ecf718afcaca30e5ceafa939d5c ]
Many entries in the USB-audio quirk tables have relatively complex
expressions. For improving the readability, introduce a few macros.
Those are applied in the following patch.
Link: https://patch.msgid.link/20240814134844.2726-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks-table.h | 77 ++++++++++++++++++++++++++++++++++++++++
1 file changed, 77 insertions(+)
diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
index d2aa97a5c438c..a0063caa769c5 100644
--- a/sound/usb/quirks-table.h
+++ b/sound/usb/quirks-table.h
@@ -35,6 +35,83 @@
.bInterfaceClass = USB_CLASS_AUDIO, \
.bInterfaceSubClass = USB_SUBCLASS_AUDIOCONTROL
+/* Quirk .driver_info, followed by the definition of the quirk entry;
+ * put like QUIRK_DRIVER_INFO { ... } in each entry of the quirk table
+ */
+#define QUIRK_DRIVER_INFO \
+ .driver_info = (unsigned long)&(const struct snd_usb_audio_quirk)
+
+/*
+ * Macros for quirk data entries
+ */
+
+/* Quirk data entry for ignoring the interface */
+#define QUIRK_DATA_IGNORE(_ifno) \
+ .ifnum = (_ifno), .type = QUIRK_IGNORE_INTERFACE
+/* Quirk data entry for a standard audio interface */
+#define QUIRK_DATA_STANDARD_AUDIO(_ifno) \
+ .ifnum = (_ifno), .type = QUIRK_AUDIO_STANDARD_INTERFACE
+/* Quirk data entry for a standard MIDI interface */
+#define QUIRK_DATA_STANDARD_MIDI(_ifno) \
+ .ifnum = (_ifno), .type = QUIRK_MIDI_STANDARD_INTERFACE
+/* Quirk data entry for a standard mixer interface */
+#define QUIRK_DATA_STANDARD_MIXER(_ifno) \
+ .ifnum = (_ifno), .type = QUIRK_AUDIO_STANDARD_MIXER
+
+/* Quirk data entry for Yamaha MIDI */
+#define QUIRK_DATA_MIDI_YAMAHA(_ifno) \
+ .ifnum = (_ifno), .type = QUIRK_MIDI_YAMAHA
+/* Quirk data entry for Edirol UAxx */
+#define QUIRK_DATA_EDIROL_UAXX(_ifno) \
+ .ifnum = (_ifno), .type = QUIRK_AUDIO_EDIROL_UAXX
+/* Quirk data entry for raw bytes interface */
+#define QUIRK_DATA_RAW_BYTES(_ifno) \
+ .ifnum = (_ifno), .type = QUIRK_MIDI_RAW_BYTES
+
+/* Quirk composite array terminator */
+#define QUIRK_COMPOSITE_END { .ifnum = -1 }
+
+/* Quirk data entry for composite quirks;
+ * followed by the quirk array that is terminated with QUIRK_COMPOSITE_END
+ * e.g. QUIRK_DATA_COMPOSITE { { quirk1 }, { quirk2 },..., QUIRK_COMPOSITE_END }
+ */
+#define QUIRK_DATA_COMPOSITE \
+ .ifnum = QUIRK_ANY_INTERFACE, \
+ .type = QUIRK_COMPOSITE, \
+ .data = &(const struct snd_usb_audio_quirk[])
+
+/* Quirk data entry for a fixed audio endpoint;
+ * followed by audioformat definition
+ * e.g. QUIRK_DATA_AUDIOFORMAT(n) { .formats = xxx, ... }
+ */
+#define QUIRK_DATA_AUDIOFORMAT(_ifno) \
+ .ifnum = (_ifno), \
+ .type = QUIRK_AUDIO_FIXED_ENDPOINT, \
+ .data = &(const struct audioformat)
+
+/* Quirk data entry for a fixed MIDI endpoint;
+ * followed by snd_usb_midi_endpoint_info definition
+ * e.g. QUIRK_DATA_MIDI_FIXED_ENDPOINT(n) { .out_cables = x, .in_cables = y }
+ */
+#define QUIRK_DATA_MIDI_FIXED_ENDPOINT(_ifno) \
+ .ifnum = (_ifno), \
+ .type = QUIRK_MIDI_FIXED_ENDPOINT, \
+ .data = &(const struct snd_usb_midi_endpoint_info)
+/* Quirk data entry for a MIDIMAN MIDI endpoint */
+#define QUIRK_DATA_MIDI_MIDIMAN(_ifno) \
+ .ifnum = (_ifno), \
+ .type = QUIRK_MIDI_MIDIMAN, \
+ .data = &(const struct snd_usb_midi_endpoint_info)
+/* Quirk data entry for a EMAGIC MIDI endpoint */
+#define QUIRK_DATA_MIDI_EMAGIC(_ifno) \
+ .ifnum = (_ifno), \
+ .type = QUIRK_MIDI_EMAGIC, \
+ .data = &(const struct snd_usb_midi_endpoint_info)
+
+/*
+ * Here we go... the quirk table definition begins:
+ */
+
/* FTDI devices */
{
USB_DEVICE(0x0403, 0xb8d8),
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 111/386] ALSA: usb-audio: Replace complex quirk lines with macros
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 110/386] ALSA: usb-audio: Define macros for quirk table entries Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 112/386] ALSA: usb-audio: Add logitech Audio profile quirk Greg Kroah-Hartman
` (285 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit d79e13f8e8abb5cd3a2a0f9fc9bc3fc750c5b06f ]
Apply the newly introduced macros for reduce the complex expressions
and cast in the quirk table definitions. It results in a significant
code reduction, too.
There should be no functional changes.
Link: https://patch.msgid.link/20240814134844.2726-3-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/quirks-table.h | 2210 ++++++++++----------------------------
1 file changed, 593 insertions(+), 1617 deletions(-)
diff --git a/sound/usb/quirks-table.h b/sound/usb/quirks-table.h
index a0063caa769c5..75cde5779f38d 100644
--- a/sound/usb/quirks-table.h
+++ b/sound/usb/quirks-table.h
@@ -115,7 +115,7 @@
/* FTDI devices */
{
USB_DEVICE(0x0403, 0xb8d8),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "STARR LABS", */
/* .product_name = "Starr Labs MIDI USB device", */
.ifnum = 0,
@@ -126,10 +126,8 @@
{
/* Creative BT-D1 */
USB_DEVICE(0x041e, 0x0005),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S16_LE,
.channels = 2,
.iface = 1,
@@ -164,18 +162,11 @@
*/
{
USB_AUDIO_DEVICE(0x041e, 0x4095),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = &(const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_MIXER(2) },
{
- .ifnum = 3,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(3) {
.formats = SNDRV_PCM_FMTBIT_S16_LE,
.channels = 2,
.fmt_bits = 16,
@@ -191,9 +182,7 @@
.rate_table = (unsigned int[]) { 48000 },
},
},
- {
- .ifnum = -1
- },
+ QUIRK_COMPOSITE_END
},
},
},
@@ -205,31 +194,18 @@
*/
{
USB_DEVICE(0x0424, 0xb832),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Standard Microsystems Corp.",
.product_name = "HP Wireless Audio",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
/* Mixer */
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE,
- },
+ { QUIRK_DATA_IGNORE(0) },
/* Playback */
- {
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE,
- },
+ { QUIRK_DATA_IGNORE(1) },
/* Capture */
- {
- .ifnum = 2,
- .type = QUIRK_IGNORE_INTERFACE,
- },
+ { QUIRK_DATA_IGNORE(2) },
/* HID Device, .ifnum = 3 */
- {
- .ifnum = -1,
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -252,20 +228,18 @@
#define YAMAHA_DEVICE(id, name) { \
USB_DEVICE(0x0499, id), \
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { \
+ QUIRK_DRIVER_INFO { \
.vendor_name = "Yamaha", \
.product_name = name, \
- .ifnum = QUIRK_ANY_INTERFACE, \
- .type = QUIRK_MIDI_YAMAHA \
+ QUIRK_DATA_MIDI_YAMAHA(QUIRK_ANY_INTERFACE) \
} \
}
#define YAMAHA_INTERFACE(id, intf, name) { \
USB_DEVICE_VENDOR_SPEC(0x0499, id), \
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) { \
+ QUIRK_DRIVER_INFO { \
.vendor_name = "Yamaha", \
.product_name = name, \
- .ifnum = intf, \
- .type = QUIRK_MIDI_YAMAHA \
+ QUIRK_DATA_MIDI_YAMAHA(intf) \
} \
}
YAMAHA_DEVICE(0x1000, "UX256"),
@@ -353,135 +327,67 @@ YAMAHA_DEVICE(0x105d, NULL),
YAMAHA_DEVICE(0x1718, "P-125"),
{
USB_DEVICE(0x0499, 0x1503),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "Yamaha", */
/* .product_name = "MOX6/MOX8", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 3,
- .type = QUIRK_MIDI_YAMAHA
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
+ { QUIRK_DATA_MIDI_YAMAHA(3) },
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0499, 0x1507),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "Yamaha", */
/* .product_name = "THR10", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 3,
- .type = QUIRK_MIDI_YAMAHA
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
+ { QUIRK_DATA_MIDI_YAMAHA(3) },
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0499, 0x1509),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "Yamaha", */
/* .product_name = "Steinberg UR22", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 3,
- .type = QUIRK_MIDI_YAMAHA
- },
- {
- .ifnum = 4,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
+ { QUIRK_DATA_MIDI_YAMAHA(3) },
+ { QUIRK_DATA_IGNORE(4) },
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0499, 0x150a),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "Yamaha", */
/* .product_name = "THR5A", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 3,
- .type = QUIRK_MIDI_YAMAHA
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
+ { QUIRK_DATA_MIDI_YAMAHA(3) },
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0499, 0x150c),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "Yamaha", */
/* .product_name = "THR10C", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 3,
- .type = QUIRK_MIDI_YAMAHA
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
+ { QUIRK_DATA_MIDI_YAMAHA(3) },
+ QUIRK_COMPOSITE_END
}
}
},
@@ -515,7 +421,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
USB_DEVICE_ID_MATCH_INT_CLASS,
.idVendor = 0x0499,
.bInterfaceClass = USB_CLASS_VENDOR_SPEC,
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.ifnum = QUIRK_ANY_INTERFACE,
.type = QUIRK_AUTODETECT
}
@@ -526,16 +432,12 @@ YAMAHA_DEVICE(0x7010, "UB99"),
*/
{
USB_DEVICE(0x0582, 0x0000),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "UA-100",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S16_LE,
.channels = 4,
.iface = 0,
@@ -550,9 +452,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S16_LE,
.channels = 2,
.iface = 1,
@@ -567,106 +467,66 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0007,
.in_cables = 0x0007
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0582, 0x0002),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UM-4",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
{
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x000f,
.in_cables = 0x000f
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0582, 0x0003),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "SC-8850",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
{
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x003f,
.in_cables = 0x003f
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0582, 0x0004),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "U-8",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
{
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0005,
.in_cables = 0x0005
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -674,152 +534,92 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* Has ID 0x0099 when not in "Advanced Driver" mode.
* The UM-2EX has only one input, but we cannot detect this. */
USB_DEVICE(0x0582, 0x0005),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UM-2",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
{
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0003,
.in_cables = 0x0003
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0582, 0x0007),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "SC-8820",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
{
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0013,
.in_cables = 0x0013
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0582, 0x0008),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "PC-300",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
{
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
/* has ID 0x009d when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0009),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UM-1",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
{
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0582, 0x000b),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "SK-500",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
{
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0013,
.in_cables = 0x0013
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -827,31 +627,19 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* thanks to Emiliano Grilli <emillo@libero.it>
* for helping researching this data */
USB_DEVICE(0x0582, 0x000c),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "SC-D70",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(0) },
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
{
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0007,
.in_cables = 0x0007
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -865,35 +653,23 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* the 96kHz sample rate.
*/
USB_DEVICE(0x0582, 0x0010),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UA-5",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
+ QUIRK_COMPOSITE_END
}
}
},
{
/* has ID 0x0013 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0012),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "XV-5050",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -902,12 +678,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x0015 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0014),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UM-880",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x01ff,
.in_cables = 0x01ff
}
@@ -916,74 +690,48 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x0017 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0016),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "SD-90",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(0) },
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x000f,
.in_cables = 0x000f
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
/* has ID 0x001c when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x001b),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "MMP-2",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
{
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
/* has ID 0x001e when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x001d),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "V-SYNTH",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -992,12 +740,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x0024 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0023),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UM-550",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x003f,
.in_cables = 0x003f
}
@@ -1010,20 +756,13 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* and no MIDI.
*/
USB_DEVICE(0x0582, 0x0025),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UA-20",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 2,
.iface = 1,
@@ -1038,9 +777,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(2) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 2,
.iface = 2,
@@ -1055,28 +792,22 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 3,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(3) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
/* has ID 0x0028 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0027),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "SD-20",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0003,
.in_cables = 0x0007
}
@@ -1085,12 +816,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x002a when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0029),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "SD-80",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x000f,
.in_cables = 0x000f
}
@@ -1103,39 +832,24 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* but offers only 16-bit PCM and no MIDI.
*/
USB_DEVICE_VENDOR_SPEC(0x0582, 0x002b),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UA-700",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_EDIROL_UAXX
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_EDIROL_UAXX
- },
- {
- .ifnum = 3,
- .type = QUIRK_AUDIO_EDIROL_UAXX
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_EDIROL_UAXX(1) },
+ { QUIRK_DATA_EDIROL_UAXX(2) },
+ { QUIRK_DATA_EDIROL_UAXX(3) },
+ QUIRK_COMPOSITE_END
}
}
},
{
/* has ID 0x002e when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x002d),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "XV-2020",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -1144,12 +858,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x0030 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x002f),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "VariOS",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0007,
.in_cables = 0x0007
}
@@ -1158,12 +870,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x0034 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0033),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "PCR",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0003,
.in_cables = 0x0007
}
@@ -1175,12 +885,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* later revisions use IDs 0x0054 and 0x00a2.
*/
USB_DEVICE(0x0582, 0x0037),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "Digital Piano",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -1193,39 +901,24 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* and no MIDI.
*/
USB_DEVICE_VENDOR_SPEC(0x0582, 0x003b),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "BOSS",
.product_name = "GS-10",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = & (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 3,
- .type = QUIRK_MIDI_STANDARD_INTERFACE
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
+ { QUIRK_DATA_STANDARD_MIDI(3) },
+ QUIRK_COMPOSITE_END
}
}
},
{
/* has ID 0x0041 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0040),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "GI-20",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -1234,12 +927,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x0043 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0042),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "RS-70",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -1248,36 +939,24 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x0049 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0047),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "EDIROL", */
/* .product_name = "UR-80", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
/* in the 96 kHz modes, only interface 1 is there */
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = -1
- }
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
+ QUIRK_COMPOSITE_END
}
}
},
{
/* has ID 0x004a when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0048),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "EDIROL", */
/* .product_name = "UR-80", */
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0003,
.in_cables = 0x0007
}
@@ -1286,35 +965,23 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x004e when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x004c),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "PCR-A",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
+ QUIRK_COMPOSITE_END
}
}
},
{
/* has ID 0x004f when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x004d),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "PCR-A",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0003,
.in_cables = 0x0007
}
@@ -1326,76 +993,52 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* is standard compliant, but has only 16-bit PCM.
*/
USB_DEVICE(0x0582, 0x0050),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UA-3FX",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0582, 0x0052),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UM-1SX",
- .ifnum = 0,
- .type = QUIRK_MIDI_STANDARD_INTERFACE
+ QUIRK_DATA_STANDARD_MIDI(0)
}
},
{
USB_DEVICE(0x0582, 0x0060),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "EXR Series",
- .ifnum = 0,
- .type = QUIRK_MIDI_STANDARD_INTERFACE
+ QUIRK_DATA_STANDARD_MIDI(0)
}
},
{
/* has ID 0x0066 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0064),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "EDIROL", */
/* .product_name = "PCR-1", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
+ QUIRK_COMPOSITE_END
}
}
},
{
/* has ID 0x0067 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0065),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "EDIROL", */
/* .product_name = "PCR-1", */
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0001,
.in_cables = 0x0003
}
@@ -1404,12 +1047,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x006e when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x006d),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "FANTOM-X",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -1422,39 +1063,24 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* offers only 16-bit PCM at 44.1 kHz and no MIDI.
*/
USB_DEVICE_VENDOR_SPEC(0x0582, 0x0074),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UA-25",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_EDIROL_UAXX
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_EDIROL_UAXX
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_EDIROL_UAXX
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_EDIROL_UAXX(0) },
+ { QUIRK_DATA_EDIROL_UAXX(1) },
+ { QUIRK_DATA_EDIROL_UAXX(2) },
+ QUIRK_COMPOSITE_END
}
}
},
{
/* has ID 0x0076 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0075),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "BOSS",
.product_name = "DR-880",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -1463,12 +1089,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x007b when not in "Advanced Driver" mode */
USB_DEVICE_VENDOR_SPEC(0x0582, 0x007a),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
/* "RD" or "RD-700SX"? */
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0003,
.in_cables = 0x0003
}
@@ -1477,12 +1101,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x0081 when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x0080),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Roland",
.product_name = "G-70",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -1491,12 +1113,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* has ID 0x008c when not in "Advanced Driver" mode */
USB_DEVICE(0x0582, 0x008b),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "PC-50",
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -1508,56 +1128,31 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* is standard compliant, but has only 16-bit PCM and no MIDI.
*/
USB_DEVICE(0x0582, 0x00a3),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UA-4FX",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_EDIROL_UAXX
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_EDIROL_UAXX
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_EDIROL_UAXX
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_EDIROL_UAXX(0) },
+ { QUIRK_DATA_EDIROL_UAXX(1) },
+ { QUIRK_DATA_EDIROL_UAXX(2) },
+ QUIRK_COMPOSITE_END
}
}
},
{
/* Edirol M-16DX */
USB_DEVICE(0x0582, 0x00c4),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(0) },
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -1567,37 +1162,22 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* offers only 16-bit PCM at 44.1 kHz and no MIDI.
*/
USB_DEVICE_VENDOR_SPEC(0x0582, 0x00e6),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "EDIROL",
.product_name = "UA-25EX",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_EDIROL_UAXX
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_EDIROL_UAXX
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_EDIROL_UAXX
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_EDIROL_UAXX(0) },
+ { QUIRK_DATA_EDIROL_UAXX(1) },
+ { QUIRK_DATA_EDIROL_UAXX(2) },
+ QUIRK_COMPOSITE_END
}
}
},
{
/* Edirol UM-3G */
USB_DEVICE_VENDOR_SPEC(0x0582, 0x0108),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
- .ifnum = 0,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(0) {
.out_cables = 0x0007,
.in_cables = 0x0007
}
@@ -1606,45 +1186,29 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* BOSS ME-25 */
USB_DEVICE(0x0582, 0x0113),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(0) },
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
/* only 44.1 kHz works at the moment */
USB_DEVICE(0x0582, 0x0120),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "Roland", */
/* .product_name = "OCTO-CAPTURE", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S32_LE,
.channels = 10,
.iface = 0,
@@ -1660,9 +1224,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S32_LE,
.channels = 12,
.iface = 1,
@@ -1678,40 +1240,26 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = 3,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 4,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = -1
- }
+ { QUIRK_DATA_IGNORE(3) },
+ { QUIRK_DATA_IGNORE(4) },
+ QUIRK_COMPOSITE_END
}
}
},
{
/* only 44.1 kHz works at the moment */
USB_DEVICE(0x0582, 0x012f),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "Roland", */
/* .product_name = "QUAD-CAPTURE", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S32_LE,
.channels = 4,
.iface = 0,
@@ -1727,9 +1275,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S32_LE,
.channels = 6,
.iface = 1,
@@ -1745,54 +1291,32 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = 3,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 4,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = -1
- }
+ { QUIRK_DATA_IGNORE(3) },
+ { QUIRK_DATA_IGNORE(4) },
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0582, 0x0159),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "Roland", */
/* .product_name = "UA-22", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(0) },
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(2) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -1800,19 +1324,19 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* UA101 and co are supported by another driver */
{
USB_DEVICE(0x0582, 0x0044), /* UA-1000 high speed */
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.ifnum = QUIRK_NODEV_INTERFACE
},
},
{
USB_DEVICE(0x0582, 0x007d), /* UA-101 high speed */
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.ifnum = QUIRK_NODEV_INTERFACE
},
},
{
USB_DEVICE(0x0582, 0x008d), /* UA-101 full speed */
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.ifnum = QUIRK_NODEV_INTERFACE
},
},
@@ -1823,7 +1347,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
USB_DEVICE_ID_MATCH_INT_CLASS,
.idVendor = 0x0582,
.bInterfaceClass = USB_CLASS_VENDOR_SPEC,
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.ifnum = QUIRK_ANY_INTERFACE,
.type = QUIRK_AUTODETECT
}
@@ -1838,12 +1362,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* compliant USB MIDI ports for external MIDI and controls.
*/
USB_DEVICE_VENDOR_SPEC(0x06f8, 0xb000),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Hercules",
.product_name = "DJ Console (WE)",
- .ifnum = 4,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(4) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -1853,12 +1375,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* Midiman/M-Audio devices */
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x1002),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "M-Audio",
.product_name = "MidiSport 2x2",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_MIDIMAN(QUIRK_ANY_INTERFACE) {
.out_cables = 0x0003,
.in_cables = 0x0003
}
@@ -1866,12 +1386,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x1011),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "M-Audio",
.product_name = "MidiSport 1x1",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_MIDIMAN(QUIRK_ANY_INTERFACE) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -1879,12 +1397,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x1015),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "M-Audio",
.product_name = "Keystation",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_MIDIMAN(QUIRK_ANY_INTERFACE) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -1892,12 +1408,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x1021),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "M-Audio",
.product_name = "MidiSport 4x4",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_MIDIMAN(QUIRK_ANY_INTERFACE) {
.out_cables = 0x000f,
.in_cables = 0x000f
}
@@ -1910,12 +1424,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* Thanks to Olaf Giesbrecht <Olaf_Giesbrecht@yahoo.de>
*/
USB_DEVICE_VER(0x0763, 0x1031, 0x0100, 0x0109),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "M-Audio",
.product_name = "MidiSport 8x8",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_MIDIMAN(QUIRK_ANY_INTERFACE) {
.out_cables = 0x01ff,
.in_cables = 0x01ff
}
@@ -1923,12 +1435,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x1033),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "M-Audio",
.product_name = "MidiSport 8x8",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_MIDIMAN(QUIRK_ANY_INTERFACE) {
.out_cables = 0x01ff,
.in_cables = 0x01ff
}
@@ -1936,12 +1446,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x1041),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "M-Audio",
.product_name = "MidiSport 2x4",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_MIDIMAN(QUIRK_ANY_INTERFACE) {
.out_cables = 0x000f,
.in_cables = 0x0003
}
@@ -1949,76 +1457,41 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x2001),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "M-Audio",
.product_name = "Quattro",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = & (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
/*
* Interfaces 0-2 are "Windows-compatible", 16-bit only,
* and share endpoints with the other interfaces.
* Ignore them. The other interfaces can do 24 bits,
* but captured samples are big-endian (see usbaudio.c).
*/
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 3,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 4,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 5,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 6,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 7,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 8,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 9,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
+ { QUIRK_DATA_IGNORE(2) },
+ { QUIRK_DATA_IGNORE(3) },
+ { QUIRK_DATA_STANDARD_AUDIO(4) },
+ { QUIRK_DATA_STANDARD_AUDIO(5) },
+ { QUIRK_DATA_IGNORE(6) },
+ { QUIRK_DATA_STANDARD_AUDIO(7) },
+ { QUIRK_DATA_STANDARD_AUDIO(8) },
+ {
+ QUIRK_DATA_MIDI_MIDIMAN(9) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x2003),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "M-Audio",
.product_name = "AudioPhile",
- .ifnum = 6,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_MIDIMAN(6) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -2026,12 +1499,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x2008),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "M-Audio",
.product_name = "Ozone",
- .ifnum = 3,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_MIDIMAN(3) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
@@ -2039,93 +1510,45 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x200d),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "M-Audio",
.product_name = "OmniStudio",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = & (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 3,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 4,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 5,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 6,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 7,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 8,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 9,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
+ { QUIRK_DATA_IGNORE(2) },
+ { QUIRK_DATA_IGNORE(3) },
+ { QUIRK_DATA_STANDARD_AUDIO(4) },
+ { QUIRK_DATA_STANDARD_AUDIO(5) },
+ { QUIRK_DATA_IGNORE(6) },
+ { QUIRK_DATA_STANDARD_AUDIO(7) },
+ { QUIRK_DATA_STANDARD_AUDIO(8) },
+ {
+ QUIRK_DATA_MIDI_MIDIMAN(9) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x0763, 0x2019),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "M-Audio", */
/* .product_name = "Ozone Academic", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = & (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(0) },
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 3,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_MIDIMAN(3) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -2135,21 +1558,14 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x2030),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "M-Audio", */
/* .product_name = "Fast Track C400", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = &(const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_MIXER(1) },
/* Playback */
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(2) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 6,
.iface = 2,
@@ -2173,9 +1589,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
/* Capture */
{
- .ifnum = 3,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(3) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 4,
.iface = 3,
@@ -2197,30 +1611,21 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.clock = 0x80,
}
},
- /* MIDI */
- {
- .ifnum = -1 /* Interface = 4 */
- }
+ /* MIDI: Interface = 4*/
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x2031),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "M-Audio", */
/* .product_name = "Fast Track C600", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = &(const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_MIXER(1) },
/* Playback */
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(2) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8,
.iface = 2,
@@ -2244,9 +1649,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
/* Capture */
{
- .ifnum = 3,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(3) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 6,
.iface = 3,
@@ -2268,29 +1671,20 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.clock = 0x80,
}
},
- /* MIDI */
- {
- .ifnum = -1 /* Interface = 4 */
- }
+ /* MIDI: Interface = 4 */
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x2080),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "M-Audio", */
/* .product_name = "Fast Track Ultra", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = & (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_MIXER(0) },
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8,
.iface = 1,
@@ -2312,9 +1706,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(2) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8,
.iface = 2,
@@ -2336,28 +1728,19 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
/* interface 3 (MIDI) is standard compliant */
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE_VENDOR_SPEC(0x0763, 0x2081),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "M-Audio", */
/* .product_name = "Fast Track Ultra 8R", */
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = & (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_MIXER(0) },
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8,
.iface = 1,
@@ -2379,9 +1762,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(2) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8,
.iface = 2,
@@ -2403,9 +1784,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
/* interface 3 (MIDI) is standard compliant */
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -2413,21 +1792,19 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* Casio devices */
{
USB_DEVICE(0x07cf, 0x6801),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Casio",
.product_name = "PL-40R",
- .ifnum = 0,
- .type = QUIRK_MIDI_YAMAHA
+ QUIRK_DATA_MIDI_YAMAHA(0)
}
},
{
/* this ID is used by several devices without a product ID */
USB_DEVICE(0x07cf, 0x6802),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Casio",
.product_name = "Keyboard",
- .ifnum = 0,
- .type = QUIRK_MIDI_YAMAHA
+ QUIRK_DATA_MIDI_YAMAHA(0)
}
},
@@ -2440,23 +1817,13 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.idVendor = 0x07fd,
.idProduct = 0x0001,
.bDeviceSubClass = 2,
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "MOTU",
.product_name = "Fastlane",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = & (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_MIDI_RAW_BYTES
- },
- {
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_RAW_BYTES(0) },
+ { QUIRK_DATA_IGNORE(1) },
+ QUIRK_COMPOSITE_END
}
}
},
@@ -2464,12 +1831,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* Emagic devices */
{
USB_DEVICE(0x086a, 0x0001),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Emagic",
.product_name = "Unitor8",
- .ifnum = 2,
- .type = QUIRK_MIDI_EMAGIC,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_EMAGIC(2) {
.out_cables = 0x80ff,
.in_cables = 0x80ff
}
@@ -2477,12 +1842,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE(0x086a, 0x0002),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Emagic",
/* .product_name = "AMT8", */
- .ifnum = 2,
- .type = QUIRK_MIDI_EMAGIC,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_EMAGIC(2) {
.out_cables = 0x80ff,
.in_cables = 0x80ff
}
@@ -2490,12 +1853,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE(0x086a, 0x0003),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Emagic",
/* .product_name = "MT4", */
- .ifnum = 2,
- .type = QUIRK_MIDI_EMAGIC,
- .data = & (const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_EMAGIC(2) {
.out_cables = 0x800f,
.in_cables = 0x8003
}
@@ -2505,38 +1866,35 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* KORG devices */
{
USB_DEVICE_VENDOR_SPEC(0x0944, 0x0200),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "KORG, Inc.",
/* .product_name = "PANDORA PX5D", */
- .ifnum = 3,
- .type = QUIRK_MIDI_STANDARD_INTERFACE,
+ QUIRK_DATA_STANDARD_MIDI(3)
}
},
{
USB_DEVICE_VENDOR_SPEC(0x0944, 0x0201),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "KORG, Inc.",
/* .product_name = "ToneLab ST", */
- .ifnum = 3,
- .type = QUIRK_MIDI_STANDARD_INTERFACE,
+ QUIRK_DATA_STANDARD_MIDI(3)
}
},
{
USB_DEVICE_VENDOR_SPEC(0x0944, 0x0204),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "KORG, Inc.",
/* .product_name = "ToneLab EX", */
- .ifnum = 3,
- .type = QUIRK_MIDI_STANDARD_INTERFACE,
+ QUIRK_DATA_STANDARD_MIDI(3)
}
},
/* AKAI devices */
{
USB_DEVICE(0x09e8, 0x0062),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "AKAI",
.product_name = "MPD16",
.ifnum = 0,
@@ -2547,21 +1905,11 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* Akai MPC Element */
USB_DEVICE(0x09e8, 0x0021),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = & (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_MIDI_STANDARD_INTERFACE
- },
- {
- .ifnum = -1
- }
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_STANDARD_MIDI(1) },
+ QUIRK_COMPOSITE_END
}
}
},
@@ -2570,66 +1918,36 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* Steinberg MI2 */
USB_DEVICE_VENDOR_SPEC(0x0a4e, 0x2040),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = & (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(0) },
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
{
- .ifnum = 3,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = &(const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(3) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
/* Steinberg MI4 */
USB_DEVICE_VENDOR_SPEC(0x0a4e, 0x4040),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = & (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(0) },
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
{
- .ifnum = 3,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = &(const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(3) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -2637,34 +1955,31 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* TerraTec devices */
{
USB_DEVICE_VENDOR_SPEC(0x0ccd, 0x0012),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "TerraTec",
.product_name = "PHASE 26",
- .ifnum = 3,
- .type = QUIRK_MIDI_STANDARD_INTERFACE
+ QUIRK_DATA_STANDARD_MIDI(3)
}
},
{
USB_DEVICE_VENDOR_SPEC(0x0ccd, 0x0013),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "TerraTec",
.product_name = "PHASE 26",
- .ifnum = 3,
- .type = QUIRK_MIDI_STANDARD_INTERFACE
+ QUIRK_DATA_STANDARD_MIDI(3)
}
},
{
USB_DEVICE_VENDOR_SPEC(0x0ccd, 0x0014),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "TerraTec",
.product_name = "PHASE 26",
- .ifnum = 3,
- .type = QUIRK_MIDI_STANDARD_INTERFACE
+ QUIRK_DATA_STANDARD_MIDI(3)
}
},
{
USB_DEVICE(0x0ccd, 0x0035),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Miditech",
.product_name = "Play'n Roll",
.ifnum = 0,
@@ -2679,7 +1994,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* Novation EMS devices */
{
USB_DEVICE_VENDOR_SPEC(0x1235, 0x0001),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Novation",
.product_name = "ReMOTE Audio/XStation",
.ifnum = 4,
@@ -2688,7 +2003,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE_VENDOR_SPEC(0x1235, 0x0002),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Novation",
.product_name = "Speedio",
.ifnum = 3,
@@ -2697,38 +2012,29 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
USB_DEVICE(0x1235, 0x000a),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "Novation", */
/* .product_name = "Nocturn", */
- .ifnum = 0,
- .type = QUIRK_MIDI_RAW_BYTES
+ QUIRK_DATA_RAW_BYTES(0)
}
},
{
USB_DEVICE(0x1235, 0x000e),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
/* .vendor_name = "Novation", */
/* .product_name = "Launchpad", */
- .ifnum = 0,
- .type = QUIRK_MIDI_RAW_BYTES
+ QUIRK_DATA_RAW_BYTES(0)
}
},
{
USB_DEVICE(0x1235, 0x0010),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Focusrite",
.product_name = "Saffire 6 USB",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_MIXER(0) },
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 4,
.iface = 0,
@@ -2755,9 +2061,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 2,
.iface = 0,
@@ -2779,28 +2083,19 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
}
},
- {
- .ifnum = 1,
- .type = QUIRK_MIDI_RAW_BYTES
- },
- {
- .ifnum = -1
- }
+ { QUIRK_DATA_RAW_BYTES(1) },
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE(0x1235, 0x0018),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Novation",
.product_name = "Twitch",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = & (const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 4,
.iface = 0,
@@ -2819,19 +2114,14 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
}
},
- {
- .ifnum = 1,
- .type = QUIRK_MIDI_RAW_BYTES
- },
- {
- .ifnum = -1
- }
+ { QUIRK_DATA_RAW_BYTES(1) },
+ QUIRK_COMPOSITE_END
}
}
},
{
USB_DEVICE_VENDOR_SPEC(0x1235, 0x4661),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Novation",
.product_name = "ReMOTE25",
.ifnum = 0,
@@ -2843,25 +2133,16 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* VirusTI Desktop */
USB_DEVICE_VENDOR_SPEC(0x133e, 0x0815),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = &(const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 3,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = &(const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(3) {
.out_cables = 0x0003,
.in_cables = 0x0003
}
},
- {
- .ifnum = 4,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = -1
- }
+ { QUIRK_DATA_IGNORE(4) },
+ QUIRK_COMPOSITE_END
}
}
},
@@ -2889,7 +2170,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* QinHeng devices */
{
USB_DEVICE(0x1a86, 0x752d),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "QinHeng",
.product_name = "CH345",
.ifnum = 1,
@@ -2903,7 +2184,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* Miditech devices */
{
USB_DEVICE(0x4752, 0x0011),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Miditech",
.product_name = "Midistart-2",
.ifnum = 0,
@@ -2915,7 +2196,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* this ID used by both Miditech MidiStudio-2 and CME UF-x */
USB_DEVICE(0x7104, 0x2202),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.ifnum = 0,
.type = QUIRK_MIDI_CME
}
@@ -2925,20 +2206,13 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
/* Thanks to Clemens Ladisch <clemens@ladisch.de> */
USB_DEVICE(0x0dba, 0x1000),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Digidesign",
.product_name = "MBox",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]){
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
+ QUIRK_DATA_COMPOSITE{
+ { QUIRK_DATA_STANDARD_MIXER(0) },
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S24_3BE,
.channels = 2,
.iface = 1,
@@ -2959,9 +2233,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S24_3BE,
.channels = 2,
.iface = 1,
@@ -2982,9 +2254,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -2992,24 +2262,14 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* DIGIDESIGN MBOX 2 */
{
USB_DEVICE(0x0dba, 0x3000),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Digidesign",
.product_name = "Mbox 2",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(2) {
.formats = SNDRV_PCM_FMTBIT_S24_3BE,
.channels = 2,
.iface = 2,
@@ -3027,15 +2287,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
}
},
+ { QUIRK_DATA_IGNORE(3) },
{
- .ifnum = 3,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 4,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
- .formats = SNDRV_PCM_FMTBIT_S24_3BE,
+ QUIRK_DATA_AUDIOFORMAT(4) {
+ .formats = SNDRV_PCM_FMTBIT_S24_3BE,
.channels = 2,
.iface = 4,
.altsetting = 2,
@@ -3052,14 +2307,9 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
}
},
+ { QUIRK_DATA_IGNORE(5) },
{
- .ifnum = 5,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 6,
- .type = QUIRK_MIDI_MIDIMAN,
- .data = &(const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_MIDIMAN(6) {
.out_ep = 0x02,
.out_cables = 0x0001,
.in_ep = 0x81,
@@ -3067,33 +2317,21 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
/* DIGIDESIGN MBOX 3 */
{
USB_DEVICE(0x0dba, 0x5000),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Digidesign",
.product_name = "Mbox 3",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_IGNORE(1) },
{
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(2) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 4,
.iface = 2,
@@ -3113,9 +2351,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 3,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(3) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 4,
.iface = 3,
@@ -3136,36 +2372,25 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 4,
- .type = QUIRK_MIDI_FIXED_ENDPOINT,
- .data = &(const struct snd_usb_midi_endpoint_info) {
+ QUIRK_DATA_MIDI_FIXED_ENDPOINT(4) {
.out_cables = 0x0001,
.in_cables = 0x0001
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
{
/* Tascam US122 MKII - playback-only support */
USB_DEVICE_VENDOR_SPEC(0x0644, 0x8021),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "TASCAM",
.product_name = "US122 MKII",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
{
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 2,
.iface = 1,
@@ -3186,9 +2411,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3196,20 +2419,13 @@ YAMAHA_DEVICE(0x7010, "UB99"),
/* Denon DN-X1600 */
{
USB_AUDIO_DEVICE(0x154e, 0x500e),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Denon",
.product_name = "DN-X1600",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]){
+ QUIRK_DATA_COMPOSITE{
+ { QUIRK_DATA_IGNORE(0) },
{
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE,
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8,
.iface = 1,
@@ -3230,9 +2446,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(2) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8,
.iface = 2,
@@ -3252,13 +2466,8 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
}
},
- {
- .ifnum = 4,
- .type = QUIRK_MIDI_STANDARD_INTERFACE,
- },
- {
- .ifnum = -1
- }
+ { QUIRK_DATA_STANDARD_MIDI(4) },
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3267,17 +2476,13 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
USB_DEVICE(0x045e, 0x0283),
.bInterfaceClass = USB_CLASS_PER_INTERFACE,
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Microsoft",
.product_name = "XboxLive Headset/Xbox Communicator",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = &(const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
{
/* playback */
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S16_LE,
.channels = 1,
.iface = 0,
@@ -3293,9 +2498,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
{
/* capture */
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S16_LE,
.channels = 1,
.iface = 1,
@@ -3309,9 +2512,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_max = 16000
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3320,18 +2521,11 @@ YAMAHA_DEVICE(0x7010, "UB99"),
{
USB_DEVICE(0x200c, 0x100b),
.bInterfaceClass = USB_CLASS_PER_INTERFACE,
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = &(const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_MIXER(0) },
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 4,
.iface = 1,
@@ -3350,9 +2544,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3365,28 +2557,12 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* enabled in create_standard_audio_quirk().
*/
USB_DEVICE(0x1686, 0x00dd),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- /* Playback */
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE,
- },
- {
- /* Capture */
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE,
- },
- {
- /* Midi */
- .ifnum = 3,
- .type = QUIRK_MIDI_STANDARD_INTERFACE
- },
- {
- .ifnum = -1
- },
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(1) }, /* Playback */
+ { QUIRK_DATA_STANDARD_AUDIO(2) }, /* Capture */
+ { QUIRK_DATA_STANDARD_MIDI(3) }, /* Midi */
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3400,18 +2576,16 @@ YAMAHA_DEVICE(0x7010, "UB99"),
USB_DEVICE_ID_MATCH_INT_SUBCLASS,
.bInterfaceClass = USB_CLASS_AUDIO,
.bInterfaceSubClass = USB_SUBCLASS_MIDISTREAMING,
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_MIDI_STANDARD_INTERFACE
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_STANDARD_MIDI(QUIRK_ANY_INTERFACE)
}
},
/* Rane SL-1 */
{
USB_DEVICE(0x13e5, 0x0001),
- .driver_info = (unsigned long) & (const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_STANDARD_AUDIO(QUIRK_ANY_INTERFACE)
}
},
@@ -3427,24 +2601,13 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* and only the 48 kHz sample rate works for the playback interface.
*/
USB_DEVICE(0x0a12, 0x1243),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
- /* Capture */
- {
- .ifnum = 1,
- .type = QUIRK_IGNORE_INTERFACE,
- },
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_MIXER(0) },
+ { QUIRK_DATA_IGNORE(1) }, /* Capture */
/* Playback */
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(2) {
.formats = SNDRV_PCM_FMTBIT_S16_LE,
.channels = 2,
.iface = 2,
@@ -3463,9 +2626,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
}
},
- {
- .ifnum = -1
- },
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3478,19 +2639,12 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* even on windows.
*/
USB_DEVICE(0x19b5, 0x0021),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_MIXER(0) },
/* Playback */
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S16_LE,
.channels = 2,
.iface = 1,
@@ -3509,29 +2663,20 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
}
},
- {
- .ifnum = -1
- },
+ QUIRK_COMPOSITE_END
}
}
},
/* MOTU Microbook II */
{
USB_DEVICE_VENDOR_SPEC(0x07fd, 0x0004),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "MOTU",
.product_name = "MicroBookII",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_MIXER(0) },
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3BE,
.channels = 6,
.iface = 0,
@@ -3552,9 +2697,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3BE,
.channels = 8,
.iface = 0,
@@ -3575,9 +2718,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3589,14 +2730,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* The feedback for the output is the input.
*/
USB_DEVICE_VENDOR_SPEC(0x2b73, 0x0023),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S32_LE,
.channels = 12,
.iface = 0,
@@ -3613,9 +2750,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S32_LE,
.channels = 10,
.iface = 0,
@@ -3633,9 +2768,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_table = (unsigned int[]) { 44100 }
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3678,14 +2811,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* but not for DVS (Digital Vinyl Systems) like in Mixxx.
*/
USB_DEVICE_VENDOR_SPEC(0x2b73, 0x0017),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8, // outputs
.iface = 0,
@@ -3702,9 +2831,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8, // inputs
.iface = 0,
@@ -3722,9 +2849,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_table = (unsigned int[]) { 48000 }
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3735,14 +2860,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* The feedback for the output is the dummy input.
*/
USB_DEVICE_VENDOR_SPEC(0x2b73, 0x000e),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 4,
.iface = 0,
@@ -3759,9 +2880,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 2,
.iface = 0,
@@ -3779,9 +2898,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_table = (unsigned int[]) { 44100 }
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3792,14 +2909,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* PCM is 6 channels out & 4 channels in @ 44.1 fixed
*/
USB_DEVICE_VENDOR_SPEC(0x2b73, 0x000d),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 6, //Master, Headphones & Booth
.iface = 0,
@@ -3816,9 +2929,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 4, //2x RCA inputs (CH1 & CH2)
.iface = 0,
@@ -3836,9 +2947,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_table = (unsigned int[]) { 44100 }
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3850,14 +2959,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* The Feedback for the output is the input
*/
USB_DEVICE_VENDOR_SPEC(0x2b73, 0x001e),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 4,
.iface = 0,
@@ -3874,9 +2979,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 6,
.iface = 0,
@@ -3894,9 +2997,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_table = (unsigned int[]) { 44100 }
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3907,14 +3008,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* 10 channels playback & 12 channels capture @ 44.1/48/96kHz S24LE
*/
USB_DEVICE_VENDOR_SPEC(0x2b73, 0x000a),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 10,
.iface = 0,
@@ -3935,9 +3032,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 12,
.iface = 0,
@@ -3959,9 +3054,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -3973,14 +3066,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* The Feedback for the output is the input
*/
USB_DEVICE_VENDOR_SPEC(0x2b73, 0x0029),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 6,
.iface = 0,
@@ -3997,9 +3086,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 6,
.iface = 0,
@@ -4017,9 +3104,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_table = (unsigned int[]) { 44100 }
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -4037,20 +3122,13 @@ YAMAHA_DEVICE(0x7010, "UB99"),
*/
{
USB_AUDIO_DEVICE(0x534d, 0x0021),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "MacroSilicon",
.product_name = "MS210x",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = &(const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_MIXER(2) },
{
- .ifnum = 3,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(3) {
.formats = SNDRV_PCM_FMTBIT_S16_LE,
.channels = 2,
.iface = 3,
@@ -4065,9 +3143,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_max = 48000,
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -4085,20 +3161,13 @@ YAMAHA_DEVICE(0x7010, "UB99"),
*/
{
USB_AUDIO_DEVICE(0x534d, 0x2109),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "MacroSilicon",
.product_name = "MS2109",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = &(const struct snd_usb_audio_quirk[]) {
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_MIXER(2) },
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_MIXER,
- },
- {
- .ifnum = 3,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(3) {
.formats = SNDRV_PCM_FMTBIT_S16_LE,
.channels = 2,
.iface = 3,
@@ -4113,9 +3182,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_max = 48000,
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -4125,14 +3192,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* 8 channels playback & 8 channels capture @ 44.1/48/96kHz S24LE
*/
USB_DEVICE_VENDOR_SPEC(0x08e4, 0x017f),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8,
.iface = 0,
@@ -4151,9 +3214,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8,
.iface = 0,
@@ -4173,9 +3234,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_table = (unsigned int[]) { 44100, 48000, 96000 }
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -4185,14 +3244,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* 10 channels playback & 12 channels capture @ 48kHz S24LE
*/
USB_DEVICE_VENDOR_SPEC(0x2b73, 0x001b),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 10,
.iface = 0,
@@ -4211,9 +3266,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 12,
.iface = 0,
@@ -4231,9 +3284,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_table = (unsigned int[]) { 48000 }
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -4245,14 +3296,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* Capture on EP 0x86
*/
USB_DEVICE_VENDOR_SPEC(0x08e4, 0x0163),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8,
.iface = 0,
@@ -4272,9 +3319,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8,
.iface = 0,
@@ -4294,9 +3339,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_table = (unsigned int[]) { 44100, 48000, 96000 }
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -4307,14 +3350,10 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* and 8 channels in @ 48 fixed (endpoint 0x82).
*/
USB_DEVICE_VENDOR_SPEC(0x2b73, 0x0013),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8, // outputs
.iface = 0,
@@ -4331,9 +3370,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
}
},
{
- .ifnum = 0,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(0) {
.formats = SNDRV_PCM_FMTBIT_S24_3LE,
.channels = 8, // inputs
.iface = 0,
@@ -4351,9 +3388,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.rate_table = (unsigned int[]) { 48000 }
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -4364,28 +3399,15 @@ YAMAHA_DEVICE(0x7010, "UB99"),
*/
USB_DEVICE(0x1395, 0x0300),
.bInterfaceClass = USB_CLASS_PER_INTERFACE,
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = &(const struct snd_usb_audio_quirk[]) {
+ QUIRK_DRIVER_INFO {
+ QUIRK_DATA_COMPOSITE {
// Communication
- {
- .ifnum = 3,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
+ { QUIRK_DATA_STANDARD_AUDIO(3) },
// Recording
- {
- .ifnum = 4,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
+ { QUIRK_DATA_STANDARD_AUDIO(4) },
// Main
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
- {
- .ifnum = -1
- }
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ QUIRK_COMPOSITE_END
}
}
},
@@ -4394,21 +3416,14 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* Fiero SC-01 (firmware v1.0.0 @ 48 kHz)
*/
USB_DEVICE(0x2b53, 0x0023),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Fiero",
.product_name = "SC-01",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = &(const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(0) },
/* Playback */
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S32_LE,
.channels = 2,
.fmt_bits = 24,
@@ -4428,9 +3443,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
/* Capture */
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(2) {
.formats = SNDRV_PCM_FMTBIT_S32_LE,
.channels = 2,
.fmt_bits = 24,
@@ -4449,9 +3462,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.clock = 0x29
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -4460,21 +3471,14 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* Fiero SC-01 (firmware v1.0.0 @ 96 kHz)
*/
USB_DEVICE(0x2b53, 0x0024),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Fiero",
.product_name = "SC-01",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = &(const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(0) },
/* Playback */
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S32_LE,
.channels = 2,
.fmt_bits = 24,
@@ -4494,9 +3498,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
/* Capture */
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(2) {
.formats = SNDRV_PCM_FMTBIT_S32_LE,
.channels = 2,
.fmt_bits = 24,
@@ -4515,9 +3517,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.clock = 0x29
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -4526,21 +3526,14 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* Fiero SC-01 (firmware v1.1.0)
*/
USB_DEVICE(0x2b53, 0x0031),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Fiero",
.product_name = "SC-01",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = &(const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE
- },
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_STANDARD_AUDIO(0) },
/* Playback */
{
- .ifnum = 1,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(1) {
.formats = SNDRV_PCM_FMTBIT_S32_LE,
.channels = 2,
.fmt_bits = 24,
@@ -4561,9 +3554,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
},
/* Capture */
{
- .ifnum = 2,
- .type = QUIRK_AUDIO_FIXED_ENDPOINT,
- .data = &(const struct audioformat) {
+ QUIRK_DATA_AUDIOFORMAT(2) {
.formats = SNDRV_PCM_FMTBIT_S32_LE,
.channels = 2,
.fmt_bits = 24,
@@ -4583,9 +3574,7 @@ YAMAHA_DEVICE(0x7010, "UB99"),
.clock = 0x29
}
},
- {
- .ifnum = -1
- }
+ QUIRK_COMPOSITE_END
}
}
},
@@ -4594,27 +3583,14 @@ YAMAHA_DEVICE(0x7010, "UB99"),
* For the standard mode, Mythware XA001AU has ID ffad:a001
*/
USB_DEVICE_VENDOR_SPEC(0xffad, 0xa001),
- .driver_info = (unsigned long) &(const struct snd_usb_audio_quirk) {
+ QUIRK_DRIVER_INFO {
.vendor_name = "Mythware",
.product_name = "XA001AU",
- .ifnum = QUIRK_ANY_INTERFACE,
- .type = QUIRK_COMPOSITE,
- .data = (const struct snd_usb_audio_quirk[]) {
- {
- .ifnum = 0,
- .type = QUIRK_IGNORE_INTERFACE,
- },
- {
- .ifnum = 1,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE,
- },
- {
- .ifnum = 2,
- .type = QUIRK_AUDIO_STANDARD_INTERFACE,
- },
- {
- .ifnum = -1
- }
+ QUIRK_DATA_COMPOSITE {
+ { QUIRK_DATA_IGNORE(0) },
+ { QUIRK_DATA_STANDARD_AUDIO(1) },
+ { QUIRK_DATA_STANDARD_AUDIO(2) },
+ QUIRK_COMPOSITE_END
}
}
},
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 112/386] ALSA: usb-audio: Add logitech Audio profile quirk
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 111/386] ALSA: usb-audio: Replace complex quirk lines with macros Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 113/386] ASoC: codecs: wsa883x: Handle reading version failure Greg Kroah-Hartman
` (284 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Joshua Pius, Takashi Iwai,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joshua Pius <joshuapius@chromium.org>
[ Upstream commit a51c925c11d7b855167e64b63eb4378e5adfc11d ]
Specify shortnames for the following Logitech Devices: Rally bar, Rally
bar mini, Tap, MeetUp and Huddle.
Signed-off-by: Joshua Pius <joshuapius@chromium.org>
Link: https://patch.msgid.link/20240912152635.1859737-1-joshuapius@google.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/usb/card.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/sound/usb/card.c b/sound/usb/card.c
index 7c98cc831b8d9..753fb47d25913 100644
--- a/sound/usb/card.c
+++ b/sound/usb/card.c
@@ -384,6 +384,12 @@ static const struct usb_audio_device_name usb_audio_names[] = {
/* Creative/Toshiba Multimedia Center SB-0500 */
DEVICE_NAME(0x041e, 0x3048, "Toshiba", "SB-0500"),
+ /* Logitech Audio Devices */
+ DEVICE_NAME(0x046d, 0x0867, "Logitech, Inc.", "Logi-MeetUp"),
+ DEVICE_NAME(0x046d, 0x0874, "Logitech, Inc.", "Logi-Tap-Audio"),
+ DEVICE_NAME(0x046d, 0x087c, "Logitech, Inc.", "Logi-Huddle"),
+ DEVICE_NAME(0x046d, 0x0898, "Logitech, Inc.", "Logi-RB-Audio"),
+ DEVICE_NAME(0x046d, 0x08d2, "Logitech, Inc.", "Logi-RBM-Audio"),
DEVICE_NAME(0x046d, 0x0990, "Logitech, Inc.", "QuickCam Pro 9000"),
DEVICE_NAME(0x05e1, 0x0408, "Syntek", "STK1160"),
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 113/386] ASoC: codecs: wsa883x: Handle reading version failure
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 112/386] ALSA: usb-audio: Add logitech Audio profile quirk Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 114/386] tools/x86/kcpuid: Protect against faulty "max subleaf" values Greg Kroah-Hartman
` (283 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
[ Upstream commit 2fbf16992e5aa14acf0441320033a01a32309ded ]
If reading version and variant from registers fails (which is unlikely
but possible, because it is a read over bus), the driver will proceed
and perform device configuration based on uninitialized stack variables.
Handle it a bit better - bail out without doing any init and failing the
update status Soundwire callback.
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://patch.msgid.link/20240710-asoc-wsa88xx-version-v1-2-f1c54966ccde@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/wsa883x.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/sound/soc/codecs/wsa883x.c b/sound/soc/codecs/wsa883x.c
index 2169d93989841..1831d4487ba9d 100644
--- a/sound/soc/codecs/wsa883x.c
+++ b/sound/soc/codecs/wsa883x.c
@@ -998,15 +998,19 @@ static const struct reg_sequence reg_init[] = {
{WSA883X_GMAMP_SUP1, 0xE2},
};
-static void wsa883x_init(struct wsa883x_priv *wsa883x)
+static int wsa883x_init(struct wsa883x_priv *wsa883x)
{
struct regmap *regmap = wsa883x->regmap;
- int variant, version;
+ int variant, version, ret;
- regmap_read(regmap, WSA883X_OTP_REG_0, &variant);
+ ret = regmap_read(regmap, WSA883X_OTP_REG_0, &variant);
+ if (ret)
+ return ret;
wsa883x->variant = variant & WSA883X_ID_MASK;
- regmap_read(regmap, WSA883X_CHIP_ID0, &version);
+ ret = regmap_read(regmap, WSA883X_CHIP_ID0, &version);
+ if (ret)
+ return ret;
wsa883x->version = version;
switch (wsa883x->variant) {
@@ -1041,6 +1045,8 @@ static void wsa883x_init(struct wsa883x_priv *wsa883x)
WSA883X_DRE_OFFSET_MASK,
wsa883x->comp_offset);
}
+
+ return 0;
}
static int wsa883x_update_status(struct sdw_slave *slave,
@@ -1049,7 +1055,7 @@ static int wsa883x_update_status(struct sdw_slave *slave,
struct wsa883x_priv *wsa883x = dev_get_drvdata(&slave->dev);
if (status == SDW_SLAVE_ATTACHED && slave->dev_num > 0)
- wsa883x_init(wsa883x);
+ return wsa883x_init(wsa883x);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 114/386] tools/x86/kcpuid: Protect against faulty "max subleaf" values
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 113/386] ASoC: codecs: wsa883x: Handle reading version failure Greg Kroah-Hartman
@ 2024-10-08 12:05 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 115/386] x86/pkeys: Add PKRU as a parameter in signal handling functions Greg Kroah-Hartman
` (282 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:05 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ahmed S. Darwish, Thomas Gleixner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ahmed S. Darwish <darwi@linutronix.de>
[ Upstream commit cf96ab1a966b87b09fdd9e8cc8357d2d00776a3a ]
Protect against the kcpuid code parsing faulty max subleaf numbers
through a min() expression. Thus, ensuring that max_subleaf will always
be ≤ MAX_SUBLEAF_NUM.
Use "u32" for the subleaf numbers since kcpuid is compiled with -Wextra,
which includes signed/unsigned comparisons warnings.
Signed-off-by: Ahmed S. Darwish <darwi@linutronix.de>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/20240718134755.378115-5-darwi@linutronix.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/arch/x86/kcpuid/kcpuid.c | 12 +++++-------
1 file changed, 5 insertions(+), 7 deletions(-)
diff --git a/tools/arch/x86/kcpuid/kcpuid.c b/tools/arch/x86/kcpuid/kcpuid.c
index 24b7d017ec2c1..b7965dfff33a9 100644
--- a/tools/arch/x86/kcpuid/kcpuid.c
+++ b/tools/arch/x86/kcpuid/kcpuid.c
@@ -7,7 +7,8 @@
#include <string.h>
#include <getopt.h>
-#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define ARRAY_SIZE(x) (sizeof(x) / sizeof((x)[0]))
+#define min(a, b) (((a) < (b)) ? (a) : (b))
typedef unsigned int u32;
typedef unsigned long long u64;
@@ -207,12 +208,9 @@ static void raw_dump_range(struct cpuid_range *range)
#define MAX_SUBLEAF_NUM 32
struct cpuid_range *setup_cpuid_range(u32 input_eax)
{
- u32 max_func, idx_func;
- int subleaf;
+ u32 max_func, idx_func, subleaf, max_subleaf;
+ u32 eax, ebx, ecx, edx, f = input_eax;
struct cpuid_range *range;
- u32 eax, ebx, ecx, edx;
- u32 f = input_eax;
- int max_subleaf;
bool allzero;
eax = input_eax;
@@ -258,7 +256,7 @@ struct cpuid_range *setup_cpuid_range(u32 input_eax)
* others have to be tried (0xf)
*/
if (f == 0x7 || f == 0x14 || f == 0x17 || f == 0x18)
- max_subleaf = (eax & 0xff) + 1;
+ max_subleaf = min((eax & 0xff) + 1, max_subleaf);
if (f == 0xb)
max_subleaf = 2;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 115/386] x86/pkeys: Add PKRU as a parameter in signal handling functions
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2024-10-08 12:05 ` [PATCH 6.6 114/386] tools/x86/kcpuid: Protect against faulty "max subleaf" values Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 116/386] x86/pkeys: Restore altstack access in sigreturn() Greg Kroah-Hartman
` (281 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aruna Ramakrishna, Thomas Gleixner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aruna Ramakrishna <aruna.ramakrishna@oracle.com>
[ Upstream commit 24cf2bc982ffe02aeffb4a3885c71751a2c7023b ]
Assume there's a multithreaded application that runs untrusted user
code. Each thread has its stack/code protected by a non-zero PKEY, and the
PKRU register is set up such that only that particular non-zero PKEY is
enabled. Each thread also sets up an alternate signal stack to handle
signals, which is protected by PKEY zero. The PKEYs man page documents that
the PKRU will be reset to init_pkru when the signal handler is invoked,
which means that PKEY zero access will be enabled. But this reset happens
after the kernel attempts to push fpu state to the alternate stack, which
is not (yet) accessible by the kernel, which leads to a new SIGSEGV being
sent to the application, terminating it.
Enabling both the non-zero PKEY (for the thread) and PKEY zero in
userspace will not work for this use case. It cannot have the alt stack
writeable by all - the rationale here is that the code running in that
thread (using a non-zero PKEY) is untrusted and should not have access
to the alternate signal stack (that uses PKEY zero), to prevent the
return address of a function from being changed. The expectation is that
kernel should be able to set up the alternate signal stack and deliver
the signal to the application even if PKEY zero is explicitly disabled
by the application. The signal handler accessibility should not be
dictated by whatever PKRU value the thread sets up.
The PKRU register is managed by XSAVE, which means the sigframe contents
must match the register contents - which is not the case here. It's
required that the signal frame contains the user-defined PKRU value (so
that it is restored correctly from sigcontext) but the actual register must
be reset to init_pkru so that the alt stack is accessible and the signal
can be delivered to the application. It seems that the proper fix here
would be to remove PKRU from the XSAVE framework and manage it separately,
which is quite complicated. As a workaround, do this:
orig_pkru = rdpkru();
wrpkru(orig_pkru & init_pkru_value);
xsave_to_user_sigframe();
put_user(pkru_sigframe_addr, orig_pkru)
In preparation for writing PKRU to sigframe, pass PKRU as an additional
parameter down the call chain from get_sigframe().
No functional change.
Signed-off-by: Aruna Ramakrishna <aruna.ramakrishna@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/20240802061318.2140081-2-aruna.ramakrishna@oracle.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/fpu/signal.h | 2 +-
arch/x86/kernel/fpu/signal.c | 6 +++---
arch/x86/kernel/signal.c | 3 ++-
3 files changed, 6 insertions(+), 5 deletions(-)
diff --git a/arch/x86/include/asm/fpu/signal.h b/arch/x86/include/asm/fpu/signal.h
index 611fa41711aff..eccc75bc9c4f3 100644
--- a/arch/x86/include/asm/fpu/signal.h
+++ b/arch/x86/include/asm/fpu/signal.h
@@ -29,7 +29,7 @@ fpu__alloc_mathframe(unsigned long sp, int ia32_frame,
unsigned long fpu__get_fpstate_size(void);
-extern bool copy_fpstate_to_sigframe(void __user *buf, void __user *fp, int size);
+extern bool copy_fpstate_to_sigframe(void __user *buf, void __user *fp, int size, u32 pkru);
extern void fpu__clear_user_states(struct fpu *fpu);
extern bool fpu__restore_sig(void __user *buf, int ia32_frame);
diff --git a/arch/x86/kernel/fpu/signal.c b/arch/x86/kernel/fpu/signal.c
index 247f2225aa9f3..2b3b9e140dd41 100644
--- a/arch/x86/kernel/fpu/signal.c
+++ b/arch/x86/kernel/fpu/signal.c
@@ -156,7 +156,7 @@ static inline bool save_xstate_epilog(void __user *buf, int ia32_frame,
return !err;
}
-static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf)
+static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf, u32 pkru)
{
if (use_xsave())
return xsave_to_user_sigframe(buf);
@@ -185,7 +185,7 @@ static inline int copy_fpregs_to_sigframe(struct xregs_state __user *buf)
* For [f]xsave state, update the SW reserved fields in the [f]xsave frame
* indicating the absence/presence of the extended state to the user.
*/
-bool copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size)
+bool copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size, u32 pkru)
{
struct task_struct *tsk = current;
struct fpstate *fpstate = tsk->thread.fpu.fpstate;
@@ -228,7 +228,7 @@ bool copy_fpstate_to_sigframe(void __user *buf, void __user *buf_fx, int size)
fpregs_restore_userregs();
pagefault_disable();
- ret = copy_fpregs_to_sigframe(buf_fx);
+ ret = copy_fpregs_to_sigframe(buf_fx, pkru);
pagefault_enable();
fpregs_unlock();
diff --git a/arch/x86/kernel/signal.c b/arch/x86/kernel/signal.c
index 65fe2094da59b..876d3b30c2c77 100644
--- a/arch/x86/kernel/signal.c
+++ b/arch/x86/kernel/signal.c
@@ -83,6 +83,7 @@ get_sigframe(struct ksignal *ksig, struct pt_regs *regs, size_t frame_size,
unsigned long math_size = 0;
unsigned long sp = regs->sp;
unsigned long buf_fx = 0;
+ u32 pkru = read_pkru();
/* redzone */
if (!ia32_frame)
@@ -138,7 +139,7 @@ get_sigframe(struct ksignal *ksig, struct pt_regs *regs, size_t frame_size,
}
/* save i387 and extended state */
- if (!copy_fpstate_to_sigframe(*fpstate, (void __user *)buf_fx, math_size))
+ if (!copy_fpstate_to_sigframe(*fpstate, (void __user *)buf_fx, math_size, pkru))
return (void __user *)-1L;
return (void __user *)sp;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 116/386] x86/pkeys: Restore altstack access in sigreturn()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 115/386] x86/pkeys: Add PKRU as a parameter in signal handling functions Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 117/386] x86/kexec: Add EFI config table identity mapping for kexec kernel Greg Kroah-Hartman
` (280 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aruna Ramakrishna, Thomas Gleixner,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aruna Ramakrishna <aruna.ramakrishna@oracle.com>
[ Upstream commit d10b554919d4cc8fa8fe2e95b57ad2624728c8e4 ]
A process can disable access to the alternate signal stack by not
enabling the altstack's PKEY in the PKRU register.
Nevertheless, the kernel updates the PKRU temporarily for signal
handling. However, in sigreturn(), restore_sigcontext() will restore the
PKRU to the user-defined PKRU value.
This will cause restore_altstack() to fail with a SIGSEGV as it needs read
access to the altstack which is prohibited by the user-defined PKRU value.
Fix this by restoring altstack before restoring PKRU.
Signed-off-by: Aruna Ramakrishna <aruna.ramakrishna@oracle.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/all/20240802061318.2140081-5-aruna.ramakrishna@oracle.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/signal_64.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/arch/x86/kernel/signal_64.c b/arch/x86/kernel/signal_64.c
index 23d8aaf8d9fd1..449a6ed0b8c98 100644
--- a/arch/x86/kernel/signal_64.c
+++ b/arch/x86/kernel/signal_64.c
@@ -260,13 +260,13 @@ SYSCALL_DEFINE0(rt_sigreturn)
set_current_blocked(&set);
- if (!restore_sigcontext(regs, &frame->uc.uc_mcontext, uc_flags))
+ if (restore_altstack(&frame->uc.uc_stack))
goto badframe;
- if (restore_signal_shadow_stack())
+ if (!restore_sigcontext(regs, &frame->uc.uc_mcontext, uc_flags))
goto badframe;
- if (restore_altstack(&frame->uc.uc_stack))
+ if (restore_signal_shadow_stack())
goto badframe;
return regs->ax;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 117/386] x86/kexec: Add EFI config table identity mapping for kexec kernel
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 116/386] x86/pkeys: Restore altstack access in sigreturn() Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 118/386] ALSA: asihpi: Fix potential OOB array access Greg Kroah-Hartman
` (279 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tao Liu, Steve Wahl, Thomas Gleixner,
Pavin Joseph, Sarah Brofeldt, Eric Hagberg, Ard Biesheuvel,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tao Liu <ltao@redhat.com>
[ Upstream commit 5760929f6545c651682de3c2c6c6786816b17bb1 ]
A kexec kernel boot failure is sometimes observed on AMD CPUs due to an
unmapped EFI config table array. This can be seen when "nogbpages" is on
the kernel command line, and has been observed as a full BIOS reboot rather
than a successful kexec.
This was also the cause of reported regressions attributed to Commit
7143c5f4cf20 ("x86/mm/ident_map: Use gbpages only where full GB page should
be mapped.") which was subsequently reverted.
To avoid this page fault, explicitly include the EFI config table array in
the kexec identity map.
Further explanation:
The following 2 commits caused the EFI config table array to be
accessed when enabling sev at kernel startup.
commit ec1c66af3a30 ("x86/compressed/64: Detect/setup SEV/SME features
earlier during boot")
commit c01fce9cef84 ("x86/compressed: Add SEV-SNP feature
detection/setup")
This is in the code that examines whether SEV should be enabled or not, so
it can even affect systems that are not SEV capable.
This may result in a page fault if the EFI config table array's address is
unmapped. Since the page fault occurs before the new kernel establishes its
own identity map and page fault routines, it is unrecoverable and kexec
fails.
Most often, this problem is not seen because the EFI config table array
gets included in the map by the luck of being placed at a memory address
close enough to other memory areas that *are* included in the map created
by kexec.
Both the "nogbpages" command line option and the "use gpbages only where
full GB page should be mapped" change greatly reduce the chance of being
included in the map by luck, which is why the problem appears.
Signed-off-by: Tao Liu <ltao@redhat.com>
Signed-off-by: Steve Wahl <steve.wahl@hpe.com>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Tested-by: Pavin Joseph <me@pavinjoseph.com>
Tested-by: Sarah Brofeldt <srhb@dbc.dk>
Tested-by: Eric Hagberg <ehagberg@gmail.com>
Reviewed-by: Ard Biesheuvel <ardb@kernel.org>
Link: https://lore.kernel.org/all/20240717213121.3064030-2-steve.wahl@hpe.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/kernel/machine_kexec_64.c | 27 +++++++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/arch/x86/kernel/machine_kexec_64.c b/arch/x86/kernel/machine_kexec_64.c
index d287fe290c9ab..2fa12d1dc6760 100644
--- a/arch/x86/kernel/machine_kexec_64.c
+++ b/arch/x86/kernel/machine_kexec_64.c
@@ -28,6 +28,7 @@
#include <asm/setup.h>
#include <asm/set_memory.h>
#include <asm/cpu.h>
+#include <asm/efi.h>
#ifdef CONFIG_ACPI
/*
@@ -90,6 +91,8 @@ map_efi_systab(struct x86_mapping_info *info, pgd_t *level4p)
{
#ifdef CONFIG_EFI
unsigned long mstart, mend;
+ void *kaddr;
+ int ret;
if (!efi_enabled(EFI_BOOT))
return 0;
@@ -105,6 +108,30 @@ map_efi_systab(struct x86_mapping_info *info, pgd_t *level4p)
if (!mstart)
return 0;
+ ret = kernel_ident_mapping_init(info, level4p, mstart, mend);
+ if (ret)
+ return ret;
+
+ kaddr = memremap(mstart, mend - mstart, MEMREMAP_WB);
+ if (!kaddr) {
+ pr_err("Could not map UEFI system table\n");
+ return -ENOMEM;
+ }
+
+ mstart = efi_config_table;
+
+ if (efi_enabled(EFI_64BIT)) {
+ efi_system_table_64_t *stbl = (efi_system_table_64_t *)kaddr;
+
+ mend = mstart + sizeof(efi_config_table_64_t) * stbl->nr_tables;
+ } else {
+ efi_system_table_32_t *stbl = (efi_system_table_32_t *)kaddr;
+
+ mend = mstart + sizeof(efi_config_table_32_t) * stbl->nr_tables;
+ }
+
+ memunmap(kaddr);
+
return kernel_ident_mapping_init(info, level4p, mstart, mend);
#endif
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 118/386] ALSA: asihpi: Fix potential OOB array access
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 117/386] x86/kexec: Add EFI config table identity mapping for kexec kernel Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 119/386] ALSA: hdsp: Break infinite MIDI input flush loop Greg Kroah-Hartman
` (278 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit 7b986c7430a6bb68d523dac7bfc74cbd5b44ef96 ]
ASIHPI driver stores some values in the static array upon a response
from the driver, and its index depends on the firmware. We shouldn't
trust it blindly.
This patch adds a sanity check of the array index to fit in the array
size.
Link: https://patch.msgid.link/20240808091454.30846-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/asihpi/hpimsgx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/pci/asihpi/hpimsgx.c b/sound/pci/asihpi/hpimsgx.c
index d0caef2994818..b68e6bfbbfbab 100644
--- a/sound/pci/asihpi/hpimsgx.c
+++ b/sound/pci/asihpi/hpimsgx.c
@@ -708,7 +708,7 @@ static u16 HPIMSGX__init(struct hpi_message *phm,
phr->error = HPI_ERROR_PROCESSING_MESSAGE;
return phr->error;
}
- if (hr.error == 0) {
+ if (hr.error == 0 && hr.u.s.adapter_index < HPI_MAX_ADAPTERS) {
/* the adapter was created successfully
save the mapping for future use */
hpi_entry_points[hr.u.s.adapter_index] = entry_point_func;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 119/386] ALSA: hdsp: Break infinite MIDI input flush loop
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 118/386] ALSA: asihpi: Fix potential OOB array access Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 120/386] tools/nolibc: powerpc: limit stack-protector workaround to GCC Greg Kroah-Hartman
` (277 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Takashi Iwai, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
[ Upstream commit c01f3815453e2d5f699ccd8c8c1f93a5b8669e59 ]
The current MIDI input flush on HDSP and HDSPM drivers relies on the
hardware reporting the right value. If the hardware doesn't give the
proper value but returns -1, it may be stuck at an infinite loop.
Add a counter and break if the loop is unexpectedly too long.
Link: https://patch.msgid.link/20240808091513.31380-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/pci/rme9652/hdsp.c | 6 ++++--
sound/pci/rme9652/hdspm.c | 6 ++++--
2 files changed, 8 insertions(+), 4 deletions(-)
diff --git a/sound/pci/rme9652/hdsp.c b/sound/pci/rme9652/hdsp.c
index e7d1b43471a29..713ca262a0e97 100644
--- a/sound/pci/rme9652/hdsp.c
+++ b/sound/pci/rme9652/hdsp.c
@@ -1298,8 +1298,10 @@ static int snd_hdsp_midi_output_possible (struct hdsp *hdsp, int id)
static void snd_hdsp_flush_midi_input (struct hdsp *hdsp, int id)
{
- while (snd_hdsp_midi_input_available (hdsp, id))
- snd_hdsp_midi_read_byte (hdsp, id);
+ int count = 256;
+
+ while (snd_hdsp_midi_input_available(hdsp, id) && --count)
+ snd_hdsp_midi_read_byte(hdsp, id);
}
static int snd_hdsp_midi_output_write (struct hdsp_midi *hmidi)
diff --git a/sound/pci/rme9652/hdspm.c b/sound/pci/rme9652/hdspm.c
index 267c7848974ae..74215f57f4fc9 100644
--- a/sound/pci/rme9652/hdspm.c
+++ b/sound/pci/rme9652/hdspm.c
@@ -1838,8 +1838,10 @@ static inline int snd_hdspm_midi_output_possible (struct hdspm *hdspm, int id)
static void snd_hdspm_flush_midi_input(struct hdspm *hdspm, int id)
{
- while (snd_hdspm_midi_input_available (hdspm, id))
- snd_hdspm_midi_read_byte (hdspm, id);
+ int count = 256;
+
+ while (snd_hdspm_midi_input_available(hdspm, id) && --count)
+ snd_hdspm_midi_read_byte(hdspm, id);
}
static int snd_hdspm_midi_output_write (struct hdspm_midi *hmidi)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 120/386] tools/nolibc: powerpc: limit stack-protector workaround to GCC
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 119/386] ALSA: hdsp: Break infinite MIDI input flush loop Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 121/386] selftests/nolibc: avoid passing NULL to printf("%s") Greg Kroah-Hartman
` (276 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Willy Tarreau, Thomas Weißschuh,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit 1daea158d0aae0770371f3079305a29fdb66829e ]
As mentioned in the comment, the workaround for
__attribute__((no_stack_protector)) is only necessary on GCC.
Avoid applying the workaround on clang, as clang does not recognize
__attribute__((__optimize__)) and would fail.
Acked-by: Willy Tarreau <w@1wt.eu>
Link: https://lore.kernel.org/r/20240807-nolibc-llvm-v2-3-c20f2f5fc7c2@weissschuh.net
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/include/nolibc/arch-powerpc.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/tools/include/nolibc/arch-powerpc.h b/tools/include/nolibc/arch-powerpc.h
index ac212e6185b26..41ebd394b90c7 100644
--- a/tools/include/nolibc/arch-powerpc.h
+++ b/tools/include/nolibc/arch-powerpc.h
@@ -172,7 +172,7 @@
_ret; \
})
-#ifndef __powerpc64__
+#if !defined(__powerpc64__) && !defined(__clang__)
/* FIXME: For 32-bit PowerPC, with newer gcc compilers (e.g. gcc 13.1.0),
* "omit-frame-pointer" fails with __attribute__((no_stack_protector)) but
* works with __attribute__((__optimize__("-fno-stack-protector")))
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 121/386] selftests/nolibc: avoid passing NULL to printf("%s")
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 120/386] tools/nolibc: powerpc: limit stack-protector workaround to GCC Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 122/386] x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() Greg Kroah-Hartman
` (275 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shuah Khan, Willy Tarreau,
Thomas Weißschuh, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit f1a58f61d88642ae1e6e97e9d72d73bc70a93cb8 ]
Clang on higher optimization levels detects that NULL is passed to
printf("%s") and warns about it.
While printf() from nolibc gracefully handles that NULL,
it is undefined behavior as per POSIX, so the warning is reasonable.
Avoid the warning by transforming NULL into a non-NULL placeholder.
Reviewed-by: Shuah Khan <skhan@linuxfoundation.org>
Acked-by: Willy Tarreau <w@1wt.eu>
Link: https://lore.kernel.org/r/20240807-nolibc-llvm-v2-8-c20f2f5fc7c2@weissschuh.net
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/nolibc/nolibc-test.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/nolibc/nolibc-test.c b/tools/testing/selftests/nolibc/nolibc-test.c
index 1fc4998f06bf6..4aaafbfc2f973 100644
--- a/tools/testing/selftests/nolibc/nolibc-test.c
+++ b/tools/testing/selftests/nolibc/nolibc-test.c
@@ -522,7 +522,7 @@ int expect_strzr(const char *expr, int llen)
{
int ret = 0;
- llen += printf(" = <%s> ", expr);
+ llen += printf(" = <%s> ", expr ? expr : "(null)");
if (expr) {
ret = 1;
result(llen, FAIL);
@@ -541,7 +541,7 @@ int expect_strnz(const char *expr, int llen)
{
int ret = 0;
- llen += printf(" = <%s> ", expr);
+ llen += printf(" = <%s> ", expr ? expr : "(null)");
if (!expr) {
ret = 1;
result(llen, FAIL);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 122/386] x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 121/386] selftests/nolibc: avoid passing NULL to printf("%s") Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 123/386] hwmon: (nct6775) add G15CF to ASUS WMI monitoring list Greg Kroah-Hartman
` (274 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mirsad Todorovac, Kees Cook,
Dave Hansen, Gustavo A. R. Silva, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit d19d638b1e6cf746263ef60b7d0dee0204d8216a ]
Modern (fortified) memcpy() prefers to avoid writing (or reading) beyond
the end of the addressed destination (or source) struct member:
In function ‘fortify_memcpy_chk’,
inlined from ‘syscall_get_arguments’ at ./arch/x86/include/asm/syscall.h:85:2,
inlined from ‘populate_seccomp_data’ at kernel/seccomp.c:258:2,
inlined from ‘__seccomp_filter’ at kernel/seccomp.c:1231:3:
./include/linux/fortify-string.h:580:25: error: call to ‘__read_overflow2_field’ declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
580 | __read_overflow2_field(q_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
As already done for x86_64 and compat mode, do not use memcpy() to
extract syscall arguments from struct pt_regs but rather just perform
direct assignments. Binary output differences are negligible, and actually
ends up using less stack space:
- sub $0x84,%esp
+ sub $0x6c,%esp
and less text size:
text data bss dec hex filename
10794 252 0 11046 2b26 gcc-32b/kernel/seccomp.o.stock
10714 252 0 10966 2ad6 gcc-32b/kernel/seccomp.o.after
Closes: https://lore.kernel.org/lkml/9b69fb14-df89-4677-9c82-056ea9e706f5@gmail.com/
Reported-by: Mirsad Todorovac <mtodorovac69@gmail.com>
Signed-off-by: Kees Cook <kees@kernel.org>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Tested-by: Mirsad Todorovac <mtodorovac69@gmail.com>
Link: https://lore.kernel.org/all/20240708202202.work.477-kees%40kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/include/asm/syscall.h | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/arch/x86/include/asm/syscall.h b/arch/x86/include/asm/syscall.h
index 03bb950eba690..228a42585d5c9 100644
--- a/arch/x86/include/asm/syscall.h
+++ b/arch/x86/include/asm/syscall.h
@@ -82,7 +82,12 @@ static inline void syscall_get_arguments(struct task_struct *task,
struct pt_regs *regs,
unsigned long *args)
{
- memcpy(args, ®s->bx, 6 * sizeof(args[0]));
+ args[0] = regs->bx;
+ args[1] = regs->cx;
+ args[2] = regs->dx;
+ args[3] = regs->si;
+ args[4] = regs->di;
+ args[5] = regs->bp;
}
static inline int syscall_get_arch(struct task_struct *task)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 123/386] hwmon: (nct6775) add G15CF to ASUS WMI monitoring list
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 122/386] x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 124/386] fbdev: efifb: Register sysfs groups through driver core Greg Kroah-Hartman
` (273 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Denis Pauk, Attila, Guenter Roeck,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Denis Pauk <pauk.denis@gmail.com>
[ Upstream commit 1f432e4cf1dd3ecfec5ed80051b4611632a0fd51 ]
Boards G15CF has got a nct6775 chip, but by default there's no use of it
because of resource conflict with WMI method.
Add the board to the WMI monitoring list.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=204807
Signed-off-by: Denis Pauk <pauk.denis@gmail.com>
Tested-by: Attila <attila@fulop.one>
Message-ID: <20240812152652.1303-1-pauk.denis@gmail.com>
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hwmon/nct6775-platform.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/hwmon/nct6775-platform.c b/drivers/hwmon/nct6775-platform.c
index 81bf03dad6bbc..706a662dd077d 100644
--- a/drivers/hwmon/nct6775-platform.c
+++ b/drivers/hwmon/nct6775-platform.c
@@ -1269,6 +1269,7 @@ static const char * const asus_msi_boards[] = {
"EX-B760M-V5 D4",
"EX-H510M-V3",
"EX-H610M-V3 D4",
+ "G15CF",
"PRIME A620M-A",
"PRIME B560-PLUS",
"PRIME B560-PLUS AC-HES",
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 124/386] fbdev: efifb: Register sysfs groups through driver core
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 123/386] hwmon: (nct6775) add G15CF to ASUS WMI monitoring list Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 125/386] fbdev: pxafb: Fix possible use after free in pxafb_task() Greg Kroah-Hartman
` (272 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Helge Deller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <linux@weissschuh.net>
[ Upstream commit 95cdd538e0e5677efbdf8aade04ec098ab98f457 ]
The driver core can register and cleanup sysfs groups already.
Make use of that functionality to simplify the error handling and
cleanup.
Also avoid a UAF race during unregistering where the sysctl attributes
were usable after the info struct was freed.
Signed-off-by: Thomas Weißschuh <linux@weissschuh.net>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/efifb.c | 11 ++---------
1 file changed, 2 insertions(+), 9 deletions(-)
diff --git a/drivers/video/fbdev/efifb.c b/drivers/video/fbdev/efifb.c
index f9b4ddd592ce4..88ac24202a1ff 100644
--- a/drivers/video/fbdev/efifb.c
+++ b/drivers/video/fbdev/efifb.c
@@ -571,15 +571,10 @@ static int efifb_probe(struct platform_device *dev)
break;
}
- err = sysfs_create_groups(&dev->dev.kobj, efifb_groups);
- if (err) {
- pr_err("efifb: cannot add sysfs attrs\n");
- goto err_unmap;
- }
err = fb_alloc_cmap(&info->cmap, 256, 0);
if (err < 0) {
pr_err("efifb: cannot allocate colormap\n");
- goto err_groups;
+ goto err_unmap;
}
if (efifb_pci_dev)
@@ -603,8 +598,6 @@ static int efifb_probe(struct platform_device *dev)
pm_runtime_put(&efifb_pci_dev->dev);
fb_dealloc_cmap(&info->cmap);
-err_groups:
- sysfs_remove_groups(&dev->dev.kobj, efifb_groups);
err_unmap:
if (mem_flags & (EFI_MEMORY_UC | EFI_MEMORY_WC))
iounmap(info->screen_base);
@@ -624,12 +617,12 @@ static void efifb_remove(struct platform_device *pdev)
/* efifb_destroy takes care of info cleanup */
unregister_framebuffer(info);
- sysfs_remove_groups(&pdev->dev.kobj, efifb_groups);
}
static struct platform_driver efifb_driver = {
.driver = {
.name = "efi-framebuffer",
+ .dev_groups = efifb_groups,
},
.probe = efifb_probe,
.remove_new = efifb_remove,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 125/386] fbdev: pxafb: Fix possible use after free in pxafb_task()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 124/386] fbdev: efifb: Register sysfs groups through driver core Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 126/386] rcuscale: Provide clear error when async specified without primitives Greg Kroah-Hartman
` (271 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kaixin Wang, Helge Deller,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
[ Upstream commit 4a6921095eb04a900e0000da83d9475eb958e61e ]
In the pxafb_probe function, it calls the pxafb_init_fbinfo function,
after which &fbi->task is associated with pxafb_task. Moreover,
within this pxafb_init_fbinfo function, the pxafb_blank function
within the &pxafb_ops struct is capable of scheduling work.
If we remove the module which will call pxafb_remove to make cleanup,
it will call unregister_framebuffer function which can call
do_unregister_framebuffer to free fbi->fb through
put_fb_info(fb_info), while the work mentioned above will be used.
The sequence of operations that may lead to a UAF bug is as follows:
CPU0 CPU1
| pxafb_task
pxafb_remove |
unregister_framebuffer(info) |
do_unregister_framebuffer(fb_info) |
put_fb_info(fb_info) |
// free fbi->fb | set_ctrlr_state(fbi, state)
| __pxafb_lcd_power(fbi, 0)
| fbi->lcd_power(on, &fbi->fb.var)
| //use fbi->fb
Fix it by ensuring that the work is canceled before proceeding
with the cleanup in pxafb_remove.
Note that only root user can remove the driver at runtime.
Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/video/fbdev/pxafb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/video/fbdev/pxafb.c b/drivers/video/fbdev/pxafb.c
index fa943612c4e2b..3a2427eb29f23 100644
--- a/drivers/video/fbdev/pxafb.c
+++ b/drivers/video/fbdev/pxafb.c
@@ -2403,6 +2403,7 @@ static void pxafb_remove(struct platform_device *dev)
info = &fbi->fb;
pxafb_overlay_exit(fbi);
+ cancel_work_sync(&fbi->task);
unregister_framebuffer(info);
pxafb_disable_controller(fbi);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 126/386] rcuscale: Provide clear error when async specified without primitives
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 125/386] fbdev: pxafb: Fix possible use after free in pxafb_task() Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 127/386] power: reset: brcmstb: Do not go into infinite loop if reset fails Greg Kroah-Hartman
` (270 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paul E. McKenney, Neeraj Upadhyay,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paul E. McKenney <paulmck@kernel.org>
[ Upstream commit 11377947b5861fa59bf77c827e1dd7c081842cc9 ]
Currently, if the rcuscale module's async module parameter is specified
for RCU implementations that do not have async primitives such as RCU
Tasks Rude (which now lacks a call_rcu_tasks_rude() function), there
will be a series of splats due to calls to a NULL pointer. This commit
therefore warns of this situation, but switches to non-async testing.
Signed-off-by: "Paul E. McKenney" <paulmck@kernel.org>
Signed-off-by: Neeraj Upadhyay <neeraj.upadhyay@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/rcu/rcuscale.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kernel/rcu/rcuscale.c b/kernel/rcu/rcuscale.c
index ffdb30495e3cc..ed46d9e8c0e43 100644
--- a/kernel/rcu/rcuscale.c
+++ b/kernel/rcu/rcuscale.c
@@ -498,7 +498,7 @@ rcu_scale_writer(void *arg)
schedule_timeout_idle(torture_random(&tr) % writer_holdoff_jiffies + 1);
wdp = &wdpp[i];
*wdp = ktime_get_mono_fast_ns();
- if (gp_async) {
+ if (gp_async && !WARN_ON_ONCE(!cur_ops->async)) {
retry:
if (!rhp)
rhp = kmalloc(sizeof(*rhp), GFP_KERNEL);
@@ -554,7 +554,7 @@ rcu_scale_writer(void *arg)
i++;
rcu_scale_wait_shutdown();
} while (!torture_must_stop());
- if (gp_async) {
+ if (gp_async && cur_ops->async) {
cur_ops->gp_barrier();
}
writer_n_durations[me] = i_max + 1;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 127/386] power: reset: brcmstb: Do not go into infinite loop if reset fails
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 126/386] rcuscale: Provide clear error when async specified without primitives Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 128/386] iommu/vt-d: Always reserve a domain ID for identity setup Greg Kroah-Hartman
` (269 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrew Davis, Dhruva Gole,
Florian Fainelli, Sebastian Reichel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Davis <afd@ti.com>
[ Upstream commit cf8c39b00e982fa506b16f9d76657838c09150cb ]
There may be other backup reset methods available, do not halt
here so that other reset methods can be tried.
Signed-off-by: Andrew Davis <afd@ti.com>
Reviewed-by: Dhruva Gole <d-gole@ti.com>
Acked-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://lore.kernel.org/r/20240610142836.168603-5-afd@ti.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/reset/brcmstb-reboot.c | 3 ---
1 file changed, 3 deletions(-)
diff --git a/drivers/power/reset/brcmstb-reboot.c b/drivers/power/reset/brcmstb-reboot.c
index 0f2944dc93551..a04713f191a11 100644
--- a/drivers/power/reset/brcmstb-reboot.c
+++ b/drivers/power/reset/brcmstb-reboot.c
@@ -62,9 +62,6 @@ static int brcmstb_restart_handler(struct notifier_block *this,
return NOTIFY_DONE;
}
- while (1)
- ;
-
return NOTIFY_DONE;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 128/386] iommu/vt-d: Always reserve a domain ID for identity setup
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 127/386] power: reset: brcmstb: Do not go into infinite loop if reset fails Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 129/386] iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count Greg Kroah-Hartman
` (268 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lu Baolu, Jason Gunthorpe,
Kevin Tian, Jerry Snitselaar, Joerg Roedel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lu Baolu <baolu.lu@linux.intel.com>
[ Upstream commit 2c13012e09190174614fd6901857a1b8c199e17d ]
We will use a global static identity domain. Reserve a static domain ID
for it.
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Reviewed-by: Jason Gunthorpe <jgg@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Reviewed-by: Jerry Snitselaar <jsnitsel@redhat.com>
Link: https://lore.kernel.org/r/20240809055431.36513-4-baolu.lu@linux.intel.com
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/intel/iommu.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/drivers/iommu/intel/iommu.c b/drivers/iommu/intel/iommu.c
index 9918af222c516..b7317016834cf 100644
--- a/drivers/iommu/intel/iommu.c
+++ b/drivers/iommu/intel/iommu.c
@@ -1692,10 +1692,10 @@ static int iommu_init_domains(struct intel_iommu *iommu)
* entry for first-level or pass-through translation modes should
* be programmed with a domain id different from those used for
* second-level or nested translation. We reserve a domain id for
- * this purpose.
+ * this purpose. This domain id is also used for identity domain
+ * in legacy mode.
*/
- if (sm_supported(iommu))
- set_bit(FLPT_DEFAULT_DID, iommu->domain_ids);
+ set_bit(FLPT_DEFAULT_DID, iommu->domain_ids);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 129/386] iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 128/386] iommu/vt-d: Always reserve a domain ID for identity setup Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 130/386] cgroup: Disallow mounting v1 hierarchies without controller implementation Greg Kroah-Hartman
` (267 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sanjay K Kumar, Jacob Pan,
Kevin Tian, Lu Baolu, Joerg Roedel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sanjay K Kumar <sanjay.k.kumar@intel.com>
[ Upstream commit 3cf74230c139f208b7fb313ae0054386eee31a81 ]
If qi_submit_sync() is invoked with 0 invalidation descriptors (for
instance, for DMA draining purposes), we can run into a bug where a
submitting thread fails to detect the completion of invalidation_wait.
Subsequently, this led to a soft lockup. Currently, there is no impact
by this bug on the existing users because no callers are submitting
invalidations with 0 descriptors. This fix will enable future users
(such as DMA drain) calling qi_submit_sync() with 0 count.
Suppose thread T1 invokes qi_submit_sync() with non-zero descriptors, while
concurrently, thread T2 calls qi_submit_sync() with zero descriptors. Both
threads then enter a while loop, waiting for their respective descriptors
to complete. T1 detects its completion (i.e., T1's invalidation_wait status
changes to QI_DONE by HW) and proceeds to call reclaim_free_desc() to
reclaim all descriptors, potentially including adjacent ones of other
threads that are also marked as QI_DONE.
During this time, while T2 is waiting to acquire the qi->q_lock, the IOMMU
hardware may complete the invalidation for T2, setting its status to
QI_DONE. However, if T1's execution of reclaim_free_desc() frees T2's
invalidation_wait descriptor and changes its status to QI_FREE, T2 will
not observe the QI_DONE status for its invalidation_wait and will
indefinitely remain stuck.
This soft lockup does not occur when only non-zero descriptors are
submitted.In such cases, invalidation descriptors are interspersed among
wait descriptors with the status QI_IN_USE, acting as barriers. These
barriers prevent the reclaim code from mistakenly freeing descriptors
belonging to other submitters.
Considered the following example timeline:
T1 T2
========================================
ID1
WD1
while(WD1!=QI_DONE)
unlock
lock
WD1=QI_DONE* WD2
while(WD2!=QI_DONE)
unlock
lock
WD1==QI_DONE?
ID1=QI_DONE WD2=DONE*
reclaim()
ID1=FREE
WD1=FREE
WD2=FREE
unlock
soft lockup! T2 never sees QI_DONE in WD2
Where:
ID = invalidation descriptor
WD = wait descriptor
* Written by hardware
The root of the problem is that the descriptor status QI_DONE flag is used
for two conflicting purposes:
1. signal a descriptor is ready for reclaim (to be freed)
2. signal by the hardware that a wait descriptor is complete
The solution (in this patch) is state separation by using QI_FREE flag
for #1.
Once a thread's invalidation descriptors are complete, their status would
be set to QI_FREE. The reclaim_free_desc() function would then only
free descriptors marked as QI_FREE instead of those marked as
QI_DONE. This change ensures that T2 (from the previous example) will
correctly observe the completion of its invalidation_wait (marked as
QI_DONE).
Signed-off-by: Sanjay K Kumar <sanjay.k.kumar@intel.com>
Signed-off-by: Jacob Pan <jacob.jun.pan@linux.intel.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Link: https://lore.kernel.org/r/20240728210059.1964602-1-jacob.jun.pan@linux.intel.com
Signed-off-by: Lu Baolu <baolu.lu@linux.intel.com>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iommu/intel/dmar.c | 16 +++++++++++-----
1 file changed, 11 insertions(+), 5 deletions(-)
diff --git a/drivers/iommu/intel/dmar.c b/drivers/iommu/intel/dmar.c
index 84f0459e503cf..7a38e18b18196 100644
--- a/drivers/iommu/intel/dmar.c
+++ b/drivers/iommu/intel/dmar.c
@@ -1202,9 +1202,7 @@ static void free_iommu(struct intel_iommu *iommu)
*/
static inline void reclaim_free_desc(struct q_inval *qi)
{
- while (qi->desc_status[qi->free_tail] == QI_DONE ||
- qi->desc_status[qi->free_tail] == QI_ABORT) {
- qi->desc_status[qi->free_tail] = QI_FREE;
+ while (qi->desc_status[qi->free_tail] == QI_FREE && qi->free_tail != qi->free_head) {
qi->free_tail = (qi->free_tail + 1) % QI_LENGTH;
qi->free_cnt++;
}
@@ -1439,8 +1437,16 @@ int qi_submit_sync(struct intel_iommu *iommu, struct qi_desc *desc,
raw_spin_lock(&qi->q_lock);
}
- for (i = 0; i < count; i++)
- qi->desc_status[(index + i) % QI_LENGTH] = QI_DONE;
+ /*
+ * The reclaim code can free descriptors from multiple submissions
+ * starting from the tail of the queue. When count == 0, the
+ * status of the standalone wait descriptor at the tail of the queue
+ * must be set to QI_FREE to allow the reclaim code to proceed.
+ * It is also possible that descriptors from one of the previous
+ * submissions has to be reclaimed by a subsequent submission.
+ */
+ for (i = 0; i <= count; i++)
+ qi->desc_status[(index + i) % QI_LENGTH] = QI_FREE;
reclaim_free_desc(qi);
raw_spin_unlock_irqrestore(&qi->q_lock, flags);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 130/386] cgroup: Disallow mounting v1 hierarchies without controller implementation
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 129/386] iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 131/386] drm/stm: Avoid use-after-free issues with crtc and plane Greg Kroah-Hartman
` (266 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Koutný, Tejun Heo,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Koutný <mkoutny@suse.com>
[ Upstream commit 3c41382e920f1dd5c9f432948fe799c07af1cced ]
The configs that disable some v1 controllers would still allow mounting
them but with no controller-specific files. (Making such hierarchies
equivalent to named v1 hierarchies.) To achieve behavior consistent with
actual out-compilation of a whole controller, the mounts should treat
respective controllers as non-existent.
Wrap implementation into a helper function, leverage legacy_files to
detect compiled out controllers. The effect is that mounts on v1 would
fail and produce a message like:
[ 1543.999081] cgroup: Unknown subsys name 'memory'
Signed-off-by: Michal Koutný <mkoutny@suse.com>
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/cgroup/cgroup-v1.c | 12 ++++++++++--
1 file changed, 10 insertions(+), 2 deletions(-)
diff --git a/kernel/cgroup/cgroup-v1.c b/kernel/cgroup/cgroup-v1.c
index 9cb00ebe9ac6d..01149e47e1a72 100644
--- a/kernel/cgroup/cgroup-v1.c
+++ b/kernel/cgroup/cgroup-v1.c
@@ -46,6 +46,12 @@ bool cgroup1_ssid_disabled(int ssid)
return cgroup_no_v1_mask & (1 << ssid);
}
+static bool cgroup1_subsys_absent(struct cgroup_subsys *ss)
+{
+ /* Check also dfl_cftypes for file-less controllers, i.e. perf_event */
+ return ss->legacy_cftypes == NULL && ss->dfl_cftypes;
+}
+
/**
* cgroup_attach_task_all - attach task 'tsk' to all cgroups of task 'from'
* @from: attach to all cgroups of a given task
@@ -932,7 +938,8 @@ int cgroup1_parse_param(struct fs_context *fc, struct fs_parameter *param)
if (ret != -ENOPARAM)
return ret;
for_each_subsys(ss, i) {
- if (strcmp(param->key, ss->legacy_name))
+ if (strcmp(param->key, ss->legacy_name) ||
+ cgroup1_subsys_absent(ss))
continue;
if (!cgroup_ssid_enabled(i) || cgroup1_ssid_disabled(i))
return invalfc(fc, "Disabled controller '%s'",
@@ -1024,7 +1031,8 @@ static int check_cgroupfs_options(struct fs_context *fc)
mask = ~((u16)1 << cpuset_cgrp_id);
#endif
for_each_subsys(ss, i)
- if (cgroup_ssid_enabled(i) && !cgroup1_ssid_disabled(i))
+ if (cgroup_ssid_enabled(i) && !cgroup1_ssid_disabled(i) &&
+ !cgroup1_subsys_absent(ss))
enabled |= 1 << i;
ctx->subsys_mask &= enabled;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 131/386] drm/stm: Avoid use-after-free issues with crtc and plane
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 130/386] cgroup: Disallow mounting v1 hierarchies without controller implementation Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 132/386] drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit Greg Kroah-Hartman
` (265 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Katya Orlova,
Raphaël Gallais-Pou, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Katya Orlova <e.orlova@ispras.ru>
[ Upstream commit 19dd9780b7ac673be95bf6fd6892a184c9db611f ]
ltdc_load() calls functions drm_crtc_init_with_planes(),
drm_universal_plane_init() and drm_encoder_init(). These functions
should not be called with parameters allocated with devm_kzalloc()
to avoid use-after-free issues [1].
Use allocations managed by the DRM framework.
Found by Linux Verification Center (linuxtesting.org).
[1]
https://lore.kernel.org/lkml/u366i76e3qhh3ra5oxrtngjtm2u5lterkekcz6y2jkndhuxzli@diujon4h7qwb/
Signed-off-by: Katya Orlova <e.orlova@ispras.ru>
Acked-by: Raphaël Gallais-Pou <raphael.gallais-pou@foss.st.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240216125040.8968-1-e.orlova@ispras.ru
Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/stm/drv.c | 3 +-
drivers/gpu/drm/stm/ltdc.c | 73 ++++++++++----------------------------
2 files changed, 20 insertions(+), 56 deletions(-)
diff --git a/drivers/gpu/drm/stm/drv.c b/drivers/gpu/drm/stm/drv.c
index 4d2db079ad4ff..e1232f74dfa53 100644
--- a/drivers/gpu/drm/stm/drv.c
+++ b/drivers/gpu/drm/stm/drv.c
@@ -25,6 +25,7 @@
#include <drm/drm_module.h>
#include <drm/drm_probe_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include "ltdc.h"
@@ -75,7 +76,7 @@ static int drv_load(struct drm_device *ddev)
DRM_DEBUG("%s\n", __func__);
- ldev = devm_kzalloc(ddev->dev, sizeof(*ldev), GFP_KERNEL);
+ ldev = drmm_kzalloc(ddev, sizeof(*ldev), GFP_KERNEL);
if (!ldev)
return -ENOMEM;
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index 5aec1e58c968c..056642d12265c 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -36,6 +36,7 @@
#include <drm/drm_probe_helper.h>
#include <drm/drm_simple_kms_helper.h>
#include <drm/drm_vblank.h>
+#include <drm/drm_managed.h>
#include <video/videomode.h>
@@ -1199,7 +1200,6 @@ static void ltdc_crtc_atomic_print_state(struct drm_printer *p,
}
static const struct drm_crtc_funcs ltdc_crtc_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1212,7 +1212,6 @@ static const struct drm_crtc_funcs ltdc_crtc_funcs = {
};
static const struct drm_crtc_funcs ltdc_crtc_with_crc_support_funcs = {
- .destroy = drm_crtc_cleanup,
.set_config = drm_atomic_helper_set_config,
.page_flip = drm_atomic_helper_page_flip,
.reset = drm_atomic_helper_crtc_reset,
@@ -1545,7 +1544,6 @@ static void ltdc_plane_atomic_print_state(struct drm_printer *p,
static const struct drm_plane_funcs ltdc_plane_funcs = {
.update_plane = drm_atomic_helper_update_plane,
.disable_plane = drm_atomic_helper_disable_plane,
- .destroy = drm_plane_cleanup,
.reset = drm_atomic_helper_plane_reset,
.atomic_duplicate_state = drm_atomic_helper_plane_duplicate_state,
.atomic_destroy_state = drm_atomic_helper_plane_destroy_state,
@@ -1572,7 +1570,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
const u64 *modifiers = ltdc_format_modifiers;
u32 lofs = index * LAY_OFS;
u32 val;
- int ret;
/* Allocate the biggest size according to supported color formats */
formats = devm_kzalloc(dev, (ldev->caps.pix_fmt_nb +
@@ -1615,14 +1612,10 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
}
}
- plane = devm_kzalloc(dev, sizeof(*plane), GFP_KERNEL);
- if (!plane)
- return NULL;
-
- ret = drm_universal_plane_init(ddev, plane, possible_crtcs,
- <dc_plane_funcs, formats, nb_fmt,
- modifiers, type, NULL);
- if (ret < 0)
+ plane = drmm_universal_plane_alloc(ddev, struct drm_plane, dev,
+ possible_crtcs, <dc_plane_funcs, formats,
+ nb_fmt, modifiers, type, NULL);
+ if (IS_ERR(plane))
return NULL;
if (ldev->caps.ycbcr_input) {
@@ -1645,15 +1638,6 @@ static struct drm_plane *ltdc_plane_create(struct drm_device *ddev,
return plane;
}
-static void ltdc_plane_destroy_all(struct drm_device *ddev)
-{
- struct drm_plane *plane, *plane_temp;
-
- list_for_each_entry_safe(plane, plane_temp,
- &ddev->mode_config.plane_list, head)
- drm_plane_cleanup(plane);
-}
-
static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
{
struct ltdc_device *ldev = ddev->dev_private;
@@ -1679,14 +1663,14 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
/* Init CRTC according to its hardware features */
if (ldev->caps.crc)
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
- <dc_crtc_with_crc_support_funcs, NULL);
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ <dc_crtc_with_crc_support_funcs, NULL);
else
- ret = drm_crtc_init_with_planes(ddev, crtc, primary, NULL,
- <dc_crtc_funcs, NULL);
+ ret = drmm_crtc_init_with_planes(ddev, crtc, primary, NULL,
+ <dc_crtc_funcs, NULL);
if (ret) {
DRM_ERROR("Can not initialize CRTC\n");
- goto cleanup;
+ return ret;
}
drm_crtc_helper_add(crtc, <dc_crtc_helper_funcs);
@@ -1700,9 +1684,8 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
for (i = 1; i < ldev->caps.nb_layers; i++) {
overlay = ltdc_plane_create(ddev, DRM_PLANE_TYPE_OVERLAY, i);
if (!overlay) {
- ret = -ENOMEM;
DRM_ERROR("Can not create overlay plane %d\n", i);
- goto cleanup;
+ return -ENOMEM;
}
if (ldev->caps.dynamic_zorder)
drm_plane_create_zpos_property(overlay, i, 0, ldev->caps.nb_layers - 1);
@@ -1715,10 +1698,6 @@ static int ltdc_crtc_init(struct drm_device *ddev, struct drm_crtc *crtc)
}
return 0;
-
-cleanup:
- ltdc_plane_destroy_all(ddev);
- return ret;
}
static void ltdc_encoder_disable(struct drm_encoder *encoder)
@@ -1778,23 +1757,19 @@ static int ltdc_encoder_init(struct drm_device *ddev, struct drm_bridge *bridge)
struct drm_encoder *encoder;
int ret;
- encoder = devm_kzalloc(ddev->dev, sizeof(*encoder), GFP_KERNEL);
- if (!encoder)
- return -ENOMEM;
+ encoder = drmm_simple_encoder_alloc(ddev, struct drm_encoder, dev,
+ DRM_MODE_ENCODER_DPI);
+ if (IS_ERR(encoder))
+ return PTR_ERR(encoder);
encoder->possible_crtcs = CRTC_MASK;
encoder->possible_clones = 0; /* No cloning support */
- drm_simple_encoder_init(ddev, encoder, DRM_MODE_ENCODER_DPI);
-
drm_encoder_helper_add(encoder, <dc_encoder_helper_funcs);
ret = drm_bridge_attach(encoder, bridge, NULL, 0);
- if (ret) {
- if (ret != -EPROBE_DEFER)
- drm_encoder_cleanup(encoder);
+ if (ret)
return ret;
- }
DRM_DEBUG_DRIVER("Bridge encoder:%d created\n", encoder->base.id);
@@ -1964,8 +1939,7 @@ int ltdc_load(struct drm_device *ddev)
goto err;
if (panel) {
- bridge = drm_panel_bridge_add_typed(panel,
- DRM_MODE_CONNECTOR_DPI);
+ bridge = drmm_panel_bridge_add(ddev, panel);
if (IS_ERR(bridge)) {
DRM_ERROR("panel-bridge endpoint %d\n", i);
ret = PTR_ERR(bridge);
@@ -2047,7 +2021,7 @@ int ltdc_load(struct drm_device *ddev)
}
}
- crtc = devm_kzalloc(dev, sizeof(*crtc), GFP_KERNEL);
+ crtc = drmm_kzalloc(ddev, sizeof(*crtc), GFP_KERNEL);
if (!crtc) {
DRM_ERROR("Failed to allocate crtc\n");
ret = -ENOMEM;
@@ -2074,9 +2048,6 @@ int ltdc_load(struct drm_device *ddev)
return 0;
err:
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
clk_disable_unprepare(ldev->pixel_clk);
return ret;
@@ -2084,16 +2055,8 @@ int ltdc_load(struct drm_device *ddev)
void ltdc_unload(struct drm_device *ddev)
{
- struct device *dev = ddev->dev;
- int nb_endpoints, i;
-
DRM_DEBUG_DRIVER("\n");
- nb_endpoints = of_graph_get_endpoint_count(dev->of_node);
-
- for (i = 0; i < nb_endpoints; i++)
- drm_of_panel_bridge_remove(ddev->dev->of_node, 0, i);
-
pm_runtime_disable(ddev->dev);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 132/386] drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 131/386] drm/stm: Avoid use-after-free issues with crtc and plane Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 133/386] drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Greg Kroah-Hartman
` (264 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pierre-Eric Pelloux-Prayer,
Christian König, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
[ Upstream commit fec5f8e8c6bcf83ed7a392801d7b44c5ecfc1e82 ]
Before this commit, only submits with both a BO_HANDLES chunk and a
'bo_list_handle' would be rejected (by amdgpu_cs_parser_bos).
But if UMD sent multiple BO_HANDLES, what would happen is:
* only the last one would be really used
* all the others would leak memory as amdgpu_cs_p1_bo_handles would
overwrite the previous p->bo_list value
This commit rejects submissions with multiple BO_HANDLES chunks to
match the implementation of the parser.
Signed-off-by: Pierre-Eric Pelloux-Prayer <pierre-eric.pelloux-prayer@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
index e361dc37a0890..7abcd618e70bd 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_cs.c
@@ -263,6 +263,10 @@ static int amdgpu_cs_pass1(struct amdgpu_cs_parser *p,
if (size < sizeof(struct drm_amdgpu_bo_list_in))
goto free_partial_kdata;
+ /* Only a single BO list is allowed to simplify handling. */
+ if (p->bo_list)
+ ret = -EINVAL;
+
ret = amdgpu_cs_p1_bo_handles(p, p->chunks[i].kdata);
if (ret)
goto free_partial_kdata;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 133/386] drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 132/386] drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 134/386] drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream Greg Kroah-Hartman
` (263 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Philip Yang, Felix Kuehling,
Christian König, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Philip Yang <Philip.Yang@amd.com>
[ Upstream commit c86ad39140bbcb9dc75a10046c2221f657e8083b ]
Pass pointer reference to amdgpu_bo_unref to clear the correct pointer,
otherwise amdgpu_bo_unref clear the local variable, the original pointer
not set to NULL, this could cause use-after-free bug.
Signed-off-by: Philip Yang <Philip.Yang@amd.com>
Reviewed-by: Felix Kuehling <felix.kuehling@amd.com>
Acked-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c | 14 +++++++-------
drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_chardev.c | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_device.c | 4 ++--
.../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c | 2 +-
drivers/gpu/drm/amd/amdkfd/kfd_process.c | 2 +-
.../gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 4 ++--
8 files changed, 16 insertions(+), 16 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
index 25d5fda5b243e..af6c6d89e63af 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.c
@@ -335,15 +335,15 @@ int amdgpu_amdkfd_alloc_gtt_mem(struct amdgpu_device *adev, size_t size,
return r;
}
-void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void *mem_obj)
+void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void **mem_obj)
{
- struct amdgpu_bo *bo = (struct amdgpu_bo *) mem_obj;
+ struct amdgpu_bo **bo = (struct amdgpu_bo **) mem_obj;
- amdgpu_bo_reserve(bo, true);
- amdgpu_bo_kunmap(bo);
- amdgpu_bo_unpin(bo);
- amdgpu_bo_unreserve(bo);
- amdgpu_bo_unref(&(bo));
+ amdgpu_bo_reserve(*bo, true);
+ amdgpu_bo_kunmap(*bo);
+ amdgpu_bo_unpin(*bo);
+ amdgpu_bo_unreserve(*bo);
+ amdgpu_bo_unref(bo);
}
int amdgpu_amdkfd_alloc_gws(struct amdgpu_device *adev, size_t size,
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
index db5b1c6beba75..3134e6ad81d1d 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_amdkfd.h
@@ -221,7 +221,7 @@ int amdgpu_amdkfd_evict_userptr(struct mmu_interval_notifier *mni,
int amdgpu_amdkfd_alloc_gtt_mem(struct amdgpu_device *adev, size_t size,
void **mem_obj, uint64_t *gpu_addr,
void **cpu_ptr, bool mqd_gfx9);
-void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void *mem_obj);
+void amdgpu_amdkfd_free_gtt_mem(struct amdgpu_device *adev, void **mem_obj);
int amdgpu_amdkfd_alloc_gws(struct amdgpu_device *adev, size_t size,
void **mem_obj);
void amdgpu_amdkfd_free_gws(struct amdgpu_device *adev, void *mem_obj);
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
index 9d10530283705..19d46be639429 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_chardev.c
@@ -417,7 +417,7 @@ static int kfd_ioctl_create_queue(struct file *filep, struct kfd_process *p,
err_create_queue:
if (wptr_bo)
- amdgpu_amdkfd_free_gtt_mem(dev->adev, wptr_bo);
+ amdgpu_amdkfd_free_gtt_mem(dev->adev, (void **)&wptr_bo);
err_wptr_map_gart:
err_bind_process:
err_pdd:
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device.c b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
index 0c94bdfadaabf..9d0b0bf70ad1e 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_device.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device.c
@@ -838,7 +838,7 @@ bool kgd2kfd_device_init(struct kfd_dev *kfd,
kfd_doorbell_error:
kfd_gtt_sa_fini(kfd);
kfd_gtt_sa_init_error:
- amdgpu_amdkfd_free_gtt_mem(kfd->adev, kfd->gtt_mem);
+ amdgpu_amdkfd_free_gtt_mem(kfd->adev, &kfd->gtt_mem);
alloc_gtt_mem_failure:
dev_err(kfd_device,
"device %x:%x NOT added due to errors\n",
@@ -856,7 +856,7 @@ void kgd2kfd_device_exit(struct kfd_dev *kfd)
kfd_doorbell_fini(kfd);
ida_destroy(&kfd->doorbell_ida);
kfd_gtt_sa_fini(kfd);
- amdgpu_amdkfd_free_gtt_mem(kfd->adev, kfd->gtt_mem);
+ amdgpu_amdkfd_free_gtt_mem(kfd->adev, &kfd->gtt_mem);
}
kfree(kfd);
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
index 60d98301ef041..4d9a406925e18 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_device_queue_manager.c
@@ -2610,7 +2610,7 @@ static void deallocate_hiq_sdma_mqd(struct kfd_node *dev,
{
WARN(!mqd, "No hiq sdma mqd trunk to free");
- amdgpu_amdkfd_free_gtt_mem(dev->adev, mqd->gtt_mem);
+ amdgpu_amdkfd_free_gtt_mem(dev->adev, &mqd->gtt_mem);
}
void device_queue_manager_uninit(struct device_queue_manager *dqm)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c
index 447829c22295c..4c3f379803117 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager.c
@@ -223,7 +223,7 @@ void kfd_free_mqd_cp(struct mqd_manager *mm, void *mqd,
struct kfd_mem_obj *mqd_mem_obj)
{
if (mqd_mem_obj->gtt_mem) {
- amdgpu_amdkfd_free_gtt_mem(mm->dev->adev, mqd_mem_obj->gtt_mem);
+ amdgpu_amdkfd_free_gtt_mem(mm->dev->adev, &mqd_mem_obj->gtt_mem);
kfree(mqd_mem_obj);
} else {
kfd_gtt_sa_free(mm->dev, mqd_mem_obj);
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process.c b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
index d98e45aec76b4..43f520b379670 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process.c
@@ -1047,7 +1047,7 @@ static void kfd_process_destroy_pdds(struct kfd_process *p)
if (pdd->dev->kfd->shared_resources.enable_mes)
amdgpu_amdkfd_free_gtt_mem(pdd->dev->adev,
- pdd->proc_ctx_bo);
+ &pdd->proc_ctx_bo);
/*
* before destroying pdd, make sure to report availability
* for auto suspend
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
index 8aca92624a77e..dbc75ca84375a 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
@@ -199,9 +199,9 @@ static void pqm_clean_queue_resource(struct process_queue_manager *pqm,
}
if (dev->kfd->shared_resources.enable_mes) {
- amdgpu_amdkfd_free_gtt_mem(dev->adev, pqn->q->gang_ctx_bo);
+ amdgpu_amdkfd_free_gtt_mem(dev->adev, &pqn->q->gang_ctx_bo);
if (pqn->q->wptr_bo)
- amdgpu_amdkfd_free_gtt_mem(dev->adev, pqn->q->wptr_bo);
+ amdgpu_amdkfd_free_gtt_mem(dev->adev, (void **)&pqn->q->wptr_bo);
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 134/386] drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 133/386] drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 135/386] ata: pata_serverworks: Do not use the term blacklist Greg Kroah-Hartman
` (262 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Chung, Rodrigo Siqueira,
Roman Li, Alex Hung, Aurabindo Pillai, Harry Wentland,
Hamza Mahfooz, Srinivasan Shanmugam, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit 66d71a72539e173a9b00ca0b1852cbaa5f5bf1ad ]
This commit addresses a null pointer dereference issue in the
`commit_planes_for_stream` function at line 4140. The issue could occur
when `top_pipe_to_program` is null.
The fix adds a check to ensure `top_pipe_to_program` is not null before
accessing its stream_res. This prevents a null pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc.c:4140 commit_planes_for_stream() error: we previously assumed 'top_pipe_to_program' could be null (see line 3906)
Cc: Tom Chung <chiahsuan.chung@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Roman Li <roman.li@amd.com>
Cc: Alex Hung <alex.hung@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/core/dc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
index 50e643bfdfbad..0b2eb2a6c8e14 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -3797,7 +3797,8 @@ static void commit_planes_for_stream(struct dc *dc,
}
if ((update_type != UPDATE_TYPE_FAST) && stream->update_flags.bits.dsc_changed)
- if (top_pipe_to_program->stream_res.tg->funcs->lock_doublebuffer_enable) {
+ if (top_pipe_to_program &&
+ top_pipe_to_program->stream_res.tg->funcs->lock_doublebuffer_enable) {
top_pipe_to_program->stream_res.tg->funcs->wait_for_state(
top_pipe_to_program->stream_res.tg,
CRTC_STATE_VACTIVE);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 135/386] ata: pata_serverworks: Do not use the term blacklist
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 134/386] drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 136/386] ata: sata_sil: Rename sil_blacklist to sil_quirks Greg Kroah-Hartman
` (261 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Niklas Cassel,
Igor Pylypiv, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit 858048568c9e3887d8b19e101ee72f129d65cb15 ]
Let's not use the term blacklist in the function
serverworks_osb4_filter() documentation comment and rather simply refer
to what that function looks at: the list of devices with groken UDMA5.
While at it, also constify the values of the csb_bad_ata100 array.
Of note is that all of this should probably be handled using libata
quirk mechanism but it is unclear if these UDMA5 quirks are specific
to this controller only.
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/pata_serverworks.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/drivers/ata/pata_serverworks.c b/drivers/ata/pata_serverworks.c
index 549ff24a98231..4edddf6bcc150 100644
--- a/drivers/ata/pata_serverworks.c
+++ b/drivers/ata/pata_serverworks.c
@@ -46,10 +46,11 @@
#define SVWKS_CSB5_REVISION_NEW 0x92 /* min PCI_REVISION_ID for UDMA5 (A2.0) */
#define SVWKS_CSB6_REVISION 0xa0 /* min PCI_REVISION_ID for UDMA4 (A1.0) */
-/* Seagate Barracuda ATA IV Family drives in UDMA mode 5
- * can overrun their FIFOs when used with the CSB5 */
-
-static const char *csb_bad_ata100[] = {
+/*
+ * Seagate Barracuda ATA IV Family drives in UDMA mode 5
+ * can overrun their FIFOs when used with the CSB5.
+ */
+static const char * const csb_bad_ata100[] = {
"ST320011A",
"ST340016A",
"ST360021A",
@@ -163,10 +164,11 @@ static unsigned int serverworks_osb4_filter(struct ata_device *adev, unsigned in
* @adev: ATA device
* @mask: Mask of proposed modes
*
- * Check the blacklist and disable UDMA5 if matched
+ * Check the list of devices with broken UDMA5 and
+ * disable UDMA5 if matched.
*/
-
-static unsigned int serverworks_csb_filter(struct ata_device *adev, unsigned int mask)
+static unsigned int serverworks_csb_filter(struct ata_device *adev,
+ unsigned int mask)
{
const char *p;
char model_num[ATA_ID_PROD_LEN + 1];
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 136/386] ata: sata_sil: Rename sil_blacklist to sil_quirks
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 135/386] ata: pata_serverworks: Do not use the term blacklist Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 137/386] HID: Ignore battery for all ELAN I2C-HID devices Greg Kroah-Hartman
` (260 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Niklas Cassel,
Igor Pylypiv, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit 93b0f9e11ce511353c65b7f924cf5f95bd9c3aba ]
Rename the array sil_blacklist to sil_quirks as this name is more
neutral and is also consistent with how this driver define quirks with
the SIL_QUIRK_XXX flags.
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Niklas Cassel <cassel@kernel.org>
Reviewed-by: Igor Pylypiv <ipylypiv@google.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/sata_sil.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/drivers/ata/sata_sil.c b/drivers/ata/sata_sil.c
index cc77c02482843..df095659bae0f 100644
--- a/drivers/ata/sata_sil.c
+++ b/drivers/ata/sata_sil.c
@@ -128,7 +128,7 @@ static const struct pci_device_id sil_pci_tbl[] = {
static const struct sil_drivelist {
const char *product;
unsigned int quirk;
-} sil_blacklist [] = {
+} sil_quirks[] = {
{ "ST320012AS", SIL_QUIRK_MOD15WRITE },
{ "ST330013AS", SIL_QUIRK_MOD15WRITE },
{ "ST340017AS", SIL_QUIRK_MOD15WRITE },
@@ -600,8 +600,8 @@ static void sil_thaw(struct ata_port *ap)
* list, and apply the fixups to only the specific
* devices/hosts/firmwares that need it.
*
- * 20040111 - Seagate drives affected by the Mod15Write bug are blacklisted
- * The Maxtor quirk is in the blacklist, but I'm keeping the original
+ * 20040111 - Seagate drives affected by the Mod15Write bug are quirked
+ * The Maxtor quirk is in sil_quirks, but I'm keeping the original
* pessimistic fix for the following reasons...
* - There seems to be less info on it, only one device gleaned off the
* Windows driver, maybe only one is affected. More info would be greatly
@@ -620,9 +620,9 @@ static void sil_dev_config(struct ata_device *dev)
ata_id_c_string(dev->id, model_num, ATA_ID_PROD, sizeof(model_num));
- for (n = 0; sil_blacklist[n].product; n++)
- if (!strcmp(sil_blacklist[n].product, model_num)) {
- quirks = sil_blacklist[n].quirk;
+ for (n = 0; sil_quirks[n].product; n++)
+ if (!strcmp(sil_quirks[n].product, model_num)) {
+ quirks = sil_quirks[n].quirk;
break;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 137/386] HID: Ignore battery for all ELAN I2C-HID devices
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 136/386] ata: sata_sil: Rename sil_blacklist to sil_quirks Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 138/386] drm/amd/display: Handle null stream_status in planes_changed_for_existing_stream Greg Kroah-Hartman
` (259 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Louis Dalibard, Hans de Goede,
Jiri Kosina, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit bcc31692a1d1e21f0d06c5f727c03ee299d2264e ]
Before this change there were 16 vid:pid based quirks to ignore the battery
reported by Elan I2C-HID touchscreens on various Asus and HP laptops.
And a report has been received that the 04F3:2A00 I2C touchscreen on
the HP ProBook x360 11 G5 EE/86CF also reports a non present battery.
Since I2C-HID devices are always builtin to laptops they are not battery
owered so it should be safe to just ignore the battery on all Elan I2C-HID
devices, rather then adding a 17th quirk for the 04F3:2A00 touchscreen.
As reported in the changelog of commit a3a5a37efba1 ("HID: Ignore battery
for ELAN touchscreens 2F2C and 4116"), which added 2 new Elan touchscreen
quirks about a month ago, the HID reported battery seems to be related
to a stylus being used. But even when a stylus is in use it does not
properly report the charge of the stylus battery, instead the reported
battery charge jumps from 0% to 1%. So it is best to just ignore the
HID battery.
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=2302776
Cc: Louis Dalibard <ontake@ontake.dev>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-ids.h | 16 ----------------
drivers/hid/hid-input.c | 37 +++++--------------------------------
2 files changed, 5 insertions(+), 48 deletions(-)
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index a5987fafbedde..674e03fa5f81f 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -411,24 +411,8 @@
#define USB_DEVICE_ID_TOSHIBA_CLICK_L9W 0x0401
#define USB_DEVICE_ID_HP_X2 0x074d
#define USB_DEVICE_ID_HP_X2_10_COVER 0x0755
-#define I2C_DEVICE_ID_HP_ENVY_X360_15 0x2d05
-#define I2C_DEVICE_ID_HP_ENVY_X360_15T_DR100 0x29CF
-#define I2C_DEVICE_ID_HP_ENVY_X360_EU0009NV 0x2CF9
-#define I2C_DEVICE_ID_HP_SPECTRE_X360_15 0x2817
-#define I2C_DEVICE_ID_HP_SPECTRE_X360_13_AW0020NG 0x29DF
-#define I2C_DEVICE_ID_ASUS_TP420IA_TOUCHSCREEN 0x2BC8
-#define I2C_DEVICE_ID_ASUS_GV301RA_TOUCHSCREEN 0x2C82
-#define I2C_DEVICE_ID_ASUS_UX3402_TOUCHSCREEN 0x2F2C
-#define I2C_DEVICE_ID_ASUS_UX6404_TOUCHSCREEN 0x4116
#define USB_DEVICE_ID_ASUS_UX550VE_TOUCHSCREEN 0x2544
#define USB_DEVICE_ID_ASUS_UX550_TOUCHSCREEN 0x2706
-#define I2C_DEVICE_ID_SURFACE_GO_TOUCHSCREEN 0x261A
-#define I2C_DEVICE_ID_SURFACE_GO2_TOUCHSCREEN 0x2A1C
-#define I2C_DEVICE_ID_LENOVO_YOGA_C630_TOUCHSCREEN 0x279F
-#define I2C_DEVICE_ID_HP_SPECTRE_X360_13T_AW100 0x29F5
-#define I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V1 0x2BED
-#define I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V2 0x2BEE
-#define I2C_DEVICE_ID_HP_ENVY_X360_15_EU0556NG 0x2D02
#define I2C_DEVICE_ID_CHROMEBOOK_TROGDOR_POMPOM 0x2F81
#define USB_VENDOR_ID_ELECOM 0x056e
diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index c9094a4f281e9..fda9dce3da998 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -373,14 +373,6 @@ static const struct hid_device_id hid_battery_quirks[] = {
{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH,
USB_DEVICE_ID_LOGITECH_DINOVO_EDGE_KBD),
HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_ASUS_TP420IA_TOUCHSCREEN),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_ASUS_GV301RA_TOUCHSCREEN),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_ASUS_UX3402_TOUCHSCREEN),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_ASUS_UX6404_TOUCHSCREEN),
- HID_BATTERY_QUIRK_IGNORE },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ASUS_UX550_TOUCHSCREEN),
HID_BATTERY_QUIRK_IGNORE },
{ HID_USB_DEVICE(USB_VENDOR_ID_ELAN, USB_DEVICE_ID_ASUS_UX550VE_TOUCHSCREEN),
@@ -391,32 +383,13 @@ static const struct hid_device_id hid_battery_quirks[] = {
HID_BATTERY_QUIRK_AVOID_QUERY },
{ HID_USB_DEVICE(USB_VENDOR_ID_UGEE, USB_DEVICE_ID_UGEE_XPPEN_TABLET_DECO_PRO_SW),
HID_BATTERY_QUIRK_AVOID_QUERY },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_ENVY_X360_15),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_ENVY_X360_15T_DR100),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_ENVY_X360_EU0009NV),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_SPECTRE_X360_15),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_SPECTRE_X360_13_AW0020NG),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_SURFACE_GO_TOUCHSCREEN),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_SURFACE_GO2_TOUCHSCREEN),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_LENOVO_YOGA_C630_TOUCHSCREEN),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_SPECTRE_X360_13T_AW100),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V1),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V2),
- HID_BATTERY_QUIRK_IGNORE },
- { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_ENVY_X360_15_EU0556NG),
- HID_BATTERY_QUIRK_IGNORE },
{ HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_CHROMEBOOK_TROGDOR_POMPOM),
HID_BATTERY_QUIRK_AVOID_QUERY },
+ /*
+ * Elan I2C-HID touchscreens seem to all report a non present battery,
+ * set HID_BATTERY_QUIRK_IGNORE for all Elan I2C-HID devices.
+ */
+ { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, HID_ANY_ID), HID_BATTERY_QUIRK_IGNORE },
{}
};
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 138/386] drm/amd/display: Handle null stream_status in planes_changed_for_existing_stream
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 137/386] HID: Ignore battery for all ELAN I2C-HID devices Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 139/386] drm/amd/display: Check null pointers before using dc->clk_mgr Greg Kroah-Hartman
` (258 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Chung, Rodrigo Siqueira,
Roman Li, Alex Hung, Aurabindo Pillai, Harry Wentland,
Hamza Mahfooz, Srinivasan Shanmugam, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit 8141f21b941710ecebe49220b69822cab3abd23d ]
This commit adds a null check for 'stream_status' in the function
'planes_changed_for_existing_stream'. Previously, the code assumed
'stream_status' could be null, but did not handle the case where it was
actually null. This could lead to a null pointer dereference.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/core/dc_resource.c:3784 planes_changed_for_existing_stream() error: we previously assumed 'stream_status' could be null (see line 3774)
Cc: Tom Chung <chiahsuan.chung@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Roman Li <roman.li@amd.com>
Cc: Alex Hung <alex.hung@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
index 733e445331ea5..4b34bc9d4e4be 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
@@ -2877,8 +2877,10 @@ static bool planes_changed_for_existing_stream(struct dc_state *context,
}
}
- if (!stream_status)
+ if (!stream_status) {
ASSERT(0);
+ return false;
+ }
for (i = 0; i < set_count; i++)
if (set[i].stream == stream)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 139/386] drm/amd/display: Check null pointers before using dc->clk_mgr
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 138/386] drm/amd/display: Handle null stream_status in planes_changed_for_existing_stream Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 140/386] drm/amd/display: Add null check for afb in amdgpu_dm_plane_handle_cursor_update (v2) Greg Kroah-Hartman
` (257 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Siqueira, Alex Hung,
Tom Chung, Daniel Wheeler, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit 95d9e0803e51d5a24276b7643b244c7477daf463 ]
[WHY & HOW]
dc->clk_mgr is null checked previously in the same function, indicating
it might be null.
Passing "dc" to "dc->hwss.apply_idle_power_optimizations", which
dereferences null "dc->clk_mgr". (The function pointer resolves to
"dcn35_apply_idle_power_optimizations".)
This fixes 1 FORWARD_NULL issue reported by Coverity.
Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Tom Chung <chiahsuan.chung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/core/dc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc.c b/drivers/gpu/drm/amd/display/dc/core/dc.c
index 0b2eb2a6c8e14..a7a6f6c5c7655 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc.c
@@ -4716,7 +4716,8 @@ void dc_allow_idle_optimizations(struct dc *dc, bool allow)
if (allow == dc->idle_optimizations_allowed)
return;
- if (dc->hwss.apply_idle_power_optimizations && dc->hwss.apply_idle_power_optimizations(dc, allow))
+ if (dc->hwss.apply_idle_power_optimizations && dc->clk_mgr != NULL &&
+ dc->hwss.apply_idle_power_optimizations(dc, allow))
dc->idle_optimizations_allowed = allow;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 140/386] drm/amd/display: Add null check for afb in amdgpu_dm_plane_handle_cursor_update (v2)
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 139/386] drm/amd/display: Check null pointers before using dc->clk_mgr Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 141/386] drm/amd/display: fix double free issue during amdgpu module unload Greg Kroah-Hartman
` (256 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Chung, Rodrigo Siqueira,
Roman Li, Alex Hung, Aurabindo Pillai, Harry Wentland,
Srinivasan Shanmugam, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit cd9e9e0852d501f169aa3bb34e4b413d2eb48c37 ]
This commit adds a null check for the 'afb' variable in the
amdgpu_dm_plane_handle_cursor_update function. Previously, 'afb' was
assumed to be null, but was used later in the code without a null check.
This could potentially lead to a null pointer dereference.
Changes since v1:
- Moved the null check for 'afb' to the line where 'afb' is used. (Alex)
Fixes the below:
drivers/gpu/drm/amd/amdgpu/../display/amdgpu_dm/amdgpu_dm_plane.c:1298 amdgpu_dm_plane_handle_cursor_update() error: we previously assumed 'afb' could be null (see line 1252)
Cc: Tom Chung <chiahsuan.chung@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Roman Li <roman.li@amd.com>
Cc: Alex Hung <alex.hung@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Co-developed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
index fa9f53b310793..d1329f20b7bd4 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_plane.c
@@ -1281,7 +1281,8 @@ void amdgpu_dm_plane_handle_cursor_update(struct drm_plane *plane,
adev->dm.dc->caps.color.dpp.gamma_corr)
attributes.attribute_flags.bits.ENABLE_CURSOR_DEGAMMA = 1;
- attributes.pitch = afb->base.pitches[0] / afb->base.format->cpp[0];
+ if (afb)
+ attributes.pitch = afb->base.pitches[0] / afb->base.format->cpp[0];
if (crtc_state->stream) {
mutex_lock(&adev->dm.dc_lock);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 141/386] drm/amd/display: fix double free issue during amdgpu module unload
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 140/386] drm/amd/display: Add null check for afb in amdgpu_dm_plane_handle_cursor_update (v2) Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 142/386] jfs: UBSAN: shift-out-of-bounds in dbFindBits Greg Kroah-Hartman
` (255 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Siqueira, Tim Huang,
Roman Li, Daniel Wheeler, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Huang <tim.huang@amd.com>
[ Upstream commit 20b5a8f9f4670a8503aa9fa95ca632e77c6bf55d ]
Flexible endpoints use DIGs from available inflexible endpoints,
so only the encoders of inflexible links need to be freed.
Otherwise, a double free issue may occur when unloading the
amdgpu module.
[ 279.190523] RIP: 0010:__slab_free+0x152/0x2f0
[ 279.190577] Call Trace:
[ 279.190580] <TASK>
[ 279.190582] ? show_regs+0x69/0x80
[ 279.190590] ? die+0x3b/0x90
[ 279.190595] ? do_trap+0xc8/0xe0
[ 279.190601] ? do_error_trap+0x73/0xa0
[ 279.190605] ? __slab_free+0x152/0x2f0
[ 279.190609] ? exc_invalid_op+0x56/0x70
[ 279.190616] ? __slab_free+0x152/0x2f0
[ 279.190642] ? asm_exc_invalid_op+0x1f/0x30
[ 279.190648] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]
[ 279.191096] ? __slab_free+0x152/0x2f0
[ 279.191102] ? dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]
[ 279.191469] kfree+0x260/0x2b0
[ 279.191474] dcn10_link_encoder_destroy+0x19/0x30 [amdgpu]
[ 279.191821] link_destroy+0xd7/0x130 [amdgpu]
[ 279.192248] dc_destruct+0x90/0x270 [amdgpu]
[ 279.192666] dc_destroy+0x19/0x40 [amdgpu]
[ 279.193020] amdgpu_dm_fini+0x16e/0x200 [amdgpu]
[ 279.193432] dm_hw_fini+0x26/0x40 [amdgpu]
[ 279.193795] amdgpu_device_fini_hw+0x24c/0x400 [amdgpu]
[ 279.194108] amdgpu_driver_unload_kms+0x4f/0x70 [amdgpu]
[ 279.194436] amdgpu_pci_remove+0x40/0x80 [amdgpu]
[ 279.194632] pci_device_remove+0x3a/0xa0
[ 279.194638] device_remove+0x40/0x70
[ 279.194642] device_release_driver_internal+0x1ad/0x210
[ 279.194647] driver_detach+0x4e/0xa0
[ 279.194650] bus_remove_driver+0x6f/0xf0
[ 279.194653] driver_unregister+0x33/0x60
[ 279.194657] pci_unregister_driver+0x44/0x90
[ 279.194662] amdgpu_exit+0x19/0x1f0 [amdgpu]
[ 279.194939] __do_sys_delete_module.isra.0+0x198/0x2f0
[ 279.194946] __x64_sys_delete_module+0x16/0x20
[ 279.194950] do_syscall_64+0x58/0x120
[ 279.194954] entry_SYSCALL_64_after_hwframe+0x6e/0x76
[ 279.194980] </TASK>
Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
Signed-off-by: Tim Huang <tim.huang@amd.com>
Reviewed-by: Roman Li <roman.li@amd.com>
Signed-off-by: Roman Li <roman.li@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/link/link_factory.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/dc/link/link_factory.c b/drivers/gpu/drm/amd/display/dc/link/link_factory.c
index 33bb96f770b86..eb7c9f226af5c 100644
--- a/drivers/gpu/drm/amd/display/dc/link/link_factory.c
+++ b/drivers/gpu/drm/amd/display/dc/link/link_factory.c
@@ -403,7 +403,7 @@ static void link_destruct(struct dc_link *link)
if (link->panel_cntl)
link->panel_cntl->funcs->destroy(&link->panel_cntl);
- if (link->link_enc) {
+ if (link->link_enc && !link->is_dig_mapping_flexible) {
/* Update link encoder resource tracking variables. These are used for
* the dynamic assignment of link encoders to streams. Virtual links
* are not assigned encoder resources on creation.
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 142/386] jfs: UBSAN: shift-out-of-bounds in dbFindBits
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 141/386] drm/amd/display: fix double free issue during amdgpu module unload Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 143/386] jfs: Fix uaf in dbFreeBits Greg Kroah-Hartman
` (254 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+e38d703eeb410b17b473,
Remington Brasga, Dave Kleikamp, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Remington Brasga <rbrasga@uci.edu>
[ Upstream commit b0b2fc815e514221f01384f39fbfbff65d897e1c ]
Fix issue with UBSAN throwing shift-out-of-bounds warning.
Reported-by: syzbot+e38d703eeb410b17b473@syzkaller.appspotmail.com
Signed-off-by: Remington Brasga <rbrasga@uci.edu>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 0625d1c0d0649..8847e8c5d5b45 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -3022,7 +3022,7 @@ static int dbFindBits(u32 word, int l2nb)
/* scan the word for nb free bits at nb alignments.
*/
- for (bitno = 0; mask != 0; bitno += nb, mask >>= nb) {
+ for (bitno = 0; mask != 0; bitno += nb, mask = (mask >> nb)) {
if ((mask & word) == mask)
break;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 143/386] jfs: Fix uaf in dbFreeBits
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 142/386] jfs: UBSAN: shift-out-of-bounds in dbFindBits Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 144/386] jfs: check if leafidx greater than num leaves per dmap tree Greg Kroah-Hartman
` (253 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Adam Davis, Dave Kleikamp,
Sasha Levin, syzbot+3c010e21296f33a5dc16
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit d6c1b3599b2feb5c7291f5ac3a36e5fa7cedb234 ]
[syzbot reported]
==================================================================
BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline]
BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216
CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:93 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
__mutex_lock_common kernel/locking/mutex.c:587 [inline]
__mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752
dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390
dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline]
dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409
dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650
jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100
jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
Freed by task 5218:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object+0xe0/0x150 mm/kasan/common.c:240
__kasan_slab_free+0x37/0x60 mm/kasan/common.c:256
kasan_slab_free include/linux/kasan.h:184 [inline]
slab_free_hook mm/slub.c:2252 [inline]
slab_free mm/slub.c:4473 [inline]
kfree+0x149/0x360 mm/slub.c:4594
dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278
jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247
jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454
reconfigure_super+0x445/0x880 fs/super.c:1083
vfs_cmd_reconfigure fs/fsopen.c:263 [inline]
vfs_fsconfig_locked fs/fsopen.c:292 [inline]
__do_sys_fsconfig fs/fsopen.c:473 [inline]
__se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
[Analysis]
There are two paths (dbUnmount and jfs_ioc_trim) that generate race
condition when accessing bmap, which leads to the occurrence of uaf.
Use the lock s_umount to synchronize them, in order to avoid uaf caused
by race condition.
Reported-and-tested-by: syzbot+3c010e21296f33a5dc16@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_discard.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
diff --git a/fs/jfs/jfs_discard.c b/fs/jfs/jfs_discard.c
index 575cb2ba74fc8..5f4b305030ad5 100644
--- a/fs/jfs/jfs_discard.c
+++ b/fs/jfs/jfs_discard.c
@@ -65,7 +65,7 @@ void jfs_issue_discard(struct inode *ip, u64 blkno, u64 nblocks)
int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range)
{
struct inode *ipbmap = JFS_SBI(ip->i_sb)->ipbmap;
- struct bmap *bmp = JFS_SBI(ip->i_sb)->bmap;
+ struct bmap *bmp;
struct super_block *sb = ipbmap->i_sb;
int agno, agno_end;
u64 start, end, minlen;
@@ -83,10 +83,15 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range)
if (minlen == 0)
minlen = 1;
+ down_read(&sb->s_umount);
+ bmp = JFS_SBI(ip->i_sb)->bmap;
+
if (minlen > bmp->db_agsize ||
start >= bmp->db_mapsize ||
- range->len < sb->s_blocksize)
+ range->len < sb->s_blocksize) {
+ up_read(&sb->s_umount);
return -EINVAL;
+ }
if (end >= bmp->db_mapsize)
end = bmp->db_mapsize - 1;
@@ -100,6 +105,8 @@ int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range)
trimmed += dbDiscardAG(ip, agno, minlen);
agno++;
}
+
+ up_read(&sb->s_umount);
range->len = trimmed << sb->s_blocksize_bits;
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 144/386] jfs: check if leafidx greater than num leaves per dmap tree
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 143/386] jfs: Fix uaf in dbFreeBits Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 145/386] scsi: smartpqi: correct stream detection Greg Kroah-Hartman
` (252 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Edward Adam Davis, Dave Kleikamp,
Sasha Levin, syzbot+dca05492eff41f604890
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
[ Upstream commit d64ff0d2306713ff084d4b09f84ed1a8c75ecc32 ]
syzbot report a out of bounds in dbSplit, it because dmt_leafidx greater
than num leaves per dmap tree, add a checking for dmt_leafidx in dbFindLeaf.
Shaggy:
Modified sanity check to apply to control pages as well as leaf pages.
Reported-and-tested-by: syzbot+dca05492eff41f604890@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=dca05492eff41f604890
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/jfs_dmap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/fs/jfs/jfs_dmap.c b/fs/jfs/jfs_dmap.c
index 8847e8c5d5b45..974ecf5e0d952 100644
--- a/fs/jfs/jfs_dmap.c
+++ b/fs/jfs/jfs_dmap.c
@@ -2944,9 +2944,10 @@ static void dbAdjTree(dmtree_t *tp, int leafno, int newval, bool is_ctl)
static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
{
int ti, n = 0, k, x = 0;
- int max_size;
+ int max_size, max_idx;
max_size = is_ctl ? CTLTREESIZE : TREESIZE;
+ max_idx = is_ctl ? LPERCTL : LPERDMAP;
/* first check the root of the tree to see if there is
* sufficient free space.
@@ -2978,6 +2979,8 @@ static int dbFindLeaf(dmtree_t *tp, int l2nb, int *leafidx, bool is_ctl)
*/
assert(n < 4);
}
+ if (le32_to_cpu(tp->dmt_leafidx) >= max_idx)
+ return -ENOSPC;
/* set the return to the leftmost leaf describing sufficient
* free space.
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 145/386] scsi: smartpqi: correct stream detection
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 144/386] jfs: check if leafidx greater than num leaves per dmap tree Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 146/386] drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs Greg Kroah-Hartman
` (251 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott Benesh, Scott Teel,
Mike McGowen, Mahesh Rajashekhara, Don Brace, Martin K. Petersen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mahesh Rajashekhara <mahesh.rajashekhara@microchip.com>
[ Upstream commit 4c76114932d1d6fad2e72823e7898a3c960cf2a7 ]
Correct stream detection by initializing the structure
pqi_scsi_dev_raid_map_data to 0s.
When the OS issues SCSI READ commands, the driver erroneously considers
them as SCSI WRITES. If they are identified as sequential IOs, the driver
then submits those requests via the RAID path instead of the AIO path.
The 'is_write' flag might be set for SCSI READ commands also. The driver
may interpret SCSI READ commands as SCSI WRITE commands, resulting in IOs
being submitted through the RAID path.
Note: This does not cause data corruption.
Reviewed-by: Scott Benesh <scott.benesh@microchip.com>
Reviewed-by: Scott Teel <scott.teel@microchip.com>
Reviewed-by: Mike McGowen <mike.mcgowen@microchip.com>
Signed-off-by: Mahesh Rajashekhara <mahesh.rajashekhara@microchip.com>
Signed-off-by: Don Brace <don.brace@microchip.com>
Link: https://lore.kernel.org/r/20240827185501.692804-3-don.brace@microchip.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/smartpqi/smartpqi_init.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/smartpqi/smartpqi_init.c b/drivers/scsi/smartpqi/smartpqi_init.c
index 2ae64cda8bc9e..0af2d366c85f9 100644
--- a/drivers/scsi/smartpqi/smartpqi_init.c
+++ b/drivers/scsi/smartpqi/smartpqi_init.c
@@ -5918,7 +5918,7 @@ static bool pqi_is_parity_write_stream(struct pqi_ctrl_info *ctrl_info,
int rc;
struct pqi_scsi_dev *device;
struct pqi_stream_data *pqi_stream_data;
- struct pqi_scsi_dev_raid_map_data rmd;
+ struct pqi_scsi_dev_raid_map_data rmd = { 0 };
if (!ctrl_info->enable_stream_detection)
return false;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 146/386] drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 145/386] scsi: smartpqi: correct stream detection Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 147/386] jfs: Fix uninit-value access of new_ea in ea_buffer Greg Kroah-Hartman
` (250 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Rob Clark,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@linaro.org>
[ Upstream commit 16007768551d5bfe53426645401435ca8d2ef54f ]
There are some cases, such as the one uncovered by Commit 46d4efcccc68
("drm/msm/a6xx: Avoid a nullptr dereference when speedbin setting fails")
where
msm_gpu_cleanup() : platform_set_drvdata(gpu->pdev, NULL);
is called on gpu->pdev == NULL, as the GPU device has not been fully
initialized yet.
Turns out that there's more than just the aforementioned path that
causes this to happen (e.g. the case when there's speedbin data in the
catalog, but opp-supported-hw is missing in DT).
Assigning msm_gpu->pdev earlier seems like the least painful solution
to this, therefore do so.
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Patchwork: https://patchwork.freedesktop.org/patch/602742/
Signed-off-by: Rob Clark <robdclark@chromium.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/msm/adreno/adreno_gpu.c | 1 +
drivers/gpu/drm/msm/msm_gpu.c | 1 -
2 files changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/msm/adreno/adreno_gpu.c b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
index 4127e2762dcd1..a2df8bd7aa940 100644
--- a/drivers/gpu/drm/msm/adreno/adreno_gpu.c
+++ b/drivers/gpu/drm/msm/adreno/adreno_gpu.c
@@ -1071,6 +1071,7 @@ int adreno_gpu_init(struct drm_device *drm, struct platform_device *pdev,
adreno_gpu->chip_id = config->chip_id;
gpu->allow_relocs = config->info->family < ADRENO_6XX_GEN1;
+ gpu->pdev = pdev;
/* Only handle the core clock when GMU is not in use (or is absent). */
if (adreno_has_gmu_wrapper(adreno_gpu) ||
diff --git a/drivers/gpu/drm/msm/msm_gpu.c b/drivers/gpu/drm/msm/msm_gpu.c
index 5c10b559a5957..5a7541597d0ce 100644
--- a/drivers/gpu/drm/msm/msm_gpu.c
+++ b/drivers/gpu/drm/msm/msm_gpu.c
@@ -927,7 +927,6 @@ int msm_gpu_init(struct drm_device *drm, struct platform_device *pdev,
if (IS_ERR(gpu->gpu_cx))
gpu->gpu_cx = NULL;
- gpu->pdev = pdev;
platform_set_drvdata(pdev, &gpu->adreno_smmu);
msm_devfreq_init(gpu);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 147/386] jfs: Fix uninit-value access of new_ea in ea_buffer
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 146/386] drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 148/386] drm/amdgpu: add raven1 gfxoff quirk Greg Kroah-Hartman
` (249 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+02341e0daa42a15ce130,
Zhao Mengmeng, Dave Kleikamp, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhao Mengmeng <zhaomengmeng@kylinos.cn>
[ Upstream commit 2b59ffad47db1c46af25ccad157bb3b25147c35c ]
syzbot reports that lzo1x_1_do_compress is using uninit-value:
=====================================================
BUG: KMSAN: uninit-value in lzo1x_1_do_compress+0x19f9/0x2510 lib/lzo/lzo1x_compress.c:178
...
Uninit was stored to memory at:
ea_put fs/jfs/xattr.c:639 [inline]
...
Local variable ea_buf created at:
__jfs_setxattr+0x5d/0x1ae0 fs/jfs/xattr.c:662
__jfs_xattr_set+0xe6/0x1f0 fs/jfs/xattr.c:934
=====================================================
The reason is ea_buf->new_ea is not initialized properly.
Fix this by using memset to empty its content at the beginning
in ea_get().
Reported-by: syzbot+02341e0daa42a15ce130@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=02341e0daa42a15ce130
Signed-off-by: Zhao Mengmeng <zhaomengmeng@kylinos.cn>
Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/jfs/xattr.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/fs/jfs/xattr.c b/fs/jfs/xattr.c
index 17faf8d355290..49e064c1f5517 100644
--- a/fs/jfs/xattr.c
+++ b/fs/jfs/xattr.c
@@ -434,6 +434,8 @@ static int ea_get(struct inode *inode, struct ea_buffer *ea_buf, int min_size)
int rc;
int quota_allocation = 0;
+ memset(&ea_buf->new_ea, 0, sizeof(ea_buf->new_ea));
+
/* When fsck.jfs clears a bad ea, it doesn't clear the size */
if (ji->ea.flag == 0)
ea_size = 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 148/386] drm/amdgpu: add raven1 gfxoff quirk
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 147/386] jfs: Fix uninit-value access of new_ea in ea_buffer Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 149/386] drm/amdgpu: enable gfxoff quirk on HP 705G4 Greg Kroah-Hartman
` (248 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Liu, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Liu <liupeng01@kylinos.cn>
[ Upstream commit 0126c0ae11e8b52ecfde9d1b174ee2f32d6c3a5d ]
Fix screen corruption with openkylin.
Link: https://bbs.openkylin.top/t/topic/171497
Signed-off-by: Peng Liu <liupeng01@kylinos.cn>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
index 8168836a08d2e..c28e7ff6ede26 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
@@ -1172,6 +1172,8 @@ static const struct amdgpu_gfxoff_quirk amdgpu_gfxoff_quirk_list[] = {
{ 0x1002, 0x15dd, 0x1002, 0x15dd, 0xc6 },
/* Apple MacBook Pro (15-inch, 2019) Radeon Pro Vega 20 4 GB */
{ 0x1002, 0x69af, 0x106b, 0x019a, 0xc0 },
+ /* https://bbs.openkylin.top/t/topic/171497 */
+ { 0x1002, 0x15d8, 0x19e5, 0x3e14, 0xc2 },
{ 0, 0, 0, 0, 0 },
};
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 149/386] drm/amdgpu: enable gfxoff quirk on HP 705G4
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 148/386] drm/amdgpu: add raven1 gfxoff quirk Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 150/386] drm/amdkfd: Fix resource leak in criu restore queue Greg Kroah-Hartman
` (247 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Peng Liu, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peng Liu <liupeng01@kylinos.cn>
[ Upstream commit 2c7795e245d993bcba2f716a8c93a5891ef910c9 ]
Enabling gfxoff quirk results in perfectly usable
graphical user interface on HP 705G4 DM with R5 2400G.
Without the quirk, X server is completely unusable as
every few seconds there is gpu reset due to ring gfx timeout.
Signed-off-by: Peng Liu <liupeng01@kylinos.cn>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
index c28e7ff6ede26..00e693c47f3cc 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
@@ -1174,6 +1174,8 @@ static const struct amdgpu_gfxoff_quirk amdgpu_gfxoff_quirk_list[] = {
{ 0x1002, 0x69af, 0x106b, 0x019a, 0xc0 },
/* https://bbs.openkylin.top/t/topic/171497 */
{ 0x1002, 0x15d8, 0x19e5, 0x3e14, 0xc2 },
+ /* HP 705G4 DM with R5 2400G */
+ { 0x1002, 0x15dd, 0x103c, 0x8464, 0xd6 },
{ 0, 0, 0, 0, 0 },
};
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 150/386] drm/amdkfd: Fix resource leak in criu restore queue
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 149/386] drm/amdgpu: enable gfxoff quirk on HP 705G4 Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 151/386] HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio Greg Kroah-Hartman
` (246 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jesse Zhang, Tim Huang, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jesse Zhang <jesse.zhang@amd.com>
[ Upstream commit aa47fe8d3595365a935921a90d00bc33ee374728 ]
To avoid memory leaks, release q_extra_data when exiting the restore queue.
v2: Correct the proto (Alex)
Signed-off-by: Jesse Zhang <jesse.zhang@amd.com>
Reviewed-by: Tim Huang <tim.huang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
index dbc75ca84375a..0583af4e84fa3 100644
--- a/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
+++ b/drivers/gpu/drm/amd/amdkfd/kfd_process_queue_manager.c
@@ -982,6 +982,7 @@ int kfd_criu_restore_queue(struct kfd_process *p,
pr_debug("Queue id %d was restored successfully\n", queue_id);
kfree(q_data);
+ kfree(q_extra_data);
return ret;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 151/386] HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 150/386] drm/amdkfd: Fix resource leak in criu restore queue Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 152/386] platform/x86: touchscreen_dmi: add nanote-next quirk Greg Kroah-Hartman
` (245 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vishnu Sankar, Mark Pearson,
Jiri Kosina, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vishnu Sankar <vishnuocv@gmail.com>
[ Upstream commit 65b72ea91a257a5f0cb5a26b01194d3dd4b85298 ]
This applies similar quirks used by previous generation device, so that
Trackpoint and buttons on the touchpad works. New USB KBD PID 0x61AE for
Thinkpad X12 Tab is added.
Signed-off-by: Vishnu Sankar <vishnuocv@gmail.com>
Reviewed-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Signed-off-by: Jiri Kosina <jkosina@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-multitouch.c | 6 ++++++
2 files changed, 7 insertions(+)
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index 674e03fa5f81f..f2e8fb357590f 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -788,6 +788,7 @@
#define USB_DEVICE_ID_LENOVO_X1_TAB 0x60a3
#define USB_DEVICE_ID_LENOVO_X1_TAB3 0x60b5
#define USB_DEVICE_ID_LENOVO_X12_TAB 0x60fe
+#define USB_DEVICE_ID_LENOVO_X12_TAB2 0x61ae
#define USB_DEVICE_ID_LENOVO_OPTICAL_USB_MOUSE_600E 0x600e
#define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_608D 0x608d
#define USB_DEVICE_ID_LENOVO_PIXART_USB_MOUSE_6019 0x6019
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index 8ef41d6e71d42..6d76463f5896f 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -2116,6 +2116,12 @@ static const struct hid_device_id mt_devices[] = {
USB_VENDOR_ID_LENOVO,
USB_DEVICE_ID_LENOVO_X12_TAB) },
+ /* Lenovo X12 TAB Gen 2 */
+ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT_NSMU,
+ HID_DEVICE(BUS_USB, HID_GROUP_MULTITOUCH_WIN_8,
+ USB_VENDOR_ID_LENOVO,
+ USB_DEVICE_ID_LENOVO_X12_TAB2) },
+
/* Logitech devices */
{ .driver_data = MT_CLS_NSMU,
HID_DEVICE(BUS_BLUETOOTH, HID_GROUP_MULTITOUCH_WIN_8,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 152/386] platform/x86: touchscreen_dmi: add nanote-next quirk
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 151/386] HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 153/386] drm/stm: ltdc: reset plane transparency after plane disable Greg Kroah-Hartman
` (244 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ckath, Hans de Goede, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ckath <ckath@yandex.ru>
[ Upstream commit c11619af35bae5884029bd14170c3e4b55ddf6f3 ]
Add touschscreen info for the nanote next (UMPC-03-SR).
After checking with multiple owners the DMI info really is this generic.
Signed-off-by: Ckath <ckath@yandex.ru>
Link: https://lore.kernel.org/r/e8dda83a-10ae-42cf-a061-5d29be0d193a@yandex.ru
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/touchscreen_dmi.c | 26 ++++++++++++++++++++++++++
1 file changed, 26 insertions(+)
diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c
index 06ebab520f271..30c05a9948319 100644
--- a/drivers/platform/x86/touchscreen_dmi.c
+++ b/drivers/platform/x86/touchscreen_dmi.c
@@ -885,6 +885,21 @@ static const struct ts_dmi_data rwc_nanote_p8_data = {
.properties = rwc_nanote_p8_props,
};
+static const struct property_entry rwc_nanote_next_props[] = {
+ PROPERTY_ENTRY_U32("touchscreen-min-x", 5),
+ PROPERTY_ENTRY_U32("touchscreen-min-y", 5),
+ PROPERTY_ENTRY_U32("touchscreen-size-x", 1785),
+ PROPERTY_ENTRY_U32("touchscreen-size-y", 1145),
+ PROPERTY_ENTRY_BOOL("touchscreen-inverted-y"),
+ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-rwc-nanote-next.fw"),
+ { }
+};
+
+static const struct ts_dmi_data rwc_nanote_next_data = {
+ .acpi_name = "MSSL1680:00",
+ .properties = rwc_nanote_next_props,
+};
+
static const struct property_entry schneider_sct101ctm_props[] = {
PROPERTY_ENTRY_U32("touchscreen-size-x", 1715),
PROPERTY_ENTRY_U32("touchscreen-size-y", 1140),
@@ -1648,6 +1663,17 @@ const struct dmi_system_id touchscreen_dmi_table[] = {
DMI_MATCH(DMI_PRODUCT_SKU, "0001")
},
},
+ {
+ /* RWC NANOTE NEXT */
+ .driver_data = (void *)&rwc_nanote_next_data,
+ .matches = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "To be filled by O.E.M."),
+ DMI_MATCH(DMI_BOARD_NAME, "To be filled by O.E.M."),
+ DMI_MATCH(DMI_BOARD_VENDOR, "To be filled by O.E.M."),
+ /* Above matches are too generic, add bios-version match */
+ DMI_MATCH(DMI_BIOS_VERSION, "S8A70R100-V005"),
+ },
+ },
{
/* Schneider SCT101CTM */
.driver_data = (void *)&schneider_sct101ctm_data,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 153/386] drm/stm: ltdc: reset plane transparency after plane disable
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 152/386] platform/x86: touchscreen_dmi: add nanote-next quirk Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 154/386] drm/amd/display: Check stream before comparing them Greg Kroah-Hartman
` (243 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yannick Fertre, Raphael Gallais-Pou,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yannick Fertre <yannick.fertre@foss.st.com>
[ Upstream commit 02fa62d41c8abff945bae5bfc3ddcf4721496aca ]
The plane's opacity should be reseted while the plane
is disabled. It prevents from seeing a possible global
or layer background color set earlier.
Signed-off-by: Yannick Fertre <yannick.fertre@foss.st.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240712131344.98113-1-yannick.fertre@foss.st.com
Signed-off-by: Raphael Gallais-Pou <raphael.gallais-pou@foss.st.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/stm/ltdc.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/stm/ltdc.c b/drivers/gpu/drm/stm/ltdc.c
index 056642d12265c..0832b749b66e7 100644
--- a/drivers/gpu/drm/stm/ltdc.c
+++ b/drivers/gpu/drm/stm/ltdc.c
@@ -1513,6 +1513,9 @@ static void ltdc_plane_atomic_disable(struct drm_plane *plane,
/* Disable layer */
regmap_write_bits(ldev->regmap, LTDC_L1CR + lofs, LXCR_LEN | LXCR_CLUTEN | LXCR_HMEN, 0);
+ /* Reset the layer transparency to hide any related background color */
+ regmap_write_bits(ldev->regmap, LTDC_L1CACR + lofs, LXCACR_CONSTA, 0x00);
+
/* Commit shadow registers = update plane at next vblank */
if (ldev->caps.plane_reg_shadow)
regmap_write_bits(ldev->regmap, LTDC_L1RCR + lofs,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 154/386] drm/amd/display: Check stream before comparing them
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 153/386] drm/stm: ltdc: reset plane transparency after plane disable Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 155/386] drm/amd/display: Check link_res->hpo_dp_link_enc before using it Greg Kroah-Hartman
` (242 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Siqueira, Jerry Zuo,
Alex Hung, Daniel Wheeler, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit 35ff747c86767937ee1e0ca987545b7eed7a0810 ]
[WHAT & HOW]
amdgpu_dm can pass a null stream to dc_is_stream_unchanged. It is
necessary to check for null before dereferencing them.
This fixes 1 FORWARD_NULL issue reported by Coverity.
Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
Signed-off-by: Jerry Zuo <jerry.zuo@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/core/dc_resource.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
index 4b34bc9d4e4be..99fcd39bb15e0 100644
--- a/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
+++ b/drivers/gpu/drm/amd/display/dc/core/dc_resource.c
@@ -2154,6 +2154,8 @@ static bool are_stream_backends_same(
bool dc_is_stream_unchanged(
struct dc_stream_state *old_stream, struct dc_stream_state *stream)
{
+ if (!old_stream || !stream)
+ return false;
if (!are_stream_backends_same(old_stream, stream))
return false;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 155/386] drm/amd/display: Check link_res->hpo_dp_link_enc before using it
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 154/386] drm/amd/display: Check stream before comparing them Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 156/386] drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation Greg Kroah-Hartman
` (241 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Siqueira, Jerry Zuo,
Alex Hung, Daniel Wheeler, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit 0beca868cde8742240cd0038141c30482d2b7eb8 ]
[WHAT & HOW]
Functions dp_enable_link_phy and dp_disable_link_phy can pass link_res
without initializing hpo_dp_link_enc and it is necessary to check for
null before dereferencing.
This fixes 2 FORWARD_NULL issues reported by Coverity.
Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
Signed-off-by: Jerry Zuo <jerry.zuo@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c b/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c
index e1257404357b1..d0148f10dfc0a 100644
--- a/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c
+++ b/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c
@@ -28,6 +28,8 @@
#include "dccg.h"
#include "clk_mgr.h"
+#define DC_LOGGER link->ctx->logger
+
void set_hpo_dp_throttled_vcp_size(struct pipe_ctx *pipe_ctx,
struct fixed31_32 throttled_vcp_size)
{
@@ -124,6 +126,11 @@ void disable_hpo_dp_link_output(struct dc_link *link,
const struct link_resource *link_res,
enum signal_type signal)
{
+ if (!link_res->hpo_dp_link_enc) {
+ DC_LOG_ERROR("%s: invalid hpo_dp_link_enc\n", __func__);
+ return;
+ }
+
link_res->hpo_dp_link_enc->funcs->link_disable(link_res->hpo_dp_link_enc);
link_res->hpo_dp_link_enc->funcs->disable_link_phy(
link_res->hpo_dp_link_enc, signal);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 156/386] drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 155/386] drm/amd/display: Check link_res->hpo_dp_link_enc before using it Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 157/386] drm/amd/display: Fix index out of bounds in " Greg Kroah-Hartman
` (240 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Chung, Rodrigo Siqueira,
Roman Li, Alex Hung, Aurabindo Pillai, Harry Wentland,
Hamza Mahfooz, Srinivasan Shanmugam, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit bc50b614d59990747dd5aeced9ec22f9258991ff ]
This commit addresses a potential index out of bounds issue in the
`cm3_helper_translate_curve_to_degamma_hw_format` function in the DCN30
color management module. The issue could occur when the index 'i'
exceeds the number of transfer function points (TRANSFER_FUNC_POINTS).
The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function points. If 'i' is out of bounds, the function returns
false to indicate an error.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:338 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:339 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:340 cm3_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
Cc: Tom Chung <chiahsuan.chung@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Roman Li <roman.li@amd.com>
Cc: Alex Hung <alex.hung@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c
index e0df9b0065f9c..e0b1fc92ed186 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c
@@ -355,6 +355,8 @@ bool cm3_helper_translate_curve_to_degamma_hw_format(
i += increment) {
if (j == hw_points - 1)
break;
+ if (i >= TRANSFER_FUNC_POINTS)
+ return false;
rgb_resulted[j].red = output_tf->tf_pts.red[i];
rgb_resulted[j].green = output_tf->tf_pts.green[i];
rgb_resulted[j].blue = output_tf->tf_pts.blue[i];
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 157/386] drm/amd/display: Fix index out of bounds in degamma hardware format translation
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 156/386] drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 158/386] drm/amd/display: Fix index out of bounds in DCN30 color transformation Greg Kroah-Hartman
` (239 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Chung, Rodrigo Siqueira,
Roman Li, Alex Hung, Aurabindo Pillai, Harry Wentland,
Hamza Mahfooz, Srinivasan Shanmugam, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit b7e99058eb2e86aabd7a10761e76cae33d22b49f ]
Fixes index out of bounds issue in
`cm_helper_translate_curve_to_degamma_hw_format` function. The issue
could occur when the index 'i' exceeds the number of transfer function
points (TRANSFER_FUNC_POINTS).
The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function points. If 'i' is out of bounds the function returns
false to indicate an error.
Reported by smatch:
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:594 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:595 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn10/dcn10_cm_common.c:596 cm_helper_translate_curve_to_degamma_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
Cc: Tom Chung <chiahsuan.chung@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Roman Li <roman.li@amd.com>
Cc: Alex Hung <alex.hung@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c
index c0372aa4ec838..684e30f9cf898 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn10/dcn10_cm_common.c
@@ -571,6 +571,8 @@ bool cm_helper_translate_curve_to_degamma_hw_format(
i += increment) {
if (j == hw_points - 1)
break;
+ if (i >= TRANSFER_FUNC_POINTS)
+ return false;
rgb_resulted[j].red = output_tf->tf_pts.red[i];
rgb_resulted[j].green = output_tf->tf_pts.green[i];
rgb_resulted[j].blue = output_tf->tf_pts.blue[i];
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 158/386] drm/amd/display: Fix index out of bounds in DCN30 color transformation
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 157/386] drm/amd/display: Fix index out of bounds in " Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 159/386] drm/amd/display: Avoid overflow assignment in link_dp_cts Greg Kroah-Hartman
` (238 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Chung, Rodrigo Siqueira,
Roman Li, Alex Hung, Aurabindo Pillai, Harry Wentland,
Hamza Mahfooz, Srinivasan Shanmugam, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
[ Upstream commit d81873f9e715b72d4f8d391c8eb243946f784dfc ]
This commit addresses a potential index out of bounds issue in the
`cm3_helper_translate_curve_to_hw_format` function in the DCN30 color
management module. The issue could occur when the index 'i' exceeds the
number of transfer function points (TRANSFER_FUNC_POINTS).
The fix adds a check to ensure 'i' is within bounds before accessing the
transfer function points. If 'i' is out of bounds, the function returns
false to indicate an error.
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:180 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.red' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:181 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.green' 1025 <= s32max
drivers/gpu/drm/amd/amdgpu/../display/dc/dcn30/dcn30_cm_common.c:182 cm3_helper_translate_curve_to_hw_format() error: buffer overflow 'output_tf->tf_pts.blue' 1025 <= s32max
Cc: Tom Chung <chiahsuan.chung@amd.com>
Cc: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Cc: Roman Li <roman.li@amd.com>
Cc: Alex Hung <alex.hung@amd.com>
Cc: Aurabindo Pillai <aurabindo.pillai@amd.com>
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Hamza Mahfooz <hamza.mahfooz@amd.com>
Signed-off-by: Srinivasan Shanmugam <srinivasan.shanmugam@amd.com>
Reviewed-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c
index e0b1fc92ed186..62c02adae7e76 100644
--- a/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c
+++ b/drivers/gpu/drm/amd/display/dc/dcn30/dcn30_cm_common.c
@@ -178,6 +178,8 @@ bool cm3_helper_translate_curve_to_hw_format(
i += increment) {
if (j == hw_points - 1)
break;
+ if (i >= TRANSFER_FUNC_POINTS)
+ return false;
rgb_resulted[j].red = output_tf->tf_pts.red[i];
rgb_resulted[j].green = output_tf->tf_pts.green[i];
rgb_resulted[j].blue = output_tf->tf_pts.blue[i];
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 159/386] drm/amd/display: Avoid overflow assignment in link_dp_cts
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 158/386] drm/amd/display: Fix index out of bounds in DCN30 color transformation Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 160/386] drm/amd/display: Initialize get_bytes_per_elements default to 1 Greg Kroah-Hartman
` (237 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Wenjing Liu,
Daniel Wheeler, Rodrigo Siqueira, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit a15268787b79fd183dd526cc16bec9af4f4e49a1 ]
sampling_rate is an uint8_t but is assigned an unsigned int, and thus it
can overflow. As a result, sampling_rate is changed to uint32_t.
Similarly, LINK_QUAL_PATTERN_SET has a size of 2 bits, and it should
only be assigned to a value less or equal than 4.
This fixes 2 INTEGER_OVERFLOW issues reported by Coverity.
Signed-off-by: Alex Hung <alex.hung@amd.com>
Reviewed-by: Wenjing Liu <wenjing.liu@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 2 +-
drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c | 3 ++-
drivers/gpu/drm/amd/display/include/dpcd_defs.h | 1 +
3 files changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dc_dp_types.h b/drivers/gpu/drm/amd/display/dc/dc_dp_types.h
index 83719f5bea495..8df52f9ba0b7c 100644
--- a/drivers/gpu/drm/amd/display/dc/dc_dp_types.h
+++ b/drivers/gpu/drm/amd/display/dc/dc_dp_types.h
@@ -721,7 +721,7 @@ struct dp_audio_test_data_flags {
struct dp_audio_test_data {
struct dp_audio_test_data_flags flags;
- uint8_t sampling_rate;
+ uint32_t sampling_rate;
uint8_t channel_count;
uint8_t pattern_type;
uint8_t pattern_period[8];
diff --git a/drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c b/drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c
index fe4282771cd07..8a97d96f7d8bb 100644
--- a/drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c
+++ b/drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c
@@ -849,7 +849,8 @@ bool dp_set_test_pattern(
core_link_read_dpcd(link, DP_TRAINING_PATTERN_SET,
&training_pattern.raw,
sizeof(training_pattern));
- training_pattern.v1_3.LINK_QUAL_PATTERN_SET = pattern;
+ if (pattern <= PHY_TEST_PATTERN_END_DP11)
+ training_pattern.v1_3.LINK_QUAL_PATTERN_SET = pattern;
core_link_write_dpcd(link, DP_TRAINING_PATTERN_SET,
&training_pattern.raw,
sizeof(training_pattern));
diff --git a/drivers/gpu/drm/amd/display/include/dpcd_defs.h b/drivers/gpu/drm/amd/display/include/dpcd_defs.h
index aee5170f5fb23..c246235e4afec 100644
--- a/drivers/gpu/drm/amd/display/include/dpcd_defs.h
+++ b/drivers/gpu/drm/amd/display/include/dpcd_defs.h
@@ -76,6 +76,7 @@ enum dpcd_phy_test_patterns {
PHY_TEST_PATTERN_D10_2,
PHY_TEST_PATTERN_SYMBOL_ERROR,
PHY_TEST_PATTERN_PRBS7,
+ PHY_TEST_PATTERN_END_DP11 = PHY_TEST_PATTERN_PRBS7,
PHY_TEST_PATTERN_80BIT_CUSTOM,/* For DP1.2 only */
PHY_TEST_PATTERN_CP2520_1,
PHY_TEST_PATTERN_CP2520_2,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 160/386] drm/amd/display: Initialize get_bytes_per_elements default to 1
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 159/386] drm/amd/display: Avoid overflow assignment in link_dp_cts Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 161/386] drm/printer: Allow NULL data in devcoredump printer Greg Kroah-Hartman
` (236 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Aurabindo Pillai,
Daniel Wheeler, Rodrigo Siqueira, Alex Deucher, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
[ Upstream commit 4067f4fa0423a89fb19a30b57231b384d77d2610 ]
Variables, used as denominators and maybe not assigned to other values,
should not be 0. bytes_per_element_y & bytes_per_element_c are
initialized by get_bytes_per_element() which should never return 0.
This fixes 10 DIVIDE_BY_ZERO issues reported by Coverity.
Signed-off-by: Alex Hung <alex.hung@amd.com>
Reviewed-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c | 2 +-
.../gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c | 2 +-
2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c
index 0fc9f3e3ffaef..f603486af6e30 100644
--- a/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c
+++ b/drivers/gpu/drm/amd/display/dc/dml/dcn20/display_rq_dlg_calc_20v2.c
@@ -78,7 +78,7 @@ static void calculate_ttu_cursor(struct display_mode_lib *mode_lib,
static unsigned int get_bytes_per_element(enum source_format_class source_format, bool is_chroma)
{
- unsigned int ret_val = 0;
+ unsigned int ret_val = 1;
if (source_format == dm_444_16) {
if (!is_chroma)
diff --git a/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c b/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c
index 618f4b682ab1b..9f28e4d3c664c 100644
--- a/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c
+++ b/drivers/gpu/drm/amd/display/dc/dml/dcn21/display_rq_dlg_calc_21.c
@@ -53,7 +53,7 @@ static void calculate_ttu_cursor(
static unsigned int get_bytes_per_element(enum source_format_class source_format, bool is_chroma)
{
- unsigned int ret_val = 0;
+ unsigned int ret_val = 1;
if (source_format == dm_444_16) {
if (!is_chroma)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 161/386] drm/printer: Allow NULL data in devcoredump printer
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 160/386] drm/amd/display: Initialize get_bytes_per_elements default to 1 Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 162/386] perf,x86: avoid missing caller address in stack traces captured in uprobe Greg Kroah-Hartman
` (235 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maarten Lankhorst, Matthew Brost,
Jonathan Cavitt, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthew Brost <matthew.brost@intel.com>
[ Upstream commit 53369581dc0c68a5700ed51e1660f44c4b2bb524 ]
We want to determine the size of the devcoredump before writing it out.
To that end, we will run the devcoredump printer with NULL data to get
the size, alloc data based on the generated offset, then run the
devcorecump again with a valid data pointer to print. This necessitates
not writing data to the data pointer on the initial pass, when it is
NULL.
v5:
- Better commit message (Jonathan)
- Add kerenl doc with examples (Jani)
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Acked-by: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Signed-off-by: Matthew Brost <matthew.brost@intel.com>
Reviewed-by: Jonathan Cavitt <jonathan.cavitt@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240801154118.2547543-3-matthew.brost@intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_print.c | 13 +++++----
include/drm/drm_print.h | 54 ++++++++++++++++++++++++++++++++++++-
2 files changed, 61 insertions(+), 6 deletions(-)
diff --git a/drivers/gpu/drm/drm_print.c b/drivers/gpu/drm/drm_print.c
index 5b93c11895bb1..aab76334083e8 100644
--- a/drivers/gpu/drm/drm_print.c
+++ b/drivers/gpu/drm/drm_print.c
@@ -100,8 +100,9 @@ void __drm_puts_coredump(struct drm_printer *p, const char *str)
copy = iterator->remain;
/* Copy out the bit of the string that we need */
- memcpy(iterator->data,
- str + (iterator->start - iterator->offset), copy);
+ if (iterator->data)
+ memcpy(iterator->data,
+ str + (iterator->start - iterator->offset), copy);
iterator->offset = iterator->start + copy;
iterator->remain -= copy;
@@ -110,7 +111,8 @@ void __drm_puts_coredump(struct drm_printer *p, const char *str)
len = min_t(ssize_t, strlen(str), iterator->remain);
- memcpy(iterator->data + pos, str, len);
+ if (iterator->data)
+ memcpy(iterator->data + pos, str, len);
iterator->offset += len;
iterator->remain -= len;
@@ -140,8 +142,9 @@ void __drm_printfn_coredump(struct drm_printer *p, struct va_format *vaf)
if ((iterator->offset >= iterator->start) && (len < iterator->remain)) {
ssize_t pos = iterator->offset - iterator->start;
- snprintf(((char *) iterator->data) + pos,
- iterator->remain, "%pV", vaf);
+ if (iterator->data)
+ snprintf(((char *) iterator->data) + pos,
+ iterator->remain, "%pV", vaf);
iterator->offset += len;
iterator->remain -= len;
diff --git a/include/drm/drm_print.h b/include/drm/drm_print.h
index a93a387f8a1a1..2ad9c9f9e90ff 100644
--- a/include/drm/drm_print.h
+++ b/include/drm/drm_print.h
@@ -122,7 +122,8 @@ drm_vprintf(struct drm_printer *p, const char *fmt, va_list *va)
/**
* struct drm_print_iterator - local struct used with drm_printer_coredump
- * @data: Pointer to the devcoredump output buffer
+ * @data: Pointer to the devcoredump output buffer, can be NULL if using
+ * drm_printer_coredump to determine size of devcoredump
* @start: The offset within the buffer to start writing
* @remain: The number of bytes to write for this iteration
*/
@@ -167,6 +168,57 @@ struct drm_print_iterator {
* coredump_read, ...)
* }
*
+ * The above example has a time complexity of O(N^2), where N is the size of the
+ * devcoredump. This is acceptable for small devcoredumps but scales poorly for
+ * larger ones.
+ *
+ * Another use case for drm_coredump_printer is to capture the devcoredump into
+ * a saved buffer before the dev_coredump() callback. This involves two passes:
+ * one to determine the size of the devcoredump and another to print it to a
+ * buffer. Then, in dev_coredump(), copy from the saved buffer into the
+ * devcoredump read buffer.
+ *
+ * For example::
+ *
+ * char *devcoredump_saved_buffer;
+ *
+ * ssize_t __coredump_print(char *buffer, ssize_t count, ...)
+ * {
+ * struct drm_print_iterator iter;
+ * struct drm_printer p;
+ *
+ * iter.data = buffer;
+ * iter.start = 0;
+ * iter.remain = count;
+ *
+ * p = drm_coredump_printer(&iter);
+ *
+ * drm_printf(p, "foo=%d\n", foo);
+ * ...
+ * return count - iter.remain;
+ * }
+ *
+ * void coredump_print(...)
+ * {
+ * ssize_t count;
+ *
+ * count = __coredump_print(NULL, INT_MAX, ...);
+ * devcoredump_saved_buffer = kvmalloc(count, GFP_KERNEL);
+ * __coredump_print(devcoredump_saved_buffer, count, ...);
+ * }
+ *
+ * void coredump_read(char *buffer, loff_t offset, size_t count,
+ * void *data, size_t datalen)
+ * {
+ * ...
+ * memcpy(buffer, devcoredump_saved_buffer + offset, count);
+ * ...
+ * }
+ *
+ * The above example has a time complexity of O(N*2), where N is the size of the
+ * devcoredump. This scales better than the previous example for larger
+ * devcoredumps.
+ *
* RETURNS:
* The &drm_printer object
*/
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 162/386] perf,x86: avoid missing caller address in stack traces captured in uprobe
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 161/386] drm/printer: Allow NULL data in devcoredump printer Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 163/386] scsi: aacraid: Rearrange order of struct aac_srb_unit Greg Kroah-Hartman
` (234 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andrii Nakryiko,
Peter Zijlstra (Intel), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrii Nakryiko <andrii@kernel.org>
[ Upstream commit cfa7f3d2c526c224a6271cc78a4a27a0de06f4f0 ]
When tracing user functions with uprobe functionality, it's common to
install the probe (e.g., a BPF program) at the first instruction of the
function. This is often going to be `push %rbp` instruction in function
preamble, which means that within that function frame pointer hasn't
been established yet. This leads to consistently missing an actual
caller of the traced function, because perf_callchain_user() only
records current IP (capturing traced function) and then following frame
pointer chain (which would be caller's frame, containing the address of
caller's caller).
So when we have target_1 -> target_2 -> target_3 call chain and we are
tracing an entry to target_3, captured stack trace will report
target_1 -> target_3 call chain, which is wrong and confusing.
This patch proposes a x86-64-specific heuristic to detect `push %rbp`
(`push %ebp` on 32-bit architecture) instruction being traced. Given
entire kernel implementation of user space stack trace capturing works
under assumption that user space code was compiled with frame pointer
register (%rbp/%ebp) preservation, it seems pretty reasonable to use
this instruction as a strong indicator that this is the entry to the
function. In that case, return address is still pointed to by %rsp/%esp,
so we fetch it and add to stack trace before proceeding to unwind the
rest using frame pointer-based logic.
We also check for `endbr64` (for 64-bit modes) as another common pattern
for function entry, as suggested by Josh Poimboeuf. Even if we get this
wrong sometimes for uprobes attached not at the function entry, it's OK
because stack trace will still be overall meaningful, just with one
extra bogus entry. If we don't detect this, we end up with guaranteed to
be missing caller function entry in the stack trace, which is worse
overall.
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20240729175223.23914-1-andrii@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/x86/events/core.c | 63 +++++++++++++++++++++++++++++++++++++++++
include/linux/uprobes.h | 2 ++
kernel/events/uprobes.c | 2 ++
3 files changed, 67 insertions(+)
diff --git a/arch/x86/events/core.c b/arch/x86/events/core.c
index 8811fedc9776a..150a365b4fbc8 100644
--- a/arch/x86/events/core.c
+++ b/arch/x86/events/core.c
@@ -41,6 +41,8 @@
#include <asm/desc.h>
#include <asm/ldt.h>
#include <asm/unwind.h>
+#include <asm/uprobes.h>
+#include <asm/ibt.h>
#include "perf_event.h"
@@ -2816,6 +2818,46 @@ static unsigned long get_segment_base(unsigned int segment)
return get_desc_base(desc);
}
+#ifdef CONFIG_UPROBES
+/*
+ * Heuristic-based check if uprobe is installed at the function entry.
+ *
+ * Under assumption of user code being compiled with frame pointers,
+ * `push %rbp/%ebp` is a good indicator that we indeed are.
+ *
+ * Similarly, `endbr64` (assuming 64-bit mode) is also a common pattern.
+ * If we get this wrong, captured stack trace might have one extra bogus
+ * entry, but the rest of stack trace will still be meaningful.
+ */
+static bool is_uprobe_at_func_entry(struct pt_regs *regs)
+{
+ struct arch_uprobe *auprobe;
+
+ if (!current->utask)
+ return false;
+
+ auprobe = current->utask->auprobe;
+ if (!auprobe)
+ return false;
+
+ /* push %rbp/%ebp */
+ if (auprobe->insn[0] == 0x55)
+ return true;
+
+ /* endbr64 (64-bit only) */
+ if (user_64bit_mode(regs) && is_endbr(*(u32 *)auprobe->insn))
+ return true;
+
+ return false;
+}
+
+#else
+static bool is_uprobe_at_func_entry(struct pt_regs *regs)
+{
+ return false;
+}
+#endif /* CONFIG_UPROBES */
+
#ifdef CONFIG_IA32_EMULATION
#include <linux/compat.h>
@@ -2827,6 +2869,7 @@ perf_callchain_user32(struct pt_regs *regs, struct perf_callchain_entry_ctx *ent
unsigned long ss_base, cs_base;
struct stack_frame_ia32 frame;
const struct stack_frame_ia32 __user *fp;
+ u32 ret_addr;
if (user_64bit_mode(regs))
return 0;
@@ -2836,6 +2879,12 @@ perf_callchain_user32(struct pt_regs *regs, struct perf_callchain_entry_ctx *ent
fp = compat_ptr(ss_base + regs->bp);
pagefault_disable();
+
+ /* see perf_callchain_user() below for why we do this */
+ if (is_uprobe_at_func_entry(regs) &&
+ !get_user(ret_addr, (const u32 __user *)regs->sp))
+ perf_callchain_store(entry, ret_addr);
+
while (entry->nr < entry->max_stack) {
if (!valid_user_frame(fp, sizeof(frame)))
break;
@@ -2864,6 +2913,7 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs
{
struct stack_frame frame;
const struct stack_frame __user *fp;
+ unsigned long ret_addr;
if (perf_guest_state()) {
/* TODO: We don't support guest os callchain now */
@@ -2887,6 +2937,19 @@ perf_callchain_user(struct perf_callchain_entry_ctx *entry, struct pt_regs *regs
return;
pagefault_disable();
+
+ /*
+ * If we are called from uprobe handler, and we are indeed at the very
+ * entry to user function (which is normally a `push %rbp` instruction,
+ * under assumption of application being compiled with frame pointers),
+ * we should read return address from *regs->sp before proceeding
+ * to follow frame pointers, otherwise we'll skip immediate caller
+ * as %rbp is not yet setup.
+ */
+ if (is_uprobe_at_func_entry(regs) &&
+ !get_user(ret_addr, (const unsigned long __user *)regs->sp))
+ perf_callchain_store(entry, ret_addr);
+
while (entry->nr < entry->max_stack) {
if (!valid_user_frame(fp, sizeof(frame)))
break;
diff --git a/include/linux/uprobes.h b/include/linux/uprobes.h
index f46e0ca0169c7..d91e32aff5a13 100644
--- a/include/linux/uprobes.h
+++ b/include/linux/uprobes.h
@@ -76,6 +76,8 @@ struct uprobe_task {
struct uprobe *active_uprobe;
unsigned long xol_vaddr;
+ struct arch_uprobe *auprobe;
+
struct return_instance *return_instances;
unsigned int depth;
};
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 4705571f80345..6876b7f152b10 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -2071,6 +2071,7 @@ static void handler_chain(struct uprobe *uprobe, struct pt_regs *regs)
bool need_prep = false; /* prepare return uprobe, when needed */
down_read(&uprobe->register_rwsem);
+ current->utask->auprobe = &uprobe->arch;
for (uc = uprobe->consumers; uc; uc = uc->next) {
int rc = 0;
@@ -2085,6 +2086,7 @@ static void handler_chain(struct uprobe *uprobe, struct pt_regs *regs)
remove &= rc;
}
+ current->utask->auprobe = NULL;
if (need_prep && !remove)
prepare_uretprobe(uprobe, regs); /* put bp at return */
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 163/386] scsi: aacraid: Rearrange order of struct aac_srb_unit
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 162/386] perf,x86: avoid missing caller address in stack traces captured in uprobe Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 164/386] scsi: lpfc: Update PRLO handling in direct attached topology Greg Kroah-Hartman
` (233 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, Martin K. Petersen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <kees@kernel.org>
[ Upstream commit 6e5860b0ad4934baee8c7a202c02033b2631bb44 ]
struct aac_srb_unit contains struct aac_srb, which contains struct sgmap,
which ends in a (currently) "fake" (1-element) flexible array. Converting
this to a flexible array is needed so that runtime bounds checking won't
think the array is fixed size (i.e. under CONFIG_FORTIFY_SOURCE=y and/or
CONFIG_UBSAN_BOUNDS=y), as other parts of aacraid use struct sgmap as a
flexible array.
It is not legal to have a flexible array in the middle of a structure, so
it either needs to be split up or rearranged so that it is at the end of
the structure. Luckily, struct aac_srb_unit, which is exclusively
consumed/updated by aac_send_safw_bmic_cmd(), does not depend on member
ordering.
The values set in the on-stack struct aac_srb_unit instance "srbu" by the
only two callers, aac_issue_safw_bmic_identify() and
aac_get_safw_ciss_luns(), do not contain anything in srbu.srb.sgmap.sg, and
they both implicitly initialize srbu.srb.sgmap.count to 0 during
memset(). For example:
memset(&srbu, 0, sizeof(struct aac_srb_unit));
srbcmd = &srbu.srb;
srbcmd->flags = cpu_to_le32(SRB_DataIn);
srbcmd->cdb[0] = CISS_REPORT_PHYSICAL_LUNS;
srbcmd->cdb[1] = 2; /* extended reporting */
srbcmd->cdb[8] = (u8)(datasize >> 8);
srbcmd->cdb[9] = (u8)(datasize);
rcode = aac_send_safw_bmic_cmd(dev, &srbu, phys_luns, datasize);
During aac_send_safw_bmic_cmd(), a separate srb is mapped into DMA, and has
srbu.srb copied into it:
srb = fib_data(fibptr);
memcpy(srb, &srbu->srb, sizeof(struct aac_srb));
Only then is srb.sgmap.count written and srb->sg populated:
srb->count = cpu_to_le32(xfer_len);
sg64 = (struct sgmap64 *)&srb->sg;
sg64->count = cpu_to_le32(1);
sg64->sg[0].addr[1] = cpu_to_le32(upper_32_bits(addr));
sg64->sg[0].addr[0] = cpu_to_le32(lower_32_bits(addr));
sg64->sg[0].count = cpu_to_le32(xfer_len);
But this is happening in the DMA memory, not in srbu.srb. An attempt to
copy the changes back to srbu does happen:
/*
* Copy the updated data for other dumping or other usage if
* needed
*/
memcpy(&srbu->srb, srb, sizeof(struct aac_srb));
But this was never correct: the sg64 (3 u32s) overlap of srb.sg (2 u32s)
always meant that srbu.srb would have held truncated information and any
attempt to walk srbu.srb.sg.sg based on the value of srbu.srb.sg.count
would result in attempting to parse past the end of srbu.srb.sg.sg[0] into
srbu.srb_reply.
After getting a reply from hardware, the reply is copied into
srbu.srb_reply:
srb_reply = (struct aac_srb_reply *)fib_data(fibptr);
memcpy(&srbu->srb_reply, srb_reply, sizeof(struct aac_srb_reply));
This has always been fixed-size, so there's no issue here. It is worth
noting that the two callers _never check_ srbu contents -- neither
srbu.srb nor srbu.srb_reply is examined. (They depend on the mapped
xfer_buf instead.)
Therefore, the ordering of members in struct aac_srb_unit does not matter,
and the flexible array member can moved to the end.
(Additionally, the two memcpy()s that update srbu could be entirely
removed as they are never consumed, but I left that as-is.)
Signed-off-by: Kees Cook <kees@kernel.org>
Link: https://lore.kernel.org/r/20240711215739.208776-1-kees@kernel.org
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/aacraid/aacraid.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/scsi/aacraid/aacraid.h b/drivers/scsi/aacraid/aacraid.h
index 7d5a155073c62..9b66fa29fb05c 100644
--- a/drivers/scsi/aacraid/aacraid.h
+++ b/drivers/scsi/aacraid/aacraid.h
@@ -2029,8 +2029,8 @@ struct aac_srb_reply
};
struct aac_srb_unit {
- struct aac_srb srb;
struct aac_srb_reply srb_reply;
+ struct aac_srb srb;
};
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 164/386] scsi: lpfc: Update PRLO handling in direct attached topology
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 163/386] scsi: aacraid: Rearrange order of struct aac_srb_unit Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 165/386] drm/amdgpu: fix unchecked return value warning for amdgpu_gfx Greg Kroah-Hartman
` (232 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Tee, Martin K. Petersen,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Justin Tee <justin.tee@broadcom.com>
[ Upstream commit 1f0f7679ad8942f810b0f19ee9cf098c3502d66a ]
A kref imbalance occurs when handling an unsolicited PRLO in direct
attached topology.
Rework PRLO rcv handling when in MAPPED state. Save the state that we were
handling a PRLO by setting nlp_last_elscmd to ELS_CMD_PRLO. Then in the
lpfc_cmpl_els_logo_acc() completion routine, manually restart discovery.
By issuing the PLOGI, which nlp_gets, before nlp_put at the end of the
lpfc_cmpl_els_logo_acc() routine, we are saving us from a final nlp_put.
And, we are still allowing the unreg_rpi to happen.
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Link: https://lore.kernel.org/r/20240726231512.92867-7-justintee8345@gmail.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/lpfc/lpfc_els.c | 27 ++++++++++++++++-----------
drivers/scsi/lpfc/lpfc_nportdisc.c | 22 ++++++++++++++++++++--
2 files changed, 36 insertions(+), 13 deletions(-)
diff --git a/drivers/scsi/lpfc/lpfc_els.c b/drivers/scsi/lpfc/lpfc_els.c
index 44d3ada9fbbcb..f67d72160d36e 100644
--- a/drivers/scsi/lpfc/lpfc_els.c
+++ b/drivers/scsi/lpfc/lpfc_els.c
@@ -5228,9 +5228,10 @@ lpfc_cmpl_els_logo_acc(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
/* ACC to LOGO completes to NPort <nlp_DID> */
lpfc_printf_vlog(vport, KERN_INFO, LOG_ELS,
"0109 ACC to LOGO completes to NPort x%x refcnt %d "
- "Data: x%x x%x x%x\n",
- ndlp->nlp_DID, kref_read(&ndlp->kref), ndlp->nlp_flag,
- ndlp->nlp_state, ndlp->nlp_rpi);
+ "last els x%x Data: x%x x%x x%x\n",
+ ndlp->nlp_DID, kref_read(&ndlp->kref),
+ ndlp->nlp_last_elscmd, ndlp->nlp_flag, ndlp->nlp_state,
+ ndlp->nlp_rpi);
/* This clause allows the LOGO ACC to complete and free resources
* for the Fabric Domain Controller. It does deliberately skip
@@ -5242,18 +5243,22 @@ lpfc_cmpl_els_logo_acc(struct lpfc_hba *phba, struct lpfc_iocbq *cmdiocb,
goto out;
if (ndlp->nlp_state == NLP_STE_NPR_NODE) {
- /* If PLOGI is being retried, PLOGI completion will cleanup the
- * node. The NLP_NPR_2B_DISC flag needs to be retained to make
- * progress on nodes discovered from last RSCN.
- */
- if ((ndlp->nlp_flag & NLP_DELAY_TMO) &&
- (ndlp->nlp_last_elscmd == ELS_CMD_PLOGI))
- goto out;
-
if (ndlp->nlp_flag & NLP_RPI_REGISTERED)
lpfc_unreg_rpi(vport, ndlp);
+ /* If came from PRLO, then PRLO_ACC is done.
+ * Start rediscovery now.
+ */
+ if (ndlp->nlp_last_elscmd == ELS_CMD_PRLO) {
+ spin_lock_irq(&ndlp->lock);
+ ndlp->nlp_flag |= NLP_NPR_2B_DISC;
+ spin_unlock_irq(&ndlp->lock);
+ ndlp->nlp_prev_state = ndlp->nlp_state;
+ lpfc_nlp_set_state(vport, ndlp, NLP_STE_PLOGI_ISSUE);
+ lpfc_issue_els_plogi(vport, ndlp->nlp_DID, 0);
+ }
}
+
out:
/*
* The driver received a LOGO from the rport and has ACK'd it.
diff --git a/drivers/scsi/lpfc/lpfc_nportdisc.c b/drivers/scsi/lpfc/lpfc_nportdisc.c
index 3ed211d093dd1..fe174062e4946 100644
--- a/drivers/scsi/lpfc/lpfc_nportdisc.c
+++ b/drivers/scsi/lpfc/lpfc_nportdisc.c
@@ -2635,8 +2635,26 @@ lpfc_rcv_prlo_mapped_node(struct lpfc_vport *vport, struct lpfc_nodelist *ndlp,
/* flush the target */
lpfc_sli_abort_iocb(vport, ndlp->nlp_sid, 0, LPFC_CTX_TGT);
- /* Treat like rcv logo */
- lpfc_rcv_logo(vport, ndlp, cmdiocb, ELS_CMD_PRLO);
+ /* Send PRLO_ACC */
+ spin_lock_irq(&ndlp->lock);
+ ndlp->nlp_flag |= NLP_LOGO_ACC;
+ spin_unlock_irq(&ndlp->lock);
+ lpfc_els_rsp_acc(vport, ELS_CMD_PRLO, cmdiocb, ndlp, NULL);
+
+ /* Save ELS_CMD_PRLO as the last elscmd and then set to NPR.
+ * lpfc_cmpl_els_logo_acc is expected to restart discovery.
+ */
+ ndlp->nlp_last_elscmd = ELS_CMD_PRLO;
+ ndlp->nlp_prev_state = ndlp->nlp_state;
+
+ lpfc_printf_vlog(vport, KERN_INFO, LOG_NODE | LOG_ELS | LOG_DISCOVERY,
+ "3422 DID x%06x nflag x%x lastels x%x ref cnt %u\n",
+ ndlp->nlp_DID, ndlp->nlp_flag,
+ ndlp->nlp_last_elscmd,
+ kref_read(&ndlp->kref));
+
+ lpfc_nlp_set_state(vport, ndlp, NLP_STE_NPR_NODE);
+
return ndlp->nlp_state;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 165/386] drm/amdgpu: fix unchecked return value warning for amdgpu_gfx
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 164/386] scsi: lpfc: Update PRLO handling in direct attached topology Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 166/386] perf: Fix event_function_call() locking Greg Kroah-Hartman
` (231 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Huang, Jesse Zhang, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Huang <tim.huang@amd.com>
[ Upstream commit c0277b9d7c2ee9ee5dbc948548984f0fbb861301 ]
This resolves the unchecded return value warning reported by Coverity.
Signed-off-by: Tim Huang <tim.huang@amd.com>
Reviewed-by: Jesse Zhang <jesse.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
index 0ca51df46cc0d..e7b053898f9e9 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_gfx.c
@@ -793,8 +793,11 @@ int amdgpu_gfx_ras_late_init(struct amdgpu_device *adev, struct ras_common_if *r
int r;
if (amdgpu_ras_is_supported(adev, ras_block->block)) {
- if (!amdgpu_persistent_edc_harvesting_supported(adev))
- amdgpu_ras_reset_error_status(adev, AMDGPU_RAS_BLOCK__GFX);
+ if (!amdgpu_persistent_edc_harvesting_supported(adev)) {
+ r = amdgpu_ras_reset_error_status(adev, AMDGPU_RAS_BLOCK__GFX);
+ if (r)
+ return r;
+ }
r = amdgpu_ras_block_late_init(adev, ras_block);
if (r)
@@ -938,7 +941,10 @@ uint32_t amdgpu_kiq_rreg(struct amdgpu_device *adev, uint32_t reg)
pr_err("critical bug! too many kiq readers\n");
goto failed_unlock;
}
- amdgpu_ring_alloc(ring, 32);
+ r = amdgpu_ring_alloc(ring, 32);
+ if (r)
+ goto failed_unlock;
+
amdgpu_ring_emit_rreg(ring, reg, reg_val_offs);
r = amdgpu_fence_emit_polling(ring, &seq, MAX_KIQ_REG_WAIT);
if (r)
@@ -1004,7 +1010,10 @@ void amdgpu_kiq_wreg(struct amdgpu_device *adev, uint32_t reg, uint32_t v)
}
spin_lock_irqsave(&kiq->ring_lock, flags);
- amdgpu_ring_alloc(ring, 32);
+ r = amdgpu_ring_alloc(ring, 32);
+ if (r)
+ goto failed_unlock;
+
amdgpu_ring_emit_wreg(ring, reg, v);
r = amdgpu_fence_emit_polling(ring, &seq, MAX_KIQ_REG_WAIT);
if (r)
@@ -1040,6 +1049,7 @@ void amdgpu_kiq_wreg(struct amdgpu_device *adev, uint32_t reg, uint32_t v)
failed_undo:
amdgpu_ring_undo(ring);
+failed_unlock:
spin_unlock_irqrestore(&kiq->ring_lock, flags);
failed_kiq_write:
dev_err(adev->dev, "failed to write reg:%x\n", reg);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 166/386] perf: Fix event_function_call() locking
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 165/386] drm/amdgpu: fix unchecked return value warning for amdgpu_gfx Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 167/386] scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers Greg Kroah-Hartman
` (230 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Peter Zijlstra (Intel), Kan Liang,
Namhyung Kim, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
[ Upstream commit 558abc7e3f895049faa46b08656be4c60dc6e9fd ]
All the event_function/@func call context already uses perf_ctx_lock()
except for the !ctx->is_active case. Make it all consistent.
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
Reviewed-by: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/20240807115550.138301094@infradead.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index d40809bdf4b30..18eab7f50ecce 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -263,6 +263,7 @@ static int event_function(void *info)
static void event_function_call(struct perf_event *event, event_f func, void *data)
{
struct perf_event_context *ctx = event->ctx;
+ struct perf_cpu_context *cpuctx = this_cpu_ptr(&perf_cpu_context);
struct task_struct *task = READ_ONCE(ctx->task); /* verified in event_function */
struct event_function_struct efs = {
.event = event,
@@ -291,22 +292,22 @@ static void event_function_call(struct perf_event *event, event_f func, void *da
if (!task_function_call(task, event_function, &efs))
return;
- raw_spin_lock_irq(&ctx->lock);
+ perf_ctx_lock(cpuctx, ctx);
/*
* Reload the task pointer, it might have been changed by
* a concurrent perf_event_context_sched_out().
*/
task = ctx->task;
if (task == TASK_TOMBSTONE) {
- raw_spin_unlock_irq(&ctx->lock);
+ perf_ctx_unlock(cpuctx, ctx);
return;
}
if (ctx->is_active) {
- raw_spin_unlock_irq(&ctx->lock);
+ perf_ctx_unlock(cpuctx, ctx);
goto again;
}
func(event, NULL, ctx, data);
- raw_spin_unlock_irq(&ctx->lock);
+ perf_ctx_unlock(cpuctx, ctx);
}
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 167/386] scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 166/386] perf: Fix event_function_call() locking Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 168/386] drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() Greg Kroah-Hartman
` (229 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stan Johnson, Finn Thain,
Martin K. Petersen, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Finn Thain <fthain@linux-m68k.org>
[ Upstream commit 1c71065df2df693d208dd32758171c1dece66341 ]
Following an incomplete transfer in MSG IN phase, the driver would not
notice the problem and would make use of invalid data. Initialize 'tmp'
appropriately and bail out if no message was received. For STATUS phase,
preserve the existing status code unless a new value was transferred.
Tested-by: Stan Johnson <userm57@yahoo.com>
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Link: https://lore.kernel.org/r/52e02a8812ae1a2d810d7f9f7fd800c3ccc320c4.1723001788.git.fthain@linux-m68k.org
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/scsi/NCR5380.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/scsi/NCR5380.c b/drivers/scsi/NCR5380.c
index 00e245173320c..4fcb73b727aa5 100644
--- a/drivers/scsi/NCR5380.c
+++ b/drivers/scsi/NCR5380.c
@@ -1807,8 +1807,11 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance)
return;
case PHASE_MSGIN:
len = 1;
+ tmp = 0xff;
data = &tmp;
NCR5380_transfer_pio(instance, &phase, &len, &data, 0);
+ if (tmp == 0xff)
+ break;
ncmd->message = tmp;
switch (tmp) {
@@ -1996,6 +1999,7 @@ static void NCR5380_information_transfer(struct Scsi_Host *instance)
break;
case PHASE_STATIN:
len = 1;
+ tmp = ncmd->status;
data = &tmp;
NCR5380_transfer_pio(instance, &phase, &len, &data, 0);
ncmd->status = tmp;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 168/386] drm/radeon/r100: Handle unknown family in r100_cp_init_microcode()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 167/386] scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 169/386] drm/amdgpu: Block MMR_READ IOCTL in reset Greg Kroah-Hartman
` (228 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit c6dbab46324b1742b50dc2fb5c1fee2c28129439 ]
With -Werror:
In function ‘r100_cp_init_microcode’,
inlined from ‘r100_cp_init’ at drivers/gpu/drm/radeon/r100.c:1136:7:
include/linux/printk.h:465:44: error: ‘%s’ directive argument is null [-Werror=format-overflow=]
465 | #define printk(fmt, ...) printk_index_wrap(_printk, fmt, ##__VA_ARGS__)
| ^
include/linux/printk.h:437:17: note: in definition of macro ‘printk_index_wrap’
437 | _p_func(_fmt, ##__VA_ARGS__); \
| ^~~~~~~
include/linux/printk.h:508:9: note: in expansion of macro ‘printk’
508 | printk(KERN_ERR pr_fmt(fmt), ##__VA_ARGS__)
| ^~~~~~
drivers/gpu/drm/radeon/r100.c:1062:17: note: in expansion of macro ‘pr_err’
1062 | pr_err("radeon_cp: Failed to load firmware \"%s\"\n", fw_name);
| ^~~~~~
Fix this by converting the if/else if/... construct into a proper
switch() statement with a default to handle the error case.
As a bonus, the generated code is ca. 100 bytes smaller (with gcc 11.4.0
targeting arm32).
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/radeon/r100.c | 70 ++++++++++++++++++++++-------------
1 file changed, 45 insertions(+), 25 deletions(-)
diff --git a/drivers/gpu/drm/radeon/r100.c b/drivers/gpu/drm/radeon/r100.c
index cfeca2694d5f9..b63b6b4e9b281 100644
--- a/drivers/gpu/drm/radeon/r100.c
+++ b/drivers/gpu/drm/radeon/r100.c
@@ -1015,45 +1015,65 @@ static int r100_cp_init_microcode(struct radeon_device *rdev)
DRM_DEBUG_KMS("\n");
- if ((rdev->family == CHIP_R100) || (rdev->family == CHIP_RV100) ||
- (rdev->family == CHIP_RV200) || (rdev->family == CHIP_RS100) ||
- (rdev->family == CHIP_RS200)) {
+ switch (rdev->family) {
+ case CHIP_R100:
+ case CHIP_RV100:
+ case CHIP_RV200:
+ case CHIP_RS100:
+ case CHIP_RS200:
DRM_INFO("Loading R100 Microcode\n");
fw_name = FIRMWARE_R100;
- } else if ((rdev->family == CHIP_R200) ||
- (rdev->family == CHIP_RV250) ||
- (rdev->family == CHIP_RV280) ||
- (rdev->family == CHIP_RS300)) {
+ break;
+
+ case CHIP_R200:
+ case CHIP_RV250:
+ case CHIP_RV280:
+ case CHIP_RS300:
DRM_INFO("Loading R200 Microcode\n");
fw_name = FIRMWARE_R200;
- } else if ((rdev->family == CHIP_R300) ||
- (rdev->family == CHIP_R350) ||
- (rdev->family == CHIP_RV350) ||
- (rdev->family == CHIP_RV380) ||
- (rdev->family == CHIP_RS400) ||
- (rdev->family == CHIP_RS480)) {
+ break;
+
+ case CHIP_R300:
+ case CHIP_R350:
+ case CHIP_RV350:
+ case CHIP_RV380:
+ case CHIP_RS400:
+ case CHIP_RS480:
DRM_INFO("Loading R300 Microcode\n");
fw_name = FIRMWARE_R300;
- } else if ((rdev->family == CHIP_R420) ||
- (rdev->family == CHIP_R423) ||
- (rdev->family == CHIP_RV410)) {
+ break;
+
+ case CHIP_R420:
+ case CHIP_R423:
+ case CHIP_RV410:
DRM_INFO("Loading R400 Microcode\n");
fw_name = FIRMWARE_R420;
- } else if ((rdev->family == CHIP_RS690) ||
- (rdev->family == CHIP_RS740)) {
+ break;
+
+ case CHIP_RS690:
+ case CHIP_RS740:
DRM_INFO("Loading RS690/RS740 Microcode\n");
fw_name = FIRMWARE_RS690;
- } else if (rdev->family == CHIP_RS600) {
+ break;
+
+ case CHIP_RS600:
DRM_INFO("Loading RS600 Microcode\n");
fw_name = FIRMWARE_RS600;
- } else if ((rdev->family == CHIP_RV515) ||
- (rdev->family == CHIP_R520) ||
- (rdev->family == CHIP_RV530) ||
- (rdev->family == CHIP_R580) ||
- (rdev->family == CHIP_RV560) ||
- (rdev->family == CHIP_RV570)) {
+ break;
+
+ case CHIP_RV515:
+ case CHIP_R520:
+ case CHIP_RV530:
+ case CHIP_R580:
+ case CHIP_RV560:
+ case CHIP_RV570:
DRM_INFO("Loading R500 Microcode\n");
fw_name = FIRMWARE_R520;
+ break;
+
+ default:
+ DRM_ERROR("Unsupported Radeon family %u\n", rdev->family);
+ return -EINVAL;
}
err = request_firmware(&rdev->me_fw, fw_name, rdev->dev);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 169/386] drm/amdgpu: Block MMR_READ IOCTL in reset
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 168/386] drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 170/386] drm/amdgpu/gfx9: use rlc safe mode for soft recovery Greg Kroah-Hartman
` (227 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Victor Skvortsov, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Victor Skvortsov <victor.skvortsov@amd.com>
[ Upstream commit 9e823f307074c0f82b5f6044943b0086e3079bed ]
Register access from userspace should be blocked until
reset is complete.
Signed-off-by: Victor Skvortsov <victor.skvortsov@amd.com>
Reviewed-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c | 43 ++++++++++++++++++-------
1 file changed, 31 insertions(+), 12 deletions(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
index 58dab4f73a9a2..5797055b1148f 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_kms.c
@@ -43,6 +43,7 @@
#include "amdgpu_gem.h"
#include "amdgpu_display.h"
#include "amdgpu_ras.h"
+#include "amdgpu_reset.h"
#include "amd_pcie.h"
void amdgpu_unregister_gpu_instance(struct amdgpu_device *adev)
@@ -722,6 +723,7 @@ int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file *filp)
? -EFAULT : 0;
}
case AMDGPU_INFO_READ_MMR_REG: {
+ int ret = 0;
unsigned int n, alloc_size;
uint32_t *regs;
unsigned int se_num = (info->read_mmr_reg.instance >>
@@ -731,24 +733,37 @@ int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file *filp)
AMDGPU_INFO_MMR_SH_INDEX_SHIFT) &
AMDGPU_INFO_MMR_SH_INDEX_MASK;
+ if (!down_read_trylock(&adev->reset_domain->sem))
+ return -ENOENT;
+
/* set full masks if the userspace set all bits
* in the bitfields
*/
- if (se_num == AMDGPU_INFO_MMR_SE_INDEX_MASK)
+ if (se_num == AMDGPU_INFO_MMR_SE_INDEX_MASK) {
se_num = 0xffffffff;
- else if (se_num >= AMDGPU_GFX_MAX_SE)
- return -EINVAL;
- if (sh_num == AMDGPU_INFO_MMR_SH_INDEX_MASK)
+ } else if (se_num >= AMDGPU_GFX_MAX_SE) {
+ ret = -EINVAL;
+ goto out;
+ }
+
+ if (sh_num == AMDGPU_INFO_MMR_SH_INDEX_MASK) {
sh_num = 0xffffffff;
- else if (sh_num >= AMDGPU_GFX_MAX_SH_PER_SE)
- return -EINVAL;
+ } else if (sh_num >= AMDGPU_GFX_MAX_SH_PER_SE) {
+ ret = -EINVAL;
+ goto out;
+ }
- if (info->read_mmr_reg.count > 128)
- return -EINVAL;
+ if (info->read_mmr_reg.count > 128) {
+ ret = -EINVAL;
+ goto out;
+ }
regs = kmalloc_array(info->read_mmr_reg.count, sizeof(*regs), GFP_KERNEL);
- if (!regs)
- return -ENOMEM;
+ if (!regs) {
+ ret = -ENOMEM;
+ goto out;
+ }
+
alloc_size = info->read_mmr_reg.count * sizeof(*regs);
amdgpu_gfx_off_ctrl(adev, false);
@@ -760,13 +775,17 @@ int amdgpu_info_ioctl(struct drm_device *dev, void *data, struct drm_file *filp)
info->read_mmr_reg.dword_offset + i);
kfree(regs);
amdgpu_gfx_off_ctrl(adev, true);
- return -EFAULT;
+ ret = -EFAULT;
+ goto out;
}
}
amdgpu_gfx_off_ctrl(adev, true);
n = copy_to_user(out, regs, min(size, alloc_size));
kfree(regs);
- return n ? -EFAULT : 0;
+ ret = (n ? -EFAULT : 0);
+out:
+ up_read(&adev->reset_domain->sem);
+ return ret;
}
case AMDGPU_INFO_DEV_INFO: {
struct drm_amdgpu_info_device *dev_info;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 170/386] drm/amdgpu/gfx9: use rlc safe mode for soft recovery
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 169/386] drm/amdgpu: Block MMR_READ IOCTL in reset Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 171/386] drm/amd/pm: ensure the fw_info is not null before using it Greg Kroah-Hartman
` (226 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vitaly Prosyak, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 3ec2ad7c34c412bd9264cd1ff235d0812be90e82 ]
Protect the MMIO access with safe mode.
Acked-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
index 00e693c47f3cc..895060f6948f3 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v9_0.c
@@ -5709,7 +5709,9 @@ static void gfx_v9_0_ring_soft_recovery(struct amdgpu_ring *ring, unsigned vmid)
value = REG_SET_FIELD(value, SQ_CMD, MODE, 0x01);
value = REG_SET_FIELD(value, SQ_CMD, CHECK_VMID, 1);
value = REG_SET_FIELD(value, SQ_CMD, VM_ID, vmid);
+ amdgpu_gfx_rlc_enter_safe_mode(adev, 0);
WREG32_SOC15(GC, 0, mmSQ_CMD, value);
+ amdgpu_gfx_rlc_exit_safe_mode(adev, 0);
}
static void gfx_v9_0_set_gfx_eop_interrupt_state(struct amdgpu_device *adev,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 171/386] drm/amd/pm: ensure the fw_info is not null before using it
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 170/386] drm/amdgpu/gfx9: use rlc safe mode for soft recovery Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 172/386] of/irq: Refer to actual buffer size in of_irq_parse_one() Greg Kroah-Hartman
` (225 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tim Huang, Jesse Zhang, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tim Huang <tim.huang@amd.com>
[ Upstream commit 186fb12e7a7b038c2710ceb2fb74068f1b5d55a4 ]
This resolves the dereference null return value warning
reported by Coverity.
Signed-off-by: Tim Huang <tim.huang@amd.com>
Reviewed-by: Jesse Zhang <jesse.zhang@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c
index 5794b64507bf9..56a2257525806 100644
--- a/drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c
+++ b/drivers/gpu/drm/amd/pm/powerplay/hwmgr/processpptables.c
@@ -1185,6 +1185,8 @@ static int init_overdrive_limits(struct pp_hwmgr *hwmgr,
fw_info = smu_atom_get_data_table(hwmgr->adev,
GetIndexIntoMasterTable(DATA, FirmwareInfo),
&size, &frev, &crev);
+ PP_ASSERT_WITH_CODE(fw_info != NULL,
+ "Missing firmware info!", return -EINVAL);
if ((fw_info->ucTableFormatRevision == 1)
&& (le16_to_cpu(fw_info->usStructureSize) >= sizeof(ATOM_FIRMWARE_INFO_V1_4)))
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 172/386] of/irq: Refer to actual buffer size in of_irq_parse_one()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 171/386] drm/amd/pm: ensure the fw_info is not null before using it Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 173/386] powerpc/pseries: Use correct data types from pseries_hp_errorlog struct Greg Kroah-Hartman
` (224 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven,
Rob Herring (Arm), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
[ Upstream commit 39ab331ab5d377a18fbf5a0e0b228205edfcc7f4 ]
Replace two open-coded calculations of the buffer size by invocations of
sizeof() on the buffer itself, to make sure the code will always use the
actual buffer size.
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://lore.kernel.org/r/817c0b9626fd30790fc488c472a3398324cfcc0c.1724156125.git.geert+renesas@glider.be
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/of/irq.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/of/irq.c b/drivers/of/irq.c
index 8fd63100ba8f0..d67b69cb84bfe 100644
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -357,8 +357,8 @@ int of_irq_parse_one(struct device_node *device, int index, struct of_phandle_ar
addr = of_get_property(device, "reg", &addr_len);
/* Prevent out-of-bounds read in case of longer interrupt parent address size */
- if (addr_len > (3 * sizeof(__be32)))
- addr_len = 3 * sizeof(__be32);
+ if (addr_len > sizeof(addr_buf))
+ addr_len = sizeof(addr_buf);
if (addr)
memcpy(addr_buf, addr, addr_len);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 173/386] powerpc/pseries: Use correct data types from pseries_hp_errorlog struct
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 172/386] of/irq: Refer to actual buffer size in of_irq_parse_one() Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 174/386] drm/amdgpu/gfx11: use rlc safe mode for soft recovery Greg Kroah-Hartman
` (223 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, kernel test robot, Haren Myneni,
Michael Ellerman, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haren Myneni <haren@linux.ibm.com>
[ Upstream commit b76e0d4215b6b622127ebcceaa7f603313ceaec4 ]
_be32 type is defined for some elements in pseries_hp_errorlog
struct but also used them u32 after be32_to_cpu() conversion.
Example: In handle_dlpar_errorlog()
hp_elog->_drc_u.drc_index = be32_to_cpu(hp_elog->_drc_u.drc_index);
And later assigned to u32 type
dlpar_cpu() - u32 drc_index = hp_elog->_drc_u.drc_index;
This incorrect usage is giving the following warnings and the
patch resolve these warnings with the correct assignment.
arch/powerpc/platforms/pseries/dlpar.c:398:53: sparse: sparse:
incorrect type in argument 1 (different base types) @@
expected unsigned int [usertype] drc_index @@
got restricted __be32 [usertype] drc_index @@
...
arch/powerpc/platforms/pseries/dlpar.c:418:43: sparse: sparse:
incorrect type in assignment (different base types) @@
expected restricted __be32 [usertype] drc_count @@
got unsigned int [usertype] @@
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202408182142.wuIKqYae-lkp@intel.com/
Closes: https://lore.kernel.org/oe-kbuild-all/202408182302.o7QRO45S-lkp@intel.com/
Signed-off-by: Haren Myneni <haren@linux.ibm.com>
v3:
- Fix warnings from using incorrect data types in pseries_hp_errorlog
struct
v2:
- Remove pr_info() and TODO comments
- Update more information in the commit logs
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20240822025028.938332-1-haren@linux.ibm.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/platforms/pseries/dlpar.c | 17 -----------------
arch/powerpc/platforms/pseries/hotplug-cpu.c | 2 +-
arch/powerpc/platforms/pseries/hotplug-memory.c | 16 ++++++++--------
arch/powerpc/platforms/pseries/pmem.c | 2 +-
4 files changed, 10 insertions(+), 27 deletions(-)
diff --git a/arch/powerpc/platforms/pseries/dlpar.c b/arch/powerpc/platforms/pseries/dlpar.c
index 47f8eabd1bee3..9873b916b2370 100644
--- a/arch/powerpc/platforms/pseries/dlpar.c
+++ b/arch/powerpc/platforms/pseries/dlpar.c
@@ -334,23 +334,6 @@ int handle_dlpar_errorlog(struct pseries_hp_errorlog *hp_elog)
{
int rc;
- /* pseries error logs are in BE format, convert to cpu type */
- switch (hp_elog->id_type) {
- case PSERIES_HP_ELOG_ID_DRC_COUNT:
- hp_elog->_drc_u.drc_count =
- be32_to_cpu(hp_elog->_drc_u.drc_count);
- break;
- case PSERIES_HP_ELOG_ID_DRC_INDEX:
- hp_elog->_drc_u.drc_index =
- be32_to_cpu(hp_elog->_drc_u.drc_index);
- break;
- case PSERIES_HP_ELOG_ID_DRC_IC:
- hp_elog->_drc_u.ic.count =
- be32_to_cpu(hp_elog->_drc_u.ic.count);
- hp_elog->_drc_u.ic.index =
- be32_to_cpu(hp_elog->_drc_u.ic.index);
- }
-
switch (hp_elog->resource) {
case PSERIES_HP_ELOG_RESOURCE_MEM:
rc = dlpar_memory(hp_elog);
diff --git a/arch/powerpc/platforms/pseries/hotplug-cpu.c b/arch/powerpc/platforms/pseries/hotplug-cpu.c
index e62835a12d73f..6838a0fcda296 100644
--- a/arch/powerpc/platforms/pseries/hotplug-cpu.c
+++ b/arch/powerpc/platforms/pseries/hotplug-cpu.c
@@ -757,7 +757,7 @@ int dlpar_cpu(struct pseries_hp_errorlog *hp_elog)
u32 drc_index;
int rc;
- drc_index = hp_elog->_drc_u.drc_index;
+ drc_index = be32_to_cpu(hp_elog->_drc_u.drc_index);
lock_device_hotplug();
diff --git a/arch/powerpc/platforms/pseries/hotplug-memory.c b/arch/powerpc/platforms/pseries/hotplug-memory.c
index 4adca5b61daba..95ff84c55cb14 100644
--- a/arch/powerpc/platforms/pseries/hotplug-memory.c
+++ b/arch/powerpc/platforms/pseries/hotplug-memory.c
@@ -811,16 +811,16 @@ int dlpar_memory(struct pseries_hp_errorlog *hp_elog)
case PSERIES_HP_ELOG_ACTION_ADD:
switch (hp_elog->id_type) {
case PSERIES_HP_ELOG_ID_DRC_COUNT:
- count = hp_elog->_drc_u.drc_count;
+ count = be32_to_cpu(hp_elog->_drc_u.drc_count);
rc = dlpar_memory_add_by_count(count);
break;
case PSERIES_HP_ELOG_ID_DRC_INDEX:
- drc_index = hp_elog->_drc_u.drc_index;
+ drc_index = be32_to_cpu(hp_elog->_drc_u.drc_index);
rc = dlpar_memory_add_by_index(drc_index);
break;
case PSERIES_HP_ELOG_ID_DRC_IC:
- count = hp_elog->_drc_u.ic.count;
- drc_index = hp_elog->_drc_u.ic.index;
+ count = be32_to_cpu(hp_elog->_drc_u.ic.count);
+ drc_index = be32_to_cpu(hp_elog->_drc_u.ic.index);
rc = dlpar_memory_add_by_ic(count, drc_index);
break;
default:
@@ -832,16 +832,16 @@ int dlpar_memory(struct pseries_hp_errorlog *hp_elog)
case PSERIES_HP_ELOG_ACTION_REMOVE:
switch (hp_elog->id_type) {
case PSERIES_HP_ELOG_ID_DRC_COUNT:
- count = hp_elog->_drc_u.drc_count;
+ count = be32_to_cpu(hp_elog->_drc_u.drc_count);
rc = dlpar_memory_remove_by_count(count);
break;
case PSERIES_HP_ELOG_ID_DRC_INDEX:
- drc_index = hp_elog->_drc_u.drc_index;
+ drc_index = be32_to_cpu(hp_elog->_drc_u.drc_index);
rc = dlpar_memory_remove_by_index(drc_index);
break;
case PSERIES_HP_ELOG_ID_DRC_IC:
- count = hp_elog->_drc_u.ic.count;
- drc_index = hp_elog->_drc_u.ic.index;
+ count = be32_to_cpu(hp_elog->_drc_u.ic.count);
+ drc_index = be32_to_cpu(hp_elog->_drc_u.ic.index);
rc = dlpar_memory_remove_by_ic(count, drc_index);
break;
default:
diff --git a/arch/powerpc/platforms/pseries/pmem.c b/arch/powerpc/platforms/pseries/pmem.c
index 3c290b9ed01b3..0f1d45f32e4a4 100644
--- a/arch/powerpc/platforms/pseries/pmem.c
+++ b/arch/powerpc/platforms/pseries/pmem.c
@@ -121,7 +121,7 @@ int dlpar_hp_pmem(struct pseries_hp_errorlog *hp_elog)
return -EINVAL;
}
- drc_index = hp_elog->_drc_u.drc_index;
+ drc_index = be32_to_cpu(hp_elog->_drc_u.drc_index);
lock_device_hotplug();
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 174/386] drm/amdgpu/gfx11: use rlc safe mode for soft recovery
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 173/386] powerpc/pseries: Use correct data types from pseries_hp_errorlog struct Greg Kroah-Hartman
@ 2024-10-08 12:06 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 175/386] drm/amdgpu/gfx10: " Greg Kroah-Hartman
` (222 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:06 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vitaly Prosyak, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit 3f2d35c325534c1b7ac5072173f0dc7ca969dec2 ]
Protect the MMIO access with safe mode.
Acked-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
index c813cd7b015e1..54ec9b32562c2 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v11_0.c
@@ -5701,7 +5701,9 @@ static void gfx_v11_0_ring_soft_recovery(struct amdgpu_ring *ring,
value = REG_SET_FIELD(value, SQ_CMD, MODE, 0x01);
value = REG_SET_FIELD(value, SQ_CMD, CHECK_VMID, 1);
value = REG_SET_FIELD(value, SQ_CMD, VM_ID, vmid);
+ amdgpu_gfx_rlc_enter_safe_mode(adev, 0);
WREG32_SOC15(GC, 0, regSQ_CMD, value);
+ amdgpu_gfx_rlc_exit_safe_mode(adev, 0);
}
static void
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 175/386] drm/amdgpu/gfx10: use rlc safe mode for soft recovery
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2024-10-08 12:06 ` [PATCH 6.6 174/386] drm/amdgpu/gfx11: use rlc safe mode for soft recovery Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 176/386] platform/x86: lenovo-ymc: Ignore the 0x0 state Greg Kroah-Hartman
` (221 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vitaly Prosyak, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Deucher <alexander.deucher@amd.com>
[ Upstream commit ead60e9c4e29c8574cae1be4fe3af1d9a978fb0f ]
Protect the MMIO access with safe mode.
Acked-by: Vitaly Prosyak <vitaly.prosyak@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
index cd594b92c6129..53c99bc6abb33 100644
--- a/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
+++ b/drivers/gpu/drm/amd/amdgpu/gfx_v10_0.c
@@ -8748,7 +8748,9 @@ static void gfx_v10_0_ring_soft_recovery(struct amdgpu_ring *ring,
value = REG_SET_FIELD(value, SQ_CMD, MODE, 0x01);
value = REG_SET_FIELD(value, SQ_CMD, CHECK_VMID, 1);
value = REG_SET_FIELD(value, SQ_CMD, VM_ID, vmid);
+ amdgpu_gfx_rlc_enter_safe_mode(adev, 0);
WREG32_SOC15(GC, 0, mmSQ_CMD, value);
+ amdgpu_gfx_rlc_exit_safe_mode(adev, 0);
}
static void
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 176/386] platform/x86: lenovo-ymc: Ignore the 0x0 state
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 175/386] drm/amdgpu/gfx10: " Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 177/386] ksmbd: add refcnt to ksmbd_conn struct Greg Kroah-Hartman
` (220 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gergo Koteles, Hans de Goede,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gergo Koteles <soyer@irl.hu>
[ Upstream commit d9dca215708d32e7f88ac0591fbb187cbf368adb ]
While booting, Lenovo 14ARB7 reports 'lenovo-ymc: Unknown key 0 pressed'
warning. This is caused by lenovo_ymc_probe() calling lenovo_ymc_notify()
at probe time to get the initial tablet-mode-switch state and the key-code
lenovo_ymc_notify() reads from the firmware is not initialized at probe
time yet on the Lenovo 14ARB7.
The hardware/firmware does an ACPI notify on the WMI device itself when
it initializes the tablet-mode-switch state later on.
Add 0x0 YMC state to the sparse keymap to silence the warning.
Signed-off-by: Gergo Koteles <soyer@irl.hu>
Link: https://lore.kernel.org/r/08ab73bb74c4ad448409f2ce707b1148874a05ce.1724340562.git.soyer@irl.hu
[hdegoede@redhat.com: Reword commit message]
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/lenovo-ymc.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/platform/x86/lenovo-ymc.c b/drivers/platform/x86/lenovo-ymc.c
index e1fbc35504d49..ef2c267ab485c 100644
--- a/drivers/platform/x86/lenovo-ymc.c
+++ b/drivers/platform/x86/lenovo-ymc.c
@@ -78,6 +78,8 @@ static void lenovo_ymc_trigger_ec(struct wmi_device *wdev, struct lenovo_ymc_pri
}
static const struct key_entry lenovo_ymc_keymap[] = {
+ /* Ignore the uninitialized state */
+ { KE_IGNORE, 0x00 },
/* Laptop */
{ KE_SW, 0x01, { .sw = { SW_TABLET_MODE, 0 } } },
/* Tablet */
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 177/386] ksmbd: add refcnt to ksmbd_conn struct
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 176/386] platform/x86: lenovo-ymc: Ignore the 0x0 state Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 178/386] ext4: dont set SB_RDONLY after filesystem errors Greg Kroah-Hartman
` (219 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Namjae Jeon, Steve French,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namjae Jeon <linkinjeon@kernel.org>
[ Upstream commit ee426bfb9d09b29987369b897fe9b6485ac2be27 ]
When sending an oplock break request, opinfo->conn is used,
But freed ->conn can be used on multichannel.
This patch add a reference count to the ksmbd_conn struct
so that it can be freed when it is no longer used.
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/smb/server/connection.c | 4 ++-
fs/smb/server/connection.h | 1 +
fs/smb/server/oplock.c | 55 +++++++++++---------------------------
fs/smb/server/vfs_cache.c | 3 +++
4 files changed, 23 insertions(+), 40 deletions(-)
diff --git a/fs/smb/server/connection.c b/fs/smb/server/connection.c
index 7889df8112b4e..cac80e7bfefc7 100644
--- a/fs/smb/server/connection.c
+++ b/fs/smb/server/connection.c
@@ -39,7 +39,8 @@ void ksmbd_conn_free(struct ksmbd_conn *conn)
xa_destroy(&conn->sessions);
kvfree(conn->request_buf);
kfree(conn->preauth_info);
- kfree(conn);
+ if (atomic_dec_and_test(&conn->refcnt))
+ kfree(conn);
}
/**
@@ -68,6 +69,7 @@ struct ksmbd_conn *ksmbd_conn_alloc(void)
conn->um = NULL;
atomic_set(&conn->req_running, 0);
atomic_set(&conn->r_count, 0);
+ atomic_set(&conn->refcnt, 1);
conn->total_credits = 1;
conn->outstanding_credits = 0;
diff --git a/fs/smb/server/connection.h b/fs/smb/server/connection.h
index b93e5437793e0..82343afc8d049 100644
--- a/fs/smb/server/connection.h
+++ b/fs/smb/server/connection.h
@@ -106,6 +106,7 @@ struct ksmbd_conn {
bool signing_negotiated;
__le16 signing_algorithm;
bool binding;
+ atomic_t refcnt;
};
struct ksmbd_conn_ops {
diff --git a/fs/smb/server/oplock.c b/fs/smb/server/oplock.c
index e546ffa57b55a..8ee86478287f9 100644
--- a/fs/smb/server/oplock.c
+++ b/fs/smb/server/oplock.c
@@ -51,6 +51,7 @@ static struct oplock_info *alloc_opinfo(struct ksmbd_work *work,
init_waitqueue_head(&opinfo->oplock_brk);
atomic_set(&opinfo->refcount, 1);
atomic_set(&opinfo->breaking_cnt, 0);
+ atomic_inc(&opinfo->conn->refcnt);
return opinfo;
}
@@ -124,6 +125,8 @@ static void free_opinfo(struct oplock_info *opinfo)
{
if (opinfo->is_lease)
free_lease(opinfo);
+ if (opinfo->conn && atomic_dec_and_test(&opinfo->conn->refcnt))
+ kfree(opinfo->conn);
kfree(opinfo);
}
@@ -163,9 +166,7 @@ static struct oplock_info *opinfo_get_list(struct ksmbd_inode *ci)
!atomic_inc_not_zero(&opinfo->refcount))
opinfo = NULL;
else {
- atomic_inc(&opinfo->conn->r_count);
if (ksmbd_conn_releasing(opinfo->conn)) {
- atomic_dec(&opinfo->conn->r_count);
atomic_dec(&opinfo->refcount);
opinfo = NULL;
}
@@ -177,26 +178,11 @@ static struct oplock_info *opinfo_get_list(struct ksmbd_inode *ci)
return opinfo;
}
-static void opinfo_conn_put(struct oplock_info *opinfo)
+void opinfo_put(struct oplock_info *opinfo)
{
- struct ksmbd_conn *conn;
-
if (!opinfo)
return;
- conn = opinfo->conn;
- /*
- * Checking waitqueue to dropping pending requests on
- * disconnection. waitqueue_active is safe because it
- * uses atomic operation for condition.
- */
- if (!atomic_dec_return(&conn->r_count) && waitqueue_active(&conn->r_count_q))
- wake_up(&conn->r_count_q);
- opinfo_put(opinfo);
-}
-
-void opinfo_put(struct oplock_info *opinfo)
-{
if (!atomic_dec_and_test(&opinfo->refcount))
return;
@@ -1127,14 +1113,11 @@ void smb_send_parent_lease_break_noti(struct ksmbd_file *fp,
if (!atomic_inc_not_zero(&opinfo->refcount))
continue;
- atomic_inc(&opinfo->conn->r_count);
- if (ksmbd_conn_releasing(opinfo->conn)) {
- atomic_dec(&opinfo->conn->r_count);
+ if (ksmbd_conn_releasing(opinfo->conn))
continue;
- }
oplock_break(opinfo, SMB2_OPLOCK_LEVEL_NONE);
- opinfo_conn_put(opinfo);
+ opinfo_put(opinfo);
}
}
up_read(&p_ci->m_lock);
@@ -1167,13 +1150,10 @@ void smb_lazy_parent_lease_break_close(struct ksmbd_file *fp)
if (!atomic_inc_not_zero(&opinfo->refcount))
continue;
- atomic_inc(&opinfo->conn->r_count);
- if (ksmbd_conn_releasing(opinfo->conn)) {
- atomic_dec(&opinfo->conn->r_count);
+ if (ksmbd_conn_releasing(opinfo->conn))
continue;
- }
oplock_break(opinfo, SMB2_OPLOCK_LEVEL_NONE);
- opinfo_conn_put(opinfo);
+ opinfo_put(opinfo);
}
}
up_read(&p_ci->m_lock);
@@ -1252,7 +1232,7 @@ int smb_grant_oplock(struct ksmbd_work *work, int req_op_level, u64 pid,
prev_opinfo = opinfo_get_list(ci);
if (!prev_opinfo ||
(prev_opinfo->level == SMB2_OPLOCK_LEVEL_NONE && lctx)) {
- opinfo_conn_put(prev_opinfo);
+ opinfo_put(prev_opinfo);
goto set_lev;
}
prev_op_has_lease = prev_opinfo->is_lease;
@@ -1262,19 +1242,19 @@ int smb_grant_oplock(struct ksmbd_work *work, int req_op_level, u64 pid,
if (share_ret < 0 &&
prev_opinfo->level == SMB2_OPLOCK_LEVEL_EXCLUSIVE) {
err = share_ret;
- opinfo_conn_put(prev_opinfo);
+ opinfo_put(prev_opinfo);
goto err_out;
}
if (prev_opinfo->level != SMB2_OPLOCK_LEVEL_BATCH &&
prev_opinfo->level != SMB2_OPLOCK_LEVEL_EXCLUSIVE) {
- opinfo_conn_put(prev_opinfo);
+ opinfo_put(prev_opinfo);
goto op_break_not_needed;
}
list_add(&work->interim_entry, &prev_opinfo->interim_list);
err = oplock_break(prev_opinfo, SMB2_OPLOCK_LEVEL_II);
- opinfo_conn_put(prev_opinfo);
+ opinfo_put(prev_opinfo);
if (err == -ENOENT)
goto set_lev;
/* Check all oplock was freed by close */
@@ -1337,14 +1317,14 @@ static void smb_break_all_write_oplock(struct ksmbd_work *work,
return;
if (brk_opinfo->level != SMB2_OPLOCK_LEVEL_BATCH &&
brk_opinfo->level != SMB2_OPLOCK_LEVEL_EXCLUSIVE) {
- opinfo_conn_put(brk_opinfo);
+ opinfo_put(brk_opinfo);
return;
}
brk_opinfo->open_trunc = is_trunc;
list_add(&work->interim_entry, &brk_opinfo->interim_list);
oplock_break(brk_opinfo, SMB2_OPLOCK_LEVEL_II);
- opinfo_conn_put(brk_opinfo);
+ opinfo_put(brk_opinfo);
}
/**
@@ -1376,11 +1356,8 @@ void smb_break_all_levII_oplock(struct ksmbd_work *work, struct ksmbd_file *fp,
if (!atomic_inc_not_zero(&brk_op->refcount))
continue;
- atomic_inc(&brk_op->conn->r_count);
- if (ksmbd_conn_releasing(brk_op->conn)) {
- atomic_dec(&brk_op->conn->r_count);
+ if (ksmbd_conn_releasing(brk_op->conn))
continue;
- }
rcu_read_unlock();
if (brk_op->is_lease && (brk_op->o_lease->state &
@@ -1411,7 +1388,7 @@ void smb_break_all_levII_oplock(struct ksmbd_work *work, struct ksmbd_file *fp,
brk_op->open_trunc = is_trunc;
oplock_break(brk_op, SMB2_OPLOCK_LEVEL_NONE);
next:
- opinfo_conn_put(brk_op);
+ opinfo_put(brk_op);
rcu_read_lock();
}
rcu_read_unlock();
diff --git a/fs/smb/server/vfs_cache.c b/fs/smb/server/vfs_cache.c
index 8b2e37c8716ed..271a23abc82fd 100644
--- a/fs/smb/server/vfs_cache.c
+++ b/fs/smb/server/vfs_cache.c
@@ -710,6 +710,8 @@ static bool session_fd_check(struct ksmbd_tree_connect *tcon,
list_for_each_entry_rcu(op, &ci->m_op_list, op_entry) {
if (op->conn != conn)
continue;
+ if (op->conn && atomic_dec_and_test(&op->conn->refcnt))
+ kfree(op->conn);
op->conn = NULL;
}
up_write(&ci->m_lock);
@@ -807,6 +809,7 @@ int ksmbd_reopen_durable_fd(struct ksmbd_work *work, struct ksmbd_file *fp)
if (op->conn)
continue;
op->conn = fp->conn;
+ atomic_inc(&op->conn->refcnt);
}
up_write(&ci->m_lock);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 178/386] ext4: dont set SB_RDONLY after filesystem errors
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 177/386] ksmbd: add refcnt to ksmbd_conn struct Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 179/386] bpf: Make the pointer returned by iter next method valid Greg Kroah-Hartman
` (218 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Brauner, Jan Kara,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kara <jack@suse.cz>
[ Upstream commit d3476f3dad4ad68ae5f6b008ea6591d1520da5d8 ]
When the filesystem is mounted with errors=remount-ro, we were setting
SB_RDONLY flag to stop all filesystem modifications. We knew this misses
proper locking (sb->s_umount) and does not go through proper filesystem
remount procedure but it has been the way this worked since early ext2
days and it was good enough for catastrophic situation damage
mitigation. Recently, syzbot has found a way (see link) to trigger
warnings in filesystem freezing because the code got confused by
SB_RDONLY changing under its hands. Since these days we set
EXT4_FLAGS_SHUTDOWN on the superblock which is enough to stop all
filesystem modifications, modifying SB_RDONLY shouldn't be needed. So
stop doing that.
Link: https://lore.kernel.org/all/000000000000b90a8e061e21d12f@google.com
Reported-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Christian Brauner <brauner@kernel.org>
Link: https://patch.msgid.link/20240805201241.27286-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/super.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 46c4f75049791..53ead0650fc8a 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -744,11 +744,12 @@ static void ext4_handle_error(struct super_block *sb, bool force_ro, int error,
ext4_msg(sb, KERN_CRIT, "Remounting filesystem read-only");
/*
- * Make sure updated value of ->s_mount_flags will be visible before
- * ->s_flags update
+ * EXT4_FLAGS_SHUTDOWN was set which stops all filesystem
+ * modifications. We don't set SB_RDONLY because that requires
+ * sb->s_umount semaphore and setting it without proper remount
+ * procedure is confusing code such as freeze_super() leading to
+ * deadlocks and other problems.
*/
- smp_wmb();
- sb->s_flags |= SB_RDONLY;
}
static void update_super_work(struct work_struct *work)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 179/386] bpf: Make the pointer returned by iter next method valid
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 178/386] ext4: dont set SB_RDONLY after filesystem errors Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 180/386] ext4: ext4_search_dir should return a proper error Greg Kroah-Hartman
` (217 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Juntong Deng, Alexei Starovoitov,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Juntong Deng <juntong.deng@outlook.com>
[ Upstream commit 4cc8c50c9abcb2646a7a4fcef3cea5dcb30c06cf ]
Currently we cannot pass the pointer returned by iter next method as
argument to KF_TRUSTED_ARGS or KF_RCU kfuncs, because the pointer
returned by iter next method is not "valid".
This patch sets the pointer returned by iter next method to be valid.
This is based on the fact that if the iterator is implemented correctly,
then the pointer returned from the iter next method should be valid.
This does not make NULL pointer valid. If the iter next method has
KF_RET_NULL flag, then the verifier will ask the ebpf program to
check NULL pointer.
KF_RCU_PROTECTED iterator is a special case, the pointer returned by
iter next method should only be valid within RCU critical section,
so it should be with MEM_RCU, not PTR_TRUSTED.
Another special case is bpf_iter_num_next, which returns a pointer with
base type PTR_TO_MEM. PTR_TO_MEM should not be combined with type flag
PTR_TRUSTED (PTR_TO_MEM already means the pointer is valid).
The pointer returned by iter next method of other types of iterators
is with PTR_TRUSTED.
In addition, this patch adds get_iter_from_state to help us get the
current iterator from the current state.
Signed-off-by: Juntong Deng <juntong.deng@outlook.com>
Link: https://lore.kernel.org/r/AM6PR03MB584869F8B448EA1C87B7CDA399962@AM6PR03MB5848.eurprd03.prod.outlook.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/bpf/verifier.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c
index 834394faf2af3..3032a464d31bb 100644
--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -7846,6 +7846,15 @@ static int widen_imprecise_scalars(struct bpf_verifier_env *env,
return 0;
}
+static struct bpf_reg_state *get_iter_from_state(struct bpf_verifier_state *cur_st,
+ struct bpf_kfunc_call_arg_meta *meta)
+{
+ int iter_frameno = meta->iter.frameno;
+ int iter_spi = meta->iter.spi;
+
+ return &cur_st->frame[iter_frameno]->stack[iter_spi].spilled_ptr;
+}
+
/* process_iter_next_call() is called when verifier gets to iterator's next
* "method" (e.g., bpf_iter_num_next() for numbers iterator) call. We'll refer
* to it as just "iter_next()" in comments below.
@@ -7930,12 +7939,10 @@ static int process_iter_next_call(struct bpf_verifier_env *env, int insn_idx,
struct bpf_verifier_state *cur_st = env->cur_state, *queued_st, *prev_st;
struct bpf_func_state *cur_fr = cur_st->frame[cur_st->curframe], *queued_fr;
struct bpf_reg_state *cur_iter, *queued_iter;
- int iter_frameno = meta->iter.frameno;
- int iter_spi = meta->iter.spi;
BTF_TYPE_EMIT(struct bpf_iter);
- cur_iter = &env->cur_state->frame[iter_frameno]->stack[iter_spi].spilled_ptr;
+ cur_iter = get_iter_from_state(cur_st, meta);
if (cur_iter->iter.state != BPF_ITER_STATE_ACTIVE &&
cur_iter->iter.state != BPF_ITER_STATE_DRAINED) {
@@ -7963,7 +7970,7 @@ static int process_iter_next_call(struct bpf_verifier_env *env, int insn_idx,
if (!queued_st)
return -ENOMEM;
- queued_iter = &queued_st->frame[iter_frameno]->stack[iter_spi].spilled_ptr;
+ queued_iter = get_iter_from_state(queued_st, meta);
queued_iter->iter.state = BPF_ITER_STATE_ACTIVE;
queued_iter->iter.depth++;
if (prev_st)
@@ -11995,6 +12002,17 @@ static int check_kfunc_call(struct bpf_verifier_env *env, struct bpf_insn *insn,
regs[BPF_REG_0].btf = desc_btf;
regs[BPF_REG_0].type = PTR_TO_BTF_ID;
regs[BPF_REG_0].btf_id = ptr_type_id;
+
+ if (is_iter_next_kfunc(&meta)) {
+ struct bpf_reg_state *cur_iter;
+
+ cur_iter = get_iter_from_state(env->cur_state, &meta);
+
+ if (cur_iter->type & MEM_RCU) /* KF_RCU_PROTECTED */
+ regs[BPF_REG_0].type |= MEM_RCU;
+ else
+ regs[BPF_REG_0].type |= PTR_TRUSTED;
+ }
}
if (is_kfunc_ret_null(&meta)) {
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 180/386] ext4: ext4_search_dir should return a proper error
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 179/386] bpf: Make the pointer returned by iter next method valid Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 181/386] ext4: avoid use-after-free in ext4_ext_show_leaf() Greg Kroah-Hartman
` (216 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thadeu Lima de Souza Cascardo,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
[ Upstream commit cd69f8f9de280e331c9e6ff689ced0a688a9ce8f ]
ext4_search_dir currently returns -1 in case of a failure, while it returns
0 when the name is not found. In such failure cases, it should return an
error code instead.
This becomes even more important when ext4_find_inline_entry returns an
error code as well in the next commit.
-EFSCORRUPTED seems appropriate as such error code as these failures would
be caused by unexpected record lengths and is in line with other instances
of ext4_check_dir_entry failures.
In the case of ext4_dx_find_entry, the current use of ERR_BAD_DX_DIR was
left as is to reduce the risk of regressions.
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@igalia.com>
Link: https://patch.msgid.link/20240821152324.3621860-2-cascardo@igalia.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/namei.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
index 3bd2301cb48e7..9913aa37e697c 100644
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -1526,7 +1526,7 @@ static bool ext4_match(struct inode *parent,
}
/*
- * Returns 0 if not found, -1 on failure, and 1 on success
+ * Returns 0 if not found, -EFSCORRUPTED on failure, and 1 on success
*/
int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size,
struct inode *dir, struct ext4_filename *fname,
@@ -1547,7 +1547,7 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size,
* a full check */
if (ext4_check_dir_entry(dir, NULL, de, bh, search_buf,
buf_size, offset))
- return -1;
+ return -EFSCORRUPTED;
*res_dir = de;
return 1;
}
@@ -1555,7 +1555,7 @@ int ext4_search_dir(struct buffer_head *bh, char *search_buf, int buf_size,
de_len = ext4_rec_len_from_disk(de->rec_len,
dir->i_sb->s_blocksize);
if (de_len <= 0)
- return -1;
+ return -EFSCORRUPTED;
offset += de_len;
de = (struct ext4_dir_entry_2 *) ((char *) de + de_len);
}
@@ -1707,8 +1707,10 @@ static struct buffer_head *__ext4_find_entry(struct inode *dir,
goto cleanup_and_exit;
} else {
brelse(bh);
- if (i < 0)
+ if (i < 0) {
+ ret = ERR_PTR(i);
goto cleanup_and_exit;
+ }
}
next:
if (++block >= nblocks)
@@ -1803,7 +1805,7 @@ static struct buffer_head * ext4_dx_find_entry(struct inode *dir,
if (retval == 1)
goto success;
brelse(bh);
- if (retval == -1) {
+ if (retval < 0) {
bh = ERR_PTR(ERR_BAD_DX_DIR);
goto errout;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 181/386] ext4: avoid use-after-free in ext4_ext_show_leaf()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 180/386] ext4: ext4_search_dir should return a proper error Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 182/386] ext4: fix i_data_sem unlock order in ext4_ind_migrate() Greg Kroah-Hartman
` (215 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Baokun Li, Jan Kara, Ojaswin Mujoo,
Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
[ Upstream commit 4e2524ba2ca5f54bdbb9e5153bea00421ef653f5 ]
In ext4_find_extent(), path may be freed by error or be reallocated, so
using a previously saved *ppath may have been freed and thus may trigger
use-after-free, as follows:
ext4_split_extent
path = *ppath;
ext4_split_extent_at(ppath)
path = ext4_find_extent(ppath)
ext4_split_extent_at(ppath)
// ext4_find_extent fails to free path
// but zeroout succeeds
ext4_ext_show_leaf(inode, path)
eh = path[depth].p_hdr
// path use-after-free !!!
Similar to ext4_split_extent_at(), we use *ppath directly as an input to
ext4_ext_show_leaf(). Fix a spelling error by the way.
Same problem in ext4_ext_handle_unwritten_extents(). Since 'path' is only
used in ext4_ext_show_leaf(), remove 'path' and use *ppath directly.
This issue is triggered only when EXT_DEBUG is defined and therefore does
not affect functionality.
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-5-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/extents.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c
index 448e0ea49b31d..7fead53255fcb 100644
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3287,7 +3287,7 @@ static int ext4_split_extent_at(handle_t *handle,
}
/*
- * ext4_split_extents() splits an extent and mark extent which is covered
+ * ext4_split_extent() splits an extent and mark extent which is covered
* by @map as split_flags indicates
*
* It may result in splitting the extent into multiple extents (up to three)
@@ -3363,7 +3363,7 @@ static int ext4_split_extent(handle_t *handle,
goto out;
}
- ext4_ext_show_leaf(inode, path);
+ ext4_ext_show_leaf(inode, *ppath);
out:
return err ? err : allocated;
}
@@ -3828,14 +3828,13 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode,
struct ext4_ext_path **ppath, int flags,
unsigned int allocated, ext4_fsblk_t newblock)
{
- struct ext4_ext_path __maybe_unused *path = *ppath;
int ret = 0;
int err = 0;
ext_debug(inode, "logical block %llu, max_blocks %u, flags 0x%x, allocated %u\n",
(unsigned long long)map->m_lblk, map->m_len, flags,
allocated);
- ext4_ext_show_leaf(inode, path);
+ ext4_ext_show_leaf(inode, *ppath);
/*
* When writing into unwritten space, we should not fail to
@@ -3932,7 +3931,7 @@ ext4_ext_handle_unwritten_extents(handle_t *handle, struct inode *inode,
if (allocated > map->m_len)
allocated = map->m_len;
map->m_len = allocated;
- ext4_ext_show_leaf(inode, path);
+ ext4_ext_show_leaf(inode, *ppath);
out2:
return err ? err : allocated;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 182/386] ext4: fix i_data_sem unlock order in ext4_ind_migrate()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 181/386] ext4: avoid use-after-free in ext4_ext_show_leaf() Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 183/386] bpftool: Fix undefined behavior caused by shifting into the sign bit Greg Kroah-Hartman
` (214 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ritesh Harjani (IBM), Mikhail Ukhin,
Artem Sadovnikov, Theodore Tso, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artem Sadovnikov <ancowi69@gmail.com>
[ Upstream commit cc749e61c011c255d81b192a822db650c68b313f ]
Fuzzing reports a possible deadlock in jbd2_log_wait_commit.
This issue is triggered when an EXT4_IOC_MIGRATE ioctl is set to require
synchronous updates because the file descriptor is opened with O_SYNC.
This can lead to the jbd2_journal_stop() function calling
jbd2_might_wait_for_commit(), potentially causing a deadlock if the
EXT4_IOC_MIGRATE call races with a write(2) system call.
This problem only arises when CONFIG_PROVE_LOCKING is enabled. In this
case, the jbd2_might_wait_for_commit macro locks jbd2_handle in the
jbd2_journal_stop function while i_data_sem is locked. This triggers
lockdep because the jbd2_journal_start function might also lock the same
jbd2_handle simultaneously.
Found by Linux Verification Center (linuxtesting.org) with syzkaller.
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Co-developed-by: Mikhail Ukhin <mish.uxin2012@yandex.ru>
Signed-off-by: Mikhail Ukhin <mish.uxin2012@yandex.ru>
Signed-off-by: Artem Sadovnikov <ancowi69@gmail.com>
Rule: add
Link: https://lore.kernel.org/stable/20240404095000.5872-1-mish.uxin2012%40yandex.ru
Link: https://patch.msgid.link/20240829152210.2754-1-ancowi69@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ext4/migrate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/ext4/migrate.c b/fs/ext4/migrate.c
index d98ac2af8199f..a5e1492bbaaa5 100644
--- a/fs/ext4/migrate.c
+++ b/fs/ext4/migrate.c
@@ -663,8 +663,8 @@ int ext4_ind_migrate(struct inode *inode)
if (unlikely(ret2 && !ret))
ret = ret2;
errout:
- ext4_journal_stop(handle);
up_write(&EXT4_I(inode)->i_data_sem);
+ ext4_journal_stop(handle);
out_unlock:
ext4_writepages_up_write(inode->i_sb, alloc_ctx);
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 183/386] bpftool: Fix undefined behavior caused by shifting into the sign bit
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 182/386] ext4: fix i_data_sem unlock order in ext4_ind_migrate() Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 184/386] iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release Greg Kroah-Hartman
` (213 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuan-Wei Chiu, Andrii Nakryiko,
Quentin Monnet, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuan-Wei Chiu <visitorckw@gmail.com>
[ Upstream commit 4cdc0e4ce5e893bc92255f5f734d983012f2bc2e ]
Replace shifts of '1' with '1U' in bitwise operations within
__show_dev_tc_bpf() to prevent undefined behavior caused by shifting
into the sign bit of a signed integer. By using '1U', the operations
are explicitly performed on unsigned integers, avoiding potential
integer overflow or sign-related issues.
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Acked-by: Quentin Monnet <qmo@kernel.org>
Link: https://lore.kernel.org/bpf/20240908140009.3149781-1-visitorckw@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/bpf/bpftool/net.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c
index 66a8ce8ae0127..fd54ff436493f 100644
--- a/tools/bpf/bpftool/net.c
+++ b/tools/bpf/bpftool/net.c
@@ -480,9 +480,9 @@ static void __show_dev_tc_bpf(const struct ip_devname_ifindex *dev,
if (prog_flags[i] || json_output) {
NET_START_ARRAY("prog_flags", "%s ");
for (j = 0; prog_flags[i] && j < 32; j++) {
- if (!(prog_flags[i] & (1 << j)))
+ if (!(prog_flags[i] & (1U << j)))
continue;
- NET_DUMP_UINT_ONLY(1 << j);
+ NET_DUMP_UINT_ONLY(1U << j);
}
NET_END_ARRAY("");
}
@@ -491,9 +491,9 @@ static void __show_dev_tc_bpf(const struct ip_devname_ifindex *dev,
if (link_flags[i] || json_output) {
NET_START_ARRAY("link_flags", "%s ");
for (j = 0; link_flags[i] && j < 32; j++) {
- if (!(link_flags[i] & (1 << j)))
+ if (!(link_flags[i] & (1U << j)))
continue;
- NET_DUMP_UINT_ONLY(1 << j);
+ NET_DUMP_UINT_ONLY(1U << j);
}
NET_END_ARRAY("");
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 184/386] iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 183/386] bpftool: Fix undefined behavior caused by shifting into the sign bit Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 185/386] bpftool: Fix undefined behavior in qsort(NULL, 0, ...) Greg Kroah-Hartman
` (212 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Hellwig, Darrick J. Wong,
Christian Brauner, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Hellwig <hch@lst.de>
[ Upstream commit 7a9d43eace888a0ee6095035997bb138425844d3 ]
When direct I/O completions invalidates the page cache it holds neither the
i_rwsem nor the invalidate_lock so it can be racing with
iomap_write_delalloc_release. If the search for the end of the region that
contains data returns the start offset we hit such a race and just need to
look for the end of the newly created hole instead.
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20240910043949.3481298-2-hch@lst.de
Reviewed-by: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/iomap/buffered-io.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
diff --git a/fs/iomap/buffered-io.c b/fs/iomap/buffered-io.c
index 5371b16341fff..aedaad4c37d75 100644
--- a/fs/iomap/buffered-io.c
+++ b/fs/iomap/buffered-io.c
@@ -1177,7 +1177,15 @@ static int iomap_write_delalloc_release(struct inode *inode,
error = data_end;
goto out_unlock;
}
- WARN_ON_ONCE(data_end <= start_byte);
+
+ /*
+ * If we race with post-direct I/O invalidation of the page cache,
+ * there might be no data left at start_byte.
+ */
+ if (data_end == start_byte)
+ continue;
+
+ WARN_ON_ONCE(data_end < start_byte);
WARN_ON_ONCE(data_end > scan_end_byte);
error = iomap_write_delalloc_scan(inode, &punch_start_byte,
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 185/386] bpftool: Fix undefined behavior in qsort(NULL, 0, ...)
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 184/386] iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 186/386] spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled Greg Kroah-Hartman
` (211 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kuan-Wei Chiu, Andrii Nakryiko,
Quentin Monnet, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuan-Wei Chiu <visitorckw@gmail.com>
[ Upstream commit f04e2ad394e2755d0bb2d858ecb5598718bf00d5 ]
When netfilter has no entry to display, qsort is called with
qsort(NULL, 0, ...). This results in undefined behavior, as UBSan
reports:
net.c:827:2: runtime error: null pointer passed as argument 1, which is declared to never be null
Although the C standard does not explicitly state whether calling qsort
with a NULL pointer when the size is 0 constitutes undefined behavior,
Section 7.1.4 of the C standard (Use of library functions) mentions:
"Each of the following statements applies unless explicitly stated
otherwise in the detailed descriptions that follow: If an argument to a
function has an invalid value (such as a value outside the domain of
the function, or a pointer outside the address space of the program, or
a null pointer, or a pointer to non-modifiable storage when the
corresponding parameter is not const-qualified) or a type (after
promotion) not expected by a function with variable number of
arguments, the behavior is undefined."
To avoid this, add an early return when nf_link_info is NULL to prevent
calling qsort with a NULL pointer.
Signed-off-by: Kuan-Wei Chiu <visitorckw@gmail.com>
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Quentin Monnet <qmo@kernel.org>
Link: https://lore.kernel.org/bpf/20240910150207.3179306-1-visitorckw@gmail.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/bpf/bpftool/net.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/tools/bpf/bpftool/net.c b/tools/bpf/bpftool/net.c
index fd54ff436493f..28e9417a5c2e3 100644
--- a/tools/bpf/bpftool/net.c
+++ b/tools/bpf/bpftool/net.c
@@ -819,6 +819,9 @@ static void show_link_netfilter(void)
nf_link_count++;
}
+ if (!nf_link_info)
+ return;
+
qsort(nf_link_info, nf_link_count, sizeof(*nf_link_info), netfilter_link_compar);
for (id = 0; id < nf_link_count; id++) {
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 186/386] spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 185/386] bpftool: Fix undefined behavior in qsort(NULL, 0, ...) Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 187/386] spi: spi-cadence: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
` (210 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinjie Ruan, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
[ Upstream commit b6e05ba0844139dde138625906015c974c86aa93 ]
It is not valid to call pm_runtime_set_suspended() for devices
with runtime PM enabled because it returns -EAGAIN if it is enabled
already and working. So, call pm_runtime_disable() before to fix it.
Fixes: 43b6bf406cd0 ("spi: imx: fix runtime pm support for !CONFIG_PM")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Link: https://patch.msgid.link/20240923040015.3009329-2-ruanjinjie@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-imx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index 006860ee03ca0..daa32bde61556 100644
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -1870,8 +1870,8 @@ static int spi_imx_probe(struct platform_device *pdev)
spi_imx_sdma_exit(spi_imx);
out_runtime_pm_put:
pm_runtime_dont_use_autosuspend(spi_imx->dev);
- pm_runtime_set_suspended(&pdev->dev);
pm_runtime_disable(spi_imx->dev);
+ pm_runtime_set_suspended(&pdev->dev);
clk_disable_unprepare(spi_imx->clk_ipg);
out_put_per:
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 187/386] spi: spi-cadence: Use helper function devm_clk_get_enabled()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 186/386] spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 188/386] spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled Greg Kroah-Hartman
` (209 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jonathan Cameron, Li Zetao,
Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Zetao <lizetao1@huawei.com>
[ Upstream commit f64b1600f92e786e502cc30d31d9e3c5f2f6d682 ]
Since commit 7ef9651e9792 ("clk: Provide new devm_clk helpers for prepared
and enabled clocks"), devm_clk_get() and clk_prepare_enable() can now be
replaced by devm_clk_get_enabled() when driver enables (and possibly
prepares) the clocks for the whole lifetime of the device. Moreover, it is
no longer necessary to unprepare and disable the clocks explicitly.
Reviewed-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Li Zetao <lizetao1@huawei.com>
Link: https://lore.kernel.org/r/20230823133938.1359106-9-lizetao1@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Stable-dep-of: 67d4a70faa66 ("spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-cadence.c | 23 +++--------------------
1 file changed, 3 insertions(+), 20 deletions(-)
diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
index 5cab7caf46586..e5140532071d2 100644
--- a/drivers/spi/spi-cadence.c
+++ b/drivers/spi/spi-cadence.c
@@ -581,31 +581,19 @@ static int cdns_spi_probe(struct platform_device *pdev)
goto remove_ctlr;
}
- xspi->pclk = devm_clk_get(&pdev->dev, "pclk");
+ xspi->pclk = devm_clk_get_enabled(&pdev->dev, "pclk");
if (IS_ERR(xspi->pclk)) {
dev_err(&pdev->dev, "pclk clock not found.\n");
ret = PTR_ERR(xspi->pclk);
goto remove_ctlr;
}
- ret = clk_prepare_enable(xspi->pclk);
- if (ret) {
- dev_err(&pdev->dev, "Unable to enable APB clock.\n");
- goto remove_ctlr;
- }
-
if (!spi_controller_is_target(ctlr)) {
- xspi->ref_clk = devm_clk_get(&pdev->dev, "ref_clk");
+ xspi->ref_clk = devm_clk_get_enabled(&pdev->dev, "ref_clk");
if (IS_ERR(xspi->ref_clk)) {
dev_err(&pdev->dev, "ref_clk clock not found.\n");
ret = PTR_ERR(xspi->ref_clk);
- goto clk_dis_apb;
- }
-
- ret = clk_prepare_enable(xspi->ref_clk);
- if (ret) {
- dev_err(&pdev->dev, "Unable to enable device clock.\n");
- goto clk_dis_apb;
+ goto remove_ctlr;
}
pm_runtime_use_autosuspend(&pdev->dev);
@@ -679,10 +667,7 @@ static int cdns_spi_probe(struct platform_device *pdev)
if (!spi_controller_is_target(ctlr)) {
pm_runtime_set_suspended(&pdev->dev);
pm_runtime_disable(&pdev->dev);
- clk_disable_unprepare(xspi->ref_clk);
}
-clk_dis_apb:
- clk_disable_unprepare(xspi->pclk);
remove_ctlr:
spi_controller_put(ctlr);
return ret;
@@ -703,8 +688,6 @@ static void cdns_spi_remove(struct platform_device *pdev)
cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
- clk_disable_unprepare(xspi->ref_clk);
- clk_disable_unprepare(xspi->pclk);
pm_runtime_set_suspended(&pdev->dev);
pm_runtime_disable(&pdev->dev);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 188/386] spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 187/386] spi: spi-cadence: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 189/386] spi: spi-cadence: Fix missing spi_controller_is_target() check Greg Kroah-Hartman
` (208 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinjie Ruan, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
[ Upstream commit 67d4a70faa662df07451e83db1546d3ca0695e08 ]
It is not valid to call pm_runtime_set_suspended() for devices
with runtime PM enabled because it returns -EAGAIN if it is enabled
already and working. So, call pm_runtime_disable() before to fix it.
Fixes: d36ccd9f7ea4 ("spi: cadence: Runtime pm adaptation")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Link: https://patch.msgid.link/20240923040015.3009329-3-ruanjinjie@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-cadence.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
index e5140532071d2..316da99f798c8 100644
--- a/drivers/spi/spi-cadence.c
+++ b/drivers/spi/spi-cadence.c
@@ -665,8 +665,8 @@ static int cdns_spi_probe(struct platform_device *pdev)
clk_dis_all:
if (!spi_controller_is_target(ctlr)) {
- pm_runtime_set_suspended(&pdev->dev);
pm_runtime_disable(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
}
remove_ctlr:
spi_controller_put(ctlr);
@@ -688,8 +688,8 @@ static void cdns_spi_remove(struct platform_device *pdev)
cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
- pm_runtime_set_suspended(&pdev->dev);
pm_runtime_disable(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
spi_unregister_controller(ctlr);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 189/386] spi: spi-cadence: Fix missing spi_controller_is_target() check
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 188/386] spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 190/386] selftest: hid: add missing run-hid-tools-tests.sh Greg Kroah-Hartman
` (207 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinjie Ruan, Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
[ Upstream commit 3eae4a916fc0eb6f85b5d399e10335dbd24dd765 ]
The spi_controller_is_target() check is missing for pm_runtime_disable()
in cdns_spi_remove(), add it.
Fixes: b1b90514eaa3 ("spi: spi-cadence: Add support for Slave mode")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Link: https://patch.msgid.link/20240923040015.3009329-4-ruanjinjie@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-cadence.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi-cadence.c b/drivers/spi/spi-cadence.c
index 316da99f798c8..81edf0a3ddf84 100644
--- a/drivers/spi/spi-cadence.c
+++ b/drivers/spi/spi-cadence.c
@@ -688,8 +688,10 @@ static void cdns_spi_remove(struct platform_device *pdev)
cdns_spi_write(xspi, CDNS_SPI_ER, CDNS_SPI_ER_DISABLE);
- pm_runtime_disable(&pdev->dev);
- pm_runtime_set_suspended(&pdev->dev);
+ if (!spi_controller_is_target(ctlr)) {
+ pm_runtime_disable(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
+ }
spi_unregister_controller(ctlr);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 190/386] selftest: hid: add missing run-hid-tools-tests.sh
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 189/386] spi: spi-cadence: Fix missing spi_controller_is_target() check Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 191/386] spi: s3c64xx: fix timeout counters in flush_fifo Greg Kroah-Hartman
` (206 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yun Lu, Benjamin Tissoires,
Shuah Khan, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yun Lu <luyun@kylinos.cn>
[ Upstream commit 160c826b4dd0d570f0f51cf002cb49bda807e9f5 ]
HID test cases run tests using the run-hid-tools-tests.sh script.
When installed with "make install", the run-hid-tools-tests.sh
script will not be copied over, resulting in the following error message.
make -C tools/testing/selftests/ TARGETS=hid install \
INSTALL_PATH=$KSFT_INSTALL_PATH
cd $KSFT_INSTALL_PATH
./run_kselftest.sh -c hid
selftests: hid: hid-core.sh
bash: ./run-hid-tools-tests.sh: No such file or directory
Add the run-hid-tools-tests.sh script to the TEST_FILES in the Makefile
for it to be installed.
Fixes: ffb85d5c9e80 ("selftests: hid: import hid-tools hid-core tests")
Signed-off-by: Yun Lu <luyun@kylinos.cn>
Acked-by: Benjamin Tissoires <bentiss@kernel.org>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/hid/Makefile | 2 ++
1 file changed, 2 insertions(+)
diff --git a/tools/testing/selftests/hid/Makefile b/tools/testing/selftests/hid/Makefile
index 2e986cbf1a463..87b6f5f83d7e0 100644
--- a/tools/testing/selftests/hid/Makefile
+++ b/tools/testing/selftests/hid/Makefile
@@ -17,6 +17,8 @@ TEST_PROGS += hid-tablet.sh
TEST_PROGS += hid-usb_crash.sh
TEST_PROGS += hid-wacom.sh
+TEST_FILES := run-hid-tools-tests.sh
+
CXX ?= $(CROSS_COMPILE)g++
HOSTPKG_CONFIG := pkg-config
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 191/386] spi: s3c64xx: fix timeout counters in flush_fifo
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 190/386] selftest: hid: add missing run-hid-tools-tests.sh Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 192/386] selftests: breakpoints: use remaining time to check if suspend succeed Greg Kroah-Hartman
` (205 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Dooks, Andi Shyti, Mark Brown,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Dooks <ben.dooks@codethink.co.uk>
[ Upstream commit 68a16708d2503b6303d67abd43801e2ca40c208d ]
In the s3c64xx_flush_fifo() code, the loops counter is post-decremented
in the do { } while(test && loops--) condition. This means the loops is
left at the unsigned equivalent of -1 if the loop times out. The test
after will never pass as if tests for loops == 0.
Signed-off-by: Ben Dooks <ben.dooks@codethink.co.uk>
Fixes: 230d42d422e7 ("spi: Add s3c64xx SPI Controller driver")
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Link: https://patch.msgid.link/20240924134009.116247-2-ben.dooks@codethink.co.uk
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-s3c64xx.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/spi/spi-s3c64xx.c b/drivers/spi/spi-s3c64xx.c
index 652eadbefe24c..f699ce1b40253 100644
--- a/drivers/spi/spi-s3c64xx.c
+++ b/drivers/spi/spi-s3c64xx.c
@@ -239,7 +239,7 @@ static void s3c64xx_flush_fifo(struct s3c64xx_spi_driver_data *sdd)
loops = msecs_to_loops(1);
do {
val = readl(regs + S3C64XX_SPI_STATUS);
- } while (TX_FIFO_LVL(val, sdd) && loops--);
+ } while (TX_FIFO_LVL(val, sdd) && --loops);
if (loops == 0)
dev_warn(&sdd->pdev->dev, "Timed out flushing TX FIFO\n");
@@ -252,7 +252,7 @@ static void s3c64xx_flush_fifo(struct s3c64xx_spi_driver_data *sdd)
readl(regs + S3C64XX_SPI_RX_DATA);
else
break;
- } while (loops--);
+ } while (--loops);
if (loops == 0)
dev_warn(&sdd->pdev->dev, "Timed out flushing RX FIFO\n");
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 192/386] selftests: breakpoints: use remaining time to check if suspend succeed
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 191/386] spi: s3c64xx: fix timeout counters in flush_fifo Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 193/386] accel/ivpu: Add missing MODULE_FIRMWARE metadata Greg Kroah-Hartman
` (204 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sinadin Shan, Yifei Liu, Shuah Khan,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yifei Liu <yifei.l.liu@oracle.com>
[ Upstream commit c66be905cda24fb782b91053b196bd2e966f95b7 ]
step_after_suspend_test fails with device busy error while
writing to /sys/power/state to start suspend. The test believes
it failed to enter suspend state with
$ sudo ./step_after_suspend_test
TAP version 13
Bail out! Failed to enter Suspend state
However, in the kernel message, I indeed see the system get
suspended and then wake up later.
[611172.033108] PM: suspend entry (s2idle)
[611172.044940] Filesystems sync: 0.006 seconds
[611172.052254] Freezing user space processes
[611172.059319] Freezing user space processes completed (elapsed 0.001 seconds)
[611172.067920] OOM killer disabled.
[611172.072465] Freezing remaining freezable tasks
[611172.080332] Freezing remaining freezable tasks completed (elapsed 0.001 seconds)
[611172.089724] printk: Suspending console(s) (use no_console_suspend to debug)
[611172.117126] serial 00:03: disabled
some other hardware get reconnected
[611203.136277] OOM killer enabled.
[611203.140637] Restarting tasks ...
[611203.141135] usb 1-8.1: USB disconnect, device number 7
[611203.141755] done.
[611203.155268] random: crng reseeded on system resumption
[611203.162059] PM: suspend exit
After investigation, I noticed that for the code block
if (write(power_state_fd, "mem", strlen("mem")) != strlen("mem"))
ksft_exit_fail_msg("Failed to enter Suspend state\n");
The write will return -1 and errno is set to 16 (device busy).
It should be caused by the write function is not successfully returned
before the system suspend and the return value get messed when waking up.
As a result, It may be better to check the time passed of those few
instructions to determine whether the suspend is executed correctly for
it is pretty hard to execute those few lines for 5 seconds.
The timer to wake up the system is set to expire after 5 seconds and
no re-arm. If the timer remaining time is 0 second and 0 nano secomd,
it means the timer expired and wake the system up. Otherwise, the system
could be considered to enter the suspend state failed if there is any
remaining time.
After appling this patch, the test would not fail for it believes the
system does not go to suspend by mistake. It now could continue to the
rest part of the test after suspend.
Fixes: bfd092b8c272 ("selftests: breakpoint: add step_after_suspend_test")
Reported-by: Sinadin Shan <sinadin.shan@oracle.com>
Signed-off-by: Yifei Liu <yifei.l.liu@oracle.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../testing/selftests/breakpoints/step_after_suspend_test.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/breakpoints/step_after_suspend_test.c b/tools/testing/selftests/breakpoints/step_after_suspend_test.c
index 2cf6f10ab7c4a..fc02918962c75 100644
--- a/tools/testing/selftests/breakpoints/step_after_suspend_test.c
+++ b/tools/testing/selftests/breakpoints/step_after_suspend_test.c
@@ -153,7 +153,10 @@ void suspend(void)
if (err < 0)
ksft_exit_fail_msg("timerfd_settime() failed\n");
- if (write(power_state_fd, "mem", strlen("mem")) != strlen("mem"))
+ system("(echo mem > /sys/power/state) 2> /dev/null");
+
+ timerfd_gettime(timerfd, &spec);
+ if (spec.it_value.tv_sec != 0 || spec.it_value.tv_nsec != 0)
ksft_exit_fail_msg("Failed to enter Suspend state\n");
close(timerfd);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 193/386] accel/ivpu: Add missing MODULE_FIRMWARE metadata
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 192/386] selftests: breakpoints: use remaining time to check if suspend succeed Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 194/386] spi: rpc-if: Add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
` (203 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander F. Lent, Jacek Lawrynowicz,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander F. Lent <lx@xanderlent.com>
[ Upstream commit 58b5618ba80a5e5a8d531a70eae12070e5bd713f ]
Modules that load firmware from various paths at runtime must declare
those paths at compile time, via the MODULE_FIRMWARE macro, so that the
firmware paths are included in the module's metadata.
The accel/ivpu driver loads firmware but lacks this metadata,
preventing dracut from correctly locating firmware files. Fix it.
Fixes: 9ab43e95f922 ("accel/ivpu: Switch to generation based FW names")
Fixes: 02d5b0aacd05 ("accel/ivpu: Implement firmware parsing and booting")
Signed-off-by: Alexander F. Lent <lx@xanderlent.com>
Reviewed-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240709-fix-ivpu-firmware-metadata-v3-1-55f70bba055b@xanderlent.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/accel/ivpu/ivpu_fw.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/accel/ivpu/ivpu_fw.c b/drivers/accel/ivpu/ivpu_fw.c
index a277bbae78fc4..3b35d262ddd43 100644
--- a/drivers/accel/ivpu/ivpu_fw.c
+++ b/drivers/accel/ivpu/ivpu_fw.c
@@ -55,6 +55,10 @@ static struct {
{ IVPU_HW_40XX, "intel/vpu/vpu_40xx_v0.0.bin" },
};
+/* Production fw_names from the table above */
+MODULE_FIRMWARE("intel/vpu/vpu_37xx_v0.0.bin");
+MODULE_FIRMWARE("intel/vpu/vpu_40xx_v0.0.bin");
+
static int ivpu_fw_request(struct ivpu_device *vdev)
{
int ret = -ENOENT;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 194/386] spi: rpc-if: Add missing MODULE_DEVICE_TABLE
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 193/386] accel/ivpu: Add missing MODULE_FIRMWARE metadata Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 195/386] perf callchain: Fix stitch LBR memory leaks Greg Kroah-Hartman
` (202 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Biju Das, Geert Uytterhoeven,
Mark Brown, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Biju Das <biju.das.jz@bp.renesas.com>
[ Upstream commit 0880f669436028c5499901e5acd8f4b4ea0e0c6a ]
Add missing MODULE_DEVICE_TABLE definition for automatic loading of the
driver when it is built as a module.
Fixes: eb8d6d464a27 ("spi: add Renesas RPC-IF driver")
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Link: https://patch.msgid.link/20240731072955.224125-1-biju.das.jz@bp.renesas.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/spi/spi-rpc-if.c | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/drivers/spi/spi-rpc-if.c b/drivers/spi/spi-rpc-if.c
index e11146932828a..7cce2d2ab9ca6 100644
--- a/drivers/spi/spi-rpc-if.c
+++ b/drivers/spi/spi-rpc-if.c
@@ -198,9 +198,16 @@ static int __maybe_unused rpcif_spi_resume(struct device *dev)
static SIMPLE_DEV_PM_OPS(rpcif_spi_pm_ops, rpcif_spi_suspend, rpcif_spi_resume);
+static const struct platform_device_id rpc_if_spi_id_table[] = {
+ { .name = "rpc-if-spi" },
+ { /* sentinel */ }
+};
+MODULE_DEVICE_TABLE(platform, rpc_if_spi_id_table);
+
static struct platform_driver rpcif_spi_driver = {
.probe = rpcif_spi_probe,
.remove_new = rpcif_spi_remove,
+ .id_table = rpc_if_spi_id_table,
.driver = {
.name = "rpc-if-spi",
#ifdef CONFIG_PM_SLEEP
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 195/386] perf callchain: Fix stitch LBR memory leaks
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 194/386] spi: rpc-if: Add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 196/386] perf: Really fix event_function_call() locking Greg Kroah-Hartman
` (201 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kan Liang, Ian Rogers,
Arnaldo Carvalho de Melo, Adrian Hunter, Alexander Shishkin,
Andi Kleen, Anne Macedo, Changbin Du, Ingo Molnar, Jiri Olsa,
Mark Rutland, Namhyung Kim, Peter Zijlstra, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ian Rogers <irogers@google.com>
[ Upstream commit 599c19397b17d197fc1184bbc950f163a292efc9 ]
The 'struct callchain_cursor_node' has a 'struct map_symbol' whose maps
and map members are reference counted. Ensure these values use a _get
routine to increment the reference counts and use map_symbol__exit() to
release the reference counts.
Do similar for 'struct thread's prev_lbr_cursor, but save the size of
the prev_lbr_cursor array so that it may be iterated.
Ensure that when stitch_nodes are placed on the free list the
map_symbols are exited.
Fix resolve_lbr_callchain_sample() by replacing list_replace_init() to
list_splice_init(), so the whole list is moved and nodes aren't leaked.
A reproduction of the memory leaks is possible with a leak sanitizer
build in the perf report command of:
```
$ perf record -e cycles --call-graph lbr perf test -w thloop
$ perf report --stitch-lbr
```
Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
Fixes: ff165628d72644e3 ("perf callchain: Stitch LBR call stack")
Signed-off-by: Ian Rogers <irogers@google.com>
[ Basic tests after applying the patch, repeating the example above ]
Tested-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Alexander Shishkin <alexander.shishkin@linux.intel.com>
Cc: Andi Kleen <ak@linux.intel.com>
Cc: Anne Macedo <retpolanne@posteo.net>
Cc: Changbin Du <changbin.du@huawei.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Link: https://lore.kernel.org/r/20240808054644.1286065-1-irogers@google.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/perf/util/machine.c | 17 +++++++++++++++--
tools/perf/util/thread.c | 4 ++++
tools/perf/util/thread.h | 1 +
3 files changed, 20 insertions(+), 2 deletions(-)
diff --git a/tools/perf/util/machine.c b/tools/perf/util/machine.c
index 7c6874804660e..24dead4e30656 100644
--- a/tools/perf/util/machine.c
+++ b/tools/perf/util/machine.c
@@ -2536,8 +2536,12 @@ static void save_lbr_cursor_node(struct thread *thread,
cursor->curr = cursor->first;
else
cursor->curr = cursor->curr->next;
+
+ map_symbol__exit(&lbr_stitch->prev_lbr_cursor[idx].ms);
memcpy(&lbr_stitch->prev_lbr_cursor[idx], cursor->curr,
sizeof(struct callchain_cursor_node));
+ lbr_stitch->prev_lbr_cursor[idx].ms.maps = maps__get(cursor->curr->ms.maps);
+ lbr_stitch->prev_lbr_cursor[idx].ms.map = map__get(cursor->curr->ms.map);
lbr_stitch->prev_lbr_cursor[idx].valid = true;
cursor->pos++;
@@ -2748,6 +2752,9 @@ static bool has_stitched_lbr(struct thread *thread,
memcpy(&stitch_node->cursor, &lbr_stitch->prev_lbr_cursor[i],
sizeof(struct callchain_cursor_node));
+ stitch_node->cursor.ms.maps = maps__get(lbr_stitch->prev_lbr_cursor[i].ms.maps);
+ stitch_node->cursor.ms.map = map__get(lbr_stitch->prev_lbr_cursor[i].ms.map);
+
if (callee)
list_add(&stitch_node->node, &lbr_stitch->lists);
else
@@ -2771,6 +2778,8 @@ static bool alloc_lbr_stitch(struct thread *thread, unsigned int max_lbr)
if (!thread__lbr_stitch(thread)->prev_lbr_cursor)
goto free_lbr_stitch;
+ thread__lbr_stitch(thread)->prev_lbr_cursor_size = max_lbr + 1;
+
INIT_LIST_HEAD(&thread__lbr_stitch(thread)->lists);
INIT_LIST_HEAD(&thread__lbr_stitch(thread)->free_lists);
@@ -2826,8 +2835,12 @@ static int resolve_lbr_callchain_sample(struct thread *thread,
max_lbr, callee);
if (!stitched_lbr && !list_empty(&lbr_stitch->lists)) {
- list_replace_init(&lbr_stitch->lists,
- &lbr_stitch->free_lists);
+ struct stitch_list *stitch_node;
+
+ list_for_each_entry(stitch_node, &lbr_stitch->lists, node)
+ map_symbol__exit(&stitch_node->cursor.ms);
+
+ list_splice_init(&lbr_stitch->lists, &lbr_stitch->free_lists);
}
memcpy(&lbr_stitch->prev_sample, sample, sizeof(*sample));
}
diff --git a/tools/perf/util/thread.c b/tools/perf/util/thread.c
index 61e9f449c7258..6817b99e550ba 100644
--- a/tools/perf/util/thread.c
+++ b/tools/perf/util/thread.c
@@ -478,6 +478,7 @@ void thread__free_stitch_list(struct thread *thread)
return;
list_for_each_entry_safe(pos, tmp, &lbr_stitch->lists, node) {
+ map_symbol__exit(&pos->cursor.ms);
list_del_init(&pos->node);
free(pos);
}
@@ -487,6 +488,9 @@ void thread__free_stitch_list(struct thread *thread)
free(pos);
}
+ for (unsigned int i = 0 ; i < lbr_stitch->prev_lbr_cursor_size; i++)
+ map_symbol__exit(&lbr_stitch->prev_lbr_cursor[i].ms);
+
zfree(&lbr_stitch->prev_lbr_cursor);
free(thread__lbr_stitch(thread));
thread__set_lbr_stitch(thread, NULL);
diff --git a/tools/perf/util/thread.h b/tools/perf/util/thread.h
index 0df775b5c1105..a5423f834dc9d 100644
--- a/tools/perf/util/thread.h
+++ b/tools/perf/util/thread.h
@@ -28,6 +28,7 @@ struct lbr_stitch {
struct list_head free_lists;
struct perf_sample prev_sample;
struct callchain_cursor_node *prev_lbr_cursor;
+ unsigned int prev_lbr_cursor_size;
};
struct thread_rb_node {
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 196/386] perf: Really fix event_function_call() locking
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 195/386] perf callchain: Fix stitch LBR memory leaks Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 197/386] selftests: vDSO: fix vDSO name for powerpc Greg Kroah-Hartman
` (200 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pengfei Xu, Naresh Kamboju,
Namhyung Kim, Peter Zijlstra (Intel), Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namhyung Kim <namhyung@kernel.org>
[ Upstream commit fe826cc2654e8561b64246325e6a51b62bf2488c ]
Commit 558abc7e3f89 ("perf: Fix event_function_call() locking") lost
IRQ disabling by mistake.
Fixes: 558abc7e3f89 ("perf: Fix event_function_call() locking")
Reported-by: Pengfei Xu <pengfei.xu@intel.com>
Reported-by: Naresh Kamboju <naresh.kamboju@linaro.org>
Tested-by: Pengfei Xu <pengfei.xu@intel.com>
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/core.c | 13 ++++++++-----
1 file changed, 8 insertions(+), 5 deletions(-)
diff --git a/kernel/events/core.c b/kernel/events/core.c
index 18eab7f50ecce..0ff381fa2f588 100644
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -263,8 +263,8 @@ static int event_function(void *info)
static void event_function_call(struct perf_event *event, event_f func, void *data)
{
struct perf_event_context *ctx = event->ctx;
- struct perf_cpu_context *cpuctx = this_cpu_ptr(&perf_cpu_context);
struct task_struct *task = READ_ONCE(ctx->task); /* verified in event_function */
+ struct perf_cpu_context *cpuctx;
struct event_function_struct efs = {
.event = event,
.func = func,
@@ -292,22 +292,25 @@ static void event_function_call(struct perf_event *event, event_f func, void *da
if (!task_function_call(task, event_function, &efs))
return;
+ local_irq_disable();
+ cpuctx = this_cpu_ptr(&perf_cpu_context);
perf_ctx_lock(cpuctx, ctx);
/*
* Reload the task pointer, it might have been changed by
* a concurrent perf_event_context_sched_out().
*/
task = ctx->task;
- if (task == TASK_TOMBSTONE) {
- perf_ctx_unlock(cpuctx, ctx);
- return;
- }
+ if (task == TASK_TOMBSTONE)
+ goto unlock;
if (ctx->is_active) {
perf_ctx_unlock(cpuctx, ctx);
+ local_irq_enable();
goto again;
}
func(event, NULL, ctx, data);
+unlock:
perf_ctx_unlock(cpuctx, ctx);
+ local_irq_enable();
}
/*
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 197/386] selftests: vDSO: fix vDSO name for powerpc
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 196/386] perf: Really fix event_function_call() locking Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 198/386] selftests: vDSO: fix vdso_config " Greg Kroah-Hartman
` (199 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Shuah Khan,
Jason A. Donenfeld, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit 59eb856c3ed9b3552befd240c0c339f22eed3fa1 ]
Following error occurs when running vdso_test_correctness on powerpc:
~ # ./vdso_test_correctness
[WARN] failed to find vDSO
[SKIP] No vDSO, so skipping clock_gettime() tests
[SKIP] No vDSO, so skipping clock_gettime64() tests
[RUN] Testing getcpu...
[OK] CPU 0: syscall: cpu 0, node 0
On powerpc, vDSO is neither called linux-vdso.so.1 nor linux-gate.so.1
but linux-vdso32.so.1 or linux-vdso64.so.1.
Also search those two names before giving up.
Fixes: c7e5789b24d3 ("kselftest: Move test_vdso to the vDSO test suite")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/vDSO/vdso_test_correctness.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/tools/testing/selftests/vDSO/vdso_test_correctness.c b/tools/testing/selftests/vDSO/vdso_test_correctness.c
index e691a3cf14911..cdb697ae8343c 100644
--- a/tools/testing/selftests/vDSO/vdso_test_correctness.c
+++ b/tools/testing/selftests/vDSO/vdso_test_correctness.c
@@ -114,6 +114,12 @@ static void fill_function_pointers()
if (!vdso)
vdso = dlopen("linux-gate.so.1",
RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD);
+ if (!vdso)
+ vdso = dlopen("linux-vdso32.so.1",
+ RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD);
+ if (!vdso)
+ vdso = dlopen("linux-vdso64.so.1",
+ RTLD_LAZY | RTLD_LOCAL | RTLD_NOLOAD);
if (!vdso) {
printf("[WARN]\tfailed to find vDSO\n");
return;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 198/386] selftests: vDSO: fix vdso_config for powerpc
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 197/386] selftests: vDSO: fix vDSO name for powerpc Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 199/386] selftests: vDSO: fix vDSO symbols lookup for powerpc64 Greg Kroah-Hartman
` (198 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Shuah Khan,
Jason A. Donenfeld, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit 7d297c419b08eafa69ce27243ee9bbecab4fcaa4 ]
Running vdso_test_correctness on powerpc64 gives the following warning:
~ # ./vdso_test_correctness
Warning: failed to find clock_gettime64 in vDSO
This is because vdso_test_correctness was built with VDSO_32BIT defined.
__powerpc__ macro is defined on both powerpc32 and powerpc64 so
__powerpc64__ needs to be checked first in vdso_config.h
Fixes: 693f5ca08ca0 ("kselftest: Extend vDSO selftest")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/vDSO/vdso_config.h | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/tools/testing/selftests/vDSO/vdso_config.h b/tools/testing/selftests/vDSO/vdso_config.h
index cdfed403ba13f..f9890584f6fb4 100644
--- a/tools/testing/selftests/vDSO/vdso_config.h
+++ b/tools/testing/selftests/vDSO/vdso_config.h
@@ -18,13 +18,13 @@
#elif defined(__aarch64__)
#define VDSO_VERSION 3
#define VDSO_NAMES 0
-#elif defined(__powerpc__)
+#elif defined(__powerpc64__)
#define VDSO_VERSION 1
#define VDSO_NAMES 0
-#define VDSO_32BIT 1
-#elif defined(__powerpc64__)
+#elif defined(__powerpc__)
#define VDSO_VERSION 1
#define VDSO_NAMES 0
+#define VDSO_32BIT 1
#elif defined (__s390__)
#define VDSO_VERSION 2
#define VDSO_NAMES 0
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 199/386] selftests: vDSO: fix vDSO symbols lookup for powerpc64
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 198/386] selftests: vDSO: fix vdso_config " Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 200/386] selftests/mm: fix charge_reserved_hugetlb.sh test Greg Kroah-Hartman
` (197 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Shuah Khan,
Jason A. Donenfeld, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit ba83b3239e657469709d15dcea5f9b65bf9dbf34 ]
On powerpc64, following tests fail locating vDSO functions:
~ # ./vdso_test_abi
TAP version 13
1..16
# [vDSO kselftest] VDSO_VERSION: LINUX_2.6.15
# Couldn't find __kernel_gettimeofday
ok 1 # SKIP __kernel_gettimeofday
# clock_id: CLOCK_REALTIME
# Couldn't find __kernel_clock_gettime
ok 2 # SKIP __kernel_clock_gettime CLOCK_REALTIME
# Couldn't find __kernel_clock_getres
ok 3 # SKIP __kernel_clock_getres CLOCK_REALTIME
...
# Couldn't find __kernel_time
ok 16 # SKIP __kernel_time
# Totals: pass:0 fail:0 xfail:0 xpass:0 skip:16 error:0
~ # ./vdso_test_getrandom
__kernel_getrandom is missing!
~ # ./vdso_test_gettimeofday
Could not find __kernel_gettimeofday
~ # ./vdso_test_getcpu
Could not find __kernel_getcpu
On powerpc64, as shown below by readelf, vDSO functions symbols have
type NOTYPE, so also accept that type when looking for symbols.
$ powerpc64-linux-gnu-readelf -a arch/powerpc/kernel/vdso/vdso64.so.dbg
ELF Header:
Magic: 7f 45 4c 46 02 02 01 00 00 00 00 00 00 00 00 00
Class: ELF64
Data: 2's complement, big endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: DYN (Shared object file)
Machine: PowerPC64
Version: 0x1
...
Symbol table '.dynsym' contains 12 entries:
Num: Value Size Type Bind Vis Ndx Name
0: 0000000000000000 0 NOTYPE LOCAL DEFAULT UND
1: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
2: 00000000000005f0 36 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
3: 0000000000000578 68 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
4: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15
5: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
6: 0000000000000614 172 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
7: 00000000000006f0 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
8: 000000000000047c 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
9: 0000000000000454 12 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
10: 00000000000004d0 84 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
11: 00000000000005bc 52 NOTYPE GLOBAL DEFAULT 8 __[...]@@LINUX_2.6.15
Symbol table '.symtab' contains 56 entries:
Num: Value Size Type Bind Vis Ndx Name
...
45: 0000000000000000 0 OBJECT GLOBAL DEFAULT ABS LINUX_2.6.15
46: 00000000000006c0 48 NOTYPE GLOBAL DEFAULT 8 __kernel_getcpu
47: 0000000000000524 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_getres
48: 00000000000005f0 36 NOTYPE GLOBAL DEFAULT 8 __kernel_get_tbfreq
49: 000000000000047c 84 NOTYPE GLOBAL DEFAULT 8 __kernel_gettimeofday
50: 0000000000000614 172 NOTYPE GLOBAL DEFAULT 8 __kernel_sync_dicache
51: 00000000000006f0 84 NOTYPE GLOBAL DEFAULT 8 __kernel_getrandom
52: 0000000000000454 12 NOTYPE GLOBAL DEFAULT 8 __kernel_sigtram[...]
53: 0000000000000578 68 NOTYPE GLOBAL DEFAULT 8 __kernel_time
54: 00000000000004d0 84 NOTYPE GLOBAL DEFAULT 8 __kernel_clock_g[...]
55: 00000000000005bc 52 NOTYPE GLOBAL DEFAULT 8 __kernel_get_sys[...]
Fixes: 98eedc3a9dbf ("Document the vDSO and add a reference parser")
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Acked-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/vDSO/parse_vdso.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c
index 4ae417372e9eb..d9ccc5acac182 100644
--- a/tools/testing/selftests/vDSO/parse_vdso.c
+++ b/tools/testing/selftests/vDSO/parse_vdso.c
@@ -216,7 +216,8 @@ void *vdso_sym(const char *version, const char *name)
ELF(Sym) *sym = &vdso_info.symtab[chain];
/* Check for a defined global or weak function w/ right name. */
- if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC)
+ if (ELF64_ST_TYPE(sym->st_info) != STT_FUNC &&
+ ELF64_ST_TYPE(sym->st_info) != STT_NOTYPE)
continue;
if (ELF64_ST_BIND(sym->st_info) != STB_GLOBAL &&
ELF64_ST_BIND(sym->st_info) != STB_WEAK)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 200/386] selftests/mm: fix charge_reserved_hugetlb.sh test
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 199/386] selftests: vDSO: fix vDSO symbols lookup for powerpc64 Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 201/386] powerpc/vdso: Fix VDSO data access when running in a non-root time namespace Greg Kroah-Hartman
` (196 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Hildenbrand, Mario Casquero,
Mina Almasry, Shuah Khan, Muchun Song, Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Hildenbrand <david@redhat.com>
[ Upstream commit c41a701d18efe6b8aa402efab16edbaba50c9548 ]
Currently, running the charge_reserved_hugetlb.sh selftest we can
sometimes observe something like:
$ ./charge_reserved_hugetlb.sh -cgroup-v2
...
write_result is 0
After write:
hugetlb_usage=0
reserved_usage=10485760
killing write_to_hugetlbfs
Received 2.
Deleting the memory
Detach failure: Invalid argument
umount: /mnt/huge: target is busy.
Both cases are issues in the test.
While the unmount error seems to be racy, it will make the test fail:
$ ./run_vmtests.sh -t hugetlb
...
# [FAIL]
not ok 10 charge_reserved_hugetlb.sh -cgroup-v2 # exit=32
The issue is that we are not waiting for the write_to_hugetlbfs process to
quit. So it might still have a hugetlbfs file open, about which umount is
not happy. Fix that by making "killall" wait for the process to quit.
The other error ("Detach failure: Invalid argument") does not seem to
result in a test error, but is misleading. Turns out write_to_hugetlbfs.c
unconditionally tries to cleanup using shmdt(), even when we only
mmap()'ed a hugetlb file. Even worse, shmaddr is never even set for the
SHM case. Fix that as well.
With this change it seems to work as expected.
Link: https://lkml.kernel.org/r/20240821123115.2068812-1-david@redhat.com
Fixes: 29750f71a9b4 ("hugetlb_cgroup: add hugetlb_cgroup reservation tests")
Signed-off-by: David Hildenbrand <david@redhat.com>
Reported-by: Mario Casquero <mcasquer@redhat.com>
Reviewed-by: Mina Almasry <almasrymina@google.com>
Tested-by: Mario Casquero <mcasquer@redhat.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Muchun Song <muchun.song@linux.dev>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../selftests/mm/charge_reserved_hugetlb.sh | 2 +-
.../testing/selftests/mm/write_to_hugetlbfs.c | 21 +++++++++++--------
2 files changed, 13 insertions(+), 10 deletions(-)
diff --git a/tools/testing/selftests/mm/charge_reserved_hugetlb.sh b/tools/testing/selftests/mm/charge_reserved_hugetlb.sh
index e14bdd4455f2d..8e00276b4e69b 100755
--- a/tools/testing/selftests/mm/charge_reserved_hugetlb.sh
+++ b/tools/testing/selftests/mm/charge_reserved_hugetlb.sh
@@ -252,7 +252,7 @@ function cleanup_hugetlb_memory() {
local cgroup="$1"
if [[ "$(pgrep -f write_to_hugetlbfs)" != "" ]]; then
echo killing write_to_hugetlbfs
- killall -2 write_to_hugetlbfs
+ killall -2 --wait write_to_hugetlbfs
wait_for_hugetlb_memory_to_get_depleted $cgroup
fi
set -e
diff --git a/tools/testing/selftests/mm/write_to_hugetlbfs.c b/tools/testing/selftests/mm/write_to_hugetlbfs.c
index 6a2caba19ee1d..1289d311efd70 100644
--- a/tools/testing/selftests/mm/write_to_hugetlbfs.c
+++ b/tools/testing/selftests/mm/write_to_hugetlbfs.c
@@ -28,7 +28,7 @@ enum method {
/* Global variables. */
static const char *self;
-static char *shmaddr;
+static int *shmaddr;
static int shmid;
/*
@@ -47,15 +47,17 @@ void sig_handler(int signo)
{
printf("Received %d.\n", signo);
if (signo == SIGINT) {
- printf("Deleting the memory\n");
- if (shmdt((const void *)shmaddr) != 0) {
- perror("Detach failure");
+ if (shmaddr) {
+ printf("Deleting the memory\n");
+ if (shmdt((const void *)shmaddr) != 0) {
+ perror("Detach failure");
+ shmctl(shmid, IPC_RMID, NULL);
+ exit(4);
+ }
+
shmctl(shmid, IPC_RMID, NULL);
- exit(4);
+ printf("Done deleting the memory\n");
}
-
- shmctl(shmid, IPC_RMID, NULL);
- printf("Done deleting the memory\n");
}
exit(2);
}
@@ -211,7 +213,8 @@ int main(int argc, char **argv)
shmctl(shmid, IPC_RMID, NULL);
exit(2);
}
- printf("shmaddr: %p\n", ptr);
+ shmaddr = ptr;
+ printf("shmaddr: %p\n", shmaddr);
break;
default:
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 201/386] powerpc/vdso: Fix VDSO data access when running in a non-root time namespace
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 200/386] selftests/mm: fix charge_reserved_hugetlb.sh test Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 202/386] selftests: vDSO: fix ELF hash table entry size for s390x Greg Kroah-Hartman
` (195 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason A. Donenfeld, Christophe Leroy,
Michael Ellerman, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe Leroy <christophe.leroy@csgroup.eu>
[ Upstream commit c73049389e58c01e2e3bbfae900c8daeee177191 ]
When running in a non-root time namespace, the global VDSO data page
is replaced by a dedicated namespace data page and the global data
page is mapped next to it. Detailed explanations can be found at
commit 660fd04f9317 ("lib/vdso: Prepare for time namespace support").
When it happens, __kernel_get_syscall_map and __kernel_get_tbfreq
and __kernel_sync_dicache don't work anymore because they read 0
instead of the data they need.
To address that, clock_mode has to be read. When it is set to
VDSO_CLOCKMODE_TIMENS, it means it is a dedicated namespace data page
and the global data is located on the following page.
Add a macro called get_realdatapage which reads clock_mode and add
PAGE_SIZE to the pointer provided by get_datapage macro when
clock_mode is equal to VDSO_CLOCKMODE_TIMENS. Use this new macro
instead of get_datapage macro except for time functions as they handle
it internally.
Fixes: 74205b3fc2ef ("powerpc/vdso: Add support for time namespaces")
Reported-by: Jason A. Donenfeld <Jason@zx2c4.com>
Closes: https://lore.kernel.org/all/ZtnYqZI-nrsNslwy@zx2c4.com/
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Acked-by: Michael Ellerman <mpe@ellerman.id.au>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/include/asm/vdso_datapage.h | 15 +++++++++++++++
arch/powerpc/kernel/asm-offsets.c | 2 ++
arch/powerpc/kernel/vdso/cacheflush.S | 2 +-
arch/powerpc/kernel/vdso/datapage.S | 4 ++--
4 files changed, 20 insertions(+), 3 deletions(-)
diff --git a/arch/powerpc/include/asm/vdso_datapage.h b/arch/powerpc/include/asm/vdso_datapage.h
index a585c8e538ff0..939daf6b695ef 100644
--- a/arch/powerpc/include/asm/vdso_datapage.h
+++ b/arch/powerpc/include/asm/vdso_datapage.h
@@ -111,6 +111,21 @@ extern struct vdso_arch_data *vdso_data;
addi \ptr, \ptr, (_vdso_datapage - 999b)@l
.endm
+#include <asm/asm-offsets.h>
+#include <asm/page.h>
+
+.macro get_realdatapage ptr scratch
+ get_datapage \ptr
+#ifdef CONFIG_TIME_NS
+ lwz \scratch, VDSO_CLOCKMODE_OFFSET(\ptr)
+ xoris \scratch, \scratch, VDSO_CLOCKMODE_TIMENS@h
+ xori \scratch, \scratch, VDSO_CLOCKMODE_TIMENS@l
+ cntlzw \scratch, \scratch
+ rlwinm \scratch, \scratch, PAGE_SHIFT - 5, 1 << PAGE_SHIFT
+ add \ptr, \ptr, \scratch
+#endif
+.endm
+
#endif /* __ASSEMBLY__ */
#endif /* __KERNEL__ */
diff --git a/arch/powerpc/kernel/asm-offsets.c b/arch/powerpc/kernel/asm-offsets.c
index 9f14d95b8b32f..2affd30468bc4 100644
--- a/arch/powerpc/kernel/asm-offsets.c
+++ b/arch/powerpc/kernel/asm-offsets.c
@@ -348,6 +348,8 @@ int main(void)
#else
OFFSET(CFG_SYSCALL_MAP32, vdso_arch_data, syscall_map);
#endif
+ OFFSET(VDSO_CLOCKMODE_OFFSET, vdso_arch_data, data[0].clock_mode);
+ DEFINE(VDSO_CLOCKMODE_TIMENS, VDSO_CLOCKMODE_TIMENS);
#ifdef CONFIG_BUG
DEFINE(BUG_ENTRY_SIZE, sizeof(struct bug_entry));
diff --git a/arch/powerpc/kernel/vdso/cacheflush.S b/arch/powerpc/kernel/vdso/cacheflush.S
index 0085ae464dac9..3b2479bd2f9a1 100644
--- a/arch/powerpc/kernel/vdso/cacheflush.S
+++ b/arch/powerpc/kernel/vdso/cacheflush.S
@@ -30,7 +30,7 @@ END_FTR_SECTION_IFSET(CPU_FTR_COHERENT_ICACHE)
#ifdef CONFIG_PPC64
mflr r12
.cfi_register lr,r12
- get_datapage r10
+ get_realdatapage r10, r11
mtlr r12
.cfi_restore lr
#endif
diff --git a/arch/powerpc/kernel/vdso/datapage.S b/arch/powerpc/kernel/vdso/datapage.S
index db8e167f01667..2b19b6201a33a 100644
--- a/arch/powerpc/kernel/vdso/datapage.S
+++ b/arch/powerpc/kernel/vdso/datapage.S
@@ -28,7 +28,7 @@ V_FUNCTION_BEGIN(__kernel_get_syscall_map)
mflr r12
.cfi_register lr,r12
mr. r4,r3
- get_datapage r3
+ get_realdatapage r3, r11
mtlr r12
#ifdef __powerpc64__
addi r3,r3,CFG_SYSCALL_MAP64
@@ -52,7 +52,7 @@ V_FUNCTION_BEGIN(__kernel_get_tbfreq)
.cfi_startproc
mflr r12
.cfi_register lr,r12
- get_datapage r3
+ get_realdatapage r3, r11
#ifndef __powerpc64__
lwz r4,(CFG_TB_TICKS_PER_SEC + 4)(r3)
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 202/386] selftests: vDSO: fix ELF hash table entry size for s390x
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 201/386] powerpc/vdso: Fix VDSO data access when running in a non-root time namespace Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 203/386] selftests: vDSO: fix vdso_config for s390 Greg Kroah-Hartman
` (194 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Jens Remus,
Jason A. Donenfeld, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Remus <jremus@linux.ibm.com>
[ Upstream commit 14be4e6f35221c4731b004553ecf7cbc6dc1d2d8 ]
The vDSO self tests fail on s390x for a vDSO linked with the GNU linker
ld as follows:
# ./vdso_test_gettimeofday
Floating point exception (core dumped)
On s390x the ELF hash table entries are 64 bits instead of 32 bits in
size (see Glibc sysdeps/unix/sysv/linux/s390/bits/elfclass.h).
Fixes: 40723419f407 ("kselftest: Enable vDSO test on non x86 platforms")
Reported-by: Heiko Carstens <hca@linux.ibm.com>
Tested-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Jens Remus <jremus@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/vDSO/parse_vdso.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
diff --git a/tools/testing/selftests/vDSO/parse_vdso.c b/tools/testing/selftests/vDSO/parse_vdso.c
index d9ccc5acac182..7dd5668ea8a6e 100644
--- a/tools/testing/selftests/vDSO/parse_vdso.c
+++ b/tools/testing/selftests/vDSO/parse_vdso.c
@@ -36,6 +36,12 @@
#define ELF_BITS_XFORM(bits, x) ELF_BITS_XFORM2(bits, x)
#define ELF(x) ELF_BITS_XFORM(ELF_BITS, x)
+#ifdef __s390x__
+#define ELF_HASH_ENTRY ELF(Xword)
+#else
+#define ELF_HASH_ENTRY ELF(Word)
+#endif
+
static struct vdso_info
{
bool valid;
@@ -47,8 +53,8 @@ static struct vdso_info
/* Symbol table */
ELF(Sym) *symtab;
const char *symstrings;
- ELF(Word) *bucket, *chain;
- ELF(Word) nbucket, nchain;
+ ELF_HASH_ENTRY *bucket, *chain;
+ ELF_HASH_ENTRY nbucket, nchain;
/* Version table */
ELF(Versym) *versym;
@@ -115,7 +121,7 @@ void vdso_init_from_sysinfo_ehdr(uintptr_t base)
/*
* Fish out the useful bits of the dynamic table.
*/
- ELF(Word) *hash = 0;
+ ELF_HASH_ENTRY *hash = 0;
vdso_info.symstrings = 0;
vdso_info.symtab = 0;
vdso_info.versym = 0;
@@ -133,7 +139,7 @@ void vdso_init_from_sysinfo_ehdr(uintptr_t base)
+ vdso_info.load_offset);
break;
case DT_HASH:
- hash = (ELF(Word) *)
+ hash = (ELF_HASH_ENTRY *)
((uintptr_t)dyn[i].d_un.d_ptr
+ vdso_info.load_offset);
break;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 203/386] selftests: vDSO: fix vdso_config for s390
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 202/386] selftests: vDSO: fix ELF hash table entry size for s390x Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 204/386] Revert "ALSA: hda: Conditionally use snooping for AMD HDMI" Greg Kroah-Hartman
` (193 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Jason A. Donenfeld,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiko Carstens <hca@linux.ibm.com>
[ Upstream commit a6e23fb8d3c0e3904da70beaf5d7e840a983c97f ]
Running vdso_test_correctness on s390x (aka s390 64 bit) emits a warning:
Warning: failed to find clock_gettime64 in vDSO
This is caused by the "#elif defined (__s390__)" check in vdso_config.h
which the defines VDSO_32BIT.
If __s390x__ is defined also __s390__ is defined. Therefore the correct
check must make sure that only __s390__ is defined.
Therefore add the missing !defined(__s390x__). Also use common
__s390x__ define instead of __s390X__.
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Fixes: 693f5ca08ca0 ("kselftest: Extend vDSO selftest")
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
tools/testing/selftests/vDSO/vdso_config.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/tools/testing/selftests/vDSO/vdso_config.h b/tools/testing/selftests/vDSO/vdso_config.h
index f9890584f6fb4..72de45f587b2c 100644
--- a/tools/testing/selftests/vDSO/vdso_config.h
+++ b/tools/testing/selftests/vDSO/vdso_config.h
@@ -25,11 +25,11 @@
#define VDSO_VERSION 1
#define VDSO_NAMES 0
#define VDSO_32BIT 1
-#elif defined (__s390__)
+#elif defined (__s390__) && !defined(__s390x__)
#define VDSO_VERSION 2
#define VDSO_NAMES 0
#define VDSO_32BIT 1
-#elif defined (__s390X__)
+#elif defined (__s390x__)
#define VDSO_VERSION 2
#define VDSO_NAMES 0
#elif defined(__mips__)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 204/386] Revert "ALSA: hda: Conditionally use snooping for AMD HDMI"
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 203/386] selftests: vDSO: fix vdso_config for s390 Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 205/386] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Greg Kroah-Hartman
` (192 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Salvatore Bonaccorso, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Takashi Iwai <tiwai@suse.de>
commit 3f7f36a4559ef78a6418c5f0447fbfbdcf671956 upstream.
This reverts commit 478689b5990deb626a0b3f1ebf165979914d6be4.
The fix seems leading to regressions for other systems.
Also, the way to check the presence of IOMMU via get_dma_ops() isn't
reliable and it's no longer applicable for 6.12. After all, it's no
right fix, so let's revert it at first.
To be noted, the PCM buffer allocation has been changed to try the
continuous pages at first since 6.12, so the problem could be already
addressed without this hackish workaround.
Reported-by: Salvatore Bonaccorso <carnil@debian.org>
Closes: https://lore.kernel.org/ZvgCdYfKgwHpJXGE@eldamar.lan
Link: https://patch.msgid.link/20241002155948.4859-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/hda_controller.h | 2 +-
sound/pci/hda/hda_intel.c | 10 +---------
2 files changed, 2 insertions(+), 10 deletions(-)
--- a/sound/pci/hda/hda_controller.h
+++ b/sound/pci/hda/hda_controller.h
@@ -28,7 +28,7 @@
#else
#define AZX_DCAPS_I915_COMPONENT 0 /* NOP */
#endif
-#define AZX_DCAPS_AMD_ALLOC_FIX (1 << 14) /* AMD allocation workaround */
+/* 14 unused */
#define AZX_DCAPS_CTX_WORKAROUND (1 << 15) /* X-Fi workaround */
#define AZX_DCAPS_POSFIX_LPIB (1 << 16) /* Use LPIB as default */
#define AZX_DCAPS_AMD_WORKAROUND (1 << 17) /* AMD-specific workaround */
--- a/sound/pci/hda/hda_intel.c
+++ b/sound/pci/hda/hda_intel.c
@@ -40,7 +40,6 @@
#ifdef CONFIG_X86
/* for snoop control */
-#include <linux/dma-map-ops.h>
#include <asm/set_memory.h>
#include <asm/cpufeature.h>
#endif
@@ -302,7 +301,7 @@ enum {
/* quirks for ATI HDMI with snoop off */
#define AZX_DCAPS_PRESET_ATI_HDMI_NS \
- (AZX_DCAPS_PRESET_ATI_HDMI | AZX_DCAPS_AMD_ALLOC_FIX)
+ (AZX_DCAPS_PRESET_ATI_HDMI | AZX_DCAPS_SNOOP_OFF)
/* quirks for AMD SB */
#define AZX_DCAPS_PRESET_AMD_SB \
@@ -1716,13 +1715,6 @@ static void azx_check_snoop_available(st
if (chip->driver_caps & AZX_DCAPS_SNOOP_OFF)
snoop = false;
-#ifdef CONFIG_X86
- /* check the presence of DMA ops (i.e. IOMMU), disable snoop conditionally */
- if ((chip->driver_caps & AZX_DCAPS_AMD_ALLOC_FIX) &&
- !get_dma_ops(chip->card->dev))
- snoop = false;
-#endif
-
chip->snoop = snoop;
if (!snoop) {
dev_info(chip->card->dev, "Force to non-snoop mode\n");
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 205/386] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 204/386] Revert "ALSA: hda: Conditionally use snooping for AMD HDMI" Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 206/386] i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Greg Kroah-Hartman
` (191 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Pandruvada, Zach Wade,
Hans de Goede
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zach Wade <zachwade.k@gmail.com>
commit 7d59ac07ccb58f8f604f8057db63b8efcebeb3de upstream.
Attaching SST PCI device to VM causes "BUG: KASAN: slab-out-of-bounds".
kasan report:
[ 19.411889] ==================================================================
[ 19.413702] BUG: KASAN: slab-out-of-bounds in _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.415634] Read of size 8 at addr ffff888829e65200 by task cpuhp/16/113
[ 19.417368]
[ 19.418627] CPU: 16 PID: 113 Comm: cpuhp/16 Tainted: G E 6.9.0 #10
[ 19.420435] Hardware name: VMware, Inc. VMware20,1/440BX Desktop Reference Platform, BIOS VMW201.00V.20192059.B64.2207280713 07/28/2022
[ 19.422687] Call Trace:
[ 19.424091] <TASK>
[ 19.425448] dump_stack_lvl+0x5d/0x80
[ 19.426963] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.428694] print_report+0x19d/0x52e
[ 19.430206] ? __pfx__raw_spin_lock_irqsave+0x10/0x10
[ 19.431837] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.433539] kasan_report+0xf0/0x170
[ 19.435019] ? _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.436709] _isst_if_get_pci_dev+0x3d5/0x400 [isst_if_common]
[ 19.438379] ? __pfx_sched_clock_cpu+0x10/0x10
[ 19.439910] isst_if_cpu_online+0x406/0x58f [isst_if_common]
[ 19.441573] ? __pfx_isst_if_cpu_online+0x10/0x10 [isst_if_common]
[ 19.443263] ? ttwu_queue_wakelist+0x2c1/0x360
[ 19.444797] cpuhp_invoke_callback+0x221/0xec0
[ 19.446337] cpuhp_thread_fun+0x21b/0x610
[ 19.447814] ? __pfx_cpuhp_thread_fun+0x10/0x10
[ 19.449354] smpboot_thread_fn+0x2e7/0x6e0
[ 19.450859] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 19.452405] kthread+0x29c/0x350
[ 19.453817] ? __pfx_kthread+0x10/0x10
[ 19.455253] ret_from_fork+0x31/0x70
[ 19.456685] ? __pfx_kthread+0x10/0x10
[ 19.458114] ret_from_fork_asm+0x1a/0x30
[ 19.459573] </TASK>
[ 19.460853]
[ 19.462055] Allocated by task 1198:
[ 19.463410] kasan_save_stack+0x30/0x50
[ 19.464788] kasan_save_track+0x14/0x30
[ 19.466139] __kasan_kmalloc+0xaa/0xb0
[ 19.467465] __kmalloc+0x1cd/0x470
[ 19.468748] isst_if_cdev_register+0x1da/0x350 [isst_if_common]
[ 19.470233] isst_if_mbox_init+0x108/0xff0 [isst_if_mbox_msr]
[ 19.471670] do_one_initcall+0xa4/0x380
[ 19.472903] do_init_module+0x238/0x760
[ 19.474105] load_module+0x5239/0x6f00
[ 19.475285] init_module_from_file+0xd1/0x130
[ 19.476506] idempotent_init_module+0x23b/0x650
[ 19.477725] __x64_sys_finit_module+0xbe/0x130
[ 19.476506] idempotent_init_module+0x23b/0x650
[ 19.477725] __x64_sys_finit_module+0xbe/0x130
[ 19.478920] do_syscall_64+0x82/0x160
[ 19.480036] entry_SYSCALL_64_after_hwframe+0x76/0x7e
[ 19.481292]
[ 19.482205] The buggy address belongs to the object at ffff888829e65000
which belongs to the cache kmalloc-512 of size 512
[ 19.484818] The buggy address is located 0 bytes to the right of
allocated 512-byte region [ffff888829e65000, ffff888829e65200)
[ 19.487447]
[ 19.488328] The buggy address belongs to the physical page:
[ 19.489569] page: refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888829e60c00 pfn:0x829e60
[ 19.491140] head: order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 19.492466] anon flags: 0x57ffffc0000840(slab|head|node=1|zone=2|lastcpupid=0x1fffff)
[ 19.493914] page_type: 0xffffffff()
[ 19.494988] raw: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.496451] raw: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.497906] head: 0057ffffc0000840 ffff88810004cc80 0000000000000000 0000000000000001
[ 19.499379] head: ffff888829e60c00 0000000080200018 00000001ffffffff 0000000000000000
[ 19.500844] head: 0057ffffc0000003 ffffea0020a79801 ffffea0020a79848 00000000ffffffff
[ 19.502316] head: 0000000800000000 0000000000000000 00000000ffffffff 0000000000000000
[ 19.503784] page dumped because: kasan: bad access detected
[ 19.505058]
[ 19.505970] Memory state around the buggy address:
[ 19.507172] ffff888829e65100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.508599] ffff888829e65180: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
[ 19.510013] >ffff888829e65200: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.510014] ^
[ 19.510016] ffff888829e65280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.510018] ffff888829e65300: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 19.515367] ==================================================================
The reason for this error is physical_package_ids assigned by VMware VMM
are not continuous and have gaps. This will cause value returned by
topology_physical_package_id() to be more than topology_max_packages().
Here the allocation uses topology_max_packages(). The call to
topology_max_packages() returns maximum logical package ID not physical
ID. Hence use topology_logical_package_id() instead of
topology_physical_package_id().
Fixes: 9a1aac8a96dc ("platform/x86: ISST: PUNIT device mapping with Sub-NUMA clustering")
Cc: stable@vger.kernel.org
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Signed-off-by: Zach Wade <zachwade.k@gmail.com>
Link: https://lore.kernel.org/r/20240923144508.1764-1-zachwade.k@gmail.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/intel/speed_select_if/isst_if_common.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
+++ b/drivers/platform/x86/intel/speed_select_if/isst_if_common.c
@@ -316,7 +316,9 @@ static struct pci_dev *_isst_if_get_pci_
cpu >= nr_cpu_ids || cpu >= num_possible_cpus())
return NULL;
- pkg_id = topology_physical_package_id(cpu);
+ pkg_id = topology_logical_package_id(cpu);
+ if (pkg_id >= topology_max_packages())
+ return NULL;
bus_number = isst_cpu_info[cpu].bus_info[bus_no];
if (bus_number < 0)
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 206/386] i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 205/386] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 207/386] i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() Greg Kroah-Hartman
` (190 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alain Volmat, Marek Vasut,
Andi Shyti
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Marek Vasut <marex@denx.de>
commit 048bbbdbf85e5e00258dfb12f5e368f908801d7b upstream.
In case there is any sort of clock controller attached to this I2C bus
controller, for example Versaclock or even an AIC32x4 I2C codec, then
an I2C transfer triggered from the clock controller clk_ops .prepare
callback may trigger a deadlock on drivers/clk/clk.c prepare_lock mutex.
This is because the clock controller first grabs the prepare_lock mutex
and then performs the prepare operation, including its I2C access. The
I2C access resumes this I2C bus controller via .runtime_resume callback,
which calls clk_prepare_enable(), which attempts to grab the prepare_lock
mutex again and deadlocks.
Since the clock are already prepared since probe() and unprepared in
remove(), use simple clk_enable()/clk_disable() calls to enable and
disable the clock on runtime suspend and resume, to avoid hitting the
prepare_lock mutex.
Acked-by: Alain Volmat <alain.volmat@foss.st.com>
Signed-off-by: Marek Vasut <marex@denx.de>
Fixes: 4e7bca6fc07b ("i2c: i2c-stm32f7: add PM Runtime support")
Cc: <stable@vger.kernel.org> # v5.0+
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-stm32f7.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/i2c/busses/i2c-stm32f7.c
+++ b/drivers/i2c/busses/i2c-stm32f7.c
@@ -2394,7 +2394,7 @@ static int __maybe_unused stm32f7_i2c_ru
struct stm32f7_i2c_dev *i2c_dev = dev_get_drvdata(dev);
if (!stm32f7_i2c_is_slave_registered(i2c_dev))
- clk_disable_unprepare(i2c_dev->clk);
+ clk_disable(i2c_dev->clk);
return 0;
}
@@ -2405,9 +2405,9 @@ static int __maybe_unused stm32f7_i2c_ru
int ret;
if (!stm32f7_i2c_is_slave_registered(i2c_dev)) {
- ret = clk_prepare_enable(i2c_dev->clk);
+ ret = clk_enable(i2c_dev->clk);
if (ret) {
- dev_err(dev, "failed to prepare_enable clock\n");
+ dev_err(dev, "failed to enable clock\n");
return ret;
}
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 207/386] i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 206/386] i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 208/386] i2c: xiic: Wait for TX empty to avoid missed TX NAKs Greg Kroah-Hartman
` (189 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jinjie Ruan, Mukesh Kumar Savaliya,
Vladimir Zapolskiy, Andi Shyti
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
commit e2c85d85a05f16af2223fcc0195ff50a7938b372 upstream.
disable_irq() after request_irq() still has a time gap in which
interrupts can come. request_irq() with IRQF_NO_AUTOEN flag will
disable IRQ auto-enable when request IRQ.
Fixes: 37692de5d523 ("i2c: i2c-qcom-geni: Add bus driver for the Qualcomm GENI I2C controller")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Cc: <stable@vger.kernel.org> # v4.19+
Acked-by: Mukesh Kumar Savaliya <quic_msavaliy@quicinc.com>
Reviewed-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-qcom-geni.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/drivers/i2c/busses/i2c-qcom-geni.c
+++ b/drivers/i2c/busses/i2c-qcom-geni.c
@@ -819,15 +819,13 @@ static int geni_i2c_probe(struct platfor
init_completion(&gi2c->done);
spin_lock_init(&gi2c->lock);
platform_set_drvdata(pdev, gi2c);
- ret = devm_request_irq(dev, gi2c->irq, geni_i2c_irq, 0,
+ ret = devm_request_irq(dev, gi2c->irq, geni_i2c_irq, IRQF_NO_AUTOEN,
dev_name(dev), gi2c);
if (ret) {
dev_err(dev, "Request_irq failed:%d: err:%d\n",
gi2c->irq, ret);
return ret;
}
- /* Disable the interrupt so that the system can enter low-power mode */
- disable_irq(gi2c->irq);
i2c_set_adapdata(&gi2c->adap, gi2c);
gi2c->adap.dev.parent = dev;
gi2c->adap.dev.of_node = dev->of_node;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 208/386] i2c: xiic: Wait for TX empty to avoid missed TX NAKs
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 207/386] i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 209/386] media: i2c: ar0521: Use cansleep version of gpiod_set_value() Greg Kroah-Hartman
` (188 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Robert Hancock, Manikanta Guntupalli,
Michal Simek, Andi Shyti
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Robert Hancock <robert.hancock@calian.com>
commit 521da1e9225450bd323db5fa5bca942b1dc485b7 upstream.
Frequently an I2C write will be followed by a read, such as a register
address write followed by a read of the register value. In this driver,
when the TX FIFO half empty interrupt was raised and it was determined
that there was enough space in the TX FIFO to send the following read
command, it would do so without waiting for the TX FIFO to actually
empty.
Unfortunately it appears that in some cases this can result in a NAK
that was raised by the target device on the write, such as due to an
unsupported register address, being ignored and the subsequent read
being done anyway. This can potentially put the I2C bus into an
invalid state and/or result in invalid read data being processed.
To avoid this, once a message has been fully written to the TX FIFO,
wait for the TX FIFO empty interrupt before moving on to the next
message, to ensure NAKs are handled properly.
Fixes: e1d5b6598cdc ("i2c: Add support for Xilinx XPS IIC Bus Interface")
Signed-off-by: Robert Hancock <robert.hancock@calian.com>
Cc: <stable@vger.kernel.org> # v2.6.34+
Reviewed-by: Manikanta Guntupalli <manikanta.guntupalli@amd.com>
Acked-by: Michal Simek <michal.simek@amd.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-xiic.c | 19 +++++++++----------
1 file changed, 9 insertions(+), 10 deletions(-)
--- a/drivers/i2c/busses/i2c-xiic.c
+++ b/drivers/i2c/busses/i2c-xiic.c
@@ -772,14 +772,17 @@ static irqreturn_t xiic_process(int irq,
goto out;
}
- xiic_fill_tx_fifo(i2c);
-
- /* current message sent and there is space in the fifo */
- if (!xiic_tx_space(i2c) && xiic_tx_fifo_space(i2c) >= 2) {
+ if (xiic_tx_space(i2c)) {
+ xiic_fill_tx_fifo(i2c);
+ } else {
+ /* current message fully written */
dev_dbg(i2c->adap.dev.parent,
"%s end of message sent, nmsgs: %d\n",
__func__, i2c->nmsgs);
- if (i2c->nmsgs > 1) {
+ /* Don't move onto the next message until the TX FIFO empties,
+ * to ensure that a NAK is not missed.
+ */
+ if (i2c->nmsgs > 1 && (pend & XIIC_INTR_TX_EMPTY_MASK)) {
i2c->nmsgs--;
i2c->tx_msg++;
xfer_more = 1;
@@ -790,11 +793,7 @@ static irqreturn_t xiic_process(int irq,
"%s Got TX IRQ but no more to do...\n",
__func__);
}
- } else if (!xiic_tx_space(i2c) && (i2c->nmsgs == 1))
- /* current frame is sent and is last,
- * make sure to disable tx half
- */
- xiic_irq_dis(i2c, XIIC_INTR_TX_HALF_MASK);
+ }
}
if (pend & XIIC_INTR_BNB_MASK) {
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 209/386] media: i2c: ar0521: Use cansleep version of gpiod_set_value()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 208/386] i2c: xiic: Wait for TX empty to avoid missed TX NAKs Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 210/386] i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled Greg Kroah-Hartman
` (187 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexander Shiyan,
Krzysztof Hałasa, Sakari Ailus, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexander Shiyan <eagle.alexander923@gmail.com>
commit bee1aed819a8cda47927436685d216906ed17f62 upstream.
If we use GPIO reset from I2C port expander, we must use *_cansleep()
variant of GPIO functions.
This was not done in ar0521_power_on()/ar0521_power_off() functions.
Let's fix that.
------------[ cut here ]------------
WARNING: CPU: 0 PID: 11 at drivers/gpio/gpiolib.c:3496 gpiod_set_value+0x74/0x7c
Modules linked in:
CPU: 0 PID: 11 Comm: kworker/u16:0 Not tainted 6.10.0 #53
Hardware name: Diasom DS-RK3568-SOM-EVB (DT)
Workqueue: events_unbound deferred_probe_work_func
pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : gpiod_set_value+0x74/0x7c
lr : ar0521_power_on+0xcc/0x290
sp : ffffff8001d7ab70
x29: ffffff8001d7ab70 x28: ffffff80027dcc90 x27: ffffff8003c82000
x26: ffffff8003ca9250 x25: ffffffc080a39c60 x24: ffffff8003ca9088
x23: ffffff8002402720 x22: ffffff8003ca9080 x21: ffffff8003ca9088
x20: 0000000000000000 x19: ffffff8001eb2a00 x18: ffffff80efeeac80
x17: 756d2d6332692f30 x16: 0000000000000000 x15: 0000000000000000
x14: ffffff8001d91d40 x13: 0000000000000016 x12: ffffffc080e98930
x11: ffffff8001eb2880 x10: 0000000000000890 x9 : ffffff8001d7a9f0
x8 : ffffff8001d92570 x7 : ffffff80efeeac80 x6 : 000000003fc6e780
x5 : ffffff8001d91c80 x4 : 0000000000000002 x3 : 0000000000000000
x2 : 0000000000000000 x1 : 0000000000000000 x0 : 0000000000000001
Call trace:
gpiod_set_value+0x74/0x7c
ar0521_power_on+0xcc/0x290
...
Signed-off-by: Alexander Shiyan <eagle.alexander923@gmail.com>
Fixes: 852b50aeed15 ("media: On Semi AR0521 sensor driver")
Cc: stable@vger.kernel.org
Acked-by: Krzysztof Hałasa <khalasa@piap.pl>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ar0521.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/media/i2c/ar0521.c
+++ b/drivers/media/i2c/ar0521.c
@@ -847,7 +847,8 @@ static int ar0521_power_off(struct devic
clk_disable_unprepare(sensor->extclk);
if (sensor->reset_gpio)
- gpiod_set_value(sensor->reset_gpio, 1); /* assert RESET signal */
+ /* assert RESET signal */
+ gpiod_set_value_cansleep(sensor->reset_gpio, 1);
for (i = ARRAY_SIZE(ar0521_supply_names) - 1; i >= 0; i--) {
if (sensor->supplies[i])
@@ -881,7 +882,7 @@ static int ar0521_power_on(struct device
if (sensor->reset_gpio)
/* deassert RESET signal */
- gpiod_set_value(sensor->reset_gpio, 0);
+ gpiod_set_value_cansleep(sensor->reset_gpio, 0);
usleep_range(4500, 5000); /* min 45000 clocks */
for (cnt = 0; cnt < ARRAY_SIZE(initial_regs); cnt++) {
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 210/386] i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 209/386] media: i2c: ar0521: Use cansleep version of gpiod_set_value() Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 211/386] i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled Greg Kroah-Hartman
` (186 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinjie Ruan, Andi Shyti
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
commit 0c8d604dea437b69a861479b413d629bc9b3da70 upstream.
It is not valid to call pm_runtime_set_suspended() for devices
with runtime PM enabled because it returns -EAGAIN if it is enabled
already and working. So, call pm_runtime_disable() before to fix it.
Fixes: 36ecbcab84d0 ("i2c: xiic: Implement power management")
Cc: <stable@vger.kernel.org> # v4.6+
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-xiic.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/i2c/busses/i2c-xiic.c
+++ b/drivers/i2c/busses/i2c-xiic.c
@@ -1337,8 +1337,8 @@ static int xiic_i2c_probe(struct platfor
return 0;
err_pm_disable:
- pm_runtime_set_suspended(&pdev->dev);
pm_runtime_disable(&pdev->dev);
+ pm_runtime_set_suspended(&pdev->dev);
return ret;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 211/386] i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 210/386] i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 212/386] rust: sync: require `T: Sync` for `LockedBy::access` Greg Kroah-Hartman
` (185 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kimriver Liu, Mika Westerberg,
Jarkko Nikula, Andy Shevchenko, Andi Shyti
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kimriver Liu <kimriver.liu@siengine.com>
commit 5d69d5a00f80488ddcb4dee7d1374a0709398178 upstream.
It was observed that issuing the ABORT bit (IC_ENABLE[1]) will not
work when IC_ENABLE is already disabled.
Check if the ENABLE bit (IC_ENABLE[0]) is disabled when the controller
is holding SCL low. If the ENABLE bit is disabled, the software needs
to enable it before trying to issue the ABORT bit. otherwise,
the controller ignores any write to ABORT bit.
These kernel logs show up whenever an I2C transaction is
attempted after this failure.
i2c_designware e95e0000.i2c: timeout waiting for bus ready
i2c_designware e95e0000.i2c: timeout in disabling adapter
The patch fixes the issue where the controller cannot be disabled
while SCL is held low if the ENABLE bit is already disabled.
Fixes: 2409205acd3c ("i2c: designware: fix __i2c_dw_disable() in case master is holding SCL low")
Signed-off-by: Kimriver Liu <kimriver.liu@siengine.com>
Cc: <stable@vger.kernel.org> # v6.6+
Reviewed-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Acked-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-designware-common.c | 14 ++++++++++
drivers/i2c/busses/i2c-designware-core.h | 1
drivers/i2c/busses/i2c-designware-master.c | 38 +++++++++++++++++++++++++++++
3 files changed, 53 insertions(+)
--- a/drivers/i2c/busses/i2c-designware-common.c
+++ b/drivers/i2c/busses/i2c-designware-common.c
@@ -441,6 +441,7 @@ err_release_lock:
void __i2c_dw_disable(struct dw_i2c_dev *dev)
{
+ struct i2c_timings *t = &dev->timings;
unsigned int raw_intr_stats;
unsigned int enable;
int timeout = 100;
@@ -453,6 +454,19 @@ void __i2c_dw_disable(struct dw_i2c_dev
abort_needed = raw_intr_stats & DW_IC_INTR_MST_ON_HOLD;
if (abort_needed) {
+ if (!(enable & DW_IC_ENABLE_ENABLE)) {
+ regmap_write(dev->map, DW_IC_ENABLE, DW_IC_ENABLE_ENABLE);
+ /*
+ * Wait 10 times the signaling period of the highest I2C
+ * transfer supported by the driver (for 400KHz this is
+ * 25us) to ensure the I2C ENABLE bit is already set
+ * as described in the DesignWare I2C databook.
+ */
+ fsleep(DIV_ROUND_CLOSEST_ULL(10 * MICRO, t->bus_freq_hz));
+ /* Set ENABLE bit before setting ABORT */
+ enable |= DW_IC_ENABLE_ENABLE;
+ }
+
regmap_write(dev->map, DW_IC_ENABLE, enable | DW_IC_ENABLE_ABORT);
ret = regmap_read_poll_timeout(dev->map, DW_IC_ENABLE, enable,
!(enable & DW_IC_ENABLE_ABORT), 10,
--- a/drivers/i2c/busses/i2c-designware-core.h
+++ b/drivers/i2c/busses/i2c-designware-core.h
@@ -109,6 +109,7 @@
DW_IC_INTR_RX_UNDER | \
DW_IC_INTR_RD_REQ)
+#define DW_IC_ENABLE_ENABLE BIT(0)
#define DW_IC_ENABLE_ABORT BIT(1)
#define DW_IC_STATUS_ACTIVITY BIT(0)
--- a/drivers/i2c/busses/i2c-designware-master.c
+++ b/drivers/i2c/busses/i2c-designware-master.c
@@ -253,6 +253,34 @@ static void i2c_dw_xfer_init(struct dw_i
regmap_write(dev->map, DW_IC_INTR_MASK, DW_IC_INTR_MASTER_MASK);
}
+/*
+ * This function waits for the controller to be idle before disabling I2C
+ * When the controller is not in the IDLE state, the MST_ACTIVITY bit
+ * (IC_STATUS[5]) is set.
+ *
+ * Values:
+ * 0x1 (ACTIVE): Controller not idle
+ * 0x0 (IDLE): Controller is idle
+ *
+ * The function is called after completing the current transfer.
+ *
+ * Returns:
+ * False when the controller is in the IDLE state.
+ * True when the controller is in the ACTIVE state.
+ */
+static bool i2c_dw_is_controller_active(struct dw_i2c_dev *dev)
+{
+ u32 status;
+
+ regmap_read(dev->map, DW_IC_STATUS, &status);
+ if (!(status & DW_IC_STATUS_MASTER_ACTIVITY))
+ return false;
+
+ return regmap_read_poll_timeout(dev->map, DW_IC_STATUS, status,
+ !(status & DW_IC_STATUS_MASTER_ACTIVITY),
+ 1100, 20000) != 0;
+}
+
static int i2c_dw_check_stopbit(struct dw_i2c_dev *dev)
{
u32 val;
@@ -695,6 +723,16 @@ i2c_dw_xfer(struct i2c_adapter *adap, st
}
/*
+ * This happens rarely (~1:500) and is hard to reproduce. Debug trace
+ * showed that IC_STATUS had value of 0x23 when STOP_DET occurred,
+ * if disable IC_ENABLE.ENABLE immediately that can result in
+ * IC_RAW_INTR_STAT.MASTER_ON_HOLD holding SCL low. Check if
+ * controller is still ACTIVE before disabling I2C.
+ */
+ if (i2c_dw_is_controller_active(dev))
+ dev_err(dev->dev, "controller active\n");
+
+ /*
* We must disable the adapter before returning and signaling the end
* of the current transfer. Otherwise the hardware might continue
* generating interrupts which in turn causes a race condition with
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 212/386] rust: sync: require `T: Sync` for `LockedBy::access`
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 211/386] i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 213/386] ovl: fail if trusted xattrs are needed but caller lacks permission Greg Kroah-Hartman
` (184 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alice Ryhl, Boqun Feng, Gary Guo,
Miguel Ojeda
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alice Ryhl <aliceryhl@google.com>
commit a8ee30f45d5d57467ddb7877ed6914d0eba0af7f upstream.
The `LockedBy::access` method only requires a shared reference to the
owner, so if we have shared access to the `LockedBy` from several
threads at once, then two threads could call `access` in parallel and
both obtain a shared reference to the inner value. Thus, require that
`T: Sync` when calling the `access` method.
An alternative is to require `T: Sync` in the `impl Sync for LockedBy`.
This patch does not choose that approach as it gives up the ability to
use `LockedBy` with `!Sync` types, which is okay as long as you only use
`access_mut`.
Cc: stable@vger.kernel.org
Fixes: 7b1f55e3a984 ("rust: sync: introduce `LockedBy`")
Signed-off-by: Alice Ryhl <aliceryhl@google.com>
Suggested-by: Boqun Feng <boqun.feng@gmail.com>
Reviewed-by: Gary Guo <gary@garyguo.net>
Link: https://lore.kernel.org/r/20240915-locked-by-sync-fix-v2-1-1a8d89710392@google.com
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
rust/kernel/sync/locked_by.rs | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
--- a/rust/kernel/sync/locked_by.rs
+++ b/rust/kernel/sync/locked_by.rs
@@ -80,8 +80,12 @@ pub struct LockedBy<T: ?Sized, U: ?Sized
// SAFETY: `LockedBy` can be transferred across thread boundaries iff the data it protects can.
unsafe impl<T: ?Sized + Send, U: ?Sized> Send for LockedBy<T, U> {}
-// SAFETY: `LockedBy` serialises the interior mutability it provides, so it is `Sync` as long as the
-// data it protects is `Send`.
+// SAFETY: If `T` is not `Sync`, then parallel shared access to this `LockedBy` allows you to use
+// `access_mut` to hand out `&mut T` on one thread at the time. The requirement that `T: Send` is
+// sufficient to allow that.
+//
+// If `T` is `Sync`, then the `access` method also becomes available, which allows you to obtain
+// several `&T` from several threads at once. However, this is okay as `T` is `Sync`.
unsafe impl<T: ?Sized + Send, U: ?Sized> Sync for LockedBy<T, U> {}
impl<T, U> LockedBy<T, U> {
@@ -115,7 +119,10 @@ impl<T: ?Sized, U> LockedBy<T, U> {
///
/// Panics if `owner` is different from the data protected by the lock used in
/// [`new`](LockedBy::new).
- pub fn access<'a>(&'a self, owner: &'a U) -> &'a T {
+ pub fn access<'a>(&'a self, owner: &'a U) -> &'a T
+ where
+ T: Sync,
+ {
build_assert!(
size_of::<U>() > 0,
"`U` cannot be a ZST because `owner` wouldn't be unique"
@@ -124,7 +131,10 @@ impl<T: ?Sized, U> LockedBy<T, U> {
panic!("mismatched owners");
}
- // SAFETY: `owner` is evidence that the owner is locked.
+ // SAFETY: `owner` is evidence that there are only shared references to the owner for the
+ // duration of 'a, so it's not possible to use `Self::access_mut` to obtain a mutable
+ // reference to the inner value that aliases with this shared reference. The type is `Sync`
+ // so there are no other requirements.
unsafe { &*self.data.get() }
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 213/386] ovl: fail if trusted xattrs are needed but caller lacks permission
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 212/386] rust: sync: require `T: Sync` for `LockedBy::access` Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 214/386] firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() Greg Kroah-Hartman
` (183 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Mike Baynton, Amir Goldstein
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Baynton <mike@mbaynton.com>
commit 6c4a5f96450415735c31ed70ff354f0ee5cbf67b upstream.
Some overlayfs features require permission to read/write trusted.*
xattrs. These include redirect_dir, verity, metacopy, and data-only
layers. This patch adds additional validations at mount time to stop
overlays from mounting in certain cases where the resulting mount would
not function according to the user's expectations because they lack
permission to access trusted.* xattrs (for example, not global root.)
Similar checks in ovl_make_workdir() that disable features instead of
failing are still relevant and used in cases where the resulting mount
can still work "reasonably well." Generally, if the feature was enabled
through kernel config or module option, any mount that worked before
will still work the same; this applies to redirect_dir and metacopy. The
user must explicitly request these features in order to generate a mount
failure. Verity and data-only layers on the other hand must be explictly
requested and have no "reasonable" disabled or degraded alternative, so
mounts attempting either always fail.
"lower data-only dirs require metacopy support" moved down in case
userxattr is set, which disables metacopy.
Cc: stable@vger.kernel.org # v6.6+
Signed-off-by: Mike Baynton <mike@mbaynton.com>
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/overlayfs/params.c | 38 +++++++++++++++++++++++++++++++++-----
1 file changed, 33 insertions(+), 5 deletions(-)
--- a/fs/overlayfs/params.c
+++ b/fs/overlayfs/params.c
@@ -761,11 +761,6 @@ int ovl_fs_params_verify(const struct ov
{
struct ovl_opt_set set = ctx->set;
- if (ctx->nr_data > 0 && !config->metacopy) {
- pr_err("lower data-only dirs require metacopy support.\n");
- return -EINVAL;
- }
-
/* Workdir/index are useless in non-upper mount */
if (!config->upperdir) {
if (config->workdir) {
@@ -917,6 +912,39 @@ int ovl_fs_params_verify(const struct ov
config->metacopy = false;
}
+ /*
+ * Fail if we don't have trusted xattr capability and a feature was
+ * explicitly requested that requires them.
+ */
+ if (!config->userxattr && !capable(CAP_SYS_ADMIN)) {
+ if (set.redirect &&
+ config->redirect_mode != OVL_REDIRECT_NOFOLLOW) {
+ pr_err("redirect_dir requires permission to access trusted xattrs\n");
+ return -EPERM;
+ }
+ if (config->metacopy && set.metacopy) {
+ pr_err("metacopy requires permission to access trusted xattrs\n");
+ return -EPERM;
+ }
+ if (config->verity_mode) {
+ pr_err("verity requires permission to access trusted xattrs\n");
+ return -EPERM;
+ }
+ if (ctx->nr_data > 0) {
+ pr_err("lower data-only dirs require permission to access trusted xattrs\n");
+ return -EPERM;
+ }
+ /*
+ * Other xattr-dependent features should be disabled without
+ * great disturbance to the user in ovl_make_workdir().
+ */
+ }
+
+ if (ctx->nr_data > 0 && !config->metacopy) {
+ pr_err("lower data-only dirs require metacopy support.\n");
+ return -EINVAL;
+ }
+
return 0;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 214/386] firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 213/386] ovl: fail if trusted xattrs are needed but caller lacks permission Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 215/386] memory: tegra186-emc: drop unused to_tegra186_emc() Greg Kroah-Hartman
` (182 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Thierry Reding
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 9c3a62c20f7fb00294a4237e287254456ba8a48b upstream.
mbox_client_to_bpmp() is not used, W=1 builds:
drivers/firmware/tegra/bpmp.c:28:1: error: unused function 'mbox_client_to_bpmp' [-Werror,-Wunused-function]
Fixes: cdfa358b248e ("firmware: tegra: Refactor BPMP driver")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/tegra/bpmp.c | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/firmware/tegra/bpmp.c
+++ b/drivers/firmware/tegra/bpmp.c
@@ -24,12 +24,6 @@
#define MSG_RING BIT(1)
#define TAG_SZ 32
-static inline struct tegra_bpmp *
-mbox_client_to_bpmp(struct mbox_client *client)
-{
- return container_of(client, struct tegra_bpmp, mbox.client);
-}
-
static inline const struct tegra_bpmp_ops *
channel_to_ops(struct tegra_bpmp_channel *channel)
{
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 215/386] memory: tegra186-emc: drop unused to_tegra186_emc()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 214/386] firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 216/386] dt-bindings: clock: exynos7885: Fix duplicated binding Greg Kroah-Hartman
` (181 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 67dd9e861add38755a7c5d29e25dd0f6cb4116ab upstream.
to_tegra186_emc() is not used, W=1 builds:
tegra186-emc.c:38:36: error: unused function 'to_tegra186_emc' [-Werror,-Wunused-function]
Fixes: 9a38cb27668e ("memory: tegra: Add interconnect support for DRAM scaling in Tegra234")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240812123055.124123-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/memory/tegra/tegra186-emc.c | 5 -----
1 file changed, 5 deletions(-)
--- a/drivers/memory/tegra/tegra186-emc.c
+++ b/drivers/memory/tegra/tegra186-emc.c
@@ -35,11 +35,6 @@ struct tegra186_emc {
struct icc_provider provider;
};
-static inline struct tegra186_emc *to_tegra186_emc(struct icc_provider *provider)
-{
- return container_of(provider, struct tegra186_emc, provider);
-}
-
/*
* debugfs interface
*
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 216/386] dt-bindings: clock: exynos7885: Fix duplicated binding
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 215/386] memory: tegra186-emc: drop unused to_tegra186_emc() Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 217/386] spi: bcm63xx: Fix module autoloading Greg Kroah-Hartman
` (180 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Virag, Krzysztof Kozlowski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Virag <virag.david003@gmail.com>
commit abf3a3ea9acb5c886c8729191a670744ecd42024 upstream.
The numbering in Exynos7885's FSYS CMU bindings has 4 duplicated by
accident, with the rest of the bindings continuing with 5.
Fix this by moving CLK_MOUT_FSYS_USB30DRD_USER to the end as 11.
Since CLK_MOUT_FSYS_USB30DRD_USER is not used in any device tree as of
now, and there are no other clocks affected (maybe apart from
CLK_MOUT_FSYS_MMC_SDIO_USER which the number was shared with, also not
used in a device tree), this is the least impactful way to solve this
problem.
Fixes: cd268e309c29 ("dt-bindings: clock: Add bindings for Exynos7885 CMU_FSYS")
Cc: stable@vger.kernel.org
Signed-off-by: David Virag <virag.david003@gmail.com>
Link: https://lore.kernel.org/r/20240806121157.479212-2-virag.david003@gmail.com
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/dt-bindings/clock/exynos7885.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/include/dt-bindings/clock/exynos7885.h
+++ b/include/dt-bindings/clock/exynos7885.h
@@ -136,12 +136,12 @@
#define CLK_MOUT_FSYS_MMC_CARD_USER 2
#define CLK_MOUT_FSYS_MMC_EMBD_USER 3
#define CLK_MOUT_FSYS_MMC_SDIO_USER 4
-#define CLK_MOUT_FSYS_USB30DRD_USER 4
#define CLK_GOUT_MMC_CARD_ACLK 5
#define CLK_GOUT_MMC_CARD_SDCLKIN 6
#define CLK_GOUT_MMC_EMBD_ACLK 7
#define CLK_GOUT_MMC_EMBD_SDCLKIN 8
#define CLK_GOUT_MMC_SDIO_ACLK 9
#define CLK_GOUT_MMC_SDIO_SDCLKIN 10
+#define CLK_MOUT_FSYS_USB30DRD_USER 11
#endif /* _DT_BINDINGS_CLOCK_EXYNOS_7885_H */
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 217/386] spi: bcm63xx: Fix module autoloading
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 216/386] dt-bindings: clock: exynos7885: Fix duplicated binding Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 218/386] spi: bcm63xx: Fix missing pm_runtime_disable() Greg Kroah-Hartman
` (179 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinjie Ruan, Jonas Gorski,
Mark Brown
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
commit 909f34f2462a99bf876f64c5c61c653213e32fce upstream.
Add MODULE_DEVICE_TABLE(), so modules could be properly autoloaded
based on the alias from platform_device_id table.
Fixes: 44d8fb30941d ("spi/bcm63xx: move register definitions into the driver")
Cc: stable@vger.kernel.org
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Reviewed-by: Jonas Gorski <jonas.gorski@gmail.com>
Link: https://patch.msgid.link/20240819123349.4020472-2-ruanjinjie@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-bcm63xx.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/spi/spi-bcm63xx.c
+++ b/drivers/spi/spi-bcm63xx.c
@@ -466,6 +466,7 @@ static const struct platform_device_id b
{
},
};
+MODULE_DEVICE_TABLE(platform, bcm63xx_spi_dev_match);
static const struct of_device_id bcm63xx_spi_of_match[] = {
{ .compatible = "brcm,bcm6348-spi", .data = &bcm6348_spi_reg_offsets },
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 218/386] spi: bcm63xx: Fix missing pm_runtime_disable()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 217/386] spi: bcm63xx: Fix module autoloading Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 219/386] power: supply: hwmon: Fix missing temp1_max_alarm attribute Greg Kroah-Hartman
` (178 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jinjie Ruan, Jonas Gorski,
Mark Brown
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
commit 265697288ec2160ca84707565d6641d46f69b0ff upstream.
The pm_runtime_disable() is missing in the remove function, fix it
by using devm_pm_runtime_enable(), so the pm_runtime_disable() in
the probe error path can also be removed.
Fixes: 2d13f2ff6073 ("spi: bcm63xx-spi: fix pm_runtime")
Cc: stable@vger.kernel.org # v5.13+
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Suggested-by: Jonas Gorski <jonas.gorski@gmail.com>
Link: https://patch.msgid.link/20240819123349.4020472-3-ruanjinjie@huawei.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/spi/spi-bcm63xx.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/spi/spi-bcm63xx.c
+++ b/drivers/spi/spi-bcm63xx.c
@@ -584,13 +584,15 @@ static int bcm63xx_spi_probe(struct plat
bcm_spi_writeb(bs, SPI_INTR_CLEAR_ALL, SPI_INT_STATUS);
- pm_runtime_enable(&pdev->dev);
+ ret = devm_pm_runtime_enable(&pdev->dev);
+ if (ret)
+ goto out_clk_disable;
/* register and we are done */
ret = devm_spi_register_controller(dev, host);
if (ret) {
dev_err(dev, "spi register failed\n");
- goto out_pm_disable;
+ goto out_clk_disable;
}
dev_info(dev, "at %pr (irq %d, FIFOs size %d)\n",
@@ -598,8 +600,6 @@ static int bcm63xx_spi_probe(struct plat
return 0;
-out_pm_disable:
- pm_runtime_disable(&pdev->dev);
out_clk_disable:
clk_disable_unprepare(clk);
out_err:
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 219/386] power: supply: hwmon: Fix missing temp1_max_alarm attribute
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 218/386] spi: bcm63xx: Fix missing pm_runtime_disable() Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 220/386] perf/core: Fix small negative period being ignored Greg Kroah-Hartman
` (177 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Sebastian Reichel
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit e50a57d16f897e45de1112eb6478577b197fab52 upstream.
Temp channel 0 aka temp1 can have a temp1_max_alarm attribute for
power_supply devices which have a POWER_SUPPLY_PROP_TEMP_ALERT_MAX
property.
HWMON_T_MAX_ALARM was missing from power_supply_hwmon_info for
temp channel 0, causing the hwmon temp1_max_alarm attribute to be
missing from such power_supply devices.
Add this to power_supply_hwmon_info to fix this.
Fixes: f1d33ae806ec ("power: supply: remove duplicated argument in power_supply_hwmon_info")
Cc: stable@vger.kernel.org
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20240908185337.103696-2-hdegoede@redhat.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/power/supply/power_supply_hwmon.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/power/supply/power_supply_hwmon.c
+++ b/drivers/power/supply/power_supply_hwmon.c
@@ -299,7 +299,8 @@ static const struct hwmon_channel_info *
HWMON_T_INPUT |
HWMON_T_MAX |
HWMON_T_MIN |
- HWMON_T_MIN_ALARM,
+ HWMON_T_MIN_ALARM |
+ HWMON_T_MAX_ALARM,
HWMON_T_LABEL |
HWMON_T_INPUT |
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 220/386] perf/core: Fix small negative period being ignored
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 219/386] power: supply: hwmon: Fix missing temp1_max_alarm attribute Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 221/386] parisc: Fix itlb miss handler for 64-bit programs Greg Kroah-Hartman
` (176 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luo Gengkun, Peter Zijlstra (Intel),
Adrian Hunter, Kan Liang
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luo Gengkun <luogengkun@huaweicloud.com>
commit 62c0b1061593d7012292f781f11145b2d46f43ab upstream.
In perf_adjust_period, we will first calculate period, and then use
this period to calculate delta. However, when delta is less than 0,
there will be a deviation compared to when delta is greater than or
equal to 0. For example, when delta is in the range of [-14,-1], the
range of delta = delta + 7 is between [-7,6], so the final value of
delta/8 is 0. Therefore, the impact of -1 and -2 will be ignored.
This is unacceptable when the target period is very short, because
we will lose a lot of samples.
Here are some tests and analyzes:
before:
# perf record -e cs -F 1000 ./a.out
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.022 MB perf.data (518 samples) ]
# perf script
...
a.out 396 257.956048: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.957891: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.959730: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.961545: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.963355: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.965163: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.966973: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.968785: 23 cs: ffffffff81f4eeec schedul>
a.out 396 257.970593: 23 cs: ffffffff81f4eeec schedul>
...
after:
# perf record -e cs -F 1000 ./a.out
[ perf record: Woken up 1 times to write data ]
[ perf record: Captured and wrote 0.058 MB perf.data (1466 samples) ]
# perf script
...
a.out 395 59.338813: 11 cs: ffffffff81f4eeec schedul>
a.out 395 59.339707: 12 cs: ffffffff81f4eeec schedul>
a.out 395 59.340682: 13 cs: ffffffff81f4eeec schedul>
a.out 395 59.341751: 13 cs: ffffffff81f4eeec schedul>
a.out 395 59.342799: 12 cs: ffffffff81f4eeec schedul>
a.out 395 59.343765: 11 cs: ffffffff81f4eeec schedul>
a.out 395 59.344651: 11 cs: ffffffff81f4eeec schedul>
a.out 395 59.345539: 12 cs: ffffffff81f4eeec schedul>
a.out 395 59.346502: 13 cs: ffffffff81f4eeec schedul>
...
test.c
int main() {
for (int i = 0; i < 20000; i++)
usleep(10);
return 0;
}
# time ./a.out
real 0m1.583s
user 0m0.040s
sys 0m0.298s
The above results were tested on x86-64 qemu with KVM enabled using
test.c as test program. Ideally, we should have around 1500 samples,
but the previous algorithm had only about 500, whereas the modified
algorithm now has about 1400. Further more, the new version shows 1
sample per 0.001s, while the previous one is 1 sample per 0.002s.This
indicates that the new algorithm is more sensitive to small negative
values compared to old algorithm.
Fixes: bd2b5b12849a ("perf_counter: More aggressive frequency adjustment")
Signed-off-by: Luo Gengkun <luogengkun@huaweicloud.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Reviewed-by: Adrian Hunter <adrian.hunter@intel.com>
Reviewed-by: Kan Liang <kan.liang@linux.intel.com>
Cc: stable@vger.kernel.org
Link: https://lkml.kernel.org/r/20240831074316.2106159-2-luogengkun@huaweicloud.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/events/core.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -4104,7 +4104,11 @@ static void perf_adjust_period(struct pe
period = perf_calculate_period(event, nsec, count);
delta = (s64)(period - hwc->sample_period);
- delta = (delta + 7) / 8; /* low pass filter */
+ if (delta >= 0)
+ delta += 7;
+ else
+ delta -= 7;
+ delta /= 8; /* low pass filter */
sample_period = hwc->sample_period + delta;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 221/386] parisc: Fix itlb miss handler for 64-bit programs
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 220/386] perf/core: Fix small negative period being ignored Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 222/386] drm/mediatek: ovl_adaptor: Add missing of_node_put() Greg Kroah-Hartman
` (175 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit 9542130937e9dc707dd7c6b7af73326437da2d50 upstream.
For an itlb miss when executing code above 4 Gb on ILP64 adjust the
iasq/iaoq in the same way isr/ior was adjusted. This fixes signal
delivery for the 64-bit static test program from
http://ftp.parisc-linux.org/src/64bit.tar.gz. Note that signals are
handled by the signal trampoline code in the 64-bit VDSO which is mapped
into high userspace memory region above 4GB for 64-bit processes.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v4.19+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/entry.S | 6 ++----
1 file changed, 2 insertions(+), 4 deletions(-)
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -1051,8 +1051,7 @@ ENTRY_CFI(intr_save) /* for os_hpmc */
STREG %r16, PT_ISR(%r29)
STREG %r17, PT_IOR(%r29)
-#if 0 && defined(CONFIG_64BIT)
- /* Revisit when we have 64-bit code above 4Gb */
+#if defined(CONFIG_64BIT)
b,n intr_save2
skip_save_ior:
@@ -1060,8 +1059,7 @@ skip_save_ior:
* need to adjust iasq/iaoq here in the same way we adjusted isr/ior
* above.
*/
- extrd,u,* %r8,PSW_W_BIT,1,%r1
- cmpib,COND(=),n 1,%r1,intr_save2
+ bb,COND(>=),n %r8,PSW_W_BIT,intr_save2
LDREG PT_IASQ0(%r29), %r16
LDREG PT_IAOQ0(%r29), %r17
/* adjust iasq/iaoq */
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 222/386] drm/mediatek: ovl_adaptor: Add missing of_node_put()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 221/386] parisc: Fix itlb miss handler for 64-bit programs Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 223/386] drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS Greg Kroah-Hartman
` (174 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Javier Carrasco, CK Hu,
Chun-Kuang Hu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Javier Carrasco <javier.carrasco.cruz@gmail.com>
commit 5beb6fba25db235b52eab34bde8112f07bb31d75 upstream.
Error paths that exit for_each_child_of_node() need to call
of_node_put() to decerement the child refcount and avoid memory leaks.
Add the missing of_node_put().
Cc: stable@vger.kernel.org
Fixes: 453c3364632a ("drm/mediatek: Add ovl_adaptor support for MT8195")
Signed-off-by: Javier Carrasco <javier.carrasco.cruz@gmail.com>
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20240624-mtk_disp_ovl_adaptor_scoped-v1-2-9fa1e074d881@gmail.com/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c
+++ b/drivers/gpu/drm/mediatek/mtk_disp_ovl_adaptor.c
@@ -436,8 +436,10 @@ static int ovl_adaptor_comp_init(struct
}
comp_pdev = of_find_device_by_node(node);
- if (!comp_pdev)
+ if (!comp_pdev) {
+ of_node_put(node);
return -EPROBE_DEFER;
+ }
priv->ovl_adaptor_comp[id] = &comp_pdev->dev;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 223/386] drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 222/386] drm/mediatek: ovl_adaptor: Add missing of_node_put() Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 224/386] ALSA: hda/tas2781: Add new quirk for Lenovo Y990 Laptop Greg Kroah-Hartman
` (173 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä,
Thomas Zimmermann, Lukasz Spintzyk, Deepak Rawat, Daniel Vetter,
Thomas Hellstrom, David Airlie, Simona Vetter, Maarten Lankhorst,
Maxime Ripard, dri-devel, Dmitry Baryshkov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Zimmermann <tzimmermann@suse.de>
commit 8b0d2f61545545ab5eef923ed6e59fc3be2385e0 upstream.
FB_DAMAGE_CLIPS is a plane property for damage handling. Its UAPI
should only use UAPI types. Hence replace struct drm_rect with
struct drm_mode_rect in drm_atomic_plane_set_property(). Both types
are identical in practice, so there's no change in behavior.
Reported-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Closes: https://lore.kernel.org/dri-devel/Zu1Ke1TuThbtz15E@intel.com/
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Fixes: d3b21767821e ("drm: Add a new plane property to send damage during plane update")
Cc: Lukasz Spintzyk <lukasz.spintzyk@displaylink.com>
Cc: Deepak Rawat <drawat@vmware.com>
Cc: Daniel Vetter <daniel.vetter@ffwll.ch>
Cc: Thomas Hellstrom <thellstrom@vmware.com>
Cc: David Airlie <airlied@gmail.com>
Cc: Simona Vetter <simona@ffwll.ch>
Cc: Maarten Lankhorst <maarten.lankhorst@linux.intel.com>
Cc: Maxime Ripard <mripard@kernel.org>
Cc: Thomas Zimmermann <tzimmermann@suse.de>
Cc: dri-devel@lists.freedesktop.org
Cc: <stable@vger.kernel.org> # v5.0+
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20240923075841.16231-1-tzimmermann@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_atomic_uapi.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/drm_atomic_uapi.c
+++ b/drivers/gpu/drm/drm_atomic_uapi.c
@@ -585,7 +585,7 @@ static int drm_atomic_plane_set_property
&state->fb_damage_clips,
val,
-1,
- sizeof(struct drm_rect),
+ sizeof(struct drm_mode_rect),
&replaced);
return ret;
} else if (property == plane->scaling_filter_property) {
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 224/386] ALSA: hda/tas2781: Add new quirk for Lenovo Y990 Laptop
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 223/386] drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 225/386] ALSA: core: add isascii() check to card ID generator Greg Kroah-Hartman
` (172 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Baojun Xu, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baojun Xu <baojun.xu@ti.com>
commit 49f5ee951f11f4d6a124f00f71b2590507811a55 upstream.
Add new vendor_id and subsystem_id in quirk for Lenovo Y990 Laptop.
Signed-off-by: Baojun Xu <baojun.xu@ti.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20240919075743.259-1-baojun.xu@ti.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -10330,6 +10330,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x17aa, 0x38cd, "Y790 VECO DUAL", ALC287_FIXUP_TAS2781_I2C),
SND_PCI_QUIRK(0x17aa, 0x38d2, "Lenovo Yoga 9 14IMH9", ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN),
SND_PCI_QUIRK(0x17aa, 0x38d7, "Lenovo Yoga 9 14IMH9", ALC287_FIXUP_YOGA9_14IMH9_BASS_SPK_PIN),
+ SND_PCI_QUIRK(0x17aa, 0x38df, "Y990 YG DUAL", ALC287_FIXUP_TAS2781_I2C),
SND_PCI_QUIRK(0x17aa, 0x38f9, "Thinkbook 16P Gen5", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x17aa, 0x38fa, "Thinkbook 16P Gen5", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x17aa, 0x3902, "Lenovo E50-80", ALC269_FIXUP_DMIC_THINKPAD_ACPI),
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 225/386] ALSA: core: add isascii() check to card ID generator
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 224/386] ALSA: hda/tas2781: Add new quirk for Lenovo Y990 Laptop Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 226/386] ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET Greg Kroah-Hartman
` (171 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Barnabás Pőcze,
Jaroslav Kysela, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jaroslav Kysela <perex@perex.cz>
commit d278a9de5e1837edbe57b2f1f95a104ff6c84846 upstream.
The card identifier should contain only safe ASCII characters. The isalnum()
returns true also for characters for non-ASCII characters.
Link: https://gitlab.freedesktop.org/pipewire/pipewire/-/issues/4135
Link: https://lore.kernel.org/linux-sound/yk3WTvKkwheOon_LzZlJ43PPInz6byYfBzpKkbasww1yzuiMRqn7n6Y8vZcXB-xwFCu_vb8hoNjv7DTNwH5TWjpEuiVsyn9HPCEXqwF4120=@protonmail.com/
Cc: stable@vger.kernel.org
Reported-by: Barnabás Pőcze <pobrn@protonmail.com>
Signed-off-by: Jaroslav Kysela <perex@perex.cz>
Link: https://patch.msgid.link/20241002194649.1944696-1-perex@perex.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/init.c | 14 ++++++++++----
1 file changed, 10 insertions(+), 4 deletions(-)
--- a/sound/core/init.c
+++ b/sound/core/init.c
@@ -666,13 +666,19 @@ void snd_card_free(struct snd_card *card
}
EXPORT_SYMBOL(snd_card_free);
+/* check, if the character is in the valid ASCII range */
+static inline bool safe_ascii_char(char c)
+{
+ return isascii(c) && isalnum(c);
+}
+
/* retrieve the last word of shortname or longname */
static const char *retrieve_id_from_card_name(const char *name)
{
const char *spos = name;
while (*name) {
- if (isspace(*name) && isalnum(name[1]))
+ if (isspace(*name) && safe_ascii_char(name[1]))
spos = name + 1;
name++;
}
@@ -699,12 +705,12 @@ static void copy_valid_id_string(struct
{
char *id = card->id;
- while (*nid && !isalnum(*nid))
+ while (*nid && !safe_ascii_char(*nid))
nid++;
if (isdigit(*nid))
*id++ = isalpha(*src) ? *src : 'D';
while (*nid && (size_t)(id - card->id) < sizeof(card->id) - 1) {
- if (isalnum(*nid))
+ if (safe_ascii_char(*nid))
*id++ = *nid;
nid++;
}
@@ -800,7 +806,7 @@ static ssize_t id_store(struct device *d
for (idx = 0; idx < copy; idx++) {
c = buf[idx];
- if (!isalnum(c) && c != '_' && c != '-')
+ if (!safe_ascii_char(c) && c != '_' && c != '-')
return -EINVAL;
}
memcpy(buf1, buf, copy);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 226/386] ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 225/386] ALSA: core: add isascii() check to card ID generator Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 227/386] ALSA: usb-audio: Add native DSD support for Luxman D-08u Greg Kroah-Hartman
` (170 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lianqin Hu, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lianqin Hu <hulianqin@vivo.com>
commit 73385f3e0d8088b715ae8f3f66d533c482a376ab upstream.
Audio control requests that sets sampling frequency sometimes fail on
this card. Adding delay between control messages eliminates that problem.
Signed-off-by: Lianqin Hu <hulianqin@vivo.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/TYUPR06MB62177E629E9DEF2401333BF7D2692@TYUPR06MB6217.apcprd06.prod.outlook.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/quirks.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2181,6 +2181,8 @@ static const struct usb_audio_quirk_flag
QUIRK_FLAG_GENERIC_IMPLICIT_FB),
DEVICE_FLG(0x2b53, 0x0031, /* Fiero SC-01 (firmware v1.1.0) */
QUIRK_FLAG_GENERIC_IMPLICIT_FB),
+ DEVICE_FLG(0x2d95, 0x8011, /* VIVO USB-C HEADSET */
+ QUIRK_FLAG_CTL_MSG_DELAY_1M),
DEVICE_FLG(0x2d95, 0x8021, /* VIVO USB-C-XE710 HEADSET */
QUIRK_FLAG_CTL_MSG_DELAY_1M),
DEVICE_FLG(0x30be, 0x0101, /* Schiit Hel */
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 227/386] ALSA: usb-audio: Add native DSD support for Luxman D-08u
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 226/386] ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 228/386] ALSA: line6: add hw monitor volume control to POD HD500X Greg Kroah-Hartman
` (169 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jan Lalinsky, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Lalinsky <lalinsky@c4.cz>
commit 6b0bde5d8d4078ca5feec72fd2d828f0e5cf115d upstream.
Add native DSD support for Luxman D-08u DAC, by adding the PID/VID 1852:5062.
This makes DSD playback work, and also sound quality when playing PCM files
is improved, crackling sounds are gone.
Signed-off-by: Jan Lalinsky <lalinsky@c4.cz>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20241003030811.2655735-1-lalinsky@c4.cz
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/quirks.c | 2 ++
1 file changed, 2 insertions(+)
--- a/sound/usb/quirks.c
+++ b/sound/usb/quirks.c
@@ -2123,6 +2123,8 @@ static const struct usb_audio_quirk_flag
QUIRK_FLAG_DISABLE_AUTOSUSPEND),
DEVICE_FLG(0x17aa, 0x104d, /* Lenovo ThinkStation P620 Internal Speaker + Front Headset */
QUIRK_FLAG_DISABLE_AUTOSUSPEND),
+ DEVICE_FLG(0x1852, 0x5062, /* Luxman D-08u */
+ QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY),
DEVICE_FLG(0x1852, 0x5065, /* Luxman DA-06 */
QUIRK_FLAG_ITF_USB_DSD_DAC | QUIRK_FLAG_CTL_MSG_DELAY),
DEVICE_FLG(0x1901, 0x0191, /* GE B850V3 CP2114 audio interface */
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 228/386] ALSA: line6: add hw monitor volume control to POD HD500X
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 227/386] ALSA: usb-audio: Add native DSD support for Luxman D-08u Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 229/386] ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 Greg Kroah-Hartman
` (168 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans P. Moller, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans P. Moller <hmoller@uc.cl>
commit 703235a244e533652346844cfa42623afb36eed1 upstream.
Add hw monitor volume control for POD HD500X. This is done adding
LINE6_CAP_HWMON_CTL to the capabilities
Signed-off-by: Hans P. Moller <hmoller@uc.cl>
Cc: <stable@vger.kernel.org>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Link: https://patch.msgid.link/20241003232828.5819-1-hmoller@uc.cl
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/line6/podhd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/usb/line6/podhd.c
+++ b/sound/usb/line6/podhd.c
@@ -507,7 +507,7 @@ static const struct line6_properties pod
[LINE6_PODHD500X] = {
.id = "PODHD500X",
.name = "POD HD500X",
- .capabilities = LINE6_CAP_CONTROL
+ .capabilities = LINE6_CAP_CONTROL | LINE6_CAP_HWMON_CTL
| LINE6_CAP_PCM | LINE6_CAP_HWMON,
.altsetting = 1,
.ep_ctrl_r = 0x81,
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 229/386] ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 228/386] ALSA: line6: add hw monitor volume control to POD HD500X Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 230/386] ALSA: hda/realtek: Add a quirk for HP Pavilion 15z-ec200 Greg Kroah-Hartman
` (167 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ai Chao, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ai Chao <aichao@kylinos.cn>
commit dee476950cbd83125655a3f49e00d63b79f6114e upstream.
The headset mic requires a fixup to be properly detected/used.
Signed-off-by: Ai Chao <aichao@kylinos.cn>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20240926060252.25630-1-aichao@kylinos.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -10363,6 +10363,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1849, 0xa233, "Positivo Master C6300", ALC269_FIXUP_HEADSET_MIC),
SND_PCI_QUIRK(0x19e5, 0x3204, "Huawei MACH-WX9", ALC256_FIXUP_HUAWEI_MACH_WX9_PINS),
SND_PCI_QUIRK(0x19e5, 0x320f, "Huawei WRT-WX9 ", ALC256_FIXUP_ASUS_MIC_NO_PRESENCE),
+ SND_PCI_QUIRK(0x19e5, 0x3212, "Huawei KLV-WX9 ", ALC256_FIXUP_ACER_HEADSET_MIC),
SND_PCI_QUIRK(0x1b35, 0x1235, "CZC B20", ALC269_FIXUP_CZC_B20),
SND_PCI_QUIRK(0x1b35, 0x1236, "CZC TMI", ALC269_FIXUP_CZC_TMI),
SND_PCI_QUIRK(0x1b35, 0x1237, "CZC L101", ALC269_FIXUP_CZC_L101),
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 230/386] ALSA: hda/realtek: Add a quirk for HP Pavilion 15z-ec200
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 229/386] ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 231/386] ext4: no need to continue when the number of entries is 1 Greg Kroah-Hartman
` (166 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Abhishek Tamboli, Takashi Iwai
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Abhishek Tamboli <abhishektamboli9@gmail.com>
commit d75dba49744478c32f6ce1c16b5f391c2d5cef5f upstream.
Add the quirk for HP Pavilion Gaming laptop 15z-ec200 for
enabling the mute led. The fix apply the ALC285_FIXUP_HP_MUTE_LED
quirk for this model.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=219303
Signed-off-by: Abhishek Tamboli <abhishektamboli9@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://patch.msgid.link/20240930145300.4604-1-abhishektamboli9@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9923,6 +9923,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x103c, 0x8896, "HP EliteBook 855 G8 Notebook PC", ALC285_FIXUP_HP_MUTE_LED),
SND_PCI_QUIRK(0x103c, 0x8898, "HP EliteBook 845 G8 Notebook PC", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST),
SND_PCI_QUIRK(0x103c, 0x88d0, "HP Pavilion 15-eh1xxx (mainboard 88D0)", ALC287_FIXUP_HP_GPIO_LED),
+ SND_PCI_QUIRK(0x103c, 0x88dd, "HP Pavilion 15z-ec200", ALC285_FIXUP_HP_MUTE_LED),
SND_PCI_QUIRK(0x103c, 0x8902, "HP OMEN 16", ALC285_FIXUP_HP_MUTE_LED),
SND_PCI_QUIRK(0x103c, 0x890e, "HP 255 G8 Notebook PC", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
SND_PCI_QUIRK(0x103c, 0x8919, "HP Pavilion Aero Laptop 13-be0xxx", ALC287_FIXUP_HP_GPIO_LED),
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 231/386] ext4: no need to continue when the number of entries is 1
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 230/386] ALSA: hda/realtek: Add a quirk for HP Pavilion 15z-ec200 Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 232/386] ext4: correct encrypted dentry name hash when not casefolded Greg Kroah-Hartman
` (165 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ae688d469e36fb5138d0,
Edward Adam Davis, Theodore Tso, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward Adam Davis <eadavis@qq.com>
commit 1a00a393d6a7fb1e745a41edd09019bd6a0ad64c upstream.
Fixes: ac27a0ec112a ("[PATCH] ext4: initial copy of files from ext3")
Reported-by: syzbot+ae688d469e36fb5138d0@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ae688d469e36fb5138d0
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
Reported-and-tested-by: syzbot+ae688d469e36fb5138d0@syzkaller.appspotmail.com
Link: https://patch.msgid.link/tencent_BE7AEE6C7C2D216CB8949CE8E6EE7ECC2C0A@qq.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -2047,7 +2047,7 @@ static struct ext4_dir_entry_2 *do_split
split = count/2;
hash2 = map[split].hash;
- continued = hash2 == map[split - 1].hash;
+ continued = split > 0 ? hash2 == map[split - 1].hash : 0;
dxtrace(printk(KERN_INFO "Split block %lu at %x, %i/%i\n",
(unsigned long)dx_get_block(frame->at),
hash2, split, count-split));
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 232/386] ext4: correct encrypted dentry name hash when not casefolded
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 231/386] ext4: no need to continue when the number of entries is 1 Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 233/386] ext4: fix slab-use-after-free in ext4_split_extent_at() Greg Kroah-Hartman
` (164 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, yao.ly, Theodore Tso, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: yao.ly <yao.ly@linux.alibaba.com>
commit 70dd7b573afeba9b8f8a33f2ae1e4a9a2ec8c1ec upstream.
EXT4_DIRENT_HASH and EXT4_DIRENT_MINOR_HASH will access struct
ext4_dir_entry_hash followed ext4_dir_entry. But there is no ext4_dir_entry_hash
followed when inode is encrypted and not casefolded
Signed-off-by: yao.ly <yao.ly@linux.alibaba.com>
Link: https://patch.msgid.link/1719816219-128287-1-git-send-email-yao.ly@linux.alibaba.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/dir.c | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
--- a/fs/ext4/dir.c
+++ b/fs/ext4/dir.c
@@ -279,12 +279,20 @@ static int ext4_readdir(struct file *fil
struct fscrypt_str de_name =
FSTR_INIT(de->name,
de->name_len);
+ u32 hash;
+ u32 minor_hash;
+
+ if (IS_CASEFOLDED(inode)) {
+ hash = EXT4_DIRENT_HASH(de);
+ minor_hash = EXT4_DIRENT_MINOR_HASH(de);
+ } else {
+ hash = 0;
+ minor_hash = 0;
+ }
/* Directory is encrypted */
err = fscrypt_fname_disk_to_usr(inode,
- EXT4_DIRENT_HASH(de),
- EXT4_DIRENT_MINOR_HASH(de),
- &de_name, &fstr);
+ hash, minor_hash, &de_name, &fstr);
de_name = fstr;
fstr.len = save_len;
if (err)
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 233/386] ext4: fix slab-use-after-free in ext4_split_extent_at()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 232/386] ext4: correct encrypted dentry name hash when not casefolded Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 234/386] ext4: propagate errors from ext4_find_extent() in ext4_insert_range() Greg Kroah-Hartman
` (163 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Baokun Li, Jan Kara,
Ojaswin Mujoo, Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit c26ab35702f8cd0cdc78f96aa5856bfb77be798f upstream.
We hit the following use-after-free:
==================================================================
BUG: KASAN: slab-use-after-free in ext4_split_extent_at+0xba8/0xcc0
Read of size 2 at addr ffff88810548ed08 by task kworker/u20:0/40
CPU: 0 PID: 40 Comm: kworker/u20:0 Not tainted 6.9.0-dirty #724
Call Trace:
<TASK>
kasan_report+0x93/0xc0
ext4_split_extent_at+0xba8/0xcc0
ext4_split_extent.isra.0+0x18f/0x500
ext4_split_convert_extents+0x275/0x750
ext4_ext_handle_unwritten_extents+0x73e/0x1580
ext4_ext_map_blocks+0xe20/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[...]
Allocated by task 40:
__kmalloc_noprof+0x1ac/0x480
ext4_find_extent+0xf3b/0x1e70
ext4_ext_map_blocks+0x188/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[...]
Freed by task 40:
kfree+0xf1/0x2b0
ext4_find_extent+0xa71/0x1e70
ext4_ext_insert_extent+0xa22/0x3260
ext4_split_extent_at+0x3ef/0xcc0
ext4_split_extent.isra.0+0x18f/0x500
ext4_split_convert_extents+0x275/0x750
ext4_ext_handle_unwritten_extents+0x73e/0x1580
ext4_ext_map_blocks+0xe20/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[...]
==================================================================
The flow of issue triggering is as follows:
ext4_split_extent_at
path = *ppath
ext4_ext_insert_extent(ppath)
ext4_ext_create_new_leaf(ppath)
ext4_find_extent(orig_path)
path = *orig_path
read_extent_tree_block
// return -ENOMEM or -EIO
ext4_free_ext_path(path)
kfree(path)
*orig_path = NULL
a. If err is -ENOMEM:
ext4_ext_dirty(path + path->p_depth)
// path use-after-free !!!
b. If err is -EIO and we have EXT_DEBUG defined:
ext4_ext_show_leaf(path)
eh = path[depth].p_hdr
// path also use-after-free !!!
So when trying to zeroout or fix the extent length, call ext4_find_extent()
to update the path.
In addition we use *ppath directly as an ext4_ext_show_leaf() input to
avoid possible use-after-free when EXT_DEBUG is defined, and to avoid
unnecessary path updates.
Fixes: dfe5080939ea ("ext4: drop EXT4_EX_NOFREE_ON_ERR from rest of extents handling code")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-4-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 21 ++++++++++++++++++++-
1 file changed, 20 insertions(+), 1 deletion(-)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -3230,6 +3230,25 @@ static int ext4_split_extent_at(handle_t
if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM)
goto out;
+ /*
+ * Update path is required because previous ext4_ext_insert_extent()
+ * may have freed or reallocated the path. Using EXT4_EX_NOFAIL
+ * guarantees that ext4_find_extent() will not return -ENOMEM,
+ * otherwise -ENOMEM will cause a retry in do_writepages(), and a
+ * WARN_ON may be triggered in ext4_da_update_reserve_space() due to
+ * an incorrect ee_len causing the i_reserved_data_blocks exception.
+ */
+ path = ext4_find_extent(inode, ee_block, ppath,
+ flags | EXT4_EX_NOFAIL);
+ if (IS_ERR(path)) {
+ EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",
+ split, PTR_ERR(path));
+ return PTR_ERR(path);
+ }
+ depth = ext_depth(inode);
+ ex = path[depth].p_ext;
+ *ppath = path;
+
if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
if (split_flag & EXT4_EXT_DATA_VALID1) {
@@ -3282,7 +3301,7 @@ fix_extent_len:
ext4_ext_dirty(handle, inode, path + path->p_depth);
return err;
out:
- ext4_ext_show_leaf(inode, path);
+ ext4_ext_show_leaf(inode, *ppath);
return err;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 234/386] ext4: propagate errors from ext4_find_extent() in ext4_insert_range()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 233/386] ext4: fix slab-use-after-free in ext4_split_extent_at() Greg Kroah-Hartman
@ 2024-10-08 12:07 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 235/386] ext4: fix incorrect tid assumption in ext4_fc_mark_ineligible() Greg Kroah-Hartman
` (162 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:07 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Baokun Li, Jan Kara,
Ojaswin Mujoo, Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 369c944ed1d7c3fb7b35f24e4735761153afe7b3 upstream.
Even though ext4_find_extent() returns an error, ext4_insert_range() still
returns 0. This may confuse the user as to why fallocate returns success,
but the contents of the file are not as expected. So propagate the error
returned by ext4_find_extent() to avoid inconsistencies.
Fixes: 331573febb6a ("ext4: Add support FALLOC_FL_INSERT_RANGE for fallocate")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-11-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -5549,6 +5549,7 @@ static int ext4_insert_range(struct file
path = ext4_find_extent(inode, offset_lblk, NULL, 0);
if (IS_ERR(path)) {
up_write(&EXT4_I(inode)->i_data_sem);
+ ret = PTR_ERR(path);
goto out_stop;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 235/386] ext4: fix incorrect tid assumption in ext4_fc_mark_ineligible()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2024-10-08 12:07 ` [PATCH 6.6 234/386] ext4: propagate errors from ext4_find_extent() in ext4_insert_range() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 236/386] ext4: dax: fix overflowing extents beyond inode size when partially writing Greg Kroah-Hartman
` (161 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luis Henriques (SUSE), Jan Kara,
Theodore Tso, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luis Henriques (SUSE) <luis.henriques@linux.dev>
commit ebc4b2c1ac92fc0f8bf3f5a9c285a871d5084a6b upstream.
Function jbd2_journal_shrink_checkpoint_list() assumes that '0' is not a
valid value for transaction IDs, which is incorrect.
Furthermore, the sbi->s_fc_ineligible_tid handling also makes the same
assumption by being initialised to '0'. Fortunately, the sb flag
EXT4_MF_FC_INELIGIBLE can be used to check whether sbi->s_fc_ineligible_tid
has been previously set instead of comparing it with '0'.
Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240724161119.13448-5-luis.henriques@linux.dev
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fast_commit.c | 15 +++++++++++----
1 file changed, 11 insertions(+), 4 deletions(-)
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -339,22 +339,29 @@ void ext4_fc_mark_ineligible(struct supe
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
tid_t tid;
+ bool has_transaction = true;
+ bool is_ineligible;
if (ext4_fc_disabled(sb))
return;
- ext4_set_mount_flag(sb, EXT4_MF_FC_INELIGIBLE);
if (handle && !IS_ERR(handle))
tid = handle->h_transaction->t_tid;
else {
read_lock(&sbi->s_journal->j_state_lock);
- tid = sbi->s_journal->j_running_transaction ?
- sbi->s_journal->j_running_transaction->t_tid : 0;
+ if (sbi->s_journal->j_running_transaction)
+ tid = sbi->s_journal->j_running_transaction->t_tid;
+ else
+ has_transaction = false;
read_unlock(&sbi->s_journal->j_state_lock);
}
spin_lock(&sbi->s_fc_lock);
- if (tid_gt(tid, sbi->s_fc_ineligible_tid))
+ is_ineligible = ext4_test_mount_flag(sb, EXT4_MF_FC_INELIGIBLE);
+ if (has_transaction &&
+ (!is_ineligible ||
+ (is_ineligible && tid_gt(tid, sbi->s_fc_ineligible_tid))))
sbi->s_fc_ineligible_tid = tid;
+ ext4_set_mount_flag(sb, EXT4_MF_FC_INELIGIBLE);
spin_unlock(&sbi->s_fc_lock);
WARN_ON(reason >= EXT4_FC_REASON_MAX);
sbi->s_fc_stats.fc_ineligible_reason_count[reason]++;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 236/386] ext4: dax: fix overflowing extents beyond inode size when partially writing
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 235/386] ext4: fix incorrect tid assumption in ext4_fc_mark_ineligible() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 237/386] ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() Greg Kroah-Hartman
` (160 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Jan Kara, Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhihao Cheng <chengzhihao1@huawei.com>
commit dda898d7ffe85931f9cca6d702a51f33717c501e upstream.
The dax_iomap_rw() does two things in each iteration: map written blocks
and copy user data to blocks. If the process is killed by user(See signal
handling in dax_iomap_iter()), the copied data will be returned and added
on inode size, which means that the length of written extents may exceed
the inode size, then fsck will fail. An example is given as:
dd if=/dev/urandom of=file bs=4M count=1
dax_iomap_rw
iomap_iter // round 1
ext4_iomap_begin
ext4_iomap_alloc // allocate 0~2M extents(written flag)
dax_iomap_iter // copy 2M data
iomap_iter // round 2
iomap_iter_advance
iter->pos += iter->processed // iter->pos = 2M
ext4_iomap_begin
ext4_iomap_alloc // allocate 2~4M extents(written flag)
dax_iomap_iter
fatal_signal_pending
done = iter->pos - iocb->ki_pos // done = 2M
ext4_handle_inode_extension
ext4_update_inode_size // inode size = 2M
fsck reports: Inode 13, i_size is 2097152, should be 4194304. Fix?
Fix the problem by truncating extents if the written length is smaller
than expected.
Fixes: 776722e85d3b ("ext4: DAX iomap write support")
CC: stable@vger.kernel.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=219136
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://patch.msgid.link/20240809121532.2105494-1-chengzhihao@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/file.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -334,10 +334,10 @@ static ssize_t ext4_handle_inode_extensi
* Clean up the inode after DIO or DAX extending write has completed and the
* inode size has been updated using ext4_handle_inode_extension().
*/
-static void ext4_inode_extension_cleanup(struct inode *inode, ssize_t count)
+static void ext4_inode_extension_cleanup(struct inode *inode, bool need_trunc)
{
lockdep_assert_held_write(&inode->i_rwsem);
- if (count < 0) {
+ if (need_trunc) {
ext4_truncate_failed_write(inode);
/*
* If the truncate operation failed early, then the inode may
@@ -586,7 +586,7 @@ static ssize_t ext4_dio_write_iter(struc
* writeback of delalloc blocks.
*/
WARN_ON_ONCE(ret == -EIOCBQUEUED);
- ext4_inode_extension_cleanup(inode, ret);
+ ext4_inode_extension_cleanup(inode, ret < 0);
}
out:
@@ -670,7 +670,7 @@ ext4_dax_write_iter(struct kiocb *iocb,
if (extend) {
ret = ext4_handle_inode_extension(inode, offset, ret);
- ext4_inode_extension_cleanup(inode, ret);
+ ext4_inode_extension_cleanup(inode, ret < (ssize_t)count);
}
out:
inode_unlock(inode);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 237/386] ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 236/386] ext4: dax: fix overflowing extents beyond inode size when partially writing Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 238/386] ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free Greg Kroah-Hartman
` (159 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luis Henriques (SUSE), Jan Kara,
Theodore Tso, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luis Henriques (SUSE) <luis.henriques@linux.dev>
commit 972090651ee15e51abfb2160e986fa050cfc7a40 upstream.
Function __jbd2_log_wait_for_space() assumes that '0' is not a valid value
for transaction IDs, which is incorrect. Don't assume that and invoke
jbd2_log_wait_commit() if the journal had a committing transaction instead.
Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240724161119.13448-3-luis.henriques@linux.dev
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/checkpoint.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/jbd2/checkpoint.c
+++ b/fs/jbd2/checkpoint.c
@@ -79,9 +79,12 @@ __releases(&journal->j_state_lock)
if (space_left < nblocks) {
int chkpt = journal->j_checkpoint_transactions != NULL;
tid_t tid = 0;
+ bool has_transaction = false;
- if (journal->j_committing_transaction)
+ if (journal->j_committing_transaction) {
tid = journal->j_committing_transaction->t_tid;
+ has_transaction = true;
+ }
spin_unlock(&journal->j_list_lock);
write_unlock(&journal->j_state_lock);
if (chkpt) {
@@ -89,7 +92,7 @@ __releases(&journal->j_state_lock)
} else if (jbd2_cleanup_journal_tail(journal) == 0) {
/* We were able to recover space; yay! */
;
- } else if (tid) {
+ } else if (has_transaction) {
/*
* jbd2_journal_commit_transaction() may want
* to take the checkpoint_mutex if JBD2_FLUSHED
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 238/386] ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 237/386] ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 239/386] ext4: aovid use-after-free in ext4_ext_insert_extent() Greg Kroah-Hartman
` (158 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Baokun Li, Jan Kara,
Ojaswin Mujoo, Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 5c0f4cc84d3a601c99bc5e6e6eb1cbda542cce95 upstream.
When calling ext4_force_split_extent_at() in ext4_ext_replay_update_ex(),
the 'ppath' is updated but it is the 'path' that is freed, thus potentially
triggering a double-free in the following process:
ext4_ext_replay_update_ex
ppath = path
ext4_force_split_extent_at(&ppath)
ext4_split_extent_at
ext4_ext_insert_extent
ext4_ext_create_new_leaf
ext4_ext_grow_indepth
ext4_find_extent
if (depth > path[0].p_maxdepth)
kfree(path) ---> path First freed
*orig_path = path = NULL ---> null ppath
kfree(path) ---> path double-free !!!
So drop the unnecessary ppath and use path directly to avoid this problem.
And use ext4_find_extent() directly to update path, avoiding unnecessary
memory allocation and freeing. Also, propagate the error returned by
ext4_find_extent() instead of using strange error codes.
Fixes: 8016e29f4362 ("ext4: fast commit recovery path")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-8-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 21 ++++++++++-----------
1 file changed, 10 insertions(+), 11 deletions(-)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -5895,7 +5895,7 @@ out:
int ext4_ext_replay_update_ex(struct inode *inode, ext4_lblk_t start,
int len, int unwritten, ext4_fsblk_t pblk)
{
- struct ext4_ext_path *path = NULL, *ppath;
+ struct ext4_ext_path *path;
struct ext4_extent *ex;
int ret;
@@ -5911,30 +5911,29 @@ int ext4_ext_replay_update_ex(struct ino
if (le32_to_cpu(ex->ee_block) != start ||
ext4_ext_get_actual_len(ex) != len) {
/* We need to split this extent to match our extent first */
- ppath = path;
down_write(&EXT4_I(inode)->i_data_sem);
- ret = ext4_force_split_extent_at(NULL, inode, &ppath, start, 1);
+ ret = ext4_force_split_extent_at(NULL, inode, &path, start, 1);
up_write(&EXT4_I(inode)->i_data_sem);
if (ret)
goto out;
- kfree(path);
- path = ext4_find_extent(inode, start, NULL, 0);
+
+ path = ext4_find_extent(inode, start, &path, 0);
if (IS_ERR(path))
- return -1;
- ppath = path;
+ return PTR_ERR(path);
ex = path[path->p_depth].p_ext;
WARN_ON(le32_to_cpu(ex->ee_block) != start);
+
if (ext4_ext_get_actual_len(ex) != len) {
down_write(&EXT4_I(inode)->i_data_sem);
- ret = ext4_force_split_extent_at(NULL, inode, &ppath,
+ ret = ext4_force_split_extent_at(NULL, inode, &path,
start + len, 1);
up_write(&EXT4_I(inode)->i_data_sem);
if (ret)
goto out;
- kfree(path);
- path = ext4_find_extent(inode, start, NULL, 0);
+
+ path = ext4_find_extent(inode, start, &path, 0);
if (IS_ERR(path))
- return -EINVAL;
+ return PTR_ERR(path);
ex = path[path->p_depth].p_ext;
}
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 239/386] ext4: aovid use-after-free in ext4_ext_insert_extent()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 238/386] ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 240/386] ext4: fix double brelse() the buffer of the extents path Greg Kroah-Hartman
` (157 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ojaswin Mujoo, stable, Baokun Li,
Jan Kara, Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit a164f3a432aae62ca23d03e6d926b122ee5b860d upstream.
As Ojaswin mentioned in Link, in ext4_ext_insert_extent(), if the path is
reallocated in ext4_ext_create_new_leaf(), we'll use the stale path and
cause UAF. Below is a sample trace with dummy values:
ext4_ext_insert_extent
path = *ppath = 2000
ext4_ext_create_new_leaf(ppath)
ext4_find_extent(ppath)
path = *ppath = 2000
if (depth > path[0].p_maxdepth)
kfree(path = 2000);
*ppath = path = NULL;
path = kcalloc() = 3000
*ppath = 3000;
return path;
/* here path is still 2000, UAF! */
eh = path[depth].p_hdr
==================================================================
BUG: KASAN: slab-use-after-free in ext4_ext_insert_extent+0x26d4/0x3330
Read of size 8 at addr ffff8881027bf7d0 by task kworker/u36:1/179
CPU: 3 UID: 0 PID: 179 Comm: kworker/u6:1 Not tainted 6.11.0-rc2-dirty #866
Call Trace:
<TASK>
ext4_ext_insert_extent+0x26d4/0x3330
ext4_ext_map_blocks+0xe22/0x2d40
ext4_map_blocks+0x71e/0x1700
ext4_do_writepages+0x1290/0x2800
[...]
Allocated by task 179:
ext4_find_extent+0x81c/0x1f70
ext4_ext_map_blocks+0x146/0x2d40
ext4_map_blocks+0x71e/0x1700
ext4_do_writepages+0x1290/0x2800
ext4_writepages+0x26d/0x4e0
do_writepages+0x175/0x700
[...]
Freed by task 179:
kfree+0xcb/0x240
ext4_find_extent+0x7c0/0x1f70
ext4_ext_insert_extent+0xa26/0x3330
ext4_ext_map_blocks+0xe22/0x2d40
ext4_map_blocks+0x71e/0x1700
ext4_do_writepages+0x1290/0x2800
ext4_writepages+0x26d/0x4e0
do_writepages+0x175/0x700
[...]
==================================================================
So use *ppath to update the path to avoid the above problem.
Reported-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Closes: https://lore.kernel.org/r/ZqyL6rmtwl6N4MWR@li-bb2b2a4c-3307-11b2-a85c-8fa5c3a69313.ibm.com
Fixes: 10809df84a4d ("ext4: teach ext4_ext_find_extent() to realloc path if necessary")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240822023545.1994557-7-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -2103,6 +2103,7 @@ prepend:
ppath, newext);
if (err)
goto cleanup;
+ path = *ppath;
depth = ext_depth(inode);
eh = path[depth].p_hdr;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 240/386] ext4: fix double brelse() the buffer of the extents path
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 239/386] ext4: aovid use-after-free in ext4_ext_insert_extent() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 241/386] ext4: fix timer use-after-free on failed mount Greg Kroah-Hartman
` (156 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Baokun Li, Jan Kara,
Ojaswin Mujoo, Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit dcaa6c31134c0f515600111c38ed7750003e1b9c upstream.
In ext4_ext_try_to_merge_up(), set path[1].p_bh to NULL after it has been
released, otherwise it may be released twice. An example of what triggers
this is as follows:
split2 map split1
|--------|-------|--------|
ext4_ext_map_blocks
ext4_ext_handle_unwritten_extents
ext4_split_convert_extents
// path->p_depth == 0
ext4_split_extent
// 1. do split1
ext4_split_extent_at
|ext4_ext_insert_extent
| ext4_ext_create_new_leaf
| ext4_ext_grow_indepth
| le16_add_cpu(&neh->eh_depth, 1)
| ext4_find_extent
| // return -ENOMEM
|// get error and try zeroout
|path = ext4_find_extent
| path->p_depth = 1
|ext4_ext_try_to_merge
| ext4_ext_try_to_merge_up
| path->p_depth = 0
| brelse(path[1].p_bh) ---> not set to NULL here
|// zeroout success
// 2. update path
ext4_find_extent
// 3. do split2
ext4_split_extent_at
ext4_ext_insert_extent
ext4_ext_create_new_leaf
ext4_ext_grow_indepth
le16_add_cpu(&neh->eh_depth, 1)
ext4_find_extent
path[0].p_bh = NULL;
path->p_depth = 1
read_extent_tree_block ---> return err
// path[1].p_bh is still the old value
ext4_free_ext_path
ext4_ext_drop_refs
// path->p_depth == 1
brelse(path[1].p_bh) ---> brelse a buffer twice
Finally got the following WARRNING when removing the buffer from lru:
============================================
VFS: brelse: Trying to free free buffer
WARNING: CPU: 2 PID: 72 at fs/buffer.c:1241 __brelse+0x58/0x90
CPU: 2 PID: 72 Comm: kworker/u19:1 Not tainted 6.9.0-dirty #716
RIP: 0010:__brelse+0x58/0x90
Call Trace:
<TASK>
__find_get_block+0x6e7/0x810
bdev_getblk+0x2b/0x480
__ext4_get_inode_loc+0x48a/0x1240
ext4_get_inode_loc+0xb2/0x150
ext4_reserve_inode_write+0xb7/0x230
__ext4_mark_inode_dirty+0x144/0x6a0
ext4_ext_insert_extent+0x9c8/0x3230
ext4_ext_map_blocks+0xf45/0x2dc0
ext4_map_blocks+0x724/0x1700
ext4_do_writepages+0x12d6/0x2a70
[...]
============================================
Fixes: ecb94f5fdf4b ("ext4: collapse a single extent tree block into the inode if possible")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Tested-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://patch.msgid.link/20240822023545.1994557-9-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -1877,6 +1877,7 @@ static void ext4_ext_try_to_merge_up(han
path[0].p_hdr->eh_max = cpu_to_le16(max_root);
brelse(path[1].p_bh);
+ path[1].p_bh = NULL;
ext4_free_blocks(handle, inode, NULL, blk, 1,
EXT4_FREE_BLOCKS_METADATA | EXT4_FREE_BLOCKS_FORGET);
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 241/386] ext4: fix timer use-after-free on failed mount
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 240/386] ext4: fix double brelse() the buffer of the extents path Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 242/386] ext4: update orig_path in ext4_find_extent() Greg Kroah-Hartman
` (155 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaxi Shen, Theodore Tso, stable,
syzbot+59e0101c430934bc9a36
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaxi Shen <shenxiaxi26@gmail.com>
commit 0ce160c5bdb67081a62293028dc85758a8efb22a upstream.
Syzbot has found an ODEBUG bug in ext4_fill_super
The del_timer_sync function cancels the s_err_report timer,
which reminds about filesystem errors daily. We should
guarantee the timer is no longer active before kfree(sbi).
When filesystem mounting fails, the flow goes to failed_mount3,
where an error occurs when ext4_stop_mmpd is called, causing
a read I/O failure. This triggers the ext4_handle_error function
that ultimately re-arms the timer,
leaving the s_err_report timer active before kfree(sbi) is called.
Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd.
Signed-off-by: Xiaxi Shen <shenxiaxi26@gmail.com>
Reported-and-tested-by: syzbot+59e0101c430934bc9a36@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=59e0101c430934bc9a36
Link: https://patch.msgid.link/20240715043336.98097-1-shenxiaxi26@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5659,8 +5659,8 @@ failed_mount3a:
failed_mount3:
/* flush s_sb_upd_work before sbi destroy */
flush_work(&sbi->s_sb_upd_work);
- del_timer_sync(&sbi->s_err_report);
ext4_stop_mmpd(sbi);
+ del_timer_sync(&sbi->s_err_report);
ext4_group_desc_free(sbi);
failed_mount:
if (sbi->s_chksum_driver)
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 242/386] ext4: update orig_path in ext4_find_extent()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 241/386] ext4: fix timer use-after-free on failed mount Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 243/386] ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() Greg Kroah-Hartman
` (154 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Baokun Li, Jan Kara,
Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit 5b4b2dcace35f618fe361a87bae6f0d13af31bc1 upstream.
In ext4_find_extent(), if the path is not big enough, we free it and set
*orig_path to NULL. But after reallocating and successfully initializing
the path, we don't update *orig_path, in which case the caller gets a
valid path but a NULL ppath, and this may cause a NULL pointer dereference
or a path memory leak. For example:
ext4_split_extent
path = *ppath = 2000
ext4_find_extent
if (depth > path[0].p_maxdepth)
kfree(path = 2000);
*orig_path = path = NULL;
path = kcalloc() = 3000
ext4_split_extent_at(*ppath = NULL)
path = *ppath;
ex = path[depth].p_ext;
// NULL pointer dereference!
==================================================================
BUG: kernel NULL pointer dereference, address: 0000000000000010
CPU: 6 UID: 0 PID: 576 Comm: fsstress Not tainted 6.11.0-rc2-dirty #847
RIP: 0010:ext4_split_extent_at+0x6d/0x560
Call Trace:
<TASK>
ext4_split_extent.isra.0+0xcb/0x1b0
ext4_ext_convert_to_initialized+0x168/0x6c0
ext4_ext_handle_unwritten_extents+0x325/0x4d0
ext4_ext_map_blocks+0x520/0xdb0
ext4_map_blocks+0x2b0/0x690
ext4_iomap_begin+0x20e/0x2c0
[...]
==================================================================
Therefore, *orig_path is updated when the extent lookup succeeds, so that
the caller can safely use path or *ppath.
Fixes: 10809df84a4d ("ext4: teach ext4_ext_find_extent() to realloc path if necessary")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240822023545.1994557-6-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/extents.c | 3 ++-
fs/ext4/move_extent.c | 1 -
2 files changed, 2 insertions(+), 2 deletions(-)
--- a/fs/ext4/extents.c
+++ b/fs/ext4/extents.c
@@ -957,6 +957,8 @@ ext4_find_extent(struct inode *inode, ex
ext4_ext_show_path(inode, path);
+ if (orig_path)
+ *orig_path = path;
return path;
err:
@@ -3249,7 +3251,6 @@ static int ext4_split_extent_at(handle_t
}
depth = ext_depth(inode);
ex = path[depth].p_ext;
- *ppath = path;
if (EXT4_EXT_MAY_ZEROOUT & split_flag) {
if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {
--- a/fs/ext4/move_extent.c
+++ b/fs/ext4/move_extent.c
@@ -36,7 +36,6 @@ get_ext_path(struct inode *inode, ext4_l
*ppath = NULL;
return -ENODATA;
}
- *ppath = path;
return 0;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 243/386] ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 242/386] ext4: update orig_path in ext4_find_extent() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 244/386] ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list() Greg Kroah-Hartman
` (153 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luis Henriques (SUSE), Jan Kara,
Theodore Tso, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luis Henriques (SUSE) <luis.henriques@linux.dev>
commit dd589b0f1445e1ea1085b98edca6e4d5dedb98d0 upstream.
Function ext4_wait_for_tail_page_commit() assumes that '0' is not a valid
value for transaction IDs, which is incorrect. Don't assume that and invoke
jbd2_log_wait_commit() if the journal had a committing transaction instead.
Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240724161119.13448-2-luis.henriques@linux.dev
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 11 +++++++----
1 file changed, 7 insertions(+), 4 deletions(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5257,8 +5257,9 @@ static void ext4_wait_for_tail_page_comm
{
unsigned offset;
journal_t *journal = EXT4_SB(inode->i_sb)->s_journal;
- tid_t commit_tid = 0;
+ tid_t commit_tid;
int ret;
+ bool has_transaction;
offset = inode->i_size & (PAGE_SIZE - 1);
/*
@@ -5283,12 +5284,14 @@ static void ext4_wait_for_tail_page_comm
folio_put(folio);
if (ret != -EBUSY)
return;
- commit_tid = 0;
+ has_transaction = false;
read_lock(&journal->j_state_lock);
- if (journal->j_committing_transaction)
+ if (journal->j_committing_transaction) {
commit_tid = journal->j_committing_transaction->t_tid;
+ has_transaction = true;
+ }
read_unlock(&journal->j_state_lock);
- if (commit_tid)
+ if (has_transaction)
jbd2_log_wait_commit(journal, commit_tid);
}
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 244/386] ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 243/386] ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 245/386] ext4: fix fast commit inode enqueueing during a full journal commit Greg Kroah-Hartman
` (152 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luis Henriques (SUSE), Jan Kara,
Theodore Tso, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luis Henriques (SUSE) <luis.henriques@linux.dev>
commit 7a6443e1dad70281f99f0bd394d7fd342481a632 upstream.
Function jbd2_journal_shrink_checkpoint_list() assumes that '0' is not a
valid value for transaction IDs, which is incorrect. Don't assume that and
use two extra boolean variables to control the loop iterations and keep
track of the first and last tid.
Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240724161119.13448-4-luis.henriques@linux.dev
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/checkpoint.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/jbd2/checkpoint.c
+++ b/fs/jbd2/checkpoint.c
@@ -412,6 +412,7 @@ unsigned long jbd2_journal_shrink_checkp
tid_t tid = 0;
unsigned long nr_freed = 0;
unsigned long freed;
+ bool first_set = false;
again:
spin_lock(&journal->j_list_lock);
@@ -431,8 +432,10 @@ again:
else
transaction = journal->j_checkpoint_transactions;
- if (!first_tid)
+ if (!first_set) {
first_tid = transaction->t_tid;
+ first_set = true;
+ }
last_transaction = journal->j_checkpoint_transactions->t_cpprev;
next_transaction = transaction;
last_tid = last_transaction->t_tid;
@@ -462,7 +465,7 @@ again:
spin_unlock(&journal->j_list_lock);
cond_resched();
- if (*nr_to_scan && next_tid)
+ if (*nr_to_scan && journal->j_shrink_transaction)
goto again;
out:
trace_jbd2_shrink_checkpoint_list(journal, first_tid, tid, last_tid,
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 245/386] ext4: fix fast commit inode enqueueing during a full journal commit
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 244/386] ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 246/386] ext4: use handle to mark fc as ineligible in __track_dentry_update() Greg Kroah-Hartman
` (151 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Luis Henriques (SUSE),
Theodore Tso, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luis Henriques (SUSE) <luis.henriques@linux.dev>
commit 6db3c1575a750fd417a70e0178bdf6efa0dd5037 upstream.
When a full journal commit is on-going, any fast commit has to be enqueued
into a different queue: FC_Q_STAGING instead of FC_Q_MAIN. This enqueueing
is done only once, i.e. if an inode is already queued in a previous fast
commit entry it won't be enqueued again. However, if a full commit starts
_after_ the inode is enqueued into FC_Q_MAIN, the next fast commit needs to
be done into FC_Q_STAGING. And this is not being done in function
ext4_fc_track_template().
This patch fixes the issue by re-enqueuing an inode into the STAGING queue
during the fast commit clean-up callback when doing a full commit. However,
to prevent a race with a fast-commit, the clean-up callback has to be called
with the journal locked.
This bug was found using fstest generic/047. This test creates several 32k
bytes files, sync'ing each of them after it's creation, and then shutting
down the filesystem. Some data may be loss in this operation; for example a
file may have it's size truncated to zero.
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240717172220.14201-1-luis.henriques@linux.dev
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fast_commit.c | 15 ++++++++++++++-
fs/jbd2/journal.c | 2 +-
2 files changed, 15 insertions(+), 2 deletions(-)
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -1295,8 +1295,21 @@ static void ext4_fc_cleanup(journal_t *j
list_del_init(&iter->i_fc_list);
ext4_clear_inode_state(&iter->vfs_inode,
EXT4_STATE_FC_COMMITTING);
- if (tid_geq(tid, iter->i_sync_tid))
+ if (tid_geq(tid, iter->i_sync_tid)) {
ext4_fc_reset_inode(&iter->vfs_inode);
+ } else if (full) {
+ /*
+ * We are called after a full commit, inode has been
+ * modified while the commit was running. Re-enqueue
+ * the inode into STAGING, which will then be splice
+ * back into MAIN. This cannot happen during
+ * fastcommit because the journal is locked all the
+ * time in that case (and tid doesn't increase so
+ * tid check above isn't reliable).
+ */
+ list_add_tail(&EXT4_I(&iter->vfs_inode)->i_fc_list,
+ &sbi->s_fc_q[FC_Q_STAGING]);
+ }
/* Make sure EXT4_STATE_FC_COMMITTING bit is clear */
smp_mb();
#if (BITS_PER_LONG < 64)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -755,9 +755,9 @@ EXPORT_SYMBOL(jbd2_fc_begin_commit);
*/
static int __jbd2_fc_end_commit(journal_t *journal, tid_t tid, bool fallback)
{
- jbd2_journal_unlock_updates(journal);
if (journal->j_fc_cleanup_callback)
journal->j_fc_cleanup_callback(journal, 0, tid);
+ jbd2_journal_unlock_updates(journal);
write_lock(&journal->j_state_lock);
journal->j_flags &= ~JBD2_FAST_COMMIT_ONGOING;
if (fallback)
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 246/386] ext4: use handle to mark fc as ineligible in __track_dentry_update()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 245/386] ext4: fix fast commit inode enqueueing during a full journal commit Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 247/386] ext4: mark fc as ineligible using an handle in ext4_xattr_set() Greg Kroah-Hartman
` (150 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Luis Henriques (SUSE),
Theodore Tso, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luis Henriques (SUSE) <luis.henriques@linux.dev>
commit faab35a0370fd6e0821c7a8dd213492946fc776f upstream.
Calling ext4_fc_mark_ineligible() with a NULL handle is racy and may result
in a fast-commit being done before the filesystem is effectively marked as
ineligible. This patch fixes the calls to this function in
__track_dentry_update() by adding an extra parameter to the callback used in
ext4_fc_track_template().
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240923104909.18342-2-luis.henriques@linux.dev
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fast_commit.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -379,7 +379,7 @@ void ext4_fc_mark_ineligible(struct supe
*/
static int ext4_fc_track_template(
handle_t *handle, struct inode *inode,
- int (*__fc_track_fn)(struct inode *, void *, bool),
+ int (*__fc_track_fn)(handle_t *handle, struct inode *, void *, bool),
void *args, int enqueue)
{
bool update = false;
@@ -396,7 +396,7 @@ static int ext4_fc_track_template(
ext4_fc_reset_inode(inode);
ei->i_sync_tid = tid;
}
- ret = __fc_track_fn(inode, args, update);
+ ret = __fc_track_fn(handle, inode, args, update);
mutex_unlock(&ei->i_fc_lock);
if (!enqueue)
@@ -420,7 +420,8 @@ struct __track_dentry_update_args {
};
/* __track_fn for directory entry updates. Called with ei->i_fc_lock. */
-static int __track_dentry_update(struct inode *inode, void *arg, bool update)
+static int __track_dentry_update(handle_t *handle, struct inode *inode,
+ void *arg, bool update)
{
struct ext4_fc_dentry_update *node;
struct ext4_inode_info *ei = EXT4_I(inode);
@@ -435,14 +436,14 @@ static int __track_dentry_update(struct
if (IS_ENCRYPTED(dir)) {
ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_ENCRYPTED_FILENAME,
- NULL);
+ handle);
mutex_lock(&ei->i_fc_lock);
return -EOPNOTSUPP;
}
node = kmem_cache_alloc(ext4_fc_dentry_cachep, GFP_NOFS);
if (!node) {
- ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_NOMEM, NULL);
+ ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_NOMEM, handle);
mutex_lock(&ei->i_fc_lock);
return -ENOMEM;
}
@@ -454,7 +455,7 @@ static int __track_dentry_update(struct
node->fcd_name.name = kmalloc(dentry->d_name.len, GFP_NOFS);
if (!node->fcd_name.name) {
kmem_cache_free(ext4_fc_dentry_cachep, node);
- ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_NOMEM, NULL);
+ ext4_fc_mark_ineligible(sb, EXT4_FC_REASON_NOMEM, handle);
mutex_lock(&ei->i_fc_lock);
return -ENOMEM;
}
@@ -576,7 +577,8 @@ void ext4_fc_track_create(handle_t *hand
}
/* __track_fn for inode tracking */
-static int __track_inode(struct inode *inode, void *arg, bool update)
+static int __track_inode(handle_t *handle, struct inode *inode, void *arg,
+ bool update)
{
if (update)
return -EEXIST;
@@ -614,7 +616,8 @@ struct __track_range_args {
};
/* __track_fn for tracking data updates */
-static int __track_range(struct inode *inode, void *arg, bool update)
+static int __track_range(handle_t *handle, struct inode *inode, void *arg,
+ bool update)
{
struct ext4_inode_info *ei = EXT4_I(inode);
ext4_lblk_t oldstart;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 247/386] ext4: mark fc as ineligible using an handle in ext4_xattr_set()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 246/386] ext4: use handle to mark fc as ineligible in __track_dentry_update() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 248/386] parisc: Fix 64-bit userspace syscall path Greg Kroah-Hartman
` (149 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kara, Luis Henriques (SUSE),
Theodore Tso, stable
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luis Henriques (SUSE) <luis.henriques@linux.dev>
commit 04e6ce8f06d161399e5afde3df5dcfa9455b4952 upstream.
Calling ext4_fc_mark_ineligible() with a NULL handle is racy and may result
in a fast-commit being done before the filesystem is effectively marked as
ineligible. This patch moves the call to this function so that an handle
can be used. If a transaction fails to start, then there's not point in
trying to mark the filesystem as ineligible, and an error will eventually be
returned to user-space.
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Luis Henriques (SUSE) <luis.henriques@linux.dev>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240923104909.18342-3-luis.henriques@linux.dev
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/xattr.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -2554,6 +2554,8 @@ retry:
error = ext4_xattr_set_handle(handle, inode, name_index, name,
value, value_len, flags);
+ ext4_fc_mark_ineligible(inode->i_sb, EXT4_FC_REASON_XATTR,
+ handle);
error2 = ext4_journal_stop(handle);
if (error == -ENOSPC &&
ext4_should_retry_alloc(sb, &retries))
@@ -2561,7 +2563,6 @@ retry:
if (error == 0)
error = error2;
}
- ext4_fc_mark_ineligible(inode->i_sb, EXT4_FC_REASON_XATTR, NULL);
return error;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 248/386] parisc: Fix 64-bit userspace syscall path
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 247/386] ext4: mark fc as ineligible using an handle in ext4_xattr_set() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 249/386] parisc: Allow mmap(MAP_STACK) memory to automatically expand upwards Greg Kroah-Hartman
` (148 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@kernel.org>
commit d24449864da5838936669618356b0e30ca2999c3 upstream.
Currently the glibc isn't yet ported to 64-bit for hppa, so
there is no usable userspace available yet.
But it's possible to manually build a static 64-bit binary
and run that for testing. One such 64-bit test program is
available at http://ftp.parisc-linux.org/src/64bit.tar.gz
and it shows various issues with the existing 64-bit syscall
path in the kernel.
This patch fixes those issues.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v4.19+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/kernel/syscall.S | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/arch/parisc/kernel/syscall.S
+++ b/arch/parisc/kernel/syscall.S
@@ -243,10 +243,10 @@ linux_gateway_entry:
#ifdef CONFIG_64BIT
ldil L%sys_call_table, %r1
- or,= %r2,%r2,%r2
- addil L%(sys_call_table64-sys_call_table), %r1
+ or,ev %r2,%r2,%r2
+ ldil L%sys_call_table64, %r1
ldo R%sys_call_table(%r1), %r19
- or,= %r2,%r2,%r2
+ or,ev %r2,%r2,%r2
ldo R%sys_call_table64(%r1), %r19
#else
load32 sys_call_table, %r19
@@ -379,10 +379,10 @@ tracesys_next:
extrd,u %r19,63,1,%r2 /* W hidden in bottom bit */
ldil L%sys_call_table, %r1
- or,= %r2,%r2,%r2
- addil L%(sys_call_table64-sys_call_table), %r1
+ or,ev %r2,%r2,%r2
+ ldil L%sys_call_table64, %r1
ldo R%sys_call_table(%r1), %r19
- or,= %r2,%r2,%r2
+ or,ev %r2,%r2,%r2
ldo R%sys_call_table64(%r1), %r19
#else
load32 sys_call_table, %r19
@@ -1327,6 +1327,8 @@ ENTRY(sys_call_table)
END(sys_call_table)
#ifdef CONFIG_64BIT
+#undef __SYSCALL_WITH_COMPAT
+#define __SYSCALL_WITH_COMPAT(nr, native, compat) __SYSCALL(nr, native)
.align 8
ENTRY(sys_call_table64)
#include <asm/syscall_table_64.h> /* 64-bit syscalls */
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 249/386] parisc: Allow mmap(MAP_STACK) memory to automatically expand upwards
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 248/386] parisc: Fix 64-bit userspace syscall path Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 250/386] parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Greg Kroah-Hartman
` (147 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Camm Maguire, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@kernel.org>
commit 5d698966fa7b452035c44c937d704910bf3440dd upstream.
When userspace allocates memory with mmap() in order to be used for stack,
allow this memory region to automatically expand upwards up until the
current maximum process stack size.
The fault handler checks if the VM_GROWSUP bit is set in the vm_flags field
of a memory area before it allows it to expand.
This patch modifies the parisc specific code only.
A RFC for a generic patch to modify mmap() for all architectures was sent
to the mailing list but did not get enough Acks.
Reported-by: Camm Maguire <camm@maguirefamily.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: stable@vger.kernel.org # v5.10+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/include/asm/mman.h | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- a/arch/parisc/include/asm/mman.h
+++ b/arch/parisc/include/asm/mman.h
@@ -11,4 +11,18 @@ static inline bool arch_memory_deny_writ
}
#define arch_memory_deny_write_exec_supported arch_memory_deny_write_exec_supported
+static inline unsigned long arch_calc_vm_flag_bits(unsigned long flags)
+{
+ /*
+ * The stack on parisc grows upwards, so if userspace requests memory
+ * for a stack, mark it with VM_GROWSUP so that the stack expansion in
+ * the fault handler will work.
+ */
+ if (flags & MAP_STACK)
+ return VM_GROWSUP;
+
+ return 0;
+}
+#define arch_calc_vm_flag_bits(flags) arch_calc_vm_flag_bits(flags)
+
#endif /* __ASM_MMAN_H__ */
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 250/386] parisc: Fix stack start for ADDR_NO_RANDOMIZE personality
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 249/386] parisc: Allow mmap(MAP_STACK) memory to automatically expand upwards Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 251/386] drm/rockchip: vop: clear DMA stop bit on RK3066 Greg Kroah-Hartman
` (146 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Camm Maguire, Helge Deller
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Helge Deller <deller@gmx.de>
commit f31b256994acec6929306dfa86ac29716e7503d6 upstream.
Fix the stack start address calculation for the parisc architecture in
setup_arg_pages() when address randomization is disabled. When the
ADDR_NO_RANDOMIZE process personality is disabled there is no need to add
additional space for the stack.
Note that this patch touches code inside an #ifdef CONFIG_STACK_GROWSUP hunk,
which is why only the parisc architecture is affected since it's the
only Linux architecture where the stack grows upwards.
Without this patch you will find the stack in the middle of some
mapped libaries and suddenly limited to 6MB instead of 8MB:
root@parisc:~# setarch -R /bin/bash -c "cat /proc/self/maps"
00010000-00019000 r-xp 00000000 08:05 1182034 /usr/bin/cat
00019000-0001a000 rwxp 00009000 08:05 1182034 /usr/bin/cat
0001a000-0003b000 rwxp 00000000 00:00 0 [heap]
f90c4000-f9283000 r-xp 00000000 08:05 1573004 /usr/lib/hppa-linux-gnu/libc.so.6
f9283000-f9285000 r--p 001bf000 08:05 1573004 /usr/lib/hppa-linux-gnu/libc.so.6
f9285000-f928a000 rwxp 001c1000 08:05 1573004 /usr/lib/hppa-linux-gnu/libc.so.6
f928a000-f9294000 rwxp 00000000 00:00 0
f9301000-f9323000 rwxp 00000000 00:00 0 [stack]
f98b4000-f98e4000 r-xp 00000000 08:05 1572869 /usr/lib/hppa-linux-gnu/ld.so.1
f98e4000-f98e5000 r--p 00030000 08:05 1572869 /usr/lib/hppa-linux-gnu/ld.so.1
f98e5000-f98e9000 rwxp 00031000 08:05 1572869 /usr/lib/hppa-linux-gnu/ld.so.1
f9ad8000-f9b00000 rw-p 00000000 00:00 0
f9b00000-f9b01000 r-xp 00000000 00:00 0 [vdso]
With the patch the stack gets correctly mapped at the end
of the process memory map:
root@panama:~# setarch -R /bin/bash -c "cat /proc/self/maps"
00010000-00019000 r-xp 00000000 08:13 16385582 /usr/bin/cat
00019000-0001a000 rwxp 00009000 08:13 16385582 /usr/bin/cat
0001a000-0003b000 rwxp 00000000 00:00 0 [heap]
fef29000-ff0eb000 r-xp 00000000 08:13 16122400 /usr/lib/hppa-linux-gnu/libc.so.6
ff0eb000-ff0ed000 r--p 001c2000 08:13 16122400 /usr/lib/hppa-linux-gnu/libc.so.6
ff0ed000-ff0f2000 rwxp 001c4000 08:13 16122400 /usr/lib/hppa-linux-gnu/libc.so.6
ff0f2000-ff0fc000 rwxp 00000000 00:00 0
ff4b4000-ff4e4000 r-xp 00000000 08:13 16121913 /usr/lib/hppa-linux-gnu/ld.so.1
ff4e4000-ff4e6000 r--p 00030000 08:13 16121913 /usr/lib/hppa-linux-gnu/ld.so.1
ff4e6000-ff4ea000 rwxp 00032000 08:13 16121913 /usr/lib/hppa-linux-gnu/ld.so.1
ff6d7000-ff6ff000 rw-p 00000000 00:00 0
ff6ff000-ff700000 r-xp 00000000 00:00 0 [vdso]
ff700000-ff722000 rwxp 00000000 00:00 0 [stack]
Reported-by: Camm Maguire <camm@maguirefamily.org>
Signed-off-by: Helge Deller <deller@gmx.de>
Fixes: d045c77c1a69 ("parisc,metag: Fix crashes due to stack randomization on stack-grows-upwards architectures")
Fixes: 17d9822d4b4c ("parisc: Consider stack randomization for mmap base only when necessary")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exec.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/exec.c
+++ b/fs/exec.c
@@ -770,7 +770,8 @@ int setup_arg_pages(struct linux_binprm
stack_base = calc_max_stack_size(stack_base);
/* Add space for stack randomization. */
- stack_base += (STACK_RND_MASK << PAGE_SHIFT);
+ if (current->flags & PF_RANDOMIZE)
+ stack_base += (STACK_RND_MASK << PAGE_SHIFT);
/* Make sure we didn't let the argument array grow too large. */
if (vma->vm_end - vma->vm_start > stack_base)
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 251/386] drm/rockchip: vop: clear DMA stop bit on RK3066
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 250/386] parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 252/386] of: address: Report error on resource bounds overflow Greg Kroah-Hartman
` (145 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Val Packett, Heiko Stuebner
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
commit 6b44aa559d6c7f4ea591ef9d2352a7250138d62a upstream.
The RK3066 VOP sets a dma_stop bit when it's done scanning out a frame
and needs the driver to acknowledge that by clearing the bit.
Unless we clear it "between" frames, the RGB output only shows noise
instead of the picture. atomic_flush is the place for it that least
affects other code (doing it on vblank would require converting all
other usages of the reg_lock to spin_(un)lock_irq, which would affect
performance for everyone).
This seems to be a redundant synchronization mechanism that was removed
in later iterations of the VOP hardware block.
Fixes: f4a6de855eae ("drm: rockchip: vop: add rk3066 vop definitions")
Cc: stable@vger.kernel.org
Signed-off-by: Val Packett <val@packett.cool>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20240624204054.5524-2-val@packett.cool
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/rockchip/rockchip_drm_vop.c | 4 ++++
drivers/gpu/drm/rockchip/rockchip_drm_vop.h | 1 +
drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 1 +
3 files changed, 6 insertions(+)
--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.c
@@ -1566,6 +1566,10 @@ static void vop_crtc_atomic_flush(struct
VOP_AFBC_SET(vop, enable, s->enable_afbc);
vop_cfg_done(vop);
+ /* Ack the DMA transfer of the previous frame (RK3066). */
+ if (VOP_HAS_REG(vop, common, dma_stop))
+ VOP_REG_SET(vop, common, dma_stop, 0);
+
spin_unlock(&vop->reg_lock);
/*
--- a/drivers/gpu/drm/rockchip/rockchip_drm_vop.h
+++ b/drivers/gpu/drm/rockchip/rockchip_drm_vop.h
@@ -122,6 +122,7 @@ struct vop_common {
struct vop_reg lut_buffer_index;
struct vop_reg gate_en;
struct vop_reg mmu_en;
+ struct vop_reg dma_stop;
struct vop_reg out_mode;
struct vop_reg standby;
};
--- a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c
+++ b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c
@@ -435,6 +435,7 @@ static const struct vop_output rk3066_ou
};
static const struct vop_common rk3066_common = {
+ .dma_stop = VOP_REG(RK3066_SYS_CTRL0, 0x1, 0),
.standby = VOP_REG(RK3066_SYS_CTRL0, 0x1, 1),
.out_mode = VOP_REG(RK3066_DSP_CTRL0, 0xf, 0),
.cfg_done = VOP_REG(RK3066_REG_CFG_DONE, 0x1, 0),
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 252/386] of: address: Report error on resource bounds overflow
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (250 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 251/386] drm/rockchip: vop: clear DMA stop bit on RK3066 Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 253/386] of/irq: Support #msi-cells=<0> in of_msi_get_domain Greg Kroah-Hartman
` (144 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Weißschuh, Nam Cao,
Rob Herring (Arm)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
commit 000f6d588a8f3d128f89351058dc04d38e54a327 upstream.
The members "start" and "end" of struct resource are of type
"resource_size_t" which can be 32bit wide.
Values read from OF however are always 64bit wide.
Avoid silently truncating the value and instead return an error value.
This can happen on real systems when the DT was created for a
PAE-enabled kernel and a non-PAE kernel is actually running.
For example with an arm defconfig and "qemu-system-arm -M virt".
Link: https://bugs.launchpad.net/qemu/+bug/1790975
Signed-off-by: Thomas Weißschuh <thomas.weissschuh@linutronix.de>
Tested-by: Nam Cao <namcao@linutronix.de>
Reviewed-by: Nam Cao <namcao@linutronix.de>
Link: https://lore.kernel.org/r/20240905-of-resource-overflow-v1-1-0cd8bb92cc1f@linutronix.de
Cc: stable@vger.kernel.org
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/address.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/of/address.c
+++ b/drivers/of/address.c
@@ -8,6 +8,7 @@
#include <linux/logic_pio.h>
#include <linux/module.h>
#include <linux/of_address.h>
+#include <linux/overflow.h>
#include <linux/pci.h>
#include <linux/pci_regs.h>
#include <linux/sizes.h>
@@ -1142,7 +1143,11 @@ static int __of_address_to_resource(stru
if (of_mmio_is_nonposted(dev))
flags |= IORESOURCE_MEM_NONPOSTED;
+ if (overflows_type(taddr, r->start))
+ return -EOVERFLOW;
r->start = taddr;
+ if (overflows_type(taddr + size - 1, r->end))
+ return -EOVERFLOW;
r->end = taddr + size - 1;
r->flags = flags;
r->name = name ? name : dev->full_name;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 253/386] of/irq: Support #msi-cells=<0> in of_msi_get_domain
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (251 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 252/386] of: address: Report error on resource bounds overflow Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 254/386] drm: omapdrm: Add missing check for alloc_ordered_workqueue Greg Kroah-Hartman
` (143 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andrew Jones, Rob Herring (Arm)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrew Jones <ajones@ventanamicro.com>
commit db8e81132cf051843c9a59b46fa5a071c45baeb3 upstream.
An 'msi-parent' property with a single entry and no accompanying
'#msi-cells' property is considered the legacy definition as opposed
to its definition after being expanded with commit 126b16e2ad98
("Docs: dt: add generic MSI bindings"). However, the legacy
definition is completely compatible with the current definition and,
since of_phandle_iterator_next() tolerates missing and present-but-
zero *cells properties since commit e42ee61017f5 ("of: Let
of_for_each_phandle fallback to non-negative cell_count"), there's no
need anymore to special case the legacy definition in
of_msi_get_domain().
Indeed, special casing has turned out to be harmful, because, as of
commit 7c025238b47a ("dt-bindings: irqchip: Describe the IMX MU block
as a MSI controller"), MSI controller DT bindings have started
specifying '#msi-cells' as a required property (even when the value
must be zero) as an effort to make the bindings more explicit. But,
since the special casing of 'msi-parent' only uses the existence of
'#msi-cells' for its heuristic, and not whether or not it's also
nonzero, the legacy path is not taken. Furthermore, the path to
support the new, broader definition isn't taken either since that
path has been restricted to the platform-msi bus.
But, neither the definition of 'msi-parent' nor the definition of
'#msi-cells' is platform-msi-specific (the platform-msi bus was just
the first bus that needed '#msi-cells'), so remove both the special
casing and the restriction. The code removal also requires changing
to of_parse_phandle_with_optional_args() in order to ensure the
legacy (but compatible) use of 'msi-parent' remains supported. This
not only simplifies the code but also resolves an issue with PCI
devices finding their MSI controllers on riscv, as the riscv,imsics
binding requires '#msi-cells=<0>'.
Signed-off-by: Andrew Jones <ajones@ventanamicro.com>
Link: https://lore.kernel.org/r/20240817074107.31153-2-ajones@ventanamicro.com
Cc: stable@vger.kernel.org
Signed-off-by: Rob Herring (Arm) <robh@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/of/irq.c | 34 +++++++---------------------------
1 file changed, 7 insertions(+), 27 deletions(-)
--- a/drivers/of/irq.c
+++ b/drivers/of/irq.c
@@ -716,8 +716,7 @@ struct irq_domain *of_msi_map_get_device
* @np: device node for @dev
* @token: bus type for this domain
*
- * Parse the msi-parent property (both the simple and the complex
- * versions), and returns the corresponding MSI domain.
+ * Parse the msi-parent property and returns the corresponding MSI domain.
*
* Returns: the MSI domain for this device (or NULL on failure).
*/
@@ -725,33 +724,14 @@ struct irq_domain *of_msi_get_domain(str
struct device_node *np,
enum irq_domain_bus_token token)
{
- struct device_node *msi_np;
+ struct of_phandle_iterator it;
struct irq_domain *d;
+ int err;
- /* Check for a single msi-parent property */
- msi_np = of_parse_phandle(np, "msi-parent", 0);
- if (msi_np && !of_property_read_bool(msi_np, "#msi-cells")) {
- d = irq_find_matching_host(msi_np, token);
- if (!d)
- of_node_put(msi_np);
- return d;
- }
-
- if (token == DOMAIN_BUS_PLATFORM_MSI) {
- /* Check for the complex msi-parent version */
- struct of_phandle_args args;
- int index = 0;
-
- while (!of_parse_phandle_with_args(np, "msi-parent",
- "#msi-cells",
- index, &args)) {
- d = irq_find_matching_host(args.np, token);
- if (d)
- return d;
-
- of_node_put(args.np);
- index++;
- }
+ of_for_each_phandle(&it, err, np, "msi-parent", "#msi-cells", 0) {
+ d = irq_find_matching_host(it.node, token);
+ if (d)
+ return d;
}
return NULL;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 254/386] drm: omapdrm: Add missing check for alloc_ordered_workqueue
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (252 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 253/386] of/irq: Support #msi-cells=<0> in of_msi_get_domain Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 255/386] resource: fix region_intersects() vs add_memory_driver_managed() Greg Kroah-Hartman
` (142 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Tomi Valkeinen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make24@iscas.ac.cn>
commit e794b7b9b92977365c693760a259f8eef940c536 upstream.
As it may return NULL pointer and cause NULL pointer dereference. Add check
for the return value of alloc_ordered_workqueue.
Cc: stable@vger.kernel.org
Fixes: 2f95bc6d324a ("drm: omapdrm: Perform initialization/cleanup at probe/remove time")
Signed-off-by: Ma Ke <make24@iscas.ac.cn>
Signed-off-by: Tomi Valkeinen <tomi.valkeinen@ideasonboard.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240808061336.2796729-1-make24@iscas.ac.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/omapdrm/omap_drv.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/gpu/drm/omapdrm/omap_drv.c
+++ b/drivers/gpu/drm/omapdrm/omap_drv.c
@@ -695,6 +695,10 @@ static int omapdrm_init(struct omap_drm_
soc = soc_device_match(omapdrm_soc_devices);
priv->omaprev = soc ? (uintptr_t)soc->data : 0;
priv->wq = alloc_ordered_workqueue("omapdrm", 0);
+ if (!priv->wq) {
+ ret = -ENOMEM;
+ goto err_alloc_workqueue;
+ }
mutex_init(&priv->list_lock);
INIT_LIST_HEAD(&priv->obj_list);
@@ -753,6 +757,7 @@ err_gem_deinit:
drm_mode_config_cleanup(ddev);
omap_gem_deinit(ddev);
destroy_workqueue(priv->wq);
+err_alloc_workqueue:
omap_disconnect_pipelines(ddev);
drm_dev_put(ddev);
return ret;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 255/386] resource: fix region_intersects() vs add_memory_driver_managed()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (253 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 254/386] drm: omapdrm: Add missing check for alloc_ordered_workqueue Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 256/386] jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error Greg Kroah-Hartman
` (141 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Huang, Ying, Dan Williams,
David Hildenbrand, Davidlohr Bueso, Jonathan Cameron, Dave Jiang,
Alison Schofield, Vishal Verma, Ira Weiny, Alistair Popple,
Andy Shevchenko, Bjorn Helgaas, Baoquan He, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Huang Ying <ying.huang@intel.com>
commit b4afe4183ec77f230851ea139d91e5cf2644c68b upstream.
On a system with CXL memory, the resource tree (/proc/iomem) related to
CXL memory may look like something as follows.
490000000-50fffffff : CXL Window 0
490000000-50fffffff : region0
490000000-50fffffff : dax0.0
490000000-50fffffff : System RAM (kmem)
Because drivers/dax/kmem.c calls add_memory_driver_managed() during
onlining CXL memory, which makes "System RAM (kmem)" a descendant of "CXL
Window X". This confuses region_intersects(), which expects all "System
RAM" resources to be at the top level of iomem_resource. This can lead to
bugs.
For example, when the following command line is executed to write some
memory in CXL memory range via /dev/mem,
$ dd if=data of=/dev/mem bs=$((1 << 10)) seek=$((0x490000000 >> 10)) count=1
dd: error writing '/dev/mem': Bad address
1+0 records in
0+0 records out
0 bytes copied, 0.0283507 s, 0.0 kB/s
the command fails as expected. However, the error code is wrong. It
should be "Operation not permitted" instead of "Bad address". More
seriously, the /dev/mem permission checking in devmem_is_allowed() passes
incorrectly. Although the accessing is prevented later because ioremap()
isn't allowed to map system RAM, it is a potential security issue. During
command executing, the following warning is reported in the kernel log for
calling ioremap() on system RAM.
ioremap on RAM at 0x0000000490000000 - 0x0000000490000fff
WARNING: CPU: 2 PID: 416 at arch/x86/mm/ioremap.c:216 __ioremap_caller.constprop.0+0x131/0x35d
Call Trace:
memremap+0xcb/0x184
xlate_dev_mem_ptr+0x25/0x2f
write_mem+0x94/0xfb
vfs_write+0x128/0x26d
ksys_write+0xac/0xfe
do_syscall_64+0x9a/0xfd
entry_SYSCALL_64_after_hwframe+0x4b/0x53
The details of command execution process are as follows. In the above
resource tree, "System RAM" is a descendant of "CXL Window 0" instead of a
top level resource. So, region_intersects() will report no System RAM
resources in the CXL memory region incorrectly, because it only checks the
top level resources. Consequently, devmem_is_allowed() will return 1
(allow access via /dev/mem) for CXL memory region incorrectly.
Fortunately, ioremap() doesn't allow to map System RAM and reject the
access.
So, region_intersects() needs to be fixed to work correctly with the
resource tree with "System RAM" not at top level as above. To fix it, if
we found a unmatched resource in the top level, we will continue to search
matched resources in its descendant resources. So, we will not miss any
matched resources in resource tree anymore.
In the new implementation, an example resource tree
|------------- "CXL Window 0" ------------|
|-- "System RAM" --|
will behave similar as the following fake resource tree for
region_intersects(, IORESOURCE_SYSTEM_RAM, ),
|-- "System RAM" --||-- "CXL Window 0a" --|
Where "CXL Window 0a" is part of the original "CXL Window 0" that
isn't covered by "System RAM".
Link: https://lkml.kernel.org/r/20240906030713.204292-2-ying.huang@intel.com
Fixes: c221c0b0308f ("device-dax: "Hotplug" persistent memory for use like normal RAM")
Signed-off-by: "Huang, Ying" <ying.huang@intel.com>
Cc: Dan Williams <dan.j.williams@intel.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Davidlohr Bueso <dave@stgolabs.net>
Cc: Jonathan Cameron <jonathan.cameron@huawei.com>
Cc: Dave Jiang <dave.jiang@intel.com>
Cc: Alison Schofield <alison.schofield@intel.com>
Cc: Vishal Verma <vishal.l.verma@intel.com>
Cc: Ira Weiny <ira.weiny@intel.com>
Cc: Alistair Popple <apopple@nvidia.com>
Cc: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Cc: Bjorn Helgaas <bhelgaas@google.com>
Cc: Baoquan He <bhe@redhat.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/resource.c | 58 ++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 50 insertions(+), 8 deletions(-)
--- a/kernel/resource.c
+++ b/kernel/resource.c
@@ -493,20 +493,62 @@ static int __region_intersects(struct re
size_t size, unsigned long flags,
unsigned long desc)
{
- struct resource res;
+ resource_size_t ostart, oend;
int type = 0; int other = 0;
- struct resource *p;
+ struct resource *p, *dp;
+ bool is_type, covered;
+ struct resource res;
res.start = start;
res.end = start + size - 1;
for (p = parent->child; p ; p = p->sibling) {
- bool is_type = (((p->flags & flags) == flags) &&
- ((desc == IORES_DESC_NONE) ||
- (desc == p->desc)));
-
- if (resource_overlaps(p, &res))
- is_type ? type++ : other++;
+ if (!resource_overlaps(p, &res))
+ continue;
+ is_type = (p->flags & flags) == flags &&
+ (desc == IORES_DESC_NONE || desc == p->desc);
+ if (is_type) {
+ type++;
+ continue;
+ }
+ /*
+ * Continue to search in descendant resources as if the
+ * matched descendant resources cover some ranges of 'p'.
+ *
+ * |------------- "CXL Window 0" ------------|
+ * |-- "System RAM" --|
+ *
+ * will behave similar as the following fake resource
+ * tree when searching "System RAM".
+ *
+ * |-- "System RAM" --||-- "CXL Window 0a" --|
+ */
+ covered = false;
+ ostart = max(res.start, p->start);
+ oend = min(res.end, p->end);
+ for_each_resource(p, dp, false) {
+ if (!resource_overlaps(dp, &res))
+ continue;
+ is_type = (dp->flags & flags) == flags &&
+ (desc == IORES_DESC_NONE || desc == dp->desc);
+ if (is_type) {
+ type++;
+ /*
+ * Range from 'ostart' to 'dp->start'
+ * isn't covered by matched resource.
+ */
+ if (dp->start > ostart)
+ break;
+ if (dp->end >= oend) {
+ covered = true;
+ break;
+ }
+ /* Remove covered range */
+ ostart = max(ostart, dp->end + 1);
+ }
+ }
+ if (!covered)
+ other++;
}
if (type == 0)
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 256/386] jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (254 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 255/386] resource: fix region_intersects() vs add_memory_driver_managed() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 257/386] jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit Greg Kroah-Hartman
` (140 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Baokun Li, Jan Kara,
Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit f5cacdc6f2bb2a9bf214469dd7112b43dd2dd68a upstream.
In __jbd2_log_wait_for_space(), we might call jbd2_cleanup_journal_tail()
to recover some journal space. But if an error occurs while executing
jbd2_cleanup_journal_tail() (e.g., an EIO), we don't stop waiting for free
space right away, we try other branches, and if j_committing_transaction
is NULL (i.e., the tid is 0), we will get the following complain:
============================================
JBD2: I/O error when updating journal superblock for sdd-8.
__jbd2_log_wait_for_space: needed 256 blocks and only had 217 space available
__jbd2_log_wait_for_space: no way to get more journal space in sdd-8
------------[ cut here ]------------
WARNING: CPU: 2 PID: 139804 at fs/jbd2/checkpoint.c:109 __jbd2_log_wait_for_space+0x251/0x2e0
Modules linked in:
CPU: 2 PID: 139804 Comm: kworker/u8:3 Not tainted 6.6.0+ #1
RIP: 0010:__jbd2_log_wait_for_space+0x251/0x2e0
Call Trace:
<TASK>
add_transaction_credits+0x5d1/0x5e0
start_this_handle+0x1ef/0x6a0
jbd2__journal_start+0x18b/0x340
ext4_dirty_inode+0x5d/0xb0
__mark_inode_dirty+0xe4/0x5d0
generic_update_time+0x60/0x70
[...]
============================================
So only if jbd2_cleanup_journal_tail() returns 1, i.e., there is nothing to
clean up at the moment, continue to try to reclaim free space in other ways.
Note that this fix relies on commit 6f6a6fda2945 ("jbd2: fix ocfs2 corrupt
when updating journal superblock fails") to make jbd2_cleanup_journal_tail
return the correct error code.
Fixes: 8c3f25d8950c ("jbd2: don't give up looking for space so easily in __jbd2_log_wait_for_space")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://patch.msgid.link/20240718115336.2554501-1-libaokun@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/checkpoint.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/fs/jbd2/checkpoint.c
+++ b/fs/jbd2/checkpoint.c
@@ -89,8 +89,11 @@ __releases(&journal->j_state_lock)
write_unlock(&journal->j_state_lock);
if (chkpt) {
jbd2_log_do_checkpoint(journal);
- } else if (jbd2_cleanup_journal_tail(journal) == 0) {
- /* We were able to recover space; yay! */
+ } else if (jbd2_cleanup_journal_tail(journal) <= 0) {
+ /*
+ * We were able to recover space or the
+ * journal was aborted due to an error.
+ */
;
} else if (has_transaction) {
/*
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 257/386] jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (255 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 256/386] jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 258/386] mm: krealloc: consider spare memory for __GFP_ZERO Greg Kroah-Hartman
` (139 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kemeng Shi, Jan Kara, Zhang Yi,
stable, Theodore Tso
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kemeng Shi <shikemeng@huaweicloud.com>
commit f0e3c14802515f60a47e6ef347ea59c2733402aa upstream.
Use tid_geq to compare tids to work over sequence number wraps.
Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Zhang Yi <yi.zhang@huawei.com>
Cc: stable@kernel.org
Link: https://patch.msgid.link/20240801013815.2393869-2-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/journal.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -725,7 +725,7 @@ int jbd2_fc_begin_commit(journal_t *jour
return -EINVAL;
write_lock(&journal->j_state_lock);
- if (tid <= journal->j_commit_sequence) {
+ if (tid_geq(journal->j_commit_sequence, tid)) {
write_unlock(&journal->j_state_lock);
return -EALREADY;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 258/386] mm: krealloc: consider spare memory for __GFP_ZERO
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (256 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 257/386] jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 259/386] ocfs2: fix the la space leak when unmounting an ocfs2 volume Greg Kroah-Hartman
` (138 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Danilo Krummrich, Vlastimil Babka,
David Rientjes, Christoph Lameter, Hyeonggon Yoo, Joonsoo Kim,
Pekka Enberg, Roman Gushchin, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Danilo Krummrich <dakr@kernel.org>
commit 1a83a716ec233990e1fd5b6fbb1200ade63bf450 upstream.
As long as krealloc() is called with __GFP_ZERO consistently, starting
with the initial memory allocation, __GFP_ZERO should be fully honored.
However, if for an existing allocation krealloc() is called with a
decreased size, it is not ensured that the spare portion the allocation is
zeroed. Thus, if krealloc() is subsequently called with a larger size
again, __GFP_ZERO can't be fully honored, since we don't know the previous
size, but only the bucket size.
Example:
buf = kzalloc(64, GFP_KERNEL);
memset(buf, 0xff, 64);
buf = krealloc(buf, 48, GFP_KERNEL | __GFP_ZERO);
/* After this call the last 16 bytes are still 0xff. */
buf = krealloc(buf, 64, GFP_KERNEL | __GFP_ZERO);
Fix this, by explicitly setting spare memory to zero, when shrinking an
allocation with __GFP_ZERO flag set or init_on_alloc enabled.
Link: https://lkml.kernel.org/r/20240812223707.32049-1-dakr@kernel.org
Signed-off-by: Danilo Krummrich <dakr@kernel.org>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Acked-by: David Rientjes <rientjes@google.com>
Cc: Christoph Lameter <cl@linux.com>
Cc: Hyeonggon Yoo <42.hyeyoo@gmail.com>
Cc: Joonsoo Kim <iamjoonsoo.kim@lge.com>
Cc: Pekka Enberg <penberg@kernel.org>
Cc: Roman Gushchin <roman.gushchin@linux.dev>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/slab_common.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -1388,6 +1388,13 @@ __do_krealloc(const void *p, size_t new_
/* If the object still fits, repoison it precisely. */
if (ks >= new_size) {
+ /* Zero out spare memory. */
+ if (want_init_on_alloc(flags)) {
+ kasan_disable_current();
+ memset((void *)p + new_size, 0, ks - new_size);
+ kasan_enable_current();
+ }
+
p = kasan_krealloc((void *)p, new_size, flags);
return (void *)p;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 259/386] ocfs2: fix the la space leak when unmounting an ocfs2 volume
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (257 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 258/386] mm: krealloc: consider spare memory for __GFP_ZERO Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 260/386] ocfs2: fix uninit-value in ocfs2_get_block() Greg Kroah-Hartman
` (137 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heming Zhao, Su Yue, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Gang He,
Jun Piao, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heming Zhao <heming.zhao@suse.com>
commit dfe6c5692fb525e5e90cefe306ee0dffae13d35f upstream.
This bug has existed since the initial OCFS2 code. The code logic in
ocfs2_sync_local_to_main() is wrong, as it ignores the last contiguous
free bits, which causes an OCFS2 volume to lose the last free clusters of
LA window on each umount command.
Link: https://lkml.kernel.org/r/20240719114310.14245-1-heming.zhao@suse.com
Signed-off-by: Heming Zhao <heming.zhao@suse.com>
Reviewed-by: Su Yue <glass.su@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/localalloc.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
--- a/fs/ocfs2/localalloc.c
+++ b/fs/ocfs2/localalloc.c
@@ -1008,6 +1008,25 @@ static int ocfs2_sync_local_to_main(stru
start = bit_off + 1;
}
+ /* clear the contiguous bits until the end boundary */
+ if (count) {
+ blkno = la_start_blk +
+ ocfs2_clusters_to_blocks(osb->sb,
+ start - count);
+
+ trace_ocfs2_sync_local_to_main_free(
+ count, start - count,
+ (unsigned long long)la_start_blk,
+ (unsigned long long)blkno);
+
+ status = ocfs2_release_clusters(handle,
+ main_bm_inode,
+ main_bm_bh, blkno,
+ count);
+ if (status < 0)
+ mlog_errno(status);
+ }
+
bail:
if (status)
mlog_errno(status);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 260/386] ocfs2: fix uninit-value in ocfs2_get_block()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (258 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 259/386] ocfs2: fix the la space leak when unmounting an ocfs2 volume Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 261/386] ocfs2: reserve space for inline xattr before attaching reflink tree Greg Kroah-Hartman
` (136 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joseph Qi,
syzbot+9709e73bae885b05314b, Heming Zhao, Mark Fasheh,
Joel Becker, Junxiao Bi, Changwei Ge, Gang He, Jun Piao,
Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joseph Qi <joseph.qi@linux.alibaba.com>
commit 2af148ef8549a12f8025286b8825c2833ee6bcb8 upstream.
syzbot reported an uninit-value BUG:
BUG: KMSAN: uninit-value in ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159
ocfs2_get_block+0xed2/0x2710 fs/ocfs2/aops.c:159
do_mpage_readpage+0xc45/0x2780 fs/mpage.c:225
mpage_readahead+0x43f/0x840 fs/mpage.c:374
ocfs2_readahead+0x269/0x320 fs/ocfs2/aops.c:381
read_pages+0x193/0x1110 mm/readahead.c:160
page_cache_ra_unbounded+0x901/0x9f0 mm/readahead.c:273
do_page_cache_ra mm/readahead.c:303 [inline]
force_page_cache_ra+0x3b1/0x4b0 mm/readahead.c:332
force_page_cache_readahead mm/internal.h:347 [inline]
generic_fadvise+0x6b0/0xa90 mm/fadvise.c:106
vfs_fadvise mm/fadvise.c:185 [inline]
ksys_fadvise64_64 mm/fadvise.c:199 [inline]
__do_sys_fadvise64 mm/fadvise.c:214 [inline]
__se_sys_fadvise64 mm/fadvise.c:212 [inline]
__x64_sys_fadvise64+0x1fb/0x3a0 mm/fadvise.c:212
x64_sys_call+0xe11/0x3ba0
arch/x86/include/generated/asm/syscalls_64.h:222
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xcd/0x1e0 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
This is because when ocfs2_extent_map_get_blocks() fails, p_blkno is
uninitialized. So the error log will trigger the above uninit-value
access.
The error log is out-of-date since get_blocks() was removed long time ago.
And the error code will be logged in ocfs2_extent_map_get_blocks() once
ocfs2_get_cluster() fails, so fix this by only logging inode and block.
Link: https://syzkaller.appspot.com/bug?extid=9709e73bae885b05314b
Link: https://lkml.kernel.org/r/20240925090600.3643376-1-joseph.qi@linux.alibaba.com
Fixes: ccd979bdbce9 ("[PATCH] OCFS2: The Second Oracle Cluster Filesystem")
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reported-by: syzbot+9709e73bae885b05314b@syzkaller.appspotmail.com
Tested-by: syzbot+9709e73bae885b05314b@syzkaller.appspotmail.com
Cc: Heming Zhao <heming.zhao@suse.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/aops.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/fs/ocfs2/aops.c
+++ b/fs/ocfs2/aops.c
@@ -156,9 +156,8 @@ int ocfs2_get_block(struct inode *inode,
err = ocfs2_extent_map_get_blocks(inode, iblock, &p_blkno, &count,
&ext_flags);
if (err) {
- mlog(ML_ERROR, "Error %d from get_blocks(0x%p, %llu, 1, "
- "%llu, NULL)\n", err, inode, (unsigned long long)iblock,
- (unsigned long long)p_blkno);
+ mlog(ML_ERROR, "get_blocks() failed, inode: 0x%p, "
+ "block: %llu\n", inode, (unsigned long long)iblock);
goto bail;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 261/386] ocfs2: reserve space for inline xattr before attaching reflink tree
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (259 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 260/386] ocfs2: fix uninit-value in ocfs2_get_block() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 262/386] ocfs2: cancel dqi_sync_work before freeing oinfo Greg Kroah-Hartman
` (135 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Gautham Ananthakrishna, Joseph Qi,
Mark Fasheh, Joel Becker, Junxiao Bi, Changwei Ge, Gang He,
Jun Piao, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
commit 5ca60b86f57a4d9648f68418a725b3a7de2816b0 upstream.
One of our customers reported a crash and a corrupted ocfs2 filesystem.
The crash was due to the detection of corruption. Upon troubleshooting,
the fsck -fn output showed the below corruption
[EXTENT_LIST_FREE] Extent list in owner 33080590 claims 230 as the next free chain record,
but fsck believes the largest valid value is 227. Clamp the next record value? n
The stat output from the debugfs.ocfs2 showed the following corruption
where the "Next Free Rec:" had overshot the "Count:" in the root metadata
block.
Inode: 33080590 Mode: 0640 Generation: 2619713622 (0x9c25a856)
FS Generation: 904309833 (0x35e6ac49)
CRC32: 00000000 ECC: 0000
Type: Regular Attr: 0x0 Flags: Valid
Dynamic Features: (0x16) HasXattr InlineXattr Refcounted
Extended Attributes Block: 0 Extended Attributes Inline Size: 256
User: 0 (root) Group: 0 (root) Size: 281320357888
Links: 1 Clusters: 141738
ctime: 0x66911b56 0x316edcb8 -- Fri Jul 12 06:02:30.829349048 2024
atime: 0x66911d6b 0x7f7a28d -- Fri Jul 12 06:11:23.133669517 2024
mtime: 0x66911b56 0x12ed75d7 -- Fri Jul 12 06:02:30.317552087 2024
dtime: 0x0 -- Wed Dec 31 17:00:00 1969
Refcount Block: 2777346
Last Extblk: 2886943 Orphan Slot: 0
Sub Alloc Slot: 0 Sub Alloc Bit: 14
Tree Depth: 1 Count: 227 Next Free Rec: 230
## Offset Clusters Block#
0 0 2310 2776351
1 2310 2139 2777375
2 4449 1221 2778399
3 5670 731 2779423
4 6401 566 2780447
....... .... .......
....... .... .......
The issue was in the reflink workfow while reserving space for inline
xattr. The problematic function is ocfs2_reflink_xattr_inline(). By the
time this function is called the reflink tree is already recreated at the
destination inode from the source inode. At this point, this function
reserves space for inline xattrs at the destination inode without even
checking if there is space at the root metadata block. It simply reduces
the l_count from 243 to 227 thereby making space of 256 bytes for inline
xattr whereas the inode already has extents beyond this index (in this
case up to 230), thereby causing corruption.
The fix for this is to reserve space for inline metadata at the destination
inode before the reflink tree gets recreated. The customer has verified the
fix.
Link: https://lkml.kernel.org/r/20240918063844.1830332-1-gautham.ananthakrishna@oracle.com
Fixes: ef962df057aa ("ocfs2: xattr: fix inlined xattr reflink")
Signed-off-by: Gautham Ananthakrishna <gautham.ananthakrishna@oracle.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/refcounttree.c | 26 ++++++++++++++++++++++++--
fs/ocfs2/xattr.c | 11 +----------
2 files changed, 25 insertions(+), 12 deletions(-)
--- a/fs/ocfs2/refcounttree.c
+++ b/fs/ocfs2/refcounttree.c
@@ -25,6 +25,7 @@
#include "namei.h"
#include "ocfs2_trace.h"
#include "file.h"
+#include "symlink.h"
#include <linux/bio.h>
#include <linux/blkdev.h>
@@ -4155,8 +4156,9 @@ static int __ocfs2_reflink(struct dentry
int ret;
struct inode *inode = d_inode(old_dentry);
struct buffer_head *new_bh = NULL;
+ struct ocfs2_inode_info *oi = OCFS2_I(inode);
- if (OCFS2_I(inode)->ip_flags & OCFS2_INODE_SYSTEM_FILE) {
+ if (oi->ip_flags & OCFS2_INODE_SYSTEM_FILE) {
ret = -EINVAL;
mlog_errno(ret);
goto out;
@@ -4182,6 +4184,26 @@ static int __ocfs2_reflink(struct dentry
goto out_unlock;
}
+ if ((oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) &&
+ (oi->ip_dyn_features & OCFS2_INLINE_XATTR_FL)) {
+ /*
+ * Adjust extent record count to reserve space for extended attribute.
+ * Inline data count had been adjusted in ocfs2_duplicate_inline_data().
+ */
+ struct ocfs2_inode_info *new_oi = OCFS2_I(new_inode);
+
+ if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) &&
+ !(ocfs2_inode_is_fast_symlink(new_inode))) {
+ struct ocfs2_dinode *new_di = (struct ocfs2_dinode *)new_bh->b_data;
+ struct ocfs2_dinode *old_di = (struct ocfs2_dinode *)old_bh->b_data;
+ struct ocfs2_extent_list *el = &new_di->id2.i_list;
+ int inline_size = le16_to_cpu(old_di->i_xattr_inline_size);
+
+ le16_add_cpu(&el->l_count, -(inline_size /
+ sizeof(struct ocfs2_extent_rec)));
+ }
+ }
+
ret = ocfs2_create_reflink_node(inode, old_bh,
new_inode, new_bh, preserve);
if (ret) {
@@ -4189,7 +4211,7 @@ static int __ocfs2_reflink(struct dentry
goto inode_unlock;
}
- if (OCFS2_I(inode)->ip_dyn_features & OCFS2_HAS_XATTR_FL) {
+ if (oi->ip_dyn_features & OCFS2_HAS_XATTR_FL) {
ret = ocfs2_reflink_xattrs(inode, old_bh,
new_inode, new_bh,
preserve);
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -6520,16 +6520,7 @@ static int ocfs2_reflink_xattr_inline(st
}
new_oi = OCFS2_I(args->new_inode);
- /*
- * Adjust extent record count to reserve space for extended attribute.
- * Inline data count had been adjusted in ocfs2_duplicate_inline_data().
- */
- if (!(new_oi->ip_dyn_features & OCFS2_INLINE_DATA_FL) &&
- !(ocfs2_inode_is_fast_symlink(args->new_inode))) {
- struct ocfs2_extent_list *el = &new_di->id2.i_list;
- le16_add_cpu(&el->l_count, -(inline_size /
- sizeof(struct ocfs2_extent_rec)));
- }
+
spin_lock(&new_oi->ip_lock);
new_oi->ip_dyn_features |= OCFS2_HAS_XATTR_FL | OCFS2_INLINE_XATTR_FL;
new_di->i_dyn_features = cpu_to_le16(new_oi->ip_dyn_features);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 262/386] ocfs2: cancel dqi_sync_work before freeing oinfo
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (260 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 261/386] ocfs2: reserve space for inline xattr before attaching reflink tree Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 263/386] ocfs2: remove unreasonable unlock in ocfs2_read_blocks Greg Kroah-Hartman
` (134 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Joseph Qi, Heming Zhao,
syzbot+f7af59df5d6b25f0febd, Mark Fasheh, Joel Becker, Junxiao Bi,
Changwei Ge, Gang He, Jun Piao, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joseph Qi <joseph.qi@linux.alibaba.com>
commit 35fccce29feb3706f649726d410122dd81b92c18 upstream.
ocfs2_global_read_info() will initialize and schedule dqi_sync_work at the
end, if error occurs after successfully reading global quota, it will
trigger the following warning with CONFIG_DEBUG_OBJECTS_* enabled:
ODEBUG: free active (active state 0) object: 00000000d8b0ce28 object type: timer_list hint: qsync_work_fn+0x0/0x16c
This reports that there is an active delayed work when freeing oinfo in
error handling, so cancel dqi_sync_work first. BTW, return status instead
of -1 when .read_file_info fails.
Link: https://syzkaller.appspot.com/bug?extid=f7af59df5d6b25f0febd
Link: https://lkml.kernel.org/r/20240904071004.2067695-1-joseph.qi@linux.alibaba.com
Fixes: 171bf93ce11f ("ocfs2: Periodic quota syncing")
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Reported-by: syzbot+f7af59df5d6b25f0febd@syzkaller.appspotmail.com
Tested-by: syzbot+f7af59df5d6b25f0febd@syzkaller.appspotmail.com
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/quota_local.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/fs/ocfs2/quota_local.c
+++ b/fs/ocfs2/quota_local.c
@@ -689,7 +689,7 @@ static int ocfs2_local_read_info(struct
int status;
struct buffer_head *bh = NULL;
struct ocfs2_quota_recovery *rec;
- int locked = 0;
+ int locked = 0, global_read = 0;
info->dqi_max_spc_limit = 0x7fffffffffffffffLL;
info->dqi_max_ino_limit = 0x7fffffffffffffffLL;
@@ -697,6 +697,7 @@ static int ocfs2_local_read_info(struct
if (!oinfo) {
mlog(ML_ERROR, "failed to allocate memory for ocfs2 quota"
" info.");
+ status = -ENOMEM;
goto out_err;
}
info->dqi_priv = oinfo;
@@ -709,6 +710,7 @@ static int ocfs2_local_read_info(struct
status = ocfs2_global_read_info(sb, type);
if (status < 0)
goto out_err;
+ global_read = 1;
status = ocfs2_inode_lock(lqinode, &oinfo->dqi_lqi_bh, 1);
if (status < 0) {
@@ -779,10 +781,12 @@ out_err:
if (locked)
ocfs2_inode_unlock(lqinode, 1);
ocfs2_release_local_quota_bitmaps(&oinfo->dqi_chunk);
+ if (global_read)
+ cancel_delayed_work_sync(&oinfo->dqi_sync_work);
kfree(oinfo);
}
brelse(bh);
- return -1;
+ return status;
}
/* Write local info to quota file */
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 263/386] ocfs2: remove unreasonable unlock in ocfs2_read_blocks
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (261 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 262/386] ocfs2: cancel dqi_sync_work before freeing oinfo Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 264/386] ocfs2: fix null-ptr-deref when journal load failed Greg Kroah-Hartman
` (133 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lizhi Xu, Joseph Qi, Heming Zhao,
syzbot+ab134185af9ef88dfed5, Mark Fasheh, Joel Becker, Junxiao Bi,
Changwei Ge, Gang He, Jun Piao, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
commit c03a82b4a0c935774afa01fd6d128b444fd930a1 upstream.
Patch series "Misc fixes for ocfs2_read_blocks", v5.
This series contains 2 fixes for ocfs2_read_blocks(). The first patch fix
the issue reported by syzbot, which detects bad unlock balance in
ocfs2_read_blocks(). The second patch fixes an issue reported by Heming
Zhao when reviewing above fix.
This patch (of 2):
There was a lock release before exiting, so remove the unreasonable unlock.
Link: https://lkml.kernel.org/r/20240902023636.1843422-1-joseph.qi@linux.alibaba.com
Link: https://lkml.kernel.org/r/20240902023636.1843422-2-joseph.qi@linux.alibaba.com
Fixes: cf76c78595ca ("ocfs2: don't put and assigning null to bh allocated outside")
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Heming Zhao <heming.zhao@suse.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reported-by: syzbot+ab134185af9ef88dfed5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ab134185af9ef88dfed5
Tested-by: syzbot+ab134185af9ef88dfed5@syzkaller.appspotmail.com
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org> [4.20+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/buffer_head_io.c | 1 -
1 file changed, 1 deletion(-)
--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
@@ -235,7 +235,6 @@ int ocfs2_read_blocks(struct ocfs2_cachi
if (bhs[i] == NULL) {
bhs[i] = sb_getblk(sb, block++);
if (bhs[i] == NULL) {
- ocfs2_metadata_cache_io_unlock(ci);
status = -ENOMEM;
mlog_errno(status);
/* Don't forget to put previous bh! */
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 264/386] ocfs2: fix null-ptr-deref when journal load failed.
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (262 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 263/386] ocfs2: remove unreasonable unlock in ocfs2_read_blocks Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 265/386] ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Greg Kroah-Hartman
` (132 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Julian Sun,
syzbot+05b9b39d8bdfe1a0861f, Joseph Qi, Mark Fasheh, Joel Becker,
Junxiao Bi, Changwei Ge, Gang He, Jun Piao, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Julian Sun <sunjunchao2870@gmail.com>
commit 5784d9fcfd43bd853654bb80c87ef293b9e8e80a upstream.
During the mounting process, if journal_reset() fails because of too short
journal, then lead to jbd2_journal_load() fails with NULL j_sb_buffer.
Subsequently, ocfs2_journal_shutdown() calls
jbd2_journal_flush()->jbd2_cleanup_journal_tail()->
__jbd2_update_log_tail()->jbd2_journal_update_sb_log_tail()
->lock_buffer(journal->j_sb_buffer), resulting in a null-pointer
dereference error.
To resolve this issue, we should check the JBD2_LOADED flag to ensure the
journal was properly loaded. Additionally, use journal instead of
osb->journal directly to simplify the code.
Link: https://syzkaller.appspot.com/bug?extid=05b9b39d8bdfe1a0861f
Link: https://lkml.kernel.org/r/20240902030844.422725-1-sunjunchao2870@gmail.com
Fixes: f6f50e28f0cb ("jbd2: Fail to load a journal if it is too short")
Signed-off-by: Julian Sun <sunjunchao2870@gmail.com>
Reported-by: syzbot+05b9b39d8bdfe1a0861f@syzkaller.appspotmail.com
Suggested-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Cc: Mark Fasheh <mark@fasheh.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Jun Piao <piaojun@huawei.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/journal.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/fs/ocfs2/journal.c
+++ b/fs/ocfs2/journal.c
@@ -1055,7 +1055,7 @@ void ocfs2_journal_shutdown(struct ocfs2
if (!igrab(inode))
BUG();
- num_running_trans = atomic_read(&(osb->journal->j_num_trans));
+ num_running_trans = atomic_read(&(journal->j_num_trans));
trace_ocfs2_journal_shutdown(num_running_trans);
/* Do a commit_cache here. It will flush our journal, *and*
@@ -1074,9 +1074,10 @@ void ocfs2_journal_shutdown(struct ocfs2
osb->commit_task = NULL;
}
- BUG_ON(atomic_read(&(osb->journal->j_num_trans)) != 0);
+ BUG_ON(atomic_read(&(journal->j_num_trans)) != 0);
- if (ocfs2_mount_local(osb)) {
+ if (ocfs2_mount_local(osb) &&
+ (journal->j_journal->j_flags & JBD2_LOADED)) {
jbd2_journal_lock_updates(journal->j_journal);
status = jbd2_journal_flush(journal->j_journal, 0);
jbd2_journal_unlock_updates(journal->j_journal);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 265/386] ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (263 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 264/386] ocfs2: fix null-ptr-deref when journal load failed Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 266/386] arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS Greg Kroah-Hartman
` (131 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lizhi Xu, Joseph Qi, Heming Zhao,
Changwei Ge, Gang He, Joel Becker, Jun Piao, Junxiao Bi,
Mark Fasheh, Andrew Morton
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lizhi Xu <lizhi.xu@windriver.com>
commit 33b525cef4cff49e216e4133cc48452e11c0391e upstream.
When doing cleanup, if flags without OCFS2_BH_READAHEAD, it may trigger
NULL pointer dereference in the following ocfs2_set_buffer_uptodate() if
bh is NULL.
Link: https://lkml.kernel.org/r/20240902023636.1843422-3-joseph.qi@linux.alibaba.com
Fixes: cf76c78595ca ("ocfs2: don't put and assigning null to bh allocated outside")
Signed-off-by: Lizhi Xu <lizhi.xu@windriver.com>
Signed-off-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reported-by: Heming Zhao <heming.zhao@suse.com>
Suggested-by: Heming Zhao <heming.zhao@suse.com>
Cc: <stable@vger.kernel.org> [4.20+]
Cc: Changwei Ge <gechangwei@live.cn>
Cc: Gang He <ghe@suse.com>
Cc: Joel Becker <jlbec@evilplan.org>
Cc: Jun Piao <piaojun@huawei.com>
Cc: Junxiao Bi <junxiao.bi@oracle.com>
Cc: Mark Fasheh <mark@fasheh.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ocfs2/buffer_head_io.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/ocfs2/buffer_head_io.c
+++ b/fs/ocfs2/buffer_head_io.c
@@ -388,7 +388,8 @@ read_failure:
/* Always set the buffer in the cache, even if it was
* a forced read, or read-ahead which hasn't yet
* completed. */
- ocfs2_set_buffer_uptodate(ci, bh);
+ if (bh)
+ ocfs2_set_buffer_uptodate(ci, bh);
}
ocfs2_metadata_cache_io_unlock(ci);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 266/386] arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (264 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 265/386] ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 267/386] arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 Greg Kroah-Hartman
` (130 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Will Deacon,
Catalin Marinas
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
commit b3d6121eaeb22aee8a02f46706745b1968cc0292 upstream.
The Kconfig logic to select HAVE_DYNAMIC_FTRACE_WITH_ARGS is incorrect,
and HAVE_DYNAMIC_FTRACE_WITH_ARGS may be selected when it is not
supported by the combination of clang and GNU LD, resulting in link-time
errors:
aarch64-linux-gnu-ld: .init.data has both ordered [`__patchable_function_entries' in init/main.o] and unordered [`.meminit.data' in mm/sparse.o] sections
aarch64-linux-gnu-ld: final link failed: bad value
... which can be seen when building with CC=clang using a binutils
version older than 2.36.
We originally fixed that in commit:
45bd8951806eb5e8 ("arm64: Improve HAVE_DYNAMIC_FTRACE_WITH_REGS selection for clang")
... by splitting the "select HAVE_DYNAMIC_FTRACE_WITH_ARGS" statement
into separete CLANG_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS and
GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS options which individually select
HAVE_DYNAMIC_FTRACE_WITH_ARGS.
Subsequently we accidentally re-introduced the common "select
HAVE_DYNAMIC_FTRACE_WITH_ARGS" statement in commit:
26299b3f6ba26bfc ("ftrace: arm64: move from REGS to ARGS")
... then we removed it again in commit:
68a63a412d18bd2e ("arm64: Fix build with CC=clang, CONFIG_FTRACE=y and CONFIG_STACK_TRACER=y")
... then we accidentally re-introduced it again in commit:
2aa6ac03516d078c ("arm64: ftrace: Add direct call support")
Fix this for the third time by keeping the unified select statement and
making this depend onf either GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS or
CLANG_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS. This is more consistent with
usual style and less likely to go wrong in future.
Fixes: 2aa6ac03516d ("arm64: ftrace: Add direct call support")
Cc: <stable@vger.kernel.org> # 6.4.x
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240930120448.3352564-1-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/Kconfig | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -191,7 +191,8 @@ config ARM64
select HAVE_DMA_CONTIGUOUS
select HAVE_DYNAMIC_FTRACE
select HAVE_DYNAMIC_FTRACE_WITH_ARGS \
- if $(cc-option,-fpatchable-function-entry=2)
+ if (GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS || \
+ CLANG_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS)
select HAVE_DYNAMIC_FTRACE_WITH_DIRECT_CALLS \
if DYNAMIC_FTRACE_WITH_ARGS && DYNAMIC_FTRACE_WITH_CALL_OPS
select HAVE_DYNAMIC_FTRACE_WITH_CALL_OPS \
@@ -262,12 +263,10 @@ config CLANG_SUPPORTS_DYNAMIC_FTRACE_WIT
def_bool CC_IS_CLANG
# https://github.com/ClangBuiltLinux/linux/issues/1507
depends on AS_IS_GNU || (AS_IS_LLVM && (LD_IS_LLD || LD_VERSION >= 23600))
- select HAVE_DYNAMIC_FTRACE_WITH_ARGS
config GCC_SUPPORTS_DYNAMIC_FTRACE_WITH_ARGS
def_bool CC_IS_GCC
depends on $(cc-option,-fpatchable-function-entry=2)
- select HAVE_DYNAMIC_FTRACE_WITH_ARGS
config 64BIT
def_bool y
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 267/386] arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (265 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 266/386] arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 268/386] riscv: define ILLEGAL_POINTER_VALUE for 64bit Greg Kroah-Hartman
` (129 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, James More,
Will Deacon, Easwar Hariharan, Catalin Marinas
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Easwar Hariharan <eahariha@linux.microsoft.com>
commit 3eddb108abe3de6723cc4b77e8558ce1b3047987 upstream.
Add the Microsoft Azure Cobalt 100 CPU to the list of CPUs suffering
from erratum 3194386 added in commit 75b3c43eab59 ("arm64: errata:
Expand speculative SSBS workaround")
CC: Mark Rutland <mark.rutland@arm.com>
CC: James More <james.morse@arm.com>
CC: Will Deacon <will@kernel.org>
CC: stable@vger.kernel.org # 6.6+
Signed-off-by: Easwar Hariharan <eahariha@linux.microsoft.com>
Link: https://lore.kernel.org/r/20241003225239.321774-1-eahariha@linux.microsoft.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/arch/arm64/silicon-errata.rst | 2 ++
arch/arm64/kernel/cpu_errata.c | 1 +
2 files changed, 3 insertions(+)
--- a/Documentation/arch/arm64/silicon-errata.rst
+++ b/Documentation/arch/arm64/silicon-errata.rst
@@ -280,3 +280,5 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| Microsoft | Azure Cobalt 100| #2253138 | ARM64_ERRATUM_2253138 |
+----------------+-----------------+-----------------+-----------------------------+
+| Microsoft | Azure Cobalt 100| #3324339 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -463,6 +463,7 @@ static const struct midr_range erratum_s
MIDR_ALL_VERSIONS(MIDR_CORTEX_X3),
MIDR_ALL_VERSIONS(MIDR_CORTEX_X4),
MIDR_ALL_VERSIONS(MIDR_CORTEX_X925),
+ MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 268/386] riscv: define ILLEGAL_POINTER_VALUE for 64bit
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (266 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 267/386] arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 269/386] exfat: fix memory leak in exfat_load_bitmap() Greg Kroah-Hartman
` (128 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jisheng Zhang, Palmer Dabbelt
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jisheng Zhang <jszhang@kernel.org>
commit 5c178472af247c7b50f962495bb7462ba453b9fb upstream.
This is used in poison.h for poison pointer offset. Based on current
SV39, SV48 and SV57 vm layout, 0xdead000000000000 is a proper value
that is not mappable, this can avoid potentially turning an oops to
an expolit.
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Fixes: fbe934d69eb7 ("RISC-V: Build Infrastructure")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240705170210.3236-1-jszhang@kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/Kconfig | 5 +++++
1 file changed, 5 insertions(+)
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -259,6 +259,11 @@ config GENERIC_HWEIGHT
config FIX_EARLYCON_MEM
def_bool MMU
+config ILLEGAL_POINTER_VALUE
+ hex
+ default 0 if 32BIT
+ default 0xdead000000000000 if 64BIT
+
config PGTABLE_LEVELS
int
default 5 if 64BIT
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 269/386] exfat: fix memory leak in exfat_load_bitmap()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (267 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 268/386] riscv: define ILLEGAL_POINTER_VALUE for 64bit Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 270/386] perf python: Disable -Wno-cast-function-type-mismatch if present on clang Greg Kroah-Hartman
` (127 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Yuezhang Mo, Aoyama Wataru,
Namjae Jeon
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yuezhang Mo <Yuezhang.Mo@sony.com>
commit d2b537b3e533f28e0d97293fe9293161fe8cd137 upstream.
If the first directory entry in the root directory is not a bitmap
directory entry, 'bh' will not be released and reassigned, which
will cause a memory leak.
Fixes: 1e49a94cf707 ("exfat: add bitmap operations")
Cc: stable@vger.kernel.org
Signed-off-by: Yuezhang Mo <Yuezhang.Mo@sony.com>
Reviewed-by: Aoyama Wataru <wataru.aoyama@sony.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/exfat/balloc.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/fs/exfat/balloc.c
+++ b/fs/exfat/balloc.c
@@ -110,11 +110,8 @@ int exfat_load_bitmap(struct super_block
return -EIO;
type = exfat_get_entry_type(ep);
- if (type == TYPE_UNUSED)
- break;
- if (type != TYPE_BITMAP)
- continue;
- if (ep->dentry.bitmap.flags == 0x0) {
+ if (type == TYPE_BITMAP &&
+ ep->dentry.bitmap.flags == 0x0) {
int err;
err = exfat_allocate_bitmap(sb, ep);
@@ -122,6 +119,9 @@ int exfat_load_bitmap(struct super_block
return err;
}
brelse(bh);
+
+ if (type == TYPE_UNUSED)
+ return -EINVAL;
}
if (exfat_get_next_cluster(sb, &clu.dir))
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 270/386] perf python: Disable -Wno-cast-function-type-mismatch if present on clang
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (268 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 269/386] exfat: fix memory leak in exfat_load_bitmap() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 271/386] perf hist: Update hist symbol when updating maps Greg Kroah-Hartman
` (126 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sedat Dilek, Ian Rogers, Ingo Molnar,
Namhyung Kim, Nathan Chancellor, Peter Zijlstra,
Arnaldo Carvalho de Melo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnaldo Carvalho de Melo <acme@redhat.com>
commit 00dc514612fe98cfa117193b9df28f15e7c9db9c upstream.
The -Wcast-function-type-mismatch option was introduced in clang 19 and
its enabled by default, since we use -Werror, and python bindings do
casts that are valid but trips this warning, disable it if present.
Closes: https://lore.kernel.org/all/CA+icZUXoJ6BS3GMhJHV3aZWyb5Cz2haFneX0C5pUMUUhG-UVKQ@mail.gmail.com
Reported-by: Sedat Dilek <sedat.dilek@gmail.com>
Tested-by: Sedat Dilek <sedat.dilek@gmail.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: stable@vger.kernel.org # To allow building with the upcoming clang 19
Link: https://lore.kernel.org/lkml/CA+icZUVtHn8X1Tb_Y__c-WswsO0K8U9uy3r2MzKXwTA5THtL7w@mail.gmail.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/perf/util/setup.py | 2 ++
1 file changed, 2 insertions(+)
--- a/tools/perf/util/setup.py
+++ b/tools/perf/util/setup.py
@@ -63,6 +63,8 @@ cflags = getenv('CFLAGS', '').split()
cflags += ['-fno-strict-aliasing', '-Wno-write-strings', '-Wno-unused-parameter', '-Wno-redundant-decls', '-DPYTHON_PERF' ]
if cc_is_clang:
cflags += ["-Wno-unused-command-line-argument" ]
+ if clang_has_option("-Wno-cast-function-type-mismatch"):
+ cflags += ["-Wno-cast-function-type-mismatch" ]
else:
cflags += ['-Wno-cast-function-type' ]
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 271/386] perf hist: Update hist symbol when updating maps
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (269 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 270/386] perf python: Disable -Wno-cast-function-type-mismatch if present on clang Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 272/386] nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Greg Kroah-Hartman
` (125 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yunzhao Li,
Matt Fleming (Cloudflare), Ian Rogers, kernel-team, Namhyung Kim,
Riccardo Mancini, Arnaldo Carvalho de Melo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matt Fleming <matt@readmodwrite.com>
commit ac01c8c4246546fd8340a232f3ada1921dc0ee48 upstream.
AddressSanitizer found a use-after-free bug in the symbol code which
manifested as 'perf top' segfaulting.
==1238389==ERROR: AddressSanitizer: heap-use-after-free on address 0x60b00c48844b at pc 0x5650d8035961 bp 0x7f751aaecc90 sp 0x7f751aaecc80
READ of size 1 at 0x60b00c48844b thread T193
#0 0x5650d8035960 in _sort__sym_cmp util/sort.c:310
#1 0x5650d8043744 in hist_entry__cmp util/hist.c:1286
#2 0x5650d8043951 in hists__findnew_entry util/hist.c:614
#3 0x5650d804568f in __hists__add_entry util/hist.c:754
#4 0x5650d8045bf9 in hists__add_entry util/hist.c:772
#5 0x5650d8045df1 in iter_add_single_normal_entry util/hist.c:997
#6 0x5650d8043326 in hist_entry_iter__add util/hist.c:1242
#7 0x5650d7ceeefe in perf_event__process_sample /home/matt/src/linux/tools/perf/builtin-top.c:845
#8 0x5650d7ceeefe in deliver_event /home/matt/src/linux/tools/perf/builtin-top.c:1208
#9 0x5650d7fdb51b in do_flush util/ordered-events.c:245
#10 0x5650d7fdb51b in __ordered_events__flush util/ordered-events.c:324
#11 0x5650d7ced743 in process_thread /home/matt/src/linux/tools/perf/builtin-top.c:1120
#12 0x7f757ef1f133 in start_thread nptl/pthread_create.c:442
#13 0x7f757ef9f7db in clone3 ../sysdeps/unix/sysv/linux/x86_64/clone3.S:81
When updating hist maps it's also necessary to update the hist symbol
reference because the old one gets freed in map__put().
While this bug was probably introduced with 5c24b67aae72f54c ("perf
tools: Replace map->referenced & maps->removed_maps with map->refcnt"),
the symbol objects were leaked until c087e9480cf33672 ("perf machine:
Fix refcount usage when processing PERF_RECORD_KSYMBOL") was merged so
the bug was masked.
Fixes: c087e9480cf33672 ("perf machine: Fix refcount usage when processing PERF_RECORD_KSYMBOL")
Reported-by: Yunzhao Li <yunzhao@cloudflare.com>
Signed-off-by: Matt Fleming (Cloudflare) <matt@readmodwrite.com>
Cc: Ian Rogers <irogers@google.com>
Cc: kernel-team@cloudflare.com
Cc: Namhyung Kim <namhyung@kernel.org>
Cc: Riccardo Mancini <rickyman7@gmail.com>
Cc: stable@vger.kernel.org # v5.13+
Link: https://lore.kernel.org/r/20240815142212.3834625-1-matt@readmodwrite.com
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/perf/util/hist.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/tools/perf/util/hist.c
+++ b/tools/perf/util/hist.c
@@ -638,6 +638,11 @@ static struct hist_entry *hists__findnew
* the history counter to increment.
*/
if (he->ms.map != entry->ms.map) {
+ if (he->ms.sym) {
+ u64 addr = he->ms.sym->start;
+ he->ms.sym = map__find_symbol(entry->ms.map, addr);
+ }
+
map__put(he->ms.map);
he->ms.map = map__get(entry->ms.map);
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 272/386] nfsd: fix delegation_blocked() to block correctly for at least 30 seconds
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (270 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 271/386] perf hist: Update hist symbol when updating maps Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 273/386] nfsd: map the EBADMSG to nfserr_io to avoid warning Greg Kroah-Hartman
` (124 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, NeilBrown,
Benjamin Coddington, Jeff Layton, Chuck Lever
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: NeilBrown <neilb@suse.de>
commit 45bb63ed20e02ae146336412889fe5450316a84f upstream.
The pair of bloom filtered used by delegation_blocked() was intended to
block delegations on given filehandles for between 30 and 60 seconds. A
new filehandle would be recorded in the "new" bit set. That would then
be switch to the "old" bit set between 0 and 30 seconds later, and it
would remain as the "old" bit set for 30 seconds.
Unfortunately the code intended to clear the old bit set once it reached
30 seconds old, preparing it to be the next new bit set, instead cleared
the *new* bit set before switching it to be the old bit set. This means
that the "old" bit set is always empty and delegations are blocked
between 0 and 30 seconds.
This patch updates bd->new before clearing the set with that index,
instead of afterwards.
Reported-by: Olga Kornievskaia <okorniev@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 6282cd565553 ("NFSD: Don't hand out delegations for 30 seconds after recalling them.")
Signed-off-by: NeilBrown <neilb@suse.de>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4state.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -1087,7 +1087,8 @@ static void nfs4_free_deleg(struct nfs4_
* When a delegation is recalled, the filehandle is stored in the "new"
* filter.
* Every 30 seconds we swap the filters and clear the "new" one,
- * unless both are empty of course.
+ * unless both are empty of course. This results in delegations for a
+ * given filehandle being blocked for between 30 and 60 seconds.
*
* Each filter is 256 bits. We hash the filehandle to 32bit and use the
* low 3 bytes as hash-table indices.
@@ -1116,9 +1117,9 @@ static int delegation_blocked(struct knf
if (ktime_get_seconds() - bd->swap_time > 30) {
bd->entries -= bd->old_entries;
bd->old_entries = bd->entries;
+ bd->new = 1-bd->new;
memset(bd->set[bd->new], 0,
sizeof(bd->set[0]));
- bd->new = 1-bd->new;
bd->swap_time = ktime_get_seconds();
}
spin_unlock(&blocked_delegations_lock);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 273/386] nfsd: map the EBADMSG to nfserr_io to avoid warning
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (271 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 272/386] nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 274/386] NFSD: Fix NFSv4s PUTPUBFH operation Greg Kroah-Hartman
` (123 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Li Lingfeng, Jeff Layton,
Chuck Lever
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Li Lingfeng <lilingfeng3@huawei.com>
commit 340e61e44c1d2a15c42ec72ade9195ad525fd048 upstream.
Ext4 will throw -EBADMSG through ext4_readdir when a checksum error
occurs, resulting in the following WARNING.
Fix it by mapping EBADMSG to nfserr_io.
nfsd_buffered_readdir
iterate_dir // -EBADMSG -74
ext4_readdir // .iterate_shared
ext4_dx_readdir
ext4_htree_fill_tree
htree_dirblock_to_tree
ext4_read_dirblock
__ext4_read_dirblock
ext4_dirblock_csum_verify
warn_no_space_for_csum
__warn_no_space_for_csum
return ERR_PTR(-EFSBADCRC) // -EBADMSG -74
nfserrno // WARNING
[ 161.115610] ------------[ cut here ]------------
[ 161.116465] nfsd: non-standard errno: -74
[ 161.117315] WARNING: CPU: 1 PID: 780 at fs/nfsd/nfsproc.c:878 nfserrno+0x9d/0xd0
[ 161.118596] Modules linked in:
[ 161.119243] CPU: 1 PID: 780 Comm: nfsd Not tainted 5.10.0-00014-g79679361fd5d #138
[ 161.120684] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qe
mu.org 04/01/2014
[ 161.123601] RIP: 0010:nfserrno+0x9d/0xd0
[ 161.124676] Code: 0f 87 da 30 dd 00 83 e3 01 b8 00 00 00 05 75 d7 44 89 ee 48 c7 c7 c0 57 24 98 89 44 24 04 c6
05 ce 2b 61 03 01 e8 99 20 d8 00 <0f> 0b 8b 44 24 04 eb b5 4c 89 e6 48 c7 c7 a0 6d a4 99 e8 cc 15 33
[ 161.127797] RSP: 0018:ffffc90000e2f9c0 EFLAGS: 00010286
[ 161.128794] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000000
[ 161.130089] RDX: 1ffff1103ee16f6d RSI: 0000000000000008 RDI: fffff520001c5f2a
[ 161.131379] RBP: 0000000000000022 R08: 0000000000000001 R09: ffff8881f70c1827
[ 161.132664] R10: ffffed103ee18304 R11: 0000000000000001 R12: 0000000000000021
[ 161.133949] R13: 00000000ffffffb6 R14: ffff8881317c0000 R15: ffffc90000e2fbd8
[ 161.135244] FS: 0000000000000000(0000) GS:ffff8881f7080000(0000) knlGS:0000000000000000
[ 161.136695] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 161.137761] CR2: 00007fcaad70b348 CR3: 0000000144256006 CR4: 0000000000770ee0
[ 161.139041] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 161.140291] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 161.141519] PKRU: 55555554
[ 161.142076] Call Trace:
[ 161.142575] ? __warn+0x9b/0x140
[ 161.143229] ? nfserrno+0x9d/0xd0
[ 161.143872] ? report_bug+0x125/0x150
[ 161.144595] ? handle_bug+0x41/0x90
[ 161.145284] ? exc_invalid_op+0x14/0x70
[ 161.146009] ? asm_exc_invalid_op+0x12/0x20
[ 161.146816] ? nfserrno+0x9d/0xd0
[ 161.147487] nfsd_buffered_readdir+0x28b/0x2b0
[ 161.148333] ? nfsd4_encode_dirent_fattr+0x380/0x380
[ 161.149258] ? nfsd_buffered_filldir+0xf0/0xf0
[ 161.150093] ? wait_for_concurrent_writes+0x170/0x170
[ 161.151004] ? generic_file_llseek_size+0x48/0x160
[ 161.151895] nfsd_readdir+0x132/0x190
[ 161.152606] ? nfsd4_encode_dirent_fattr+0x380/0x380
[ 161.153516] ? nfsd_unlink+0x380/0x380
[ 161.154256] ? override_creds+0x45/0x60
[ 161.155006] nfsd4_encode_readdir+0x21a/0x3d0
[ 161.155850] ? nfsd4_encode_readlink+0x210/0x210
[ 161.156731] ? write_bytes_to_xdr_buf+0x97/0xe0
[ 161.157598] ? __write_bytes_to_xdr_buf+0xd0/0xd0
[ 161.158494] ? lock_downgrade+0x90/0x90
[ 161.159232] ? nfs4svc_decode_voidarg+0x10/0x10
[ 161.160092] nfsd4_encode_operation+0x15a/0x440
[ 161.160959] nfsd4_proc_compound+0x718/0xe90
[ 161.161818] nfsd_dispatch+0x18e/0x2c0
[ 161.162586] svc_process_common+0x786/0xc50
[ 161.163403] ? nfsd_svc+0x380/0x380
[ 161.164137] ? svc_printk+0x160/0x160
[ 161.164846] ? svc_xprt_do_enqueue.part.0+0x365/0x380
[ 161.165808] ? nfsd_svc+0x380/0x380
[ 161.166523] ? rcu_is_watching+0x23/0x40
[ 161.167309] svc_process+0x1a5/0x200
[ 161.168019] nfsd+0x1f5/0x380
[ 161.168663] ? nfsd_shutdown_threads+0x260/0x260
[ 161.169554] kthread+0x1c4/0x210
[ 161.170224] ? kthread_insert_work_sanity_check+0x80/0x80
[ 161.171246] ret_from_fork+0x1f/0x30
Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/vfs.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/nfsd/vfs.c
+++ b/fs/nfsd/vfs.c
@@ -101,6 +101,7 @@ nfserrno (int errno)
{ nfserr_io, -EUCLEAN },
{ nfserr_perm, -ENOKEY },
{ nfserr_no_grace, -ENOGRACE},
+ { nfserr_io, -EBADMSG },
};
int i;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 274/386] NFSD: Fix NFSv4s PUTPUBFH operation
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (272 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 273/386] nfsd: map the EBADMSG to nfserr_io to avoid warning Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 275/386] i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition Greg Kroah-Hartman
` (122 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Cedric Blancher, Dan Shelton,
Roland Mainz, Chuck Lever
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
commit 202f39039a11402dcbcd5fece8d9fa6be83f49ae upstream.
According to RFC 8881, all minor versions of NFSv4 support PUTPUBFH.
Replace the XDR decoder for PUTPUBFH with a "noop" since we no
longer want the minorversion check, and PUTPUBFH has no arguments to
decode. (Ideally nfsd4_decode_noop should really be called
nfsd4_decode_void).
PUTPUBFH should now behave just like PUTROOTFH.
Reported-by: Cedric Blancher <cedric.blancher@gmail.com>
Fixes: e1a90ebd8b23 ("NFSD: Combine decode operations for v4 and v4.1")
Cc: Dan Shelton <dan.f.shelton@gmail.com>
Cc: Roland Mainz <roland.mainz@nrubsig.org>
Cc: stable@vger.kernel.org
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs4xdr.c | 10 +---------
1 file changed, 1 insertion(+), 9 deletions(-)
--- a/fs/nfsd/nfs4xdr.c
+++ b/fs/nfsd/nfs4xdr.c
@@ -1246,14 +1246,6 @@ nfsd4_decode_putfh(struct nfsd4_compound
}
static __be32
-nfsd4_decode_putpubfh(struct nfsd4_compoundargs *argp, union nfsd4_op_u *p)
-{
- if (argp->minorversion == 0)
- return nfs_ok;
- return nfserr_notsupp;
-}
-
-static __be32
nfsd4_decode_read(struct nfsd4_compoundargs *argp, union nfsd4_op_u *u)
{
struct nfsd4_read *read = &u->read;
@@ -2345,7 +2337,7 @@ static const nfsd4_dec nfsd4_dec_ops[] =
[OP_OPEN_CONFIRM] = nfsd4_decode_open_confirm,
[OP_OPEN_DOWNGRADE] = nfsd4_decode_open_downgrade,
[OP_PUTFH] = nfsd4_decode_putfh,
- [OP_PUTPUBFH] = nfsd4_decode_putpubfh,
+ [OP_PUTPUBFH] = nfsd4_decode_noop,
[OP_PUTROOTFH] = nfsd4_decode_noop,
[OP_READ] = nfsd4_decode_read,
[OP_READDIR] = nfsd4_decode_readdir,
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 275/386] i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (273 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 274/386] NFSD: Fix NFSv4s PUTPUBFH operation Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 276/386] RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page Greg Kroah-Hartman
` (121 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kaixin Wang, Miquel Raynal, Frank Li,
Alexandre Belloni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kaixin Wang <kxwang23@m.fudan.edu.cn>
commit 61850725779709369c7e907ae8c7c75dc7cec4f3 upstream.
In the svc_i3c_master_probe function, &master->hj_work is bound with
svc_i3c_master_hj_work, &master->ibi_work is bound with
svc_i3c_master_ibi_work. And svc_i3c_master_ibi_work can start the
hj_work, svc_i3c_master_irq_handler can start the ibi_work.
If we remove the module which will call svc_i3c_master_remove to
make cleanup, it will free master->base through i3c_master_unregister
while the work mentioned above will be used. The sequence of operations
that may lead to a UAF bug is as follows:
CPU0 CPU1
| svc_i3c_master_hj_work
svc_i3c_master_remove |
i3c_master_unregister(&master->base)|
device_unregister(&master->dev) |
device_release |
//free master->base |
| i3c_master_do_daa(&master->base)
| //use master->base
Fix it by ensuring that the work is canceled before proceeding with the
cleanup in svc_i3c_master_remove.
Fixes: 0f74f8b6675c ("i3c: Make i3c_master_unregister() return void")
Cc: stable@vger.kernel.org
Signed-off-by: Kaixin Wang <kxwang23@m.fudan.edu.cn>
Reviewed-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Frank Li <Frank.Li@nxp.com>
Link: https://lore.kernel.org/stable/20240914154030.180-1-kxwang23%40m.fudan.edu.cn
Link: https://lore.kernel.org/r/20240914163932.253-1-kxwang23@m.fudan.edu.cn
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i3c/master/svc-i3c-master.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/i3c/master/svc-i3c-master.c
+++ b/drivers/i3c/master/svc-i3c-master.c
@@ -1697,6 +1697,7 @@ static void svc_i3c_master_remove(struct
{
struct svc_i3c_master *master = platform_get_drvdata(pdev);
+ cancel_work_sync(&master->hj_work);
i3c_master_unregister(&master->base);
pm_runtime_dont_use_autosuspend(&pdev->dev);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 276/386] RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (274 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 275/386] i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 277/386] riscv: Fix kernel stack size when KASAN is enabled Greg Kroah-Hartman
` (120 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Long Li, Leon Romanovsky
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <longli@microsoft.com>
commit 4a3b99bc04e501b816db78f70064e26a01257910 upstream.
When mapping doorbell page from user-mode, the driver should use the system
page size as this memory is allocated via mmap() from user-mode.
Cc: stable@vger.kernel.org
Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
Signed-off-by: Long Li <longli@microsoft.com>
Link: https://patch.msgid.link/1725030993-16213-2-git-send-email-longli@linuxonhyperv.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/infiniband/hw/mana/main.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/infiniband/hw/mana/main.c
+++ b/drivers/infiniband/hw/mana/main.c
@@ -460,13 +460,13 @@ int mana_ib_mmap(struct ib_ucontext *ibc
PAGE_SHIFT;
prot = pgprot_writecombine(vma->vm_page_prot);
- ret = rdma_user_mmap_io(ibcontext, vma, pfn, gc->db_page_size, prot,
+ ret = rdma_user_mmap_io(ibcontext, vma, pfn, PAGE_SIZE, prot,
NULL);
if (ret)
ibdev_dbg(ibdev, "can't rdma_user_mmap_io ret %d\n", ret);
else
- ibdev_dbg(ibdev, "mapped I/O pfn 0x%llx page_size %u, ret %d\n",
- pfn, gc->db_page_size, ret);
+ ibdev_dbg(ibdev, "mapped I/O pfn 0x%llx page_size %lu, ret %d\n",
+ pfn, PAGE_SIZE, ret);
return ret;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 277/386] riscv: Fix kernel stack size when KASAN is enabled
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (275 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 276/386] RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 278/386] aoe: fix the potential use-after-free problem in more places Greg Kroah-Hartman
` (119 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+ba9eac24453387a9d502,
Alexandre Ghiti, Palmer Dabbelt
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexandre Ghiti <alexghiti@rivosinc.com>
commit cfb10de18538e383dbc4f3ce7f477ce49287ff3d upstream.
We use Kconfig to select the kernel stack size, doubling the default
size if KASAN is enabled.
But that actually only works if KASAN is selected from the beginning,
meaning that if KASAN config is added later (for example using
menuconfig), CONFIG_THREAD_SIZE_ORDER won't be updated, keeping the
default size, which is not enough for KASAN as reported in [1].
So fix this by moving the logic to compute the right kernel stack into a
header.
Fixes: a7555f6b62e7 ("riscv: stack: Add config of thread stack size")
Reported-by: syzbot+ba9eac24453387a9d502@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000eb301906222aadc2@google.com/ [1]
Cc: stable@vger.kernel.org
Signed-off-by: Alexandre Ghiti <alexghiti@rivosinc.com>
Link: https://lore.kernel.org/r/20240917150328.59831-1-alexghiti@rivosinc.com
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/Kconfig | 3 +--
arch/riscv/include/asm/thread_info.h | 7 ++++++-
2 files changed, 7 insertions(+), 3 deletions(-)
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -633,8 +633,7 @@ config IRQ_STACKS
config THREAD_SIZE_ORDER
int "Kernel stack size (in power-of-two numbers of page size)" if VMAP_STACK && EXPERT
range 0 4
- default 1 if 32BIT && !KASAN
- default 3 if 64BIT && KASAN
+ default 1 if 32BIT
default 2
help
Specify the Pages of thread stack size (from 4KB to 64KB), which also
--- a/arch/riscv/include/asm/thread_info.h
+++ b/arch/riscv/include/asm/thread_info.h
@@ -12,7 +12,12 @@
#include <linux/const.h>
/* thread information allocation */
-#define THREAD_SIZE_ORDER CONFIG_THREAD_SIZE_ORDER
+#ifdef CONFIG_KASAN
+#define KASAN_STACK_ORDER 1
+#else
+#define KASAN_STACK_ORDER 0
+#endif
+#define THREAD_SIZE_ORDER (CONFIG_THREAD_SIZE_ORDER + KASAN_STACK_ORDER)
#define THREAD_SIZE (PAGE_SIZE << THREAD_SIZE_ORDER)
/*
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 278/386] aoe: fix the potential use-after-free problem in more places
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (276 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 277/386] riscv: Fix kernel stack size when KASAN is enabled Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 279/386] media: ov5675: Fix power on/off delay timings Greg Kroah-Hartman
` (118 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nicolai Stange, Chun-Yi Lee,
Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chun-Yi Lee <joeyli.kernel@gmail.com>
commit 6d6e54fc71ad1ab0a87047fd9c211e75d86084a3 upstream.
For fixing CVE-2023-6270, f98364e92662 ("aoe: fix the potential
use-after-free problem in aoecmd_cfg_pkts") makes tx() calling dev_put()
instead of doing in aoecmd_cfg_pkts(). It avoids that the tx() runs
into use-after-free.
Then Nicolai Stange found more places in aoe have potential use-after-free
problem with tx(). e.g. revalidate(), aoecmd_ata_rw(), resend(), probe()
and aoecmd_cfg_rsp(). Those functions also use aoenet_xmit() to push
packet to tx queue. So they should also use dev_hold() to increase the
refcnt of skb->dev.
On the other hand, moving dev_put() to tx() causes that the refcnt of
skb->dev be reduced to a negative value, because corresponding
dev_hold() are not called in revalidate(), aoecmd_ata_rw(), resend(),
probe(), and aoecmd_cfg_rsp(). This patch fixed this issue.
Cc: stable@vger.kernel.org
Link: https://nvd.nist.gov/vuln/detail/CVE-2023-6270
Fixes: f98364e92662 ("aoe: fix the potential use-after-free problem in aoecmd_cfg_pkts")
Reported-by: Nicolai Stange <nstange@suse.com>
Signed-off-by: Chun-Yi Lee <jlee@suse.com>
Link: https://lore.kernel.org/stable/20240624064418.27043-1-jlee%40suse.com
Link: https://lore.kernel.org/r/20241002035458.24401-1-jlee@suse.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/aoe/aoecmd.c | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
--- a/drivers/block/aoe/aoecmd.c
+++ b/drivers/block/aoe/aoecmd.c
@@ -361,6 +361,7 @@ ata_rw_frameinit(struct frame *f)
}
ah->cmdstat = ATA_CMD_PIO_READ | writebit | extbit;
+ dev_hold(t->ifp->nd);
skb->dev = t->ifp->nd;
}
@@ -401,6 +402,8 @@ aoecmd_ata_rw(struct aoedev *d)
__skb_queue_head_init(&queue);
__skb_queue_tail(&queue, skb);
aoenet_xmit(&queue);
+ } else {
+ dev_put(f->t->ifp->nd);
}
return 1;
}
@@ -483,10 +486,13 @@ resend(struct aoedev *d, struct frame *f
memcpy(h->dst, t->addr, sizeof h->dst);
memcpy(h->src, t->ifp->nd->dev_addr, sizeof h->src);
+ dev_hold(t->ifp->nd);
skb->dev = t->ifp->nd;
skb = skb_clone(skb, GFP_ATOMIC);
- if (skb == NULL)
+ if (skb == NULL) {
+ dev_put(t->ifp->nd);
return;
+ }
f->sent = ktime_get();
__skb_queue_head_init(&queue);
__skb_queue_tail(&queue, skb);
@@ -617,6 +623,8 @@ probe(struct aoetgt *t)
__skb_queue_head_init(&queue);
__skb_queue_tail(&queue, skb);
aoenet_xmit(&queue);
+ } else {
+ dev_put(f->t->ifp->nd);
}
}
@@ -1395,6 +1403,7 @@ aoecmd_ata_id(struct aoedev *d)
ah->cmdstat = ATA_CMD_ID_ATA;
ah->lba3 = 0xa0;
+ dev_hold(t->ifp->nd);
skb->dev = t->ifp->nd;
d->rttavg = RTTAVG_INIT;
@@ -1404,6 +1413,8 @@ aoecmd_ata_id(struct aoedev *d)
skb = skb_clone(skb, GFP_ATOMIC);
if (skb)
f->sent = ktime_get();
+ else
+ dev_put(t->ifp->nd);
return skb;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 279/386] media: ov5675: Fix power on/off delay timings
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (277 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 278/386] aoe: fix the potential use-after-free problem in more places Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 280/386] clk: rockchip: fix error for unknown clocks Greg Kroah-Hartman
` (117 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Bryan ODonoghue, Johan Hovold,
Quentin Schulz, Sakari Ailus, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
commit 719ec29fceda2f19c833d2784b1574638320400f upstream.
The ov5675 specification says that the gap between XSHUTDN deassert and the
first I2C transaction should be a minimum of 8192 XVCLK cycles.
Right now we use a usleep_rage() that gives a sleep time of between about
430 and 860 microseconds.
On the Lenovo X13s we have observed that in about 1/20 cases the current
timing is too tight and we start transacting before the ov5675's reset
cycle completes, leading to I2C bus transaction failures.
The reset racing is sometimes triggered at initial chip probe but, more
usually on a subsequent power-off/power-on cycle e.g.
[ 71.451662] ov5675 24-0010: failed to write reg 0x0103. error = -5
[ 71.451686] ov5675 24-0010: failed to set plls
The current quiescence period we have is too tight. Instead of expressing
the post reset delay in terms of the current XVCLK this patch converts the
power-on and power-off delays to the maximum theoretical delay @ 6 MHz with
an additional buffer.
1.365 milliseconds on the power-on path is 1.5 milliseconds with grace.
85.3 microseconds on the power-off path is 90 microseconds with grace.
Fixes: 49d9ad719e89 ("media: ov5675: add device-tree support and support runtime PM")
Cc: stable@vger.kernel.org
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Reviewed-by: Quentin Schulz <quentin.schulz@cherry.de>
Tested-by: Quentin Schulz <quentin.schulz@cherry.de> # RK3399 Puma with
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/i2c/ov5675.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/drivers/media/i2c/ov5675.c
+++ b/drivers/media/i2c/ov5675.c
@@ -979,12 +979,10 @@ static int ov5675_set_stream(struct v4l2
static int ov5675_power_off(struct device *dev)
{
- /* 512 xvclk cycles after the last SCCB transation or MIPI frame end */
- u32 delay_us = DIV_ROUND_UP(512, OV5675_XVCLK_19_2 / 1000 / 1000);
struct v4l2_subdev *sd = dev_get_drvdata(dev);
struct ov5675 *ov5675 = to_ov5675(sd);
- usleep_range(delay_us, delay_us * 2);
+ usleep_range(90, 100);
clk_disable_unprepare(ov5675->xvclk);
gpiod_set_value_cansleep(ov5675->reset_gpio, 1);
@@ -995,7 +993,6 @@ static int ov5675_power_off(struct devic
static int ov5675_power_on(struct device *dev)
{
- u32 delay_us = DIV_ROUND_UP(8192, OV5675_XVCLK_19_2 / 1000 / 1000);
struct v4l2_subdev *sd = dev_get_drvdata(dev);
struct ov5675 *ov5675 = to_ov5675(sd);
int ret;
@@ -1021,8 +1018,11 @@ static int ov5675_power_on(struct device
gpiod_set_value_cansleep(ov5675->reset_gpio, 0);
- /* 8192 xvclk cycles prior to the first SCCB transation */
- usleep_range(delay_us, delay_us * 2);
+ /* Worst case quiesence gap is 1.365 milliseconds @ 6MHz XVCLK
+ * Add an additional threshold grace period to ensure reset
+ * completion before initiating our first I2C transaction.
+ */
+ usleep_range(1500, 1600);
return 0;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 280/386] clk: rockchip: fix error for unknown clocks
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (278 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 279/386] media: ov5675: Fix power on/off delay timings Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 281/386] remoteproc: k3-r5: Fix error handling when power-up failed Greg Kroah-Hartman
` (116 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sebastian Reichel, Heiko Stuebner
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sebastian Reichel <sebastian.reichel@collabora.com>
commit 12fd64babaca4dc09d072f63eda76ba44119816a upstream.
There is a clk == NULL check after the switch to check for
unsupported clk types. Since clk is re-assigned in a loop,
this check is useless right now for anything but the first
round. Let's fix this up by assigning clk = NULL in the
loop before the switch statement.
Fixes: a245fecbb806 ("clk: rockchip: add basic infrastructure for clock branches")
Cc: stable@vger.kernel.org
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
[added fixes + stable-cc]
Link: https://lore.kernel.org/r/20240325193609.237182-6-sebastian.reichel@collabora.com
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/rockchip/clk.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/clk/rockchip/clk.c
+++ b/drivers/clk/rockchip/clk.c
@@ -433,12 +433,13 @@ void rockchip_clk_register_branches(stru
struct rockchip_clk_branch *list,
unsigned int nr_clk)
{
- struct clk *clk = NULL;
+ struct clk *clk;
unsigned int idx;
unsigned long flags;
for (idx = 0; idx < nr_clk; idx++, list++) {
flags = list->flags;
+ clk = NULL;
/* catch simple muxes */
switch (list->branch_type) {
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 281/386] remoteproc: k3-r5: Fix error handling when power-up failed
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (279 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 280/386] clk: rockchip: fix error for unknown clocks Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 282/386] clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks Greg Kroah-Hartman
` (115 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jan Kiszka, Beleswar Padhi,
Mathieu Poirier
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jan Kiszka <jan.kiszka@siemens.com>
commit 9ab27eb5866ccbf57715cfdba4b03d57776092fb upstream.
By simply bailing out, the driver was violating its rule and internal
assumptions that either both or no rproc should be initialized. E.g.,
this could cause the first core to be available but not the second one,
leading to crashes on its shutdown later on while trying to dereference
that second instance.
Fixes: 61f6f68447ab ("remoteproc: k3-r5: Wait for core0 power-up before powering up core1")
Signed-off-by: Jan Kiszka <jan.kiszka@siemens.com>
Acked-by: Beleswar Padhi <b-padhi@ti.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/9f481156-f220-4adf-b3d9-670871351e26@siemens.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/remoteproc/ti_k3_r5_remoteproc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/remoteproc/ti_k3_r5_remoteproc.c
+++ b/drivers/remoteproc/ti_k3_r5_remoteproc.c
@@ -1331,7 +1331,7 @@ init_rmem:
dev_err(dev,
"Timed out waiting for %s core to power up!\n",
rproc->name);
- return ret;
+ goto err_powerup;
}
}
@@ -1347,6 +1347,7 @@ err_split:
}
}
+err_powerup:
rproc_del(rproc);
err_add:
k3_r5_reserved_mem_exit(kproc);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 282/386] clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (280 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 281/386] remoteproc: k3-r5: Fix error handling when power-up failed Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 283/386] media: sun4i_csi: Implement link validate for sun4i_csi subdev Greg Kroah-Hartman
` (114 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Bjorn Andersson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
commit 0e93c6320ecde0583de09f3fe801ce8822886fec upstream.
Add CLK_SET_RATE_PARENT for several branch clocks. Such clocks don't
have a way to change the rate, so set the parent rate instead.
Fixes: 80a18f4a8567 ("clk: qcom: Add display clock controller driver for SM8150 and SM8250")
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20240804-sm8350-fixes-v1-1-1149dd8399fe@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/dispcc-sm8250.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/clk/qcom/dispcc-sm8250.c
+++ b/drivers/clk/qcom/dispcc-sm8250.c
@@ -851,6 +851,7 @@ static struct clk_branch disp_cc_mdss_dp
&disp_cc_mdss_dp_link1_div_clk_src.clkr.hw,
},
.num_parents = 1,
+ .flags = CLK_SET_RATE_PARENT,
.ops = &clk_branch2_ops,
},
},
@@ -886,6 +887,7 @@ static struct clk_branch disp_cc_mdss_dp
&disp_cc_mdss_dp_link_div_clk_src.clkr.hw,
},
.num_parents = 1,
+ .flags = CLK_SET_RATE_PARENT,
.ops = &clk_branch2_ops,
},
},
@@ -1011,6 +1013,7 @@ static struct clk_branch disp_cc_mdss_md
&disp_cc_mdss_mdp_clk_src.clkr.hw,
},
.num_parents = 1,
+ .flags = CLK_SET_RATE_PARENT,
.ops = &clk_branch2_ops,
},
},
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 283/386] media: sun4i_csi: Implement link validate for sun4i_csi subdev
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (281 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 282/386] clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 284/386] clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable() Greg Kroah-Hartman
` (113 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Chen-Yu Tsai,
Tomi Valkeinen, Sakari Ailus
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
commit 2dc5d5d401f5c6cecd97800ffef82e8d17d228f0 upstream.
The sun4i_csi driver doesn't implement link validation for the subdev it
registers, leaving the link between the subdev and its source
unvalidated. Fix it, using the v4l2_subdev_link_validate() helper.
Fixes: 577bbf23b758 ("media: sunxi: Add A10 CSI driver")
Cc: stable@vger.kernel.org
Signed-off-by: Laurent Pinchart <laurent.pinchart+renesas@ideasonboard.com>
Acked-by: Chen-Yu Tsai <wens@csie.org>
Reviewed-by: Tomi Valkeinen <tomi.valkeinen+renesas@ideasonboard.com>
Acked-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c
+++ b/drivers/media/platform/sunxi/sun4i-csi/sun4i_csi.c
@@ -39,6 +39,10 @@ static const struct media_entity_operati
.link_validate = v4l2_subdev_link_validate,
};
+static const struct media_entity_operations sun4i_csi_subdev_entity_ops = {
+ .link_validate = v4l2_subdev_link_validate,
+};
+
static int sun4i_csi_notify_bound(struct v4l2_async_notifier *notifier,
struct v4l2_subdev *subdev,
struct v4l2_async_connection *asd)
@@ -213,6 +217,7 @@ static int sun4i_csi_probe(struct platfo
v4l2_subdev_init(subdev, &sun4i_csi_subdev_ops);
subdev->flags = V4L2_SUBDEV_FL_HAS_DEVNODE | V4L2_SUBDEV_FL_HAS_EVENTS;
subdev->entity.function = MEDIA_ENT_F_VID_IF_BRIDGE;
+ subdev->entity.ops = &sun4i_csi_subdev_entity_ops;
subdev->owner = THIS_MODULE;
snprintf(subdev->name, sizeof(subdev->name), "sun4i-csi-0");
v4l2_set_subdevdata(subdev, csi);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 284/386] clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (282 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 283/386] media: sun4i_csi: Implement link validate for sun4i_csi subdev Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 285/386] media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Greg Kroah-Hartman
` (112 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Bjorn Andersson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
commit 889e1332310656961855c0dcedbb4dbe78e39d22 upstream.
With PWRSTS_OFF_ON, PCIe GDSCs are turned off during gdsc_disable(). This
can happen during scenarios such as system suspend and breaks the resume
of PCIe controllers from suspend.
So use PWRSTS_RET_ON to indicate the GDSC driver to not turn off the GDSCs
during gdsc_disable() and allow the hardware to transition the GDSCs to
retention when the parent domain enters low power state during system
suspend.
Cc: stable@vger.kernel.org # 5.17
Fixes: db0c944ee92b ("clk: qcom: Add clock driver for SM8450")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20240722105733.13040-1-manivannan.sadhasivam@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/gcc-sm8450.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/clk/qcom/gcc-sm8450.c
+++ b/drivers/clk/qcom/gcc-sm8450.c
@@ -2974,7 +2974,7 @@ static struct gdsc pcie_0_gdsc = {
.pd = {
.name = "pcie_0_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
};
static struct gdsc pcie_1_gdsc = {
@@ -2982,7 +2982,7 @@ static struct gdsc pcie_1_gdsc = {
.pd = {
.name = "pcie_1_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
};
static struct gdsc ufs_phy_gdsc = {
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 285/386] media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (283 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 284/386] clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 286/386] clk: qcom: clk-rpmh: Fix overflow in BCM vote Greg Kroah-Hartman
` (111 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans Verkuil, Mauro Carvalho Chehab
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans Verkuil <hverkuil-cisco@xs4all.nl>
commit 599f6899051cb70c4e0aa9fd591b9ee220cb6f14 upstream.
The cec_msg_set_reply_to() helper function never zeroed the
struct cec_msg flags field, this can cause unexpected behavior
if flags was uninitialized to begin with.
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Fixes: 0dbacebede1e ("[media] cec: move the CEC framework out of staging and to media")
Cc: <stable@vger.kernel.org>
Signed-off-by: Mauro Carvalho Chehab <mchehab+huawei@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/uapi/linux/cec.h | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/include/uapi/linux/cec.h
+++ b/include/uapi/linux/cec.h
@@ -132,6 +132,8 @@ static inline void cec_msg_init(struct c
* Set the msg destination to the orig initiator and the msg initiator to the
* orig destination. Note that msg and orig may be the same pointer, in which
* case the change is done in place.
+ *
+ * It also zeroes the reply, timeout and flags fields.
*/
static inline void cec_msg_set_reply_to(struct cec_msg *msg,
struct cec_msg *orig)
@@ -139,7 +141,9 @@ static inline void cec_msg_set_reply_to(
/* The destination becomes the initiator and vice versa */
msg->msg[0] = (cec_msg_destination(orig) << 4) |
cec_msg_initiator(orig);
- msg->reply = msg->timeout = 0;
+ msg->reply = 0;
+ msg->timeout = 0;
+ msg->flags = 0;
}
/**
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 286/386] clk: qcom: clk-rpmh: Fix overflow in BCM vote
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (284 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 285/386] media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 287/386] clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix Greg Kroah-Hartman
` (110 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mike Tipton, Taniya Das, Imran Shaik,
Bjorn Andersson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mike Tipton <quic_mdtipton@quicinc.com>
commit a4e5af27e6f6a8b0d14bc0d7eb04f4a6c7291586 upstream.
Valid frequencies may result in BCM votes that exceed the max HW value.
Set vote ceiling to BCM_TCS_CMD_VOTE_MASK to ensure the votes aren't
truncated, which can result in lower frequencies than desired.
Fixes: 04053f4d23a4 ("clk: qcom: clk-rpmh: Add IPA clock support")
Cc: stable@vger.kernel.org
Signed-off-by: Mike Tipton <quic_mdtipton@quicinc.com>
Reviewed-by: Taniya Das <quic_tdas@quicinc.com>
Signed-off-by: Imran Shaik <quic_imrashai@quicinc.com>
Link: https://lore.kernel.org/r/20240809-clk-rpmh-bcm-vote-fix-v2-1-240c584b7ef9@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/clk-rpmh.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/clk/qcom/clk-rpmh.c
+++ b/drivers/clk/qcom/clk-rpmh.c
@@ -263,6 +263,8 @@ static int clk_rpmh_bcm_send_cmd(struct
cmd_state = 0;
}
+ cmd_state = min(cmd_state, BCM_TCS_CMD_VOTE_MASK);
+
if (c->last_sent_aggr_state != cmd_state) {
cmd.addr = c->res_addr;
cmd.data = BCM_TCS_CMD(1, enable, 0, cmd_state);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 287/386] clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (285 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 286/386] clk: qcom: clk-rpmh: Fix overflow in BCM vote Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 288/386] clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src Greg Kroah-Hartman
` (109 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David Virag, Krzysztof Kozlowski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Virag <virag.david003@gmail.com>
commit 217a5f23c290c349ceaa37a6f2c014ad4c2d5759 upstream.
Update CLKS_NR_FSYS to the proper value after a fix in DT bindings.
This should always be the last clock in a CMU + 1.
Fixes: cd268e309c29 ("dt-bindings: clock: Add bindings for Exynos7885 CMU_FSYS")
Cc: stable@vger.kernel.org
Signed-off-by: David Virag <virag.david003@gmail.com>
Link: https://lore.kernel.org/r/20240806121157.479212-5-virag.david003@gmail.com
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/samsung/clk-exynos7885.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/clk/samsung/clk-exynos7885.c
+++ b/drivers/clk/samsung/clk-exynos7885.c
@@ -20,7 +20,7 @@
#define CLKS_NR_TOP (CLK_GOUT_FSYS_USB30DRD + 1)
#define CLKS_NR_CORE (CLK_GOUT_TREX_P_CORE_PCLK_P_CORE + 1)
#define CLKS_NR_PERI (CLK_GOUT_WDT1_PCLK + 1)
-#define CLKS_NR_FSYS (CLK_GOUT_MMC_SDIO_SDCLKIN + 1)
+#define CLKS_NR_FSYS (CLK_MOUT_FSYS_USB30DRD_USER + 1)
/* ---- CMU_TOP ------------------------------------------------------------- */
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 288/386] clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (286 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 287/386] clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 289/386] media: venus: fix use after free bug in venus_remove due to race condition Greg Kroah-Hartman
` (108 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Satya Priya Kakitapalli,
Bjorn Andersson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
commit bab0c7a0bc586e736b7cd2aac8e6391709a70ef2 upstream.
The branch clocks of gcc_cpuss_ahb_clk_src are marked critical
and hence these clocks vote on XO blocking the suspend.
De-register these clocks and its source as there is no rate
setting happening on them.
Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x")
Cc: stable@vger.kernel.org
Signed-off-by: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
Link: https://lore.kernel.org/r/20240812-gcc-sc8180x-fixes-v2-5-8b3eaa5fb856@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/gcc-sc8180x.c | 63 -----------------------------------------
1 file changed, 63 deletions(-)
--- a/drivers/clk/qcom/gcc-sc8180x.c
+++ b/drivers/clk/qcom/gcc-sc8180x.c
@@ -260,28 +260,6 @@ static const struct clk_parent_data gcc_
{ .hw = &gpll0_out_even.clkr.hw },
};
-static const struct freq_tbl ftbl_gcc_cpuss_ahb_clk_src[] = {
- F(19200000, P_BI_TCXO, 1, 0, 0),
- F(50000000, P_GPLL0_OUT_MAIN, 12, 0, 0),
- F(100000000, P_GPLL0_OUT_MAIN, 6, 0, 0),
- { }
-};
-
-static struct clk_rcg2 gcc_cpuss_ahb_clk_src = {
- .cmd_rcgr = 0x48014,
- .mnd_width = 0,
- .hid_width = 5,
- .parent_map = gcc_parent_map_0,
- .freq_tbl = ftbl_gcc_cpuss_ahb_clk_src,
- .clkr.hw.init = &(struct clk_init_data){
- .name = "gcc_cpuss_ahb_clk_src",
- .parent_data = gcc_parents_0,
- .num_parents = ARRAY_SIZE(gcc_parents_0),
- .flags = CLK_SET_RATE_PARENT,
- .ops = &clk_rcg2_ops,
- },
-};
-
static const struct freq_tbl ftbl_gcc_emac_ptp_clk_src[] = {
F(19200000, P_BI_TCXO, 1, 0, 0),
F(50000000, P_GPLL0_OUT_EVEN, 6, 0, 0),
@@ -1599,25 +1577,6 @@ static struct clk_branch gcc_cfg_noc_usb
},
};
-/* For CPUSS functionality the AHB clock needs to be left enabled */
-static struct clk_branch gcc_cpuss_ahb_clk = {
- .halt_reg = 0x48000,
- .halt_check = BRANCH_HALT_VOTED,
- .clkr = {
- .enable_reg = 0x52004,
- .enable_mask = BIT(21),
- .hw.init = &(struct clk_init_data){
- .name = "gcc_cpuss_ahb_clk",
- .parent_hws = (const struct clk_hw *[]){
- &gcc_cpuss_ahb_clk_src.clkr.hw
- },
- .num_parents = 1,
- .flags = CLK_IS_CRITICAL | CLK_SET_RATE_PARENT,
- .ops = &clk_branch2_ops,
- },
- },
-};
-
static struct clk_branch gcc_cpuss_rbcpr_clk = {
.halt_reg = 0x48008,
.halt_check = BRANCH_HALT,
@@ -3150,25 +3109,6 @@ static struct clk_branch gcc_sdcc4_apps_
},
};
-/* For CPUSS functionality the SYS NOC clock needs to be left enabled */
-static struct clk_branch gcc_sys_noc_cpuss_ahb_clk = {
- .halt_reg = 0x4819c,
- .halt_check = BRANCH_HALT_VOTED,
- .clkr = {
- .enable_reg = 0x52004,
- .enable_mask = BIT(0),
- .hw.init = &(struct clk_init_data){
- .name = "gcc_sys_noc_cpuss_ahb_clk",
- .parent_hws = (const struct clk_hw *[]){
- &gcc_cpuss_ahb_clk_src.clkr.hw
- },
- .num_parents = 1,
- .flags = CLK_IS_CRITICAL | CLK_SET_RATE_PARENT,
- .ops = &clk_branch2_ops,
- },
- },
-};
-
static struct clk_branch gcc_tsif_ahb_clk = {
.halt_reg = 0x36004,
.halt_check = BRANCH_HALT,
@@ -4258,8 +4198,6 @@ static struct clk_regmap *gcc_sc8180x_cl
[GCC_CFG_NOC_USB3_MP_AXI_CLK] = &gcc_cfg_noc_usb3_mp_axi_clk.clkr,
[GCC_CFG_NOC_USB3_PRIM_AXI_CLK] = &gcc_cfg_noc_usb3_prim_axi_clk.clkr,
[GCC_CFG_NOC_USB3_SEC_AXI_CLK] = &gcc_cfg_noc_usb3_sec_axi_clk.clkr,
- [GCC_CPUSS_AHB_CLK] = &gcc_cpuss_ahb_clk.clkr,
- [GCC_CPUSS_AHB_CLK_SRC] = &gcc_cpuss_ahb_clk_src.clkr,
[GCC_CPUSS_RBCPR_CLK] = &gcc_cpuss_rbcpr_clk.clkr,
[GCC_DDRSS_GPU_AXI_CLK] = &gcc_ddrss_gpu_axi_clk.clkr,
[GCC_DISP_HF_AXI_CLK] = &gcc_disp_hf_axi_clk.clkr,
@@ -4396,7 +4334,6 @@ static struct clk_regmap *gcc_sc8180x_cl
[GCC_SDCC4_AHB_CLK] = &gcc_sdcc4_ahb_clk.clkr,
[GCC_SDCC4_APPS_CLK] = &gcc_sdcc4_apps_clk.clkr,
[GCC_SDCC4_APPS_CLK_SRC] = &gcc_sdcc4_apps_clk_src.clkr,
- [GCC_SYS_NOC_CPUSS_AHB_CLK] = &gcc_sys_noc_cpuss_ahb_clk.clkr,
[GCC_TSIF_AHB_CLK] = &gcc_tsif_ahb_clk.clkr,
[GCC_TSIF_INACTIVITY_TIMERS_CLK] = &gcc_tsif_inactivity_timers_clk.clkr,
[GCC_TSIF_REF_CLK] = &gcc_tsif_ref_clk.clkr,
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 289/386] media: venus: fix use after free bug in venus_remove due to race condition
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (287 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 288/386] clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 290/386] clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() Greg Kroah-Hartman
` (107 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zheng Wang, Dikshita Agarwal,
Stanimir Varbanov, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zheng Wang <zyytlz.wz@163.com>
commit c5a85ed88e043474161bbfe54002c89c1cb50ee2 upstream.
in venus_probe, core->work is bound with venus_sys_error_handler, which is
used to handle error. The code use core->sys_err_done to make sync work.
The core->work is started in venus_event_notify.
If we call venus_remove, there might be an unfished work. The possible
sequence is as follows:
CPU0 CPU1
|venus_sys_error_handler
venus_remove |
hfi_destroy |
venus_hfi_destroy |
kfree(hdev); |
|hfi_reinit
|venus_hfi_queues_reinit
|//use hdev
Fix it by canceling the work in venus_remove.
Cc: stable@vger.kernel.org
Fixes: af2c3834c8ca ("[media] media: venus: adding core part and helper functions")
Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Signed-off-by: Dikshita Agarwal <quic_dikshita@quicinc.com>
Signed-off-by: Stanimir Varbanov <stanimir.k.varbanov@gmail.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/venus/core.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/media/platform/qcom/venus/core.c
+++ b/drivers/media/platform/qcom/venus/core.c
@@ -424,6 +424,7 @@ static void venus_remove(struct platform
struct device *dev = core->dev;
int ret;
+ cancel_delayed_work_sync(&core->work);
ret = pm_runtime_get_sync(dev);
WARN_ON(ret < 0);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 290/386] clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (288 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 289/386] media: venus: fix use after free bug in venus_remove due to race condition Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 291/386] media: qcom: camss: Remove use_count guard in stop_streaming Greg Kroah-Hartman
` (106 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Bjorn Andersson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
commit ade508b545c969c72cd68479f275a5dd640fd8b9 upstream.
With PWRSTS_OFF_ON, PCIe GDSCs are turned off during gdsc_disable(). This
can happen during scenarios such as system suspend and breaks the resume
of PCIe controllers from suspend.
So use PWRSTS_RET_ON to indicate the GDSC driver to not turn off the GDSCs
during gdsc_disable() and allow the hardware to transition the GDSCs to
retention when the parent domain enters low power state during system
suspend.
Cc: stable@vger.kernel.org # 5.7
Fixes: 3e5770921a88 ("clk: qcom: gcc: Add global clock controller driver for SM8250")
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20240719134238.312191-1-manivannan.sadhasivam@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/gcc-sm8250.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/clk/qcom/gcc-sm8250.c
+++ b/drivers/clk/qcom/gcc-sm8250.c
@@ -3226,7 +3226,7 @@ static struct gdsc pcie_0_gdsc = {
.pd = {
.name = "pcie_0_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
};
static struct gdsc pcie_1_gdsc = {
@@ -3234,7 +3234,7 @@ static struct gdsc pcie_1_gdsc = {
.pd = {
.name = "pcie_1_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
};
static struct gdsc pcie_2_gdsc = {
@@ -3242,7 +3242,7 @@ static struct gdsc pcie_2_gdsc = {
.pd = {
.name = "pcie_2_gdsc",
},
- .pwrsts = PWRSTS_OFF_ON,
+ .pwrsts = PWRSTS_RET_ON,
};
static struct gdsc ufs_card_gdsc = {
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 291/386] media: qcom: camss: Remove use_count guard in stop_streaming
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (289 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 290/386] clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 292/386] media: qcom: camss: Fix ordering of pm_runtime_enable Greg Kroah-Hartman
` (105 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Bryan ODonoghue,
Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
commit 25f18cb1b673220b76a86ebef8e7fb79bd303b27 upstream.
The use_count check was introduced so that multiple concurrent Raw Data
Interfaces RDIs could be driven by different virtual channels VCs on the
CSIPHY input driving the video pipeline.
This is an invalid use of use_count though as use_count pertains to the
number of times a video entity has been opened by user-space not the number
of active streams.
If use_count and stream-on count don't agree then stop_streaming() will
break as is currently the case and has become apparent when using CAMSS
with libcamera's released softisp 0.3.
The use of use_count like this is a bit hacky and right now breaks regular
usage of CAMSS for a single stream case. Stopping qcam results in the splat
below, and then it cannot be started again and any attempts to do so fails
with -EBUSY.
[ 1265.509831] WARNING: CPU: 5 PID: 919 at drivers/media/common/videobuf2/videobuf2-core.c:2183 __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common]
...
[ 1265.510630] Call trace:
[ 1265.510636] __vb2_queue_cancel+0x230/0x2c8 [videobuf2_common]
[ 1265.510648] vb2_core_streamoff+0x24/0xcc [videobuf2_common]
[ 1265.510660] vb2_ioctl_streamoff+0x5c/0xa8 [videobuf2_v4l2]
[ 1265.510673] v4l_streamoff+0x24/0x30 [videodev]
[ 1265.510707] __video_do_ioctl+0x190/0x3f4 [videodev]
[ 1265.510732] video_usercopy+0x304/0x8c4 [videodev]
[ 1265.510757] video_ioctl2+0x18/0x34 [videodev]
[ 1265.510782] v4l2_ioctl+0x40/0x60 [videodev]
...
[ 1265.510944] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 0 in active state
[ 1265.511175] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 1 in active state
[ 1265.511398] videobuf2_common: driver bug: stop_streaming operation is leaving buffer 2 in active st
One CAMSS specific way to handle multiple VCs on the same RDI might be:
- Reference count each pipeline enable for CSIPHY, CSID, VFE and RDIx.
- The video buffers are already associated with msm_vfeN_rdiX so
release video buffers when told to do so by stop_streaming.
- Only release the power-domains for the CSIPHY, CSID and VFE when
their internal refcounts drop.
Either way refusing to release video buffers based on use_count is
erroneous and should be reverted. The silicon enabling code for selecting
VCs is perfectly fine. Its a "known missing feature" that concurrent VCs
won't work with CAMSS right now.
Initial testing with this code didn't show an error but, SoftISP and "real"
usage with Google Hangouts breaks the upstream code pretty quickly, we need
to do a partial revert and take another pass at VCs.
This commit partially reverts commit 89013969e232 ("media: camss: sm8250:
Pipeline starting and stopping for multiple virtual channels")
Fixes: 89013969e232 ("media: camss: sm8250: Pipeline starting and stopping for multiple virtual channels")
Reported-by: Johan Hovold <johan+linaro@kernel.org>
Closes: https://lore.kernel.org/lkml/ZoVNHOTI0PKMNt4_@hovoldconsulting.com/
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/camss/camss-video.c | 6 ------
1 file changed, 6 deletions(-)
--- a/drivers/media/platform/qcom/camss/camss-video.c
+++ b/drivers/media/platform/qcom/camss/camss-video.c
@@ -557,12 +557,6 @@ static void video_stop_streaming(struct
ret = v4l2_subdev_call(subdev, video, s_stream, 0);
- if (entity->use_count > 1) {
- /* Don't stop if other instances of the pipeline are still running */
- dev_dbg(video->camss->dev, "Video pipeline still used, don't stop streaming.\n");
- return;
- }
-
if (ret) {
dev_err(video->camss->dev, "Video pipeline stop failed: %d\n", ret);
return;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 292/386] media: qcom: camss: Fix ordering of pm_runtime_enable
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (290 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 291/386] media: qcom: camss: Remove use_count guard in stop_streaming Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 293/386] clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table Greg Kroah-Hartman
` (104 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johan Hovold, Bryan ODonoghue,
Konrad Dybcio, Hans Verkuil
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
commit a151766bd3688f6803e706c6433a7c8d3c6a6a94 upstream.
pm_runtime_enable() should happen prior to vfe_get() since vfe_get() calls
pm_runtime_resume_and_get().
This is a basic race condition that doesn't show up for most users so is
not widely reported. If you blacklist qcom-camss in modules.d and then
subsequently modprobe the module post-boot it is possible to reliably show
this error up.
The kernel log for this error looks like this:
qcom-camss ac5a000.camss: Failed to power up pipeline: -13
Fixes: 02afa816dbbf ("media: camss: Add basic runtime PM support")
Reported-by: Johan Hovold <johan+linaro@kernel.org>
Closes: https://lore.kernel.org/lkml/ZoVNHOTI0PKMNt4_@hovoldconsulting.com/
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Cc: <stable@vger.kernel.org>
Signed-off-by: Bryan O'Donoghue <bryan.odonoghue@linaro.org>
Reviewed-by: Konrad Dybcio <konradybcio@kernel.org>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/media/platform/qcom/camss/camss.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/media/platform/qcom/camss/camss.c
+++ b/drivers/media/platform/qcom/camss/camss.c
@@ -1665,6 +1665,8 @@ static int camss_probe(struct platform_d
v4l2_async_nf_init(&camss->notifier, &camss->v4l2_dev);
+ pm_runtime_enable(dev);
+
num_subdevs = camss_of_parse_ports(camss);
if (num_subdevs < 0) {
ret = num_subdevs;
@@ -1701,8 +1703,6 @@ static int camss_probe(struct platform_d
}
}
- pm_runtime_enable(dev);
-
return 0;
err_register_subdevs:
@@ -1710,6 +1710,7 @@ err_register_subdevs:
err_v4l2_device_unregister:
v4l2_device_unregister(&camss->v4l2_dev);
v4l2_async_nf_cleanup(&camss->notifier);
+ pm_runtime_disable(dev);
err_genpd_cleanup:
camss_genpd_cleanup(camss);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 293/386] clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (291 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 292/386] media: qcom: camss: Fix ordering of pm_runtime_enable Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 294/386] clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL Greg Kroah-Hartman
` (103 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Satya Priya Kakitapalli,
Bjorn Andersson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
commit b8acaf2de8081371761ab4cf1e7a8ee4e7acc139 upstream.
Update the frequency tables of gcc_sdcc2_apps_clk and gcc_sdcc4_apps_clk
as per the latest frequency plan.
Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x")
Cc: stable@vger.kernel.org
Signed-off-by: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
Link: https://lore.kernel.org/r/20240812-gcc-sc8180x-fixes-v2-4-8b3eaa5fb856@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/gcc-sc8180x.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/drivers/clk/qcom/gcc-sc8180x.c
+++ b/drivers/clk/qcom/gcc-sc8180x.c
@@ -894,7 +894,7 @@ static const struct freq_tbl ftbl_gcc_sd
F(25000000, P_GPLL0_OUT_MAIN, 12, 1, 2),
F(50000000, P_GPLL0_OUT_MAIN, 12, 0, 0),
F(100000000, P_GPLL0_OUT_MAIN, 6, 0, 0),
- F(200000000, P_GPLL0_OUT_MAIN, 3, 0, 0),
+ F(202000000, P_GPLL9_OUT_MAIN, 4, 0, 0),
{ }
};
@@ -917,9 +917,8 @@ static const struct freq_tbl ftbl_gcc_sd
F(400000, P_BI_TCXO, 12, 1, 4),
F(9600000, P_BI_TCXO, 2, 0, 0),
F(19200000, P_BI_TCXO, 1, 0, 0),
- F(37500000, P_GPLL0_OUT_MAIN, 16, 0, 0),
F(50000000, P_GPLL0_OUT_MAIN, 12, 0, 0),
- F(75000000, P_GPLL0_OUT_MAIN, 8, 0, 0),
+ F(100000000, P_GPLL0_OUT_MAIN, 6, 0, 0),
{ }
};
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 294/386] clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (292 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 293/386] clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table Greg Kroah-Hartman
@ 2024-10-08 12:08 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 295/386] smb: client: use actual path when queryfs Greg Kroah-Hartman
` (102 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:08 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ajit Pandey, Dmitry Baryshkov,
Vladimir Zapolskiy, Bjorn Andersson
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ajit Pandey <quic_ajipan@quicinc.com>
commit fff617979f97c773aaa9432c31cf62444b3bdbd4 upstream.
In LUCID EVO PLL CAL_L_VAL and L_VAL bitfields are part of single
PLL_L_VAL register. Update for L_VAL bitfield values in PLL_L_VAL
register using regmap_write() API in __alpha_pll_trion_set_rate
callback will override LUCID EVO PLL initial configuration related
to PLL_CAL_L_VAL bit fields in PLL_L_VAL register.
Observed random PLL lock failures during PLL enable due to such
override in PLL calibration value. Use regmap_update_bits() with
L_VAL bitfield mask instead of regmap_write() API to update only
PLL_L_VAL bitfields in __alpha_pll_trion_set_rate callback.
Fixes: 260e36606a03 ("clk: qcom: clk-alpha-pll: add Lucid EVO PLL configuration interfaces")
Cc: stable@vger.kernel.org
Signed-off-by: Ajit Pandey <quic_ajipan@quicinc.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Acked-by: Vladimir Zapolskiy <vladimir.zapolskiy@linaro.org>
Link: https://lore.kernel.org/r/20240611133752.2192401-2-quic_ajipan@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clk/qcom/clk-alpha-pll.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/clk/qcom/clk-alpha-pll.c
+++ b/drivers/clk/qcom/clk-alpha-pll.c
@@ -1638,7 +1638,7 @@ static int __alpha_pll_trion_set_rate(st
if (ret < 0)
return ret;
- regmap_write(pll->clkr.regmap, PLL_L_VAL(pll), l);
+ regmap_update_bits(pll->clkr.regmap, PLL_L_VAL(pll), LUCID_EVO_PLL_L_VAL_MASK, l);
regmap_write(pll->clkr.regmap, PLL_ALPHA_VAL(pll), a);
/* Latch the PLL input */
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 295/386] smb: client: use actual path when queryfs
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (293 preceding siblings ...)
2024-10-08 12:08 ` [PATCH 6.6 294/386] clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 296/386] smb3: fix incorrect mode displayed for read-only files Greg Kroah-Hartman
` (101 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, wangrong, Paulo Alcantara (Red Hat),
Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: wangrong <wangrong@uniontech.com>
commit a421e3fe0e6abe27395078f4f0cec5daf466caea upstream.
Due to server permission control, the client does not have access to
the shared root directory, but can access subdirectories normally, so
users usually mount the shared subdirectories directly. In this case,
queryfs should use the actual path instead of the root directory to
avoid the call returning an error (EACCES).
Signed-off-by: wangrong <wangrong@uniontech.com>
Reviewed-by: Paulo Alcantara (Red Hat) <pc@manguebit.com>
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/cifsfs.c | 13 ++++++++++++-
fs/smb/client/cifsglob.h | 2 +-
fs/smb/client/smb1ops.c | 2 +-
fs/smb/client/smb2ops.c | 19 ++++++++++++-------
4 files changed, 26 insertions(+), 10 deletions(-)
--- a/fs/smb/client/cifsfs.c
+++ b/fs/smb/client/cifsfs.c
@@ -312,8 +312,17 @@ cifs_statfs(struct dentry *dentry, struc
struct TCP_Server_Info *server = tcon->ses->server;
unsigned int xid;
int rc = 0;
+ const char *full_path;
+ void *page;
xid = get_xid();
+ page = alloc_dentry_path();
+
+ full_path = build_path_from_dentry(dentry, page);
+ if (IS_ERR(full_path)) {
+ rc = PTR_ERR(full_path);
+ goto statfs_out;
+ }
if (le32_to_cpu(tcon->fsAttrInfo.MaxPathNameComponentLength) > 0)
buf->f_namelen =
@@ -329,8 +338,10 @@ cifs_statfs(struct dentry *dentry, struc
buf->f_ffree = 0; /* unlimited */
if (server->ops->queryfs)
- rc = server->ops->queryfs(xid, tcon, cifs_sb, buf);
+ rc = server->ops->queryfs(xid, tcon, full_path, cifs_sb, buf);
+statfs_out:
+ free_dentry_path(page);
free_xid(xid);
return rc;
}
--- a/fs/smb/client/cifsglob.h
+++ b/fs/smb/client/cifsglob.h
@@ -485,7 +485,7 @@ struct smb_version_operations {
__u16 net_fid, struct cifsInodeInfo *cifs_inode);
/* query remote filesystem */
int (*queryfs)(const unsigned int, struct cifs_tcon *,
- struct cifs_sb_info *, struct kstatfs *);
+ const char *, struct cifs_sb_info *, struct kstatfs *);
/* send mandatory brlock to the server */
int (*mand_lock)(const unsigned int, struct cifsFileInfo *, __u64,
__u64, __u32, int, int, bool);
--- a/fs/smb/client/smb1ops.c
+++ b/fs/smb/client/smb1ops.c
@@ -909,7 +909,7 @@ cifs_oplock_response(struct cifs_tcon *t
static int
cifs_queryfs(const unsigned int xid, struct cifs_tcon *tcon,
- struct cifs_sb_info *cifs_sb, struct kstatfs *buf)
+ const char *path, struct cifs_sb_info *cifs_sb, struct kstatfs *buf)
{
int rc = -EOPNOTSUPP;
--- a/fs/smb/client/smb2ops.c
+++ b/fs/smb/client/smb2ops.c
@@ -2783,7 +2783,7 @@ out_free_path:
static int
smb2_queryfs(const unsigned int xid, struct cifs_tcon *tcon,
- struct cifs_sb_info *cifs_sb, struct kstatfs *buf)
+ const char *path, struct cifs_sb_info *cifs_sb, struct kstatfs *buf)
{
struct smb2_query_info_rsp *rsp;
struct smb2_fs_full_size_info *info = NULL;
@@ -2792,7 +2792,7 @@ smb2_queryfs(const unsigned int xid, str
int rc;
- rc = smb2_query_info_compound(xid, tcon, "",
+ rc = smb2_query_info_compound(xid, tcon, path,
FILE_READ_ATTRIBUTES,
FS_FULL_SIZE_INFORMATION,
SMB2_O_INFO_FILESYSTEM,
@@ -2820,28 +2820,33 @@ qfs_exit:
static int
smb311_queryfs(const unsigned int xid, struct cifs_tcon *tcon,
- struct cifs_sb_info *cifs_sb, struct kstatfs *buf)
+ const char *path, struct cifs_sb_info *cifs_sb, struct kstatfs *buf)
{
int rc;
- __le16 srch_path = 0; /* Null - open root of share */
+ __le16 *utf16_path = NULL;
u8 oplock = SMB2_OPLOCK_LEVEL_NONE;
struct cifs_open_parms oparms;
struct cifs_fid fid;
if (!tcon->posix_extensions)
- return smb2_queryfs(xid, tcon, cifs_sb, buf);
+ return smb2_queryfs(xid, tcon, path, cifs_sb, buf);
oparms = (struct cifs_open_parms) {
.tcon = tcon,
- .path = "",
+ .path = path,
.desired_access = FILE_READ_ATTRIBUTES,
.disposition = FILE_OPEN,
.create_options = cifs_create_options(cifs_sb, 0),
.fid = &fid,
};
- rc = SMB2_open(xid, &oparms, &srch_path, &oplock, NULL, NULL,
+ utf16_path = cifs_convert_path_to_utf16(path, cifs_sb);
+ if (utf16_path == NULL)
+ return -ENOMEM;
+
+ rc = SMB2_open(xid, &oparms, utf16_path, &oplock, NULL, NULL,
NULL, NULL);
+ kfree(utf16_path);
if (rc)
return rc;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 296/386] smb3: fix incorrect mode displayed for read-only files
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (294 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 295/386] smb: client: use actual path when queryfs Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 297/386] iio: magnetometer: ak8975: Fix reading for ak099xx sensors Greg Kroah-Hartman
` (100 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Steve French
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Steve French <stfrench@microsoft.com>
commit 2f3017e7cc7515e0110a3733d8dca84de2a1d23d upstream.
Commands like "chmod 0444" mark a file readonly via the attribute flag
(when mapping of mode bits into the ACL are not set, or POSIX extensions
are not negotiated), but they were not reported correctly for stat of
directories (they were reported ok for files and for "ls"). See example
below:
root:~# ls /mnt2 -l
total 12
drwxr-xr-x 2 root root 0 Sep 21 18:03 normaldir
-rwxr-xr-x 1 root root 0 Sep 21 23:24 normalfile
dr-xr-xr-x 2 root root 0 Sep 21 17:55 readonly-dir
-r-xr-xr-x 1 root root 209716224 Sep 21 18:15 readonly-file
root:~# stat -c %a /mnt2/readonly-dir
755
root:~# stat -c %a /mnt2/readonly-file
555
This fixes the stat of directories when ATTR_READONLY is set
(in cases where the mode can not be obtained other ways).
root:~# stat -c %a /mnt2/readonly-dir
555
Cc: stable@vger.kernel.org
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/smb/client/inode.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
--- a/fs/smb/client/inode.c
+++ b/fs/smb/client/inode.c
@@ -779,10 +779,6 @@ static void cifs_open_info_to_fattr(stru
fattr->cf_mode = S_IFREG | cifs_sb->ctx->file_mode;
fattr->cf_dtype = DT_REG;
- /* clear write bits if ATTR_READONLY is set */
- if (fattr->cf_cifsattrs & ATTR_READONLY)
- fattr->cf_mode &= ~(S_IWUGO);
-
/*
* Don't accept zero nlink from non-unix servers unless
* delete is pending. Instead mark it as unknown.
@@ -795,6 +791,10 @@ static void cifs_open_info_to_fattr(stru
}
}
+ /* clear write bits if ATTR_READONLY is set */
+ if (fattr->cf_cifsattrs & ATTR_READONLY)
+ fattr->cf_mode &= ~(S_IWUGO);
+
out_reparse:
if (S_ISLNK(fattr->cf_mode)) {
if (likely(data->symlink_target))
@@ -1212,11 +1212,14 @@ handle_mnt_opt:
__func__, rc);
goto out;
}
- }
-
- /* fill in remaining high mode bits e.g. SUID, VTX */
- if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL)
+ } else if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_UNX_EMUL)
+ /* fill in remaining high mode bits e.g. SUID, VTX */
cifs_sfu_mode(fattr, full_path, cifs_sb, xid);
+ else if (!(tcon->posix_extensions))
+ /* clear write bits if ATTR_READONLY is set */
+ if (fattr->cf_cifsattrs & ATTR_READONLY)
+ fattr->cf_mode &= ~(S_IWUGO);
+
/* check for Minshall+French symlinks */
if (cifs_sb->mnt_cifs_flags & CIFS_MOUNT_MF_SYMLINKS) {
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 297/386] iio: magnetometer: ak8975: Fix reading for ak099xx sensors
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (295 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 296/386] smb3: fix incorrect mode displayed for read-only files Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 298/386] vrf: revert "vrf: Remove unnecessary RCU-bh critical section" Greg Kroah-Hartman
` (99 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Barnabás Czémán,
Stable, Jonathan Cameron
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Barnabás Czémán <barnabas.czeman@mainlining.org>
commit 129464e86c7445a858b790ac2d28d35f58256bbe upstream.
Move ST2 reading with overflow handling after measurement data
reading.
ST2 register read have to be read after read measurment data,
because it means end of the reading and realease the lock on the data.
Remove ST2 read skip on interrupt based waiting because ST2 required to
be read out at and of the axis read.
Fixes: 57e73a423b1e ("iio: ak8975: add ak09911 and ak09912 support")
Signed-off-by: Barnabás Czémán <barnabas.czeman@mainlining.org>
Link: https://patch.msgid.link/20240819-ak09918-v4-2-f0734d14cfb9@mainlining.org
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/magnetometer/ak8975.c | 32 ++++++++++++++++----------------
1 file changed, 16 insertions(+), 16 deletions(-)
--- a/drivers/iio/magnetometer/ak8975.c
+++ b/drivers/iio/magnetometer/ak8975.c
@@ -692,22 +692,8 @@ static int ak8975_start_read_axis(struct
if (ret < 0)
return ret;
- /* This will be executed only for non-interrupt based waiting case */
- if (ret & data->def->ctrl_masks[ST1_DRDY]) {
- ret = i2c_smbus_read_byte_data(client,
- data->def->ctrl_regs[ST2]);
- if (ret < 0) {
- dev_err(&client->dev, "Error in reading ST2\n");
- return ret;
- }
- if (ret & (data->def->ctrl_masks[ST2_DERR] |
- data->def->ctrl_masks[ST2_HOFL])) {
- dev_err(&client->dev, "ST2 status error 0x%x\n", ret);
- return -EINVAL;
- }
- }
-
- return 0;
+ /* Return with zero if the data is ready. */
+ return !data->def->ctrl_regs[ST1_DRDY];
}
/* Retrieve raw flux value for one of the x, y, or z axis. */
@@ -734,6 +720,20 @@ static int ak8975_read_axis(struct iio_d
if (ret < 0)
goto exit;
+ /* Read out ST2 for release lock on measurment data. */
+ ret = i2c_smbus_read_byte_data(client, data->def->ctrl_regs[ST2]);
+ if (ret < 0) {
+ dev_err(&client->dev, "Error in reading ST2\n");
+ goto exit;
+ }
+
+ if (ret & (data->def->ctrl_masks[ST2_DERR] |
+ data->def->ctrl_masks[ST2_HOFL])) {
+ dev_err(&client->dev, "ST2 status error 0x%x\n", ret);
+ ret = -EINVAL;
+ goto exit;
+ }
+
mutex_unlock(&data->lock);
pm_runtime_mark_last_busy(&data->client->dev);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 298/386] vrf: revert "vrf: Remove unnecessary RCU-bh critical section"
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (296 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 297/386] iio: magnetometer: ak8975: Fix reading for ak099xx sensors Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 299/386] gso: fix udp gso fraglist segmentation after pull from frag_list Greg Kroah-Hartman
` (98 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Greear, Willem de Bruijn,
Ido Schimmel, David Ahern, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
commit b04c4d9eb4f25b950b33218e33b04c94e7445e51 upstream.
This reverts commit 504fc6f4f7f681d2a03aa5f68aad549d90eab853.
dev_queue_xmit_nit is expected to be called with BH disabled.
__dev_queue_xmit has the following:
/* Disable soft irqs for various locks below. Also
* stops preemption for RCU.
*/
rcu_read_lock_bh();
VRF must follow this invariant. The referenced commit removed this
protection. Which triggered a lockdep warning:
================================
WARNING: inconsistent lock state
6.11.0 #1 Tainted: G W
--------------------------------
inconsistent {IN-SOFTIRQ-W} -> {SOFTIRQ-ON-W} usage.
btserver/134819 [HC0[0]:SC0[0]:HE1:SE1] takes:
ffff8882da30c118 (rlock-AF_PACKET){+.?.}-{2:2}, at: tpacket_rcv+0x863/0x3b30
{IN-SOFTIRQ-W} state was registered at:
lock_acquire+0x19a/0x4f0
_raw_spin_lock+0x27/0x40
packet_rcv+0xa33/0x1320
__netif_receive_skb_core.constprop.0+0xcb0/0x3a90
__netif_receive_skb_list_core+0x2c9/0x890
netif_receive_skb_list_internal+0x610/0xcc0
[...]
other info that might help us debug this:
Possible unsafe locking scenario:
CPU0
----
lock(rlock-AF_PACKET);
<Interrupt>
lock(rlock-AF_PACKET);
*** DEADLOCK ***
Call Trace:
<TASK>
dump_stack_lvl+0x73/0xa0
mark_lock+0x102e/0x16b0
__lock_acquire+0x9ae/0x6170
lock_acquire+0x19a/0x4f0
_raw_spin_lock+0x27/0x40
tpacket_rcv+0x863/0x3b30
dev_queue_xmit_nit+0x709/0xa40
vrf_finish_direct+0x26e/0x340 [vrf]
vrf_l3_out+0x5f4/0xe80 [vrf]
__ip_local_out+0x51e/0x7a0
[...]
Fixes: 504fc6f4f7f6 ("vrf: Remove unnecessary RCU-bh critical section")
Link: https://lore.kernel.org/netdev/20240925185216.1990381-1-greearb@candelatech.com/
Reported-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: Willem de Bruijn <willemb@google.com>
Cc: stable@vger.kernel.org
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Tested-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://patch.msgid.link/20240929061839.1175300-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/vrf.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/vrf.c
+++ b/drivers/net/vrf.c
@@ -628,7 +628,9 @@ static void vrf_finish_direct(struct sk_
eth_zero_addr(eth->h_dest);
eth->h_proto = skb->protocol;
+ rcu_read_lock_bh();
dev_queue_xmit_nit(skb, vrf_dev);
+ rcu_read_unlock_bh();
skb_pull(skb, ETH_HLEN);
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 299/386] gso: fix udp gso fraglist segmentation after pull from frag_list
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (297 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 298/386] vrf: revert "vrf: Remove unnecessary RCU-bh critical section" Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 300/386] tomoyo: fallback to realpath if symlinks pathname does not exist Greg Kroah-Hartman
` (97 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Willem de Bruijn, Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
commit a1e40ac5b5e9077fe1f7ae0eb88034db0f9ae1ab upstream.
Detect gso fraglist skbs with corrupted geometry (see below) and
pass these to skb_segment instead of skb_segment_list, as the first
can segment them correctly.
Valid SKB_GSO_FRAGLIST skbs
- consist of two or more segments
- the head_skb holds the protocol headers plus first gso_size
- one or more frag_list skbs hold exactly one segment
- all but the last must be gso_size
Optional datapath hooks such as NAT and BPF (bpf_skb_pull_data) can
modify these skbs, breaking these invariants.
In extreme cases they pull all data into skb linear. For UDP, this
causes a NULL ptr deref in __udpv4_gso_segment_list_csum at
udp_hdr(seg->next)->dest.
Detect invalid geometry due to pull, by checking head_skb size.
Don't just drop, as this may blackhole a destination. Convert to be
able to pass to regular skb_segment.
Link: https://lore.kernel.org/netdev/20240428142913.18666-1-shiming.cheng@mediatek.com/
Fixes: 9fd1ff5d2ac7 ("udp: Support UDP fraglist GRO/GSO.")
Signed-off-by: Willem de Bruijn <willemb@google.com>
Cc: stable@vger.kernel.org
Link: https://patch.msgid.link/20241001171752.107580-1-willemdebruijn.kernel@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/udp_offload.c | 22 ++++++++++++++++++++--
1 file changed, 20 insertions(+), 2 deletions(-)
--- a/net/ipv4/udp_offload.c
+++ b/net/ipv4/udp_offload.c
@@ -290,8 +290,26 @@ struct sk_buff *__udp_gso_segment(struct
return NULL;
}
- if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST)
- return __udp_gso_segment_list(gso_skb, features, is_ipv6);
+ if (skb_shinfo(gso_skb)->gso_type & SKB_GSO_FRAGLIST) {
+ /* Detect modified geometry and pass those to skb_segment. */
+ if (skb_pagelen(gso_skb) - sizeof(*uh) == skb_shinfo(gso_skb)->gso_size)
+ return __udp_gso_segment_list(gso_skb, features, is_ipv6);
+
+ /* Setup csum, as fraglist skips this in udp4_gro_receive. */
+ gso_skb->csum_start = skb_transport_header(gso_skb) - gso_skb->head;
+ gso_skb->csum_offset = offsetof(struct udphdr, check);
+ gso_skb->ip_summed = CHECKSUM_PARTIAL;
+
+ uh = udp_hdr(gso_skb);
+ if (is_ipv6)
+ uh->check = ~udp_v6_check(gso_skb->len,
+ &ipv6_hdr(gso_skb)->saddr,
+ &ipv6_hdr(gso_skb)->daddr, 0);
+ else
+ uh->check = ~udp_v4_check(gso_skb->len,
+ ip_hdr(gso_skb)->saddr,
+ ip_hdr(gso_skb)->daddr, 0);
+ }
skb_pull(gso_skb, sizeof(*uh));
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 300/386] tomoyo: fallback to realpath if symlinks pathname does not exist
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (298 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 299/386] gso: fix udp gso fraglist segmentation after pull from frag_list Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 301/386] net: stmmac: Fix zero-division error when disabling tc cbs Greg Kroah-Hartman
` (96 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Alfred Agrell, Tetsuo Handa
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
commit ada1986d07976d60bed5017aa38b7f7cf27883f7 upstream.
Alfred Agrell found that TOMOYO cannot handle execveat(AT_EMPTY_PATH)
inside chroot environment where /dev and /proc are not mounted, for
commit 51f39a1f0cea ("syscalls: implement execveat() system call") missed
that TOMOYO tries to canonicalize argv[0] when the filename fed to the
executed program as argv[0] is supplied using potentially nonexistent
pathname.
Since "/dev/fd/<fd>" already lost symlink information used for obtaining
that <fd>, it is too late to reconstruct symlink's pathname. Although
<filename> part of "/dev/fd/<fd>/<filename>" might not be canonicalized,
TOMOYO cannot use tomoyo_realpath_nofollow() when /dev or /proc is not
mounted. Therefore, fallback to tomoyo_realpath_from_path() when
tomoyo_realpath_nofollow() failed.
Reported-by: Alfred Agrell <blubban@gmail.com>
Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1082001
Fixes: 51f39a1f0cea ("syscalls: implement execveat() system call")
Cc: stable@vger.kernel.org # v3.19+
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/tomoyo/domain.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/security/tomoyo/domain.c
+++ b/security/tomoyo/domain.c
@@ -723,10 +723,13 @@ int tomoyo_find_next_domain(struct linux
ee->r.obj = &ee->obj;
ee->obj.path1 = bprm->file->f_path;
/* Get symlink's pathname of program. */
- retval = -ENOENT;
exename.name = tomoyo_realpath_nofollow(original_name);
- if (!exename.name)
- goto out;
+ if (!exename.name) {
+ /* Fallback to realpath if symlink's pathname does not exist. */
+ exename.name = tomoyo_realpath_from_path(&bprm->file->f_path);
+ if (!exename.name)
+ goto out;
+ }
tomoyo_fill_path_info(&exename);
retry:
/* Check 'aggregator' directive. */
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 301/386] net: stmmac: Fix zero-division error when disabling tc cbs
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (299 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 300/386] tomoyo: fallback to realpath if symlinks pathname does not exist Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 302/386] rtc: at91sam9: fix OF node leak in probe() error path Greg Kroah-Hartman
` (95 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Choong Yong Liang, KhaiWenTan,
Simon Horman, Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: KhaiWenTan <khai.wen.tan@linux.intel.com>
commit 675faf5a14c14a2be0b870db30a70764df81e2df upstream.
The commit b8c43360f6e4 ("net: stmmac: No need to calculate speed divider
when offload is disabled") allows the "port_transmit_rate_kbps" to be
set to a value of 0, which is then passed to the "div_s64" function when
tc-cbs is disabled. This leads to a zero-division error.
When tc-cbs is disabled, the idleslope, sendslope, and credit values the
credit values are not required to be configured. Therefore, adding a return
statement after setting the txQ mode to DCB when tc-cbs is disabled would
prevent a zero-division error.
Fixes: b8c43360f6e4 ("net: stmmac: No need to calculate speed divider when offload is disabled")
Cc: <stable@vger.kernel.org>
Co-developed-by: Choong Yong Liang <yong.liang.choong@linux.intel.com>
Signed-off-by: Choong Yong Liang <yong.liang.choong@linux.intel.com>
Signed-off-by: KhaiWenTan <khai.wen.tan@linux.intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/20240918061422.1589662-1-khai.wen.tan@linux.intel.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
@@ -396,6 +396,7 @@ static int tc_setup_cbs(struct stmmac_pr
return ret;
priv->plat->tx_queues_cfg[queue].mode_to_use = MTL_QUEUE_DCB;
+ return 0;
}
/* Final adjustments for HW */
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 302/386] rtc: at91sam9: fix OF node leak in probe() error path
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (300 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 301/386] net: stmmac: Fix zero-division error when disabling tc cbs Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 303/386] Input: adp5589-keys - fix NULL pointer dereference Greg Kroah-Hartman
` (94 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Alexandre Belloni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 73580e2ee6adfb40276bd420da3bb1abae204e10 upstream.
Driver is leaking an OF node reference obtained from
of_parse_phandle_with_fixed_args().
Fixes: 43e112bb3dea ("rtc: at91sam9: make use of syscon/regmap to access GPBR registers")
Cc: stable@vger.kernel.org
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20240825183103.102904-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Alexandre Belloni <alexandre.belloni@bootlin.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rtc/rtc-at91sam9.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/rtc/rtc-at91sam9.c
+++ b/drivers/rtc/rtc-at91sam9.c
@@ -368,6 +368,7 @@ static int at91_rtc_probe(struct platfor
return ret;
rtc->gpbr = syscon_node_to_regmap(args.np);
+ of_node_put(args.np);
rtc->gpbr_offset = args.args[0];
if (IS_ERR(rtc->gpbr)) {
dev_err(&pdev->dev, "failed to retrieve gpbr regmap, aborting.\n");
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 303/386] Input: adp5589-keys - fix NULL pointer dereference
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (301 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 302/386] rtc: at91sam9: fix OF node leak in probe() error path Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 304/386] Input: adp5589-keys - fix adp5589_gpio_get_value() Greg Kroah-Hartman
` (93 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nuno Sa, Dmitry Torokhov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sa <nuno.sa@analog.com>
commit fb5cc65f973661241e4a2b7390b429aa7b330c69 upstream.
We register a devm action to call adp5589_clear_config() and then pass
the i2c client as argument so that we can call i2c_get_clientdata() in
order to get our device object. However, i2c_set_clientdata() is only
being set at the end of the probe function which means that we'll get a
NULL pointer dereference in case the probe function fails early.
Fixes: 30df385e35a4 ("Input: adp5589-keys - use devm_add_action_or_reset() for register clear")
Signed-off-by: Nuno Sa <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20241001-b4-dev-adp5589-fw-conversion-v1-1-fca0149dfc47@analog.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/keyboard/adp5589-keys.c | 9 +++------
1 file changed, 3 insertions(+), 6 deletions(-)
--- a/drivers/input/keyboard/adp5589-keys.c
+++ b/drivers/input/keyboard/adp5589-keys.c
@@ -936,10 +936,9 @@ static int adp5589_keypad_add(struct adp
static void adp5589_clear_config(void *data)
{
- struct i2c_client *client = data;
- struct adp5589_kpad *kpad = i2c_get_clientdata(client);
+ struct adp5589_kpad *kpad = data;
- adp5589_write(client, kpad->var->reg(ADP5589_GENERAL_CFG), 0);
+ adp5589_write(kpad->client, kpad->var->reg(ADP5589_GENERAL_CFG), 0);
}
static int adp5589_probe(struct i2c_client *client)
@@ -983,7 +982,7 @@ static int adp5589_probe(struct i2c_clie
}
error = devm_add_action_or_reset(&client->dev, adp5589_clear_config,
- client);
+ kpad);
if (error)
return error;
@@ -1010,8 +1009,6 @@ static int adp5589_probe(struct i2c_clie
if (error)
return error;
- i2c_set_clientdata(client, kpad);
-
dev_info(&client->dev, "Rev.%d keypad, irq %d\n", revid, client->irq);
return 0;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 304/386] Input: adp5589-keys - fix adp5589_gpio_get_value()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (302 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 303/386] Input: adp5589-keys - fix NULL pointer dereference Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 305/386] cachefiles: fix dentry leak in cachefiles_open_file() Greg Kroah-Hartman
` (92 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Nuno Sa, Dmitry Torokhov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nuno Sa <nuno.sa@analog.com>
commit c684771630e64bc39bddffeb65dd8a6612a6b249 upstream.
The adp5589 seems to have the same behavior as similar devices as
explained in commit 910a9f5636f5 ("Input: adp5588-keys - get value from
data out when dir is out").
Basically, when the gpio is set as output we need to get the value from
ADP5589_GPO_DATA_OUT_A register instead of ADP5589_GPI_STATUS_A.
Fixes: 9d2e173644bb ("Input: ADP5589 - new driver for I2C Keypad Decoder and I/O Expander")
Signed-off-by: Nuno Sa <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20241001-b4-dev-adp5589-fw-conversion-v1-2-fca0149dfc47@analog.com
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/input/keyboard/adp5589-keys.c | 13 ++++++++++---
1 file changed, 10 insertions(+), 3 deletions(-)
--- a/drivers/input/keyboard/adp5589-keys.c
+++ b/drivers/input/keyboard/adp5589-keys.c
@@ -391,10 +391,17 @@ static int adp5589_gpio_get_value(struct
struct adp5589_kpad *kpad = gpiochip_get_data(chip);
unsigned int bank = kpad->var->bank(kpad->gpiomap[off]);
unsigned int bit = kpad->var->bit(kpad->gpiomap[off]);
+ int val;
- return !!(adp5589_read(kpad->client,
- kpad->var->reg(ADP5589_GPI_STATUS_A) + bank) &
- bit);
+ mutex_lock(&kpad->gpio_lock);
+ if (kpad->dir[bank] & bit)
+ val = kpad->dat_out[bank];
+ else
+ val = adp5589_read(kpad->client,
+ kpad->var->reg(ADP5589_GPI_STATUS_A) + bank);
+ mutex_unlock(&kpad->gpio_lock);
+
+ return !!(val & bit);
}
static void adp5589_gpio_set_value(struct gpio_chip *chip,
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 305/386] cachefiles: fix dentry leak in cachefiles_open_file()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (303 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 304/386] Input: adp5589-keys - fix adp5589_gpio_get_value() Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 306/386] ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] Greg Kroah-Hartman
` (91 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, stable, Baokun Li, David Howells,
Christian Brauner
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Baokun Li <libaokun1@huawei.com>
commit da6ef2dffe6056aad3435e6cf7c6471c2a62187c upstream.
A dentry leak may be caused when a lookup cookie and a cull are concurrent:
P1 | P2
-----------------------------------------------------------
cachefiles_lookup_cookie
cachefiles_look_up_object
lookup_one_positive_unlocked
// get dentry
cachefiles_cull
inode->i_flags |= S_KERNEL_FILE;
cachefiles_open_file
cachefiles_mark_inode_in_use
__cachefiles_mark_inode_in_use
can_use = false
if (!(inode->i_flags & S_KERNEL_FILE))
can_use = true
return false
return false
// Returns an error but doesn't put dentry
After that the following WARNING will be triggered when the backend folder
is umounted:
==================================================================
BUG: Dentry 000000008ad87947{i=7a,n=Dx_1_1.img} still in use (1) [unmount of ext4 sda]
WARNING: CPU: 4 PID: 359261 at fs/dcache.c:1767 umount_check+0x5d/0x70
CPU: 4 PID: 359261 Comm: umount Not tainted 6.6.0-dirty #25
RIP: 0010:umount_check+0x5d/0x70
Call Trace:
<TASK>
d_walk+0xda/0x2b0
do_one_tree+0x20/0x40
shrink_dcache_for_umount+0x2c/0x90
generic_shutdown_super+0x20/0x160
kill_block_super+0x1a/0x40
ext4_kill_sb+0x22/0x40
deactivate_locked_super+0x35/0x80
cleanup_mnt+0x104/0x160
==================================================================
Whether cachefiles_open_file() returns true or false, the reference count
obtained by lookup_positive_unlocked() in cachefiles_look_up_object()
should be released.
Therefore release that reference count in cachefiles_look_up_object() to
fix the above issue and simplify the code.
Fixes: 1f08c925e7a3 ("cachefiles: Implement backing file wrangling")
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Link: https://lore.kernel.org/r/20240829083409.3788142-1-libaokun@huaweicloud.com
Acked-by: David Howells <dhowells@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cachefiles/namei.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
@@ -594,14 +594,12 @@ static bool cachefiles_open_file(struct
* write and readdir but not lookup or open).
*/
touch_atime(&file->f_path);
- dput(dentry);
return true;
check_failed:
fscache_cookie_lookup_negative(object->cookie);
cachefiles_unmark_inode_in_use(object, file);
fput(file);
- dput(dentry);
if (ret == -ESTALE)
return cachefiles_create_file(object);
return false;
@@ -610,7 +608,6 @@ error_fput:
fput(file);
error:
cachefiles_do_unmark_inode_in_use(object, d_inode(dentry));
- dput(dentry);
return false;
}
@@ -653,7 +650,9 @@ bool cachefiles_look_up_object(struct ca
goto new_file;
}
- if (!cachefiles_open_file(object, dentry))
+ ret = cachefiles_open_file(object, dentry);
+ dput(dentry);
+ if (!ret)
return false;
_leave(" = t [%lu]", file_inode(object->file)->i_ino);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 306/386] ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[]
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (304 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 305/386] cachefiles: fix dentry leak in cachefiles_open_file() Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 307/386] ACPI: resource: Add Asus ExpertBook B2502CVA " Greg Kroah-Hartman
` (90 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lamome Julien, Hans de Goede,
Rafael J. Wysocki
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 2f80ce0b78c340e332f04a5801dee5e4ac8cfaeb upstream.
Like other Asus Vivobook models the X1704VAP has its keybopard IRQ (1)
described as ActiveLow in the DSDT, which the kernel overrides to EdgeHigh
which breaks the keyboard.
Add the X1704VAP to the irq1_level_low_skip_override[] quirk table to fix
this.
Reported-by: Lamome Julien <julien.lamome@wanadoo.fr>
Closes: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1078696
Closes: https://lore.kernel.org/all/1226760b-4699-4529-bf57-6423938157a3@wanadoo.fr/
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://patch.msgid.link/20240927141606.66826-3-hdegoede@redhat.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/resource.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/acpi/resource.c
+++ b/drivers/acpi/resource.c
@@ -440,6 +440,13 @@ static const struct dmi_system_id asus_l
},
},
{
+ /* Asus Vivobook X1704VAP */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_BOARD_NAME, "X1704VAP"),
+ },
+ },
+ {
.ident = "Asus ExpertBook B1402CBA",
.matches = {
DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 307/386] ACPI: resource: Add Asus ExpertBook B2502CVA to irq1_level_low_skip_override[]
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (305 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 306/386] ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 308/386] btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Greg Kroah-Hartman
` (89 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Rafael J. Wysocki
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 056301e7c7c886f96d799edd36f3406cc30e1822 upstream.
Like other Asus ExpertBook models the B2502CVA has its keybopard IRQ (1)
described as ActiveLow in the DSDT, which the kernel overrides to EdgeHigh
which breaks the keyboard.
Add the B2502CVA to the irq1_level_low_skip_override[] quirk table to fix
this.
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217760
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://patch.msgid.link/20240927141606.66826-4-hdegoede@redhat.com
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/resource.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/acpi/resource.c
+++ b/drivers/acpi/resource.c
@@ -510,6 +510,13 @@ static const struct dmi_system_id mainge
}
},
{
+ /* Asus ExpertBook B2502CVA */
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "ASUSTeK COMPUTER INC."),
+ DMI_MATCH(DMI_BOARD_NAME, "B2502CVA"),
+ },
+ },
+ {
/* TongFang GMxXGxx/TUXEDO Polaris 15 Gen5 AMD */
.matches = {
DMI_MATCH(DMI_BOARD_NAME, "GMxXGxx"),
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 308/386] btrfs: fix a NULL pointer dereference when failed to start a new trasacntion
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (306 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 307/386] ACPI: resource: Add Asus ExpertBook B2502CVA " Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 309/386] btrfs: send: fix invalid clone operation for file that got its size decreased Greg Kroah-Hartman
` (88 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+283673dbc38527ef9f3d,
Josef Bacik, Qu Wenruo, David Sterba
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Qu Wenruo <wqu@suse.com>
commit c3b47f49e83197e8dffd023ec568403bcdbb774b upstream.
[BUG]
Syzbot reported a NULL pointer dereference with the following crash:
FAULT_INJECTION: forcing a failure.
start_transaction+0x830/0x1670 fs/btrfs/transaction.c:676
prepare_to_relocate+0x31f/0x4c0 fs/btrfs/relocation.c:3642
relocate_block_group+0x169/0xd20 fs/btrfs/relocation.c:3678
...
BTRFS info (device loop0): balance: ended with status: -12
Oops: general protection fault, probably for non-canonical address 0xdffffc00000000cc: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000660-0x0000000000000667]
RIP: 0010:btrfs_update_reloc_root+0x362/0xa80 fs/btrfs/relocation.c:926
Call Trace:
<TASK>
commit_fs_roots+0x2ee/0x720 fs/btrfs/transaction.c:1496
btrfs_commit_transaction+0xfaf/0x3740 fs/btrfs/transaction.c:2430
del_balance_item fs/btrfs/volumes.c:3678 [inline]
reset_balance_state+0x25e/0x3c0 fs/btrfs/volumes.c:3742
btrfs_balance+0xead/0x10c0 fs/btrfs/volumes.c:4574
btrfs_ioctl_balance+0x493/0x7c0 fs/btrfs/ioctl.c:3673
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:907 [inline]
__se_sys_ioctl+0xf9/0x170 fs/ioctl.c:893
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
[CAUSE]
The allocation failure happens at the start_transaction() inside
prepare_to_relocate(), and during the error handling we call
unset_reloc_control(), which makes fs_info->balance_ctl to be NULL.
Then we continue the error path cleanup in btrfs_balance() by calling
reset_balance_state() which will call del_balance_item() to fully delete
the balance item in the root tree.
However during the small window between set_reloc_contrl() and
unset_reloc_control(), we can have a subvolume tree update and created a
reloc_root for that subvolume.
Then we go into the final btrfs_commit_transaction() of
del_balance_item(), and into btrfs_update_reloc_root() inside
commit_fs_roots().
That function checks if fs_info->reloc_ctl is in the merge_reloc_tree
stage, but since fs_info->reloc_ctl is NULL, it results a NULL pointer
dereference.
[FIX]
Just add extra check on fs_info->reloc_ctl inside
btrfs_update_reloc_root(), before checking
fs_info->reloc_ctl->merge_reloc_tree.
That DEAD_RELOC_TREE handling is to prevent further modification to the
reloc tree during merge stage, but since there is no reloc_ctl at all,
we do not need to bother that.
Reported-by: syzbot+283673dbc38527ef9f3d@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/66f6bfa7.050a0220.38ace9.0019.GAE@google.com/
CC: stable@vger.kernel.org # 4.19+
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/relocation.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -931,7 +931,7 @@ int btrfs_update_reloc_root(struct btrfs
btrfs_grab_root(reloc_root);
/* root->reloc_root will stay until current relocation finished */
- if (fs_info->reloc_ctl->merge_reloc_tree &&
+ if (fs_info->reloc_ctl && fs_info->reloc_ctl->merge_reloc_tree &&
btrfs_root_refs(root_item) == 0) {
set_bit(BTRFS_ROOT_DEAD_RELOC_TREE, &root->state);
/*
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 309/386] btrfs: send: fix invalid clone operation for file that got its size decreased
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (307 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 308/386] btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 310/386] btrfs: wait for fixup workers before stopping cleaner kthread during umount Greg Kroah-Hartman
` (87 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Millwood, Qu Wenruo,
Filipe Manana, David Sterba
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit fa630df665aa9ddce3a96ce7b54e10a38e4d2a2b upstream.
During an incremental send we may end up sending an invalid clone
operation, for the last extent of a file which ends at an unaligned offset
that matches the final i_size of the file in the send snapshot, in case
the file had its initial size (the size in the parent snapshot) decreased
in the send snapshot. In this case the destination will fail to apply the
clone operation because its end offset is not sector size aligned and it
ends before the current size of the file.
Sending the truncate operation always happens when we finish processing an
inode, after we process all its extents (and xattrs, names, etc). So fix
this by ensuring the file has a valid size before we send a clone
operation for an unaligned extent that ends at the final i_size of the
file. The size we truncate to matches the start offset of the clone range
but it could be any value between that start offset and the final size of
the file since the clone operation will expand the i_size if the current
size is smaller than the end offset. The start offset of the range was
chosen because it's always sector size aligned and avoids a truncation
into the middle of a page, which results in dirtying the page due to
filling part of it with zeroes and then making the clone operation at the
receiver trigger IO.
The following test reproduces the issue:
$ cat test.sh
#!/bin/bash
DEV=/dev/sdi
MNT=/mnt/sdi
mkfs.btrfs -f $DEV
mount $DEV $MNT
# Create a file with a size of 256K + 5 bytes, having two extents, one
# with a size of 128K and another one with a size of 128K + 5 bytes.
last_ext_size=$((128 * 1024 + 5))
xfs_io -f -d -c "pwrite -S 0xab -b 128K 0 128K" \
-c "pwrite -S 0xcd -b $last_ext_size 128K $last_ext_size" \
$MNT/foo
# Another file which we will later clone foo into, but initially with
# a larger size than foo.
xfs_io -f -c "pwrite -S 0xef 0 1M" $MNT/bar
btrfs subvolume snapshot -r $MNT/ $MNT/snap1
# Now resize bar and clone foo into it.
xfs_io -c "truncate 0" \
-c "reflink $MNT/foo" $MNT/bar
btrfs subvolume snapshot -r $MNT/ $MNT/snap2
rm -f /tmp/send-full /tmp/send-inc
btrfs send -f /tmp/send-full $MNT/snap1
btrfs send -p $MNT/snap1 -f /tmp/send-inc $MNT/snap2
umount $MNT
mkfs.btrfs -f $DEV
mount $DEV $MNT
btrfs receive -f /tmp/send-full $MNT
btrfs receive -f /tmp/send-inc $MNT
umount $MNT
Running it before this patch:
$ ./test.sh
(...)
At subvol snap1
At snapshot snap2
ERROR: failed to clone extents to bar: Invalid argument
A test case for fstests will be sent soon.
Reported-by: Ben Millwood <thebenmachine@gmail.com>
Link: https://lore.kernel.org/linux-btrfs/CAJhrHS2z+WViO2h=ojYvBPDLsATwLbg+7JaNCyYomv0fUxEpQQ@mail.gmail.com/
Fixes: 46a6e10a1ab1 ("btrfs: send: allow cloning non-aligned extent if it ends at i_size")
CC: stable@vger.kernel.org # 6.11
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/send.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
--- a/fs/btrfs/send.c
+++ b/fs/btrfs/send.c
@@ -6190,8 +6190,29 @@ static int send_write_or_clone(struct se
if (ret < 0)
return ret;
- if (clone_root->offset + num_bytes == info.size)
+ if (clone_root->offset + num_bytes == info.size) {
+ /*
+ * The final size of our file matches the end offset, but it may
+ * be that its current size is larger, so we have to truncate it
+ * to any value between the start offset of the range and the
+ * final i_size, otherwise the clone operation is invalid
+ * because it's unaligned and it ends before the current EOF.
+ * We do this truncate to the final i_size when we finish
+ * processing the inode, but it's too late by then. And here we
+ * truncate to the start offset of the range because it's always
+ * sector size aligned while if it were the final i_size it
+ * would result in dirtying part of a page, filling part of a
+ * page with zeroes and then having the clone operation at the
+ * receiver trigger IO and wait for it due to the dirty page.
+ */
+ if (sctx->parent_root != NULL) {
+ ret = send_truncate(sctx, sctx->cur_ino,
+ sctx->cur_inode_gen, offset);
+ if (ret < 0)
+ return ret;
+ }
goto clone_data;
+ }
write_data:
ret = send_extent_data(sctx, path, offset, num_bytes);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 310/386] btrfs: wait for fixup workers before stopping cleaner kthread during umount
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (308 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 309/386] btrfs: send: fix invalid clone operation for file that got its size decreased Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 311/386] cpufreq: Avoid a bad reference count on CPU node Greg Kroah-Hartman
` (86 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+8aaf2df2ef0164ffe1fb,
Qu Wenruo, Johannes Thumshirn, David Sterba, Filipe Manana
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
commit 41fd1e94066a815a7ab0a7025359e9b40e4b3576 upstream.
During unmount, at close_ctree(), we have the following steps in this order:
1) Park the cleaner kthread - this doesn't destroy the kthread, it basically
halts its execution (wake ups against it work but do nothing);
2) We stop the cleaner kthread - this results in freeing the respective
struct task_struct;
3) We call btrfs_stop_all_workers() which waits for any jobs running in all
the work queues and then free the work queues.
Syzbot reported a case where a fixup worker resulted in a crash when doing
a delayed iput on its inode while attempting to wake up the cleaner at
btrfs_add_delayed_iput(), because the task_struct of the cleaner kthread
was already freed. This can happen during unmount because we don't wait
for any fixup workers still running before we call kthread_stop() against
the cleaner kthread, which stops and free all its resources.
Fix this by waiting for any fixup workers at close_ctree() before we call
kthread_stop() against the cleaner and run pending delayed iputs.
The stack traces reported by syzbot were the following:
BUG: KASAN: slab-use-after-free in __lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
Read of size 8 at addr ffff8880272a8a18 by task kworker/u8:3/52
CPU: 1 UID: 0 PID: 52 Comm: kworker/u8:3 Not tainted 6.12.0-rc1-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/13/2024
Workqueue: btrfs-fixup btrfs_work_helper
Call Trace:
<TASK>
__dump_stack lib/dump_stack.c:94 [inline]
dump_stack_lvl+0x241/0x360 lib/dump_stack.c:120
print_address_description mm/kasan/report.c:377 [inline]
print_report+0x169/0x550 mm/kasan/report.c:488
kasan_report+0x143/0x180 mm/kasan/report.c:601
__lock_acquire+0x77/0x2050 kernel/locking/lockdep.c:5065
lock_acquire+0x1ed/0x550 kernel/locking/lockdep.c:5825
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0xd5/0x120 kernel/locking/spinlock.c:162
class_raw_spinlock_irqsave_constructor include/linux/spinlock.h:551 [inline]
try_to_wake_up+0xb0/0x1480 kernel/sched/core.c:4154
btrfs_writepage_fixup_worker+0xc16/0xdf0 fs/btrfs/inode.c:2842
btrfs_work_helper+0x390/0xc50 fs/btrfs/async-thread.c:314
process_one_work kernel/workqueue.c:3229 [inline]
process_scheduled_works+0xa63/0x1850 kernel/workqueue.c:3310
worker_thread+0x870/0xd30 kernel/workqueue.c:3391
kthread+0x2f0/0x390 kernel/kthread.c:389
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
</TASK>
Allocated by task 2:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
unpoison_slab_object mm/kasan/common.c:319 [inline]
__kasan_slab_alloc+0x66/0x80 mm/kasan/common.c:345
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
kmem_cache_alloc_node_noprof+0x16b/0x320 mm/slub.c:4187
alloc_task_struct_node kernel/fork.c:180 [inline]
dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
copy_process+0x5d1/0x3d50 kernel/fork.c:2206
kernel_clone+0x223/0x880 kernel/fork.c:2787
kernel_thread+0x1bc/0x240 kernel/fork.c:2849
create_kthread kernel/kthread.c:412 [inline]
kthreadd+0x60d/0x810 kernel/kthread.c:765
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
Freed by task 61:
kasan_save_stack mm/kasan/common.c:47 [inline]
kasan_save_track+0x3f/0x80 mm/kasan/common.c:68
kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579
poison_slab_object mm/kasan/common.c:247 [inline]
__kasan_slab_free+0x59/0x70 mm/kasan/common.c:264
kasan_slab_free include/linux/kasan.h:230 [inline]
slab_free_hook mm/slub.c:2343 [inline]
slab_free mm/slub.c:4580 [inline]
kmem_cache_free+0x1a2/0x420 mm/slub.c:4682
put_task_struct include/linux/sched/task.h:144 [inline]
delayed_put_task_struct+0x125/0x300 kernel/exit.c:228
rcu_do_batch kernel/rcu/tree.c:2567 [inline]
rcu_core+0xaaa/0x17a0 kernel/rcu/tree.c:2823
handle_softirqs+0x2c5/0x980 kernel/softirq.c:554
__do_softirq kernel/softirq.c:588 [inline]
invoke_softirq kernel/softirq.c:428 [inline]
__irq_exit_rcu+0xf4/0x1c0 kernel/softirq.c:637
irq_exit_rcu+0x9/0x30 kernel/softirq.c:649
instr_sysvec_apic_timer_interrupt arch/x86/kernel/apic/apic.c:1037 [inline]
sysvec_apic_timer_interrupt+0xa6/0xc0 arch/x86/kernel/apic/apic.c:1037
asm_sysvec_apic_timer_interrupt+0x1a/0x20 arch/x86/include/asm/idtentry.h:702
Last potentially related work creation:
kasan_save_stack+0x3f/0x60 mm/kasan/common.c:47
__kasan_record_aux_stack+0xac/0xc0 mm/kasan/generic.c:541
__call_rcu_common kernel/rcu/tree.c:3086 [inline]
call_rcu+0x167/0xa70 kernel/rcu/tree.c:3190
context_switch kernel/sched/core.c:5318 [inline]
__schedule+0x184b/0x4ae0 kernel/sched/core.c:6675
schedule_idle+0x56/0x90 kernel/sched/core.c:6793
do_idle+0x56a/0x5d0 kernel/sched/idle.c:354
cpu_startup_entry+0x42/0x60 kernel/sched/idle.c:424
start_secondary+0x102/0x110 arch/x86/kernel/smpboot.c:314
common_startup_64+0x13e/0x147
The buggy address belongs to the object at ffff8880272a8000
which belongs to the cache task_struct of size 7424
The buggy address is located 2584 bytes inside of
freed 7424-byte region [ffff8880272a8000, ffff8880272a9d00)
The buggy address belongs to the physical page:
page: refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x272a8
head: order:3 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
flags: 0xfff00000000040(head|node=0|zone=1|lastcpupid=0x7ff)
page_type: f5(slab)
raw: 00fff00000000040 ffff88801bafa500 dead000000000122 0000000000000000
raw: 0000000000000000 0000000080040004 00000001f5000000 0000000000000000
head: 00fff00000000040 ffff88801bafa500 dead000000000122 0000000000000000
head: 0000000000000000 0000000080040004 00000001f5000000 0000000000000000
head: 00fff00000000003 ffffea00009caa01 ffffffffffffffff 0000000000000000
head: 0000000000000008 0000000000000000 00000000ffffffff 0000000000000000
page dumped because: kasan: bad access detected
page_owner tracks the page as allocated
page last allocated via order 3, migratetype Unmovable, gfp_mask 0xd20c0(__GFP_IO|__GFP_FS|__GFP_NOWARN|__GFP_NORETRY|__GFP_COMP|__GFP_NOMEMALLOC), pid 2, tgid 2 (kthreadd), ts 71247381401, free_ts 71214998153
set_page_owner include/linux/page_owner.h:32 [inline]
post_alloc_hook+0x1f3/0x230 mm/page_alloc.c:1537
prep_new_page mm/page_alloc.c:1545 [inline]
get_page_from_freelist+0x3039/0x3180 mm/page_alloc.c:3457
__alloc_pages_noprof+0x256/0x6c0 mm/page_alloc.c:4733
alloc_pages_mpol_noprof+0x3e8/0x680 mm/mempolicy.c:2265
alloc_slab_page+0x6a/0x120 mm/slub.c:2413
allocate_slab+0x5a/0x2f0 mm/slub.c:2579
new_slab mm/slub.c:2632 [inline]
___slab_alloc+0xcd1/0x14b0 mm/slub.c:3819
__slab_alloc+0x58/0xa0 mm/slub.c:3909
__slab_alloc_node mm/slub.c:3962 [inline]
slab_alloc_node mm/slub.c:4123 [inline]
kmem_cache_alloc_node_noprof+0x1fe/0x320 mm/slub.c:4187
alloc_task_struct_node kernel/fork.c:180 [inline]
dup_task_struct+0x57/0x8c0 kernel/fork.c:1107
copy_process+0x5d1/0x3d50 kernel/fork.c:2206
kernel_clone+0x223/0x880 kernel/fork.c:2787
kernel_thread+0x1bc/0x240 kernel/fork.c:2849
create_kthread kernel/kthread.c:412 [inline]
kthreadd+0x60d/0x810 kernel/kthread.c:765
ret_from_fork+0x4b/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:244
page last free pid 5230 tgid 5230 stack trace:
reset_page_owner include/linux/page_owner.h:25 [inline]
free_pages_prepare mm/page_alloc.c:1108 [inline]
free_unref_page+0xcd0/0xf00 mm/page_alloc.c:2638
discard_slab mm/slub.c:2678 [inline]
__put_partials+0xeb/0x130 mm/slub.c:3146
put_cpu_partial+0x17c/0x250 mm/slub.c:3221
__slab_free+0x2ea/0x3d0 mm/slub.c:4450
qlink_free mm/kasan/quarantine.c:163 [inline]
qlist_free_all+0x9a/0x140 mm/kasan/quarantine.c:179
kasan_quarantine_reduce+0x14f/0x170 mm/kasan/quarantine.c:286
__kasan_slab_alloc+0x23/0x80 mm/kasan/common.c:329
kasan_slab_alloc include/linux/kasan.h:247 [inline]
slab_post_alloc_hook mm/slub.c:4086 [inline]
slab_alloc_node mm/slub.c:4135 [inline]
kmem_cache_alloc_noprof+0x135/0x2a0 mm/slub.c:4142
getname_flags+0xb7/0x540 fs/namei.c:139
do_sys_openat2+0xd2/0x1d0 fs/open.c:1409
do_sys_open fs/open.c:1430 [inline]
__do_sys_openat fs/open.c:1446 [inline]
__se_sys_openat fs/open.c:1441 [inline]
__x64_sys_openat+0x247/0x2a0 fs/open.c:1441
do_syscall_x64 arch/x86/entry/common.c:52 [inline]
do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Memory state around the buggy address:
ffff8880272a8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880272a8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880272a8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff8880272a8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff8880272a8b00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Reported-by: syzbot+8aaf2df2ef0164ffe1fb@syzkaller.appspotmail.com
Link: https://lore.kernel.org/linux-btrfs/66fb36b1.050a0220.aab67.003b.GAE@google.com/
CC: stable@vger.kernel.org # 4.19+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/disk-io.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -4314,6 +4314,17 @@ void __cold close_ctree(struct btrfs_fs_
btrfs_cleanup_defrag_inodes(fs_info);
/*
+ * Wait for any fixup workers to complete.
+ * If we don't wait for them here and they are still running by the time
+ * we call kthread_stop() against the cleaner kthread further below, we
+ * get an use-after-free on the cleaner because the fixup worker adds an
+ * inode to the list of delayed iputs and then attempts to wakeup the
+ * cleaner kthread, which was already stopped and destroyed. We parked
+ * already the cleaner, but below we run all pending delayed iputs.
+ */
+ btrfs_flush_workqueue(fs_info->fixup_workers);
+
+ /*
* After we parked the cleaner kthread, ordered extents may have
* completed and created new delayed iputs. If one of the async reclaim
* tasks is running and in the RUN_DELAYED_IPUTS flush state, then we
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 311/386] cpufreq: Avoid a bad reference count on CPU node
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (309 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 310/386] btrfs: wait for fixup workers before stopping cleaner kthread during umount Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 312/386] gpio: davinci: fix lazy disable Greg Kroah-Hartman
` (85 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Miquel Sabaté Solà,
Viresh Kumar, Rafael J. Wysocki
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Sabaté Solà <mikisabate@gmail.com>
commit c0f02536fffbbec71aced36d52a765f8c4493dc2 upstream.
In the parse_perf_domain function, if the call to
of_parse_phandle_with_args returns an error, then the reference to the
CPU device node that was acquired at the start of the function would not
be properly decremented.
Address this by declaring the variable with the __free(device_node)
cleanup attribute.
Signed-off-by: Miquel Sabaté Solà <mikisabate@gmail.com>
Acked-by: Viresh Kumar <viresh.kumar@linaro.org>
Link: https://patch.msgid.link/20240917134246.584026-1-mikisabate@gmail.com
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/cpufreq.h | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
--- a/include/linux/cpufreq.h
+++ b/include/linux/cpufreq.h
@@ -1124,10 +1124,9 @@ static inline int parse_perf_domain(int
const char *cell_name,
struct of_phandle_args *args)
{
- struct device_node *cpu_np;
int ret;
- cpu_np = of_cpu_device_node_get(cpu);
+ struct device_node *cpu_np __free(device_node) = of_cpu_device_node_get(cpu);
if (!cpu_np)
return -ENODEV;
@@ -1135,9 +1134,6 @@ static inline int parse_perf_domain(int
args);
if (ret < 0)
return ret;
-
- of_node_put(cpu_np);
-
return 0;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 312/386] gpio: davinci: fix lazy disable
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (310 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 311/386] cpufreq: Avoid a bad reference count on CPU node Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 313/386] net: pcs: xpcs: fix the wrong register that was written back Greg Kroah-Hartman
` (84 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Emanuele Ghidoli, Parth Pancholi,
Keerthy, Bartosz Golaszewski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
commit 3360d41f4ac490282fddc3ccc0b58679aa5c065d upstream.
On a few platforms such as TI's AM69 device, disable_irq() fails to keep
track of the interrupts that happen between disable_irq() and
enable_irq() and those interrupts are missed. Use the ->irq_unmask() and
->irq_mask() methods instead of ->irq_enable() and ->irq_disable() to
correctly keep track of edges when disable_irq is called.
This solves the issue of disable_irq() not working as expected on such
platforms.
Fixes: 23265442b02b ("ARM: davinci: irq_data conversion.")
Signed-off-by: Emanuele Ghidoli <emanuele.ghidoli@toradex.com>
Signed-off-by: Parth Pancholi <parth.pancholi@toradex.com>
Acked-by: Keerthy <j-keerthy@ti.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240828133207.493961-1-parth105105@gmail.com
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-davinci.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/gpio/gpio-davinci.c
+++ b/drivers/gpio/gpio-davinci.c
@@ -289,7 +289,7 @@ static int davinci_gpio_probe(struct pla
* serve as EDMA event triggers.
*/
-static void gpio_irq_disable(struct irq_data *d)
+static void gpio_irq_mask(struct irq_data *d)
{
struct davinci_gpio_regs __iomem *g = irq2regs(d);
uintptr_t mask = (uintptr_t)irq_data_get_irq_handler_data(d);
@@ -298,7 +298,7 @@ static void gpio_irq_disable(struct irq_
writel_relaxed(mask, &g->clr_rising);
}
-static void gpio_irq_enable(struct irq_data *d)
+static void gpio_irq_unmask(struct irq_data *d)
{
struct davinci_gpio_regs __iomem *g = irq2regs(d);
uintptr_t mask = (uintptr_t)irq_data_get_irq_handler_data(d);
@@ -324,8 +324,8 @@ static int gpio_irq_type(struct irq_data
static struct irq_chip gpio_irqchip = {
.name = "GPIO",
- .irq_enable = gpio_irq_enable,
- .irq_disable = gpio_irq_disable,
+ .irq_unmask = gpio_irq_unmask,
+ .irq_mask = gpio_irq_mask,
.irq_set_type = gpio_irq_type,
.flags = IRQCHIP_SET_TYPE_MASKED | IRQCHIP_SKIP_SET_WAKE,
};
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 313/386] net: pcs: xpcs: fix the wrong register that was written back
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (311 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 312/386] gpio: davinci: fix lazy disable Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 314/386] Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Greg Kroah-Hartman
` (83 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiawen Wu, Russell King (Oracle),
Paolo Abeni
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiawen Wu <jiawenwu@trustnetic.com>
commit 93ef6ee5c20e9330477930ec6347672c9e0cf5a6 upstream.
The value is read from the register TXGBE_RX_GEN_CTL3, and it should be
written back to TXGBE_RX_GEN_CTL3 when it changes some fields.
Cc: stable@vger.kernel.org
Fixes: f629acc6f210 ("net: pcs: xpcs: support to switch mode for Wangxun NICs")
Signed-off-by: Jiawen Wu <jiawenwu@trustnetic.com>
Reported-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://patch.msgid.link/20240924022857.865422-1-jiawenwu@trustnetic.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/pcs/pcs-xpcs-wx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/pcs/pcs-xpcs-wx.c b/drivers/net/pcs/pcs-xpcs-wx.c
index 19c75886f070..5f5cd3596cb8 100644
--- a/drivers/net/pcs/pcs-xpcs-wx.c
+++ b/drivers/net/pcs/pcs-xpcs-wx.c
@@ -109,7 +109,7 @@ static void txgbe_pma_config_1g(struct dw_xpcs *xpcs)
txgbe_write_pma(xpcs, TXGBE_DFE_TAP_CTL0, 0);
val = txgbe_read_pma(xpcs, TXGBE_RX_GEN_CTL3);
val = u16_replace_bits(val, 0x4, TXGBE_RX_GEN_CTL3_LOS_TRSHLD0);
- txgbe_write_pma(xpcs, TXGBE_RX_EQ_ATTN_CTL, val);
+ txgbe_write_pma(xpcs, TXGBE_RX_GEN_CTL3, val);
txgbe_write_pma(xpcs, TXGBE_MPLLA_CTL0, 0x20);
txgbe_write_pma(xpcs, TXGBE_MPLLA_CTL3, 0x46);
--
2.46.2
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 314/386] Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (312 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 313/386] net: pcs: xpcs: fix the wrong register that was written back Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 315/386] mac802154: Fix potential RCU dereference issue in mac802154_scan_worker Greg Kroah-Hartman
` (82 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Kiran K
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit b25e11f978b63cb7857890edb3a698599cddb10e upstream.
This aligned BR/EDR JUST_WORKS method with LE which since 92516cd97fd4
("Bluetooth: Always request for user confirmation for Just Works")
always request user confirmation with confirm_hint set since the
likes of bluetoothd have dedicated policy around JUST_WORKS method
(e.g. main.conf:JustWorksRepairing).
CVE: CVE-2024-8805
Cc: stable@vger.kernel.org
Fixes: ba15a58b179e ("Bluetooth: Fix SSP acceptor just-works confirmation without MITM")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Tested-by: Kiran K <kiran.k@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 13 +++++--------
1 file changed, 5 insertions(+), 8 deletions(-)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5324,19 +5324,16 @@ static void hci_user_confirm_request_evt
goto unlock;
}
- /* If no side requires MITM protection; auto-accept */
+ /* If no side requires MITM protection; use JUST_CFM method */
if ((!loc_mitm || conn->remote_cap == HCI_IO_NO_INPUT_OUTPUT) &&
(!rem_mitm || conn->io_capability == HCI_IO_NO_INPUT_OUTPUT)) {
- /* If we're not the initiators request authorization to
- * proceed from user space (mgmt_user_confirm with
- * confirm_hint set to 1). The exception is if neither
- * side had MITM or if the local IO capability is
- * NoInputNoOutput, in which case we do auto-accept
+ /* If we're not the initiator of request authorization and the
+ * local IO capability is not NoInputNoOutput, use JUST_WORKS
+ * method (mgmt_user_confirm with confirm_hint set to 1).
*/
if (!test_bit(HCI_CONN_AUTH_PEND, &conn->flags) &&
- conn->io_capability != HCI_IO_NO_INPUT_OUTPUT &&
- (loc_mitm || rem_mitm)) {
+ conn->io_capability != HCI_IO_NO_INPUT_OUTPUT) {
bt_dev_dbg(hdev, "Confirming auto-accept as acceptor");
confirm_hint = 1;
goto confirm;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 315/386] mac802154: Fix potential RCU dereference issue in mac802154_scan_worker
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (313 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 314/386] Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 316/386] ceph: fix cap ref leak via netfs init_request Greg Kroah-Hartman
` (81 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiawei Ye, Miquel Raynal,
Przemek Kitszel, Stefan Schmidt
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiawei Ye <jiawei.ye@foxmail.com>
commit bff1709b3980bd7f80be6786f64cc9a9ee9e56da upstream.
In the `mac802154_scan_worker` function, the `scan_req->type` field was
accessed after the RCU read-side critical section was unlocked. According
to RCU usage rules, this is illegal and can lead to unpredictable
behavior, such as accessing memory that has been updated or causing
use-after-free issues.
This possible bug was identified using a static analysis tool developed
by myself, specifically designed to detect RCU-related issues.
To address this, the `scan_req->type` value is now stored in a local
variable `scan_req_type` while still within the RCU read-side critical
section. The `scan_req_type` is then used after the RCU lock is released,
ensuring that the type value is safely accessed without violating RCU
rules.
Fixes: e2c3e6f53a7a ("mac802154: Handle active scanning")
Cc: stable@vger.kernel.org
Signed-off-by: Jiawei Ye <jiawei.ye@foxmail.com>
Acked-by: Miquel Raynal <miquel.raynal@bootlin.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Link: https://lore.kernel.org/tencent_3B2F4F2B4DA30FAE2F51A9634A16B3AD4908@qq.com
Signed-off-by: Stefan Schmidt <stefan@datenfreihafen.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mac802154/scan.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/mac802154/scan.c
+++ b/net/mac802154/scan.c
@@ -176,6 +176,7 @@ void mac802154_scan_worker(struct work_s
struct ieee802154_local *local =
container_of(work, struct ieee802154_local, scan_work.work);
struct cfg802154_scan_request *scan_req;
+ enum nl802154_scan_types scan_req_type;
struct ieee802154_sub_if_data *sdata;
unsigned int scan_duration = 0;
struct wpan_phy *wpan_phy;
@@ -209,6 +210,7 @@ void mac802154_scan_worker(struct work_s
}
wpan_phy = scan_req->wpan_phy;
+ scan_req_type = scan_req->type;
scan_req_duration = scan_req->duration;
/* Look for the next valid chan */
@@ -246,7 +248,7 @@ void mac802154_scan_worker(struct work_s
goto end_scan;
}
- if (scan_req->type == NL802154_SCAN_ACTIVE) {
+ if (scan_req_type == NL802154_SCAN_ACTIVE) {
ret = mac802154_transmit_beacon_req(local, sdata);
if (ret)
dev_err(&sdata->dev->dev,
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 316/386] ceph: fix cap ref leak via netfs init_request
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (314 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 315/386] mac802154: Fix potential RCU dereference issue in mac802154_scan_worker Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 317/386] tracing/hwlat: Fix a race during cpuhp processing Greg Kroah-Hartman
` (80 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Patrick Donnelly, Ilya Dryomov
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Patrick Donnelly <pdonnell@redhat.com>
commit ccda9910d8490f4fb067131598e4b2e986faa5a0 upstream.
Log recovered from a user's cluster:
<7>[ 5413.970692] ceph: get_cap_refs 00000000958c114b ret 1 got Fr
<7>[ 5413.970695] ceph: start_read 00000000958c114b, no cache cap
...
<7>[ 5473.934609] ceph: my wanted = Fr, used = Fr, dirty -
<7>[ 5473.934616] ceph: revocation: pAsLsXsFr -> pAsLsXs (revoking Fr)
<7>[ 5473.934632] ceph: __ceph_caps_issued 00000000958c114b cap 00000000f7784259 issued pAsLsXs
<7>[ 5473.934638] ceph: check_caps 10000000e68.fffffffffffffffe file_want - used Fr dirty - flushing - issued pAsLsXs revoking Fr retain pAsLsXsFsr AUTHONLY NOINVAL FLUSH_FORCE
The MDS subsequently complains that the kernel client is late releasing
caps.
Approximately, a series of changes to this code by commits 49870056005c
("ceph: convert ceph_readpages to ceph_readahead"), 2de160417315
("netfs: Change ->init_request() to return an error code") and
a5c9dc445139 ("ceph: Make ceph_init_request() check caps on readahead")
resulted in subtle resource cleanup to be missed. The main culprit is
the change in error handling in 2de160417315 which meant that a failure
in init_request() would no longer cause cleanup to be called. That
would prevent the ceph_put_cap_refs() call which would cleanup the
leaked cap ref.
Cc: stable@vger.kernel.org
Fixes: a5c9dc445139 ("ceph: Make ceph_init_request() check caps on readahead")
Link: https://tracker.ceph.com/issues/67008
Signed-off-by: Patrick Donnelly <pdonnell@redhat.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/addr.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/fs/ceph/addr.c
+++ b/fs/ceph/addr.c
@@ -483,8 +483,11 @@ static int ceph_init_request(struct netf
rreq->netfs_priv = priv;
out:
- if (ret < 0)
+ if (ret < 0) {
+ if (got)
+ ceph_put_cap_refs(ceph_inode(inode), got);
kfree(priv);
+ }
return ret;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 317/386] tracing/hwlat: Fix a race during cpuhp processing
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (315 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 316/386] ceph: fix cap ref leak via netfs init_request Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 318/386] tracing/timerlat: Drop interface_lock in stop_kthread() Greg Kroah-Hartman
` (79 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Wei Li, Steven Rostedt (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Li <liwei391@huawei.com>
commit 2a13ca2e8abb12ee43ada8a107dadca83f140937 upstream.
The cpuhp online/offline processing race also exists in percpu-mode hwlat
tracer in theory, apply the fix too. That is:
T1 | T2
[CPUHP_ONLINE] | cpu_device_down()
hwlat_hotplug_workfn() |
| cpus_write_lock()
| takedown_cpu(1)
| cpus_write_unlock()
[CPUHP_OFFLINE] |
cpus_read_lock() |
start_kthread(1) |
cpus_read_unlock() |
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://lore.kernel.org/20240924094515.3561410-5-liwei391@huawei.com
Fixes: ba998f7d9531 ("trace/hwlat: Support hotplug operations")
Signed-off-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_hwlat.c | 2 ++
1 file changed, 2 insertions(+)
--- a/kernel/trace/trace_hwlat.c
+++ b/kernel/trace/trace_hwlat.c
@@ -520,6 +520,8 @@ static void hwlat_hotplug_workfn(struct
if (!hwlat_busy || hwlat_data.thread_mode != MODE_PER_CPU)
goto out_unlock;
+ if (!cpu_online(cpu))
+ goto out_unlock;
if (!cpumask_test_cpu(cpu, tr->tracing_cpumask))
goto out_unlock;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 318/386] tracing/timerlat: Drop interface_lock in stop_kthread()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (316 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 317/386] tracing/hwlat: Fix a race during cpuhp processing Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 319/386] tracing/timerlat: Fix a race during cpuhp processing Greg Kroah-Hartman
` (78 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Wei Li, Steven Rostedt (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Li <liwei391@huawei.com>
commit b484a02c9cedf8703eff8f0756f94618004bd165 upstream.
stop_kthread() is the offline callback for "trace/osnoise:online", since
commit 5bfbcd1ee57b ("tracing/timerlat: Add interface_lock around clearing
of kthread in stop_kthread()"), the following ABBA deadlock scenario is
introduced:
T1 | T2 [BP] | T3 [AP]
osnoise_hotplug_workfn() | work_for_cpu_fn() | cpuhp_thread_fun()
| _cpu_down() | osnoise_cpu_die()
mutex_lock(&interface_lock) | | stop_kthread()
| cpus_write_lock() | mutex_lock(&interface_lock)
cpus_read_lock() | cpuhp_kick_ap() |
As the interface_lock here in just for protecting the "kthread" field of
the osn_var, use xchg() instead to fix this issue. Also use
for_each_online_cpu() back in stop_per_cpu_kthreads() as it can take
cpu_read_lock() again.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://lore.kernel.org/20240924094515.3561410-3-liwei391@huawei.com
Fixes: 5bfbcd1ee57b ("tracing/timerlat: Add interface_lock around clearing of kthread in stop_kthread()")
Signed-off-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_osnoise.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
diff --git a/kernel/trace/trace_osnoise.c b/kernel/trace/trace_osnoise.c
index d1a539913a5f..e22567174dd3 100644
--- a/kernel/trace/trace_osnoise.c
+++ b/kernel/trace/trace_osnoise.c
@@ -1953,12 +1953,8 @@ static void stop_kthread(unsigned int cpu)
{
struct task_struct *kthread;
- mutex_lock(&interface_lock);
- kthread = per_cpu(per_cpu_osnoise_var, cpu).kthread;
+ kthread = xchg_relaxed(&(per_cpu(per_cpu_osnoise_var, cpu).kthread), NULL);
if (kthread) {
- per_cpu(per_cpu_osnoise_var, cpu).kthread = NULL;
- mutex_unlock(&interface_lock);
-
if (cpumask_test_and_clear_cpu(cpu, &kthread_cpumask) &&
!WARN_ON(!test_bit(OSN_WORKLOAD, &osnoise_options))) {
kthread_stop(kthread);
@@ -1972,7 +1968,6 @@ static void stop_kthread(unsigned int cpu)
put_task_struct(kthread);
}
} else {
- mutex_unlock(&interface_lock);
/* if no workload, just return */
if (!test_bit(OSN_WORKLOAD, &osnoise_options)) {
/*
@@ -1994,8 +1989,12 @@ static void stop_per_cpu_kthreads(void)
{
int cpu;
- for_each_possible_cpu(cpu)
+ cpus_read_lock();
+
+ for_each_online_cpu(cpu)
stop_kthread(cpu);
+
+ cpus_read_unlock();
}
/*
--
2.46.2
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 319/386] tracing/timerlat: Fix a race during cpuhp processing
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (317 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 318/386] tracing/timerlat: Drop interface_lock in stop_kthread() Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 320/386] tracing/timerlat: Fix duplicated kthread creation due to CPU online/offline Greg Kroah-Hartman
` (77 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Wei Li, Steven Rostedt (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Li <liwei391@huawei.com>
commit 829e0c9f0855f26b3ae830d17b24aec103f7e915 upstream.
There is another found exception that the "timerlat/1" thread was
scheduled on CPU0, and lead to timer corruption finally:
```
ODEBUG: init active (active state 0) object: ffff888237c2e108 object type: hrtimer hint: timerlat_irq+0x0/0x220
WARNING: CPU: 0 PID: 426 at lib/debugobjects.c:518 debug_print_object+0x7d/0xb0
Modules linked in:
CPU: 0 UID: 0 PID: 426 Comm: timerlat/1 Not tainted 6.11.0-rc7+ #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014
RIP: 0010:debug_print_object+0x7d/0xb0
...
Call Trace:
<TASK>
? __warn+0x7c/0x110
? debug_print_object+0x7d/0xb0
? report_bug+0xf1/0x1d0
? prb_read_valid+0x17/0x20
? handle_bug+0x3f/0x70
? exc_invalid_op+0x13/0x60
? asm_exc_invalid_op+0x16/0x20
? debug_print_object+0x7d/0xb0
? debug_print_object+0x7d/0xb0
? __pfx_timerlat_irq+0x10/0x10
__debug_object_init+0x110/0x150
hrtimer_init+0x1d/0x60
timerlat_main+0xab/0x2d0
? __pfx_timerlat_main+0x10/0x10
kthread+0xb7/0xe0
? __pfx_kthread+0x10/0x10
ret_from_fork+0x2d/0x40
? __pfx_kthread+0x10/0x10
ret_from_fork_asm+0x1a/0x30
</TASK>
```
After tracing the scheduling event, it was discovered that the migration
of the "timerlat/1" thread was performed during thread creation. Further
analysis confirmed that it is because the CPU online processing for
osnoise is implemented through workers, which is asynchronous with the
offline processing. When the worker was scheduled to create a thread, the
CPU may has already been removed from the cpu_online_mask during the offline
process, resulting in the inability to select the right CPU:
T1 | T2
[CPUHP_ONLINE] | cpu_device_down()
osnoise_hotplug_workfn() |
| cpus_write_lock()
| takedown_cpu(1)
| cpus_write_unlock()
[CPUHP_OFFLINE] |
cpus_read_lock() |
start_kthread(1) |
cpus_read_unlock() |
To fix this, skip online processing if the CPU is already offline.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://lore.kernel.org/20240924094515.3561410-4-liwei391@huawei.com
Fixes: c8895e271f79 ("trace/osnoise: Support hotplug operations")
Signed-off-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_osnoise.c | 2 ++
1 file changed, 2 insertions(+)
--- a/kernel/trace/trace_osnoise.c
+++ b/kernel/trace/trace_osnoise.c
@@ -2094,6 +2094,8 @@ static void osnoise_hotplug_workfn(struc
mutex_lock(&interface_lock);
cpus_read_lock();
+ if (!cpu_online(cpu))
+ goto out_unlock;
if (!cpumask_test_cpu(cpu, &osnoise_cpumask))
goto out_unlock;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 320/386] tracing/timerlat: Fix duplicated kthread creation due to CPU online/offline
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (318 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 319/386] tracing/timerlat: Fix a race during cpuhp processing Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 321/386] rtla: Fix the help text in osnoise and timerlat top tools Greg Kroah-Hartman
` (76 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Mathieu Desnoyers,
Wei Li, Steven Rostedt (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wei Li <liwei391@huawei.com>
commit 0bb0a5c12ecf36ad561542bbb95f96355e036a02 upstream.
osnoise_hotplug_workfn() is the asynchronous online callback for
"trace/osnoise:online". It may be congested when a CPU goes online and
offline repeatedly and is invoked for multiple times after a certain
online.
This will lead to kthread leak and timer corruption. Add a check
in start_kthread() to prevent this situation.
Cc: stable@vger.kernel.org
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Mathieu Desnoyers <mathieu.desnoyers@efficios.com>
Link: https://lore.kernel.org/20240924094515.3561410-2-liwei391@huawei.com
Fixes: c8895e271f79 ("trace/osnoise: Support hotplug operations")
Signed-off-by: Wei Li <liwei391@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_osnoise.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/kernel/trace/trace_osnoise.c
+++ b/kernel/trace/trace_osnoise.c
@@ -2006,6 +2006,10 @@ static int start_kthread(unsigned int cp
void *main = osnoise_main;
char comm[24];
+ /* Do not start a new thread if it is already running */
+ if (per_cpu(per_cpu_osnoise_var, cpu).kthread)
+ return 0;
+
if (timerlat_enabled()) {
snprintf(comm, 24, "timerlat/%d", cpu);
main = timerlat_main;
@@ -2060,11 +2064,10 @@ static int start_per_cpu_kthreads(void)
if (cpumask_test_and_clear_cpu(cpu, &kthread_cpumask)) {
struct task_struct *kthread;
- kthread = per_cpu(per_cpu_osnoise_var, cpu).kthread;
+ kthread = xchg_relaxed(&(per_cpu(per_cpu_osnoise_var, cpu).kthread), NULL);
if (!WARN_ON(!kthread))
kthread_stop(kthread);
}
- per_cpu(per_cpu_osnoise_var, cpu).kthread = NULL;
}
for_each_cpu(cpu, current_mask) {
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 321/386] rtla: Fix the help text in osnoise and timerlat top tools
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (319 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 320/386] tracing/timerlat: Fix duplicated kthread creation due to CPU online/offline Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 322/386] close_range(): fix the logics in descriptor table trimming Greg Kroah-Hartman
` (75 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomas Glozar, Eder Zulian,
Steven Rostedt (Google)
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eder Zulian <ezulian@redhat.com>
commit 3d7b8ea7a8a20a45d019382c4dc6ed79e8bb95cf upstream.
The help text in osnoise top and timerlat top had some minor errors
and omissions. The -d option was missing the 's' (second) abbreviation and
the error message for '-d' used '-D'.
Cc: stable@vger.kernel.org
Fixes: 1eceb2fc2ca54 ("rtla/osnoise: Add osnoise top mode")
Fixes: a828cd18bc4ad ("rtla: Add timerlat tool and timelart top mode")
Link: https://lore.kernel.org/20240813155831.384446-1-ezulian@redhat.com
Suggested-by: Tomas Glozar <tglozar@redhat.com>
Reviewed-by: Tomas Glozar <tglozar@redhat.com>
Signed-off-by: Eder Zulian <ezulian@redhat.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/tracing/rtla/src/osnoise_top.c | 2 +-
tools/tracing/rtla/src/timerlat_top.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
--- a/tools/tracing/rtla/src/osnoise_top.c
+++ b/tools/tracing/rtla/src/osnoise_top.c
@@ -428,7 +428,7 @@ struct osnoise_top_params *osnoise_top_p
case 'd':
params->duration = parse_seconds_duration(optarg);
if (!params->duration)
- osnoise_top_usage(params, "Invalid -D duration\n");
+ osnoise_top_usage(params, "Invalid -d duration\n");
break;
case 'e':
tevent = trace_event_alloc(optarg);
--- a/tools/tracing/rtla/src/timerlat_top.c
+++ b/tools/tracing/rtla/src/timerlat_top.c
@@ -339,7 +339,7 @@ static void timerlat_top_usage(char *usa
" -c/--cpus cpus: run the tracer only on the given cpus",
" -H/--house-keeping cpus: run rtla control threads only on the given cpus",
" -C/--cgroup[=cgroup_name]: set cgroup, if no cgroup_name is passed, the rtla's cgroup will be inherited",
- " -d/--duration time[m|h|d]: duration of the session in seconds",
+ " -d/--duration time[s|m|h|d]: duration of the session",
" -D/--debug: print debug info",
" --dump-tasks: prints the task running on all CPUs if stop conditions are met (depends on !--no-aa)",
" -t/--trace[=file]: save the stopped trace to [file|timerlat_trace.txt]",
@@ -485,7 +485,7 @@ static struct timerlat_top_params
case 'd':
params->duration = parse_seconds_duration(optarg);
if (!params->duration)
- timerlat_top_usage("Invalid -D duration\n");
+ timerlat_top_usage("Invalid -d duration\n");
break;
case 'e':
tevent = trace_event_alloc(optarg);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 322/386] close_range(): fix the logics in descriptor table trimming
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (320 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 321/386] rtla: Fix the help text in osnoise and timerlat top tools Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 323/386] drm/i915/gem: fix bitwise and logical AND mixup Greg Kroah-Hartman
` (74 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Al Viro
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Al Viro <viro@zeniv.linux.org.uk>
commit 678379e1d4f7443b170939525d3312cfc37bf86b upstream.
Cloning a descriptor table picks the size that would cover all currently
opened files. That's fine for clone() and unshare(), but for close_range()
there's an additional twist - we clone before we close, and it would be
a shame to have
close_range(3, ~0U, CLOSE_RANGE_UNSHARE)
leave us with a huge descriptor table when we are not going to keep
anything past stderr, just because some large file descriptor used to
be open before our call has taken it out.
Unfortunately, it had been dealt with in an inherently racy way -
sane_fdtable_size() gets a "don't copy anything past that" argument
(passed via unshare_fd() and dup_fd()), close_range() decides how much
should be trimmed and passes that to unshare_fd().
The problem is, a range that used to extend to the end of descriptor
table back when close_range() had looked at it might very well have stuff
grown after it by the time dup_fd() has allocated a new files_struct
and started to figure out the capacity of fdtable to be attached to that.
That leads to interesting pathological cases; at the very least it's a
QoI issue, since unshare(CLONE_FILES) is atomic in a sense that it takes
a snapshot of descriptor table one might have observed at some point.
Since CLOSE_RANGE_UNSHARE close_range() is supposed to be a combination
of unshare(CLONE_FILES) with plain close_range(), ending up with a
weird state that would never occur with unshare(2) is confusing, to put
it mildly.
It's not hard to get rid of - all it takes is passing both ends of the
range down to sane_fdtable_size(). There we are under ->files_lock,
so the race is trivially avoided.
So we do the following:
* switch close_files() from calling unshare_fd() to calling
dup_fd().
* undo the calling convention change done to unshare_fd() in
60997c3d45d9 "close_range: add CLOSE_RANGE_UNSHARE"
* introduce struct fd_range, pass a pointer to that to dup_fd()
and sane_fdtable_size() instead of "trim everything past that point"
they are currently getting. NULL means "we are not going to be punching
any holes"; NR_OPEN_MAX is gone.
* make sane_fdtable_size() use find_last_bit() instead of
open-coding it; it's easier to follow that way.
* while we are at it, have dup_fd() report errors by returning
ERR_PTR(), no need to use a separate int *errorp argument.
Fixes: 60997c3d45d9 "close_range: add CLOSE_RANGE_UNSHARE"
Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/file.c | 93 +++++++++++++++++-------------------------------
include/linux/fdtable.h | 8 ++--
kernel/fork.c | 32 +++++++---------
3 files changed, 51 insertions(+), 82 deletions(-)
--- a/fs/file.c
+++ b/fs/file.c
@@ -267,59 +267,45 @@ static inline void __clear_open_fd(unsig
__clear_bit(fd / BITS_PER_LONG, fdt->full_fds_bits);
}
-static unsigned int count_open_files(struct fdtable *fdt)
-{
- unsigned int size = fdt->max_fds;
- unsigned int i;
-
- /* Find the last open fd */
- for (i = size / BITS_PER_LONG; i > 0; ) {
- if (fdt->open_fds[--i])
- break;
- }
- i = (i + 1) * BITS_PER_LONG;
- return i;
-}
-
/*
* Note that a sane fdtable size always has to be a multiple of
* BITS_PER_LONG, since we have bitmaps that are sized by this.
*
- * 'max_fds' will normally already be properly aligned, but it
- * turns out that in the close_range() -> __close_range() ->
- * unshare_fd() -> dup_fd() -> sane_fdtable_size() we can end
- * up having a 'max_fds' value that isn't already aligned.
- *
- * Rather than make close_range() have to worry about this,
- * just make that BITS_PER_LONG alignment be part of a sane
- * fdtable size. Becuase that's really what it is.
+ * punch_hole is optional - when close_range() is asked to unshare
+ * and close, we don't need to copy descriptors in that range, so
+ * a smaller cloned descriptor table might suffice if the last
+ * currently opened descriptor falls into that range.
*/
-static unsigned int sane_fdtable_size(struct fdtable *fdt, unsigned int max_fds)
+static unsigned int sane_fdtable_size(struct fdtable *fdt, struct fd_range *punch_hole)
{
- unsigned int count;
+ unsigned int last = find_last_bit(fdt->open_fds, fdt->max_fds);
- count = count_open_files(fdt);
- if (max_fds < NR_OPEN_DEFAULT)
- max_fds = NR_OPEN_DEFAULT;
- return ALIGN(min(count, max_fds), BITS_PER_LONG);
+ if (last == fdt->max_fds)
+ return NR_OPEN_DEFAULT;
+ if (punch_hole && punch_hole->to >= last && punch_hole->from <= last) {
+ last = find_last_bit(fdt->open_fds, punch_hole->from);
+ if (last == punch_hole->from)
+ return NR_OPEN_DEFAULT;
+ }
+ return ALIGN(last + 1, BITS_PER_LONG);
}
/*
- * Allocate a new files structure and copy contents from the
- * passed in files structure.
- * errorp will be valid only when the returned files_struct is NULL.
+ * Allocate a new descriptor table and copy contents from the passed in
+ * instance. Returns a pointer to cloned table on success, ERR_PTR()
+ * on failure. For 'punch_hole' see sane_fdtable_size().
*/
-struct files_struct *dup_fd(struct files_struct *oldf, unsigned int max_fds, int *errorp)
+struct files_struct *dup_fd(struct files_struct *oldf, struct fd_range *punch_hole)
{
struct files_struct *newf;
struct file **old_fds, **new_fds;
unsigned int open_files, i;
struct fdtable *old_fdt, *new_fdt;
+ int error;
- *errorp = -ENOMEM;
newf = kmem_cache_alloc(files_cachep, GFP_KERNEL);
if (!newf)
- goto out;
+ return ERR_PTR(-ENOMEM);
atomic_set(&newf->count, 1);
@@ -336,7 +322,7 @@ struct files_struct *dup_fd(struct files
spin_lock(&oldf->file_lock);
old_fdt = files_fdtable(oldf);
- open_files = sane_fdtable_size(old_fdt, max_fds);
+ open_files = sane_fdtable_size(old_fdt, punch_hole);
/*
* Check whether we need to allocate a larger fd array and fd set.
@@ -349,14 +335,14 @@ struct files_struct *dup_fd(struct files
new_fdt = alloc_fdtable(open_files - 1);
if (!new_fdt) {
- *errorp = -ENOMEM;
+ error = -ENOMEM;
goto out_release;
}
/* beyond sysctl_nr_open; nothing to do */
if (unlikely(new_fdt->max_fds < open_files)) {
__free_fdtable(new_fdt);
- *errorp = -EMFILE;
+ error = -EMFILE;
goto out_release;
}
@@ -367,7 +353,7 @@ struct files_struct *dup_fd(struct files
*/
spin_lock(&oldf->file_lock);
old_fdt = files_fdtable(oldf);
- open_files = sane_fdtable_size(old_fdt, max_fds);
+ open_files = sane_fdtable_size(old_fdt, punch_hole);
}
copy_fd_bitmaps(new_fdt, old_fdt, open_files / BITS_PER_LONG);
@@ -401,8 +387,7 @@ struct files_struct *dup_fd(struct files
out_release:
kmem_cache_free(files_cachep, newf);
-out:
- return NULL;
+ return ERR_PTR(error);
}
static struct fdtable *close_files(struct files_struct * files)
@@ -736,37 +721,25 @@ int __close_range(unsigned fd, unsigned
if (fd > max_fd)
return -EINVAL;
- if (flags & CLOSE_RANGE_UNSHARE) {
- int ret;
- unsigned int max_unshare_fds = NR_OPEN_MAX;
+ if ((flags & CLOSE_RANGE_UNSHARE) && atomic_read(&cur_fds->count) > 1) {
+ struct fd_range range = {fd, max_fd}, *punch_hole = ⦥
/*
* If the caller requested all fds to be made cloexec we always
* copy all of the file descriptors since they still want to
* use them.
*/
- if (!(flags & CLOSE_RANGE_CLOEXEC)) {
- /*
- * If the requested range is greater than the current
- * maximum, we're closing everything so only copy all
- * file descriptors beneath the lowest file descriptor.
- */
- rcu_read_lock();
- if (max_fd >= last_fd(files_fdtable(cur_fds)))
- max_unshare_fds = fd;
- rcu_read_unlock();
- }
-
- ret = unshare_fd(CLONE_FILES, max_unshare_fds, &fds);
- if (ret)
- return ret;
+ if (flags & CLOSE_RANGE_CLOEXEC)
+ punch_hole = NULL;
+ fds = dup_fd(cur_fds, punch_hole);
+ if (IS_ERR(fds))
+ return PTR_ERR(fds);
/*
* We used to share our file descriptor table, and have now
* created a private one, make sure we're using it below.
*/
- if (fds)
- swap(cur_fds, fds);
+ swap(cur_fds, fds);
}
if (flags & CLOSE_RANGE_CLOEXEC)
--- a/include/linux/fdtable.h
+++ b/include/linux/fdtable.h
@@ -22,7 +22,6 @@
* as this is the granularity returned by copy_fdset().
*/
#define NR_OPEN_DEFAULT BITS_PER_LONG
-#define NR_OPEN_MAX ~0U
struct fdtable {
unsigned int max_fds;
@@ -117,7 +116,10 @@ struct task_struct;
void put_files_struct(struct files_struct *fs);
int unshare_files(void);
-struct files_struct *dup_fd(struct files_struct *, unsigned, int *) __latent_entropy;
+struct fd_range {
+ unsigned int from, to;
+};
+struct files_struct *dup_fd(struct files_struct *, struct fd_range *) __latent_entropy;
void do_close_on_exec(struct files_struct *);
int iterate_fd(struct files_struct *, unsigned,
int (*)(const void *, struct file *, unsigned),
@@ -126,8 +128,6 @@ int iterate_fd(struct files_struct *, un
extern int close_fd(unsigned int fd);
extern int __close_range(unsigned int fd, unsigned int max_fd, unsigned int flags);
extern struct file *close_fd_get_file(unsigned int fd);
-extern int unshare_fd(unsigned long unshare_flags, unsigned int max_fds,
- struct files_struct **new_fdp);
extern struct kmem_cache *files_cachep;
--- a/kernel/fork.c
+++ b/kernel/fork.c
@@ -1767,33 +1767,30 @@ static int copy_files(unsigned long clon
int no_files)
{
struct files_struct *oldf, *newf;
- int error = 0;
/*
* A background process may not have any files ...
*/
oldf = current->files;
if (!oldf)
- goto out;
+ return 0;
if (no_files) {
tsk->files = NULL;
- goto out;
+ return 0;
}
if (clone_flags & CLONE_FILES) {
atomic_inc(&oldf->count);
- goto out;
+ return 0;
}
- newf = dup_fd(oldf, NR_OPEN_MAX, &error);
- if (!newf)
- goto out;
+ newf = dup_fd(oldf, NULL);
+ if (IS_ERR(newf))
+ return PTR_ERR(newf);
tsk->files = newf;
- error = 0;
-out:
- return error;
+ return 0;
}
static int copy_sighand(unsigned long clone_flags, struct task_struct *tsk)
@@ -3358,17 +3355,16 @@ static int unshare_fs(unsigned long unsh
/*
* Unshare file descriptor table if it is being shared
*/
-int unshare_fd(unsigned long unshare_flags, unsigned int max_fds,
- struct files_struct **new_fdp)
+static int unshare_fd(unsigned long unshare_flags, struct files_struct **new_fdp)
{
struct files_struct *fd = current->files;
- int error = 0;
if ((unshare_flags & CLONE_FILES) &&
(fd && atomic_read(&fd->count) > 1)) {
- *new_fdp = dup_fd(fd, max_fds, &error);
- if (!*new_fdp)
- return error;
+ fd = dup_fd(fd, NULL);
+ if (IS_ERR(fd))
+ return PTR_ERR(fd);
+ *new_fdp = fd;
}
return 0;
@@ -3426,7 +3422,7 @@ int ksys_unshare(unsigned long unshare_f
err = unshare_fs(unshare_flags, &new_fs);
if (err)
goto bad_unshare_out;
- err = unshare_fd(unshare_flags, NR_OPEN_MAX, &new_fd);
+ err = unshare_fd(unshare_flags, &new_fd);
if (err)
goto bad_unshare_cleanup_fs;
err = unshare_userns(unshare_flags, &new_cred);
@@ -3518,7 +3514,7 @@ int unshare_files(void)
struct files_struct *old, *copy = NULL;
int error;
- error = unshare_fd(CLONE_FILES, NR_OPEN_MAX, ©);
+ error = unshare_fd(CLONE_FILES, ©);
if (error || !copy)
return error;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 323/386] drm/i915/gem: fix bitwise and logical AND mixup
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (321 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 322/386] close_range(): fix the logics in descriptor table trimming Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 324/386] drm/sched: Add locking to drm_sched_entity_modify_sched Greg Kroah-Hartman
` (73 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Auld, Rodrigo Vivi,
Anshuman Gupta, Andi Shyti, Nathan Chancellor, Jani Nikula,
Joonas Lahtinen
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jani Nikula <jani.nikula@intel.com>
commit 394b52462020b6cceff1f7f47fdebd03589574f3 upstream.
CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND is an int, defaulting to 250. When
the wakeref is non-zero, it's either -1 or a dynamically allocated
pointer, depending on CONFIG_DRM_I915_DEBUG_RUNTIME_PM. It's likely that
the code works by coincidence with the bitwise AND, but with
CONFIG_DRM_I915_DEBUG_RUNTIME_PM=y, there's the off chance that the
condition evaluates to false, and intel_wakeref_auto() doesn't get
called. Switch to the intended logical AND.
v2: Use != to avoid clang -Wconstant-logical-operand (Nathan)
Fixes: ad74457a6b5a ("drm/i915/dgfx: Release mmap on rpm suspend")
Cc: Matthew Auld <matthew.auld@intel.com>
Cc: Rodrigo Vivi <rodrigo.vivi@intel.com>
Cc: Anshuman Gupta <anshuman.gupta@intel.com>
Cc: Andi Shyti <andi.shyti@linux.intel.com>
Cc: Nathan Chancellor <nathan@kernel.org>
Cc: stable@vger.kernel.org # v6.1+
Reviewed-by: Matthew Auld <matthew.auld@intel.com>
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com> # v1
Link: https://patchwork.freedesktop.org/patch/msgid/643cc0a4d12f47fd8403d42581e83b1e9c4543c7.1726680898.git.jani.nikula@intel.com
Signed-off-by: Jani Nikula <jani.nikula@intel.com>
(cherry picked from commit 4c1bfe259ed1d2ade826f95d437e1c41b274df04)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gem/i915_gem_ttm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_ttm.c
@@ -1136,7 +1136,7 @@ static vm_fault_t vm_fault_ttm(struct vm
GEM_WARN_ON(!i915_ttm_cpu_maps_iomem(bo->resource));
}
- if (wakeref & CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND)
+ if (wakeref && CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND != 0)
intel_wakeref_auto(&to_i915(obj->base.dev)->runtime_pm.userfault_wakeref,
msecs_to_jiffies_timeout(CONFIG_DRM_I915_USERFAULT_AUTOSUSPEND));
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 324/386] drm/sched: Add locking to drm_sched_entity_modify_sched
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (322 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 323/386] drm/i915/gem: fix bitwise and logical AND mixup Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 325/386] drm/amd/display: Add HDR workaround for specific eDP Greg Kroah-Hartman
` (72 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tvrtko Ursulin, Christian König,
Alex Deucher, Luben Tuikov, Matthew Brost, David Airlie,
Daniel Vetter, dri-devel, Philipp Stanner
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
commit 4286cc2c953983d44d248c9de1c81d3a9643345c upstream.
Without the locking amdgpu currently can race between
amdgpu_ctx_set_entity_priority() (via drm_sched_entity_modify_sched()) and
drm_sched_job_arm(), leading to the latter accesing potentially
inconsitent entity->sched_list and entity->num_sched_list pair.
v2:
* Improve commit message. (Philipp)
Signed-off-by: Tvrtko Ursulin <tvrtko.ursulin@igalia.com>
Fixes: b37aced31eb0 ("drm/scheduler: implement a function to modify sched list")
Cc: Christian König <christian.koenig@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Cc: Luben Tuikov <ltuikov89@gmail.com>
Cc: Matthew Brost <matthew.brost@intel.com>
Cc: David Airlie <airlied@gmail.com>
Cc: Daniel Vetter <daniel@ffwll.ch>
Cc: dri-devel@lists.freedesktop.org
Cc: Philipp Stanner <pstanner@redhat.com>
Cc: <stable@vger.kernel.org> # v5.7+
Reviewed-by: Christian König <christian.koenig@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20240913160559.49054-2-tursulin@igalia.com
Signed-off-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/scheduler/sched_entity.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpu/drm/scheduler/sched_entity.c
+++ b/drivers/gpu/drm/scheduler/sched_entity.c
@@ -111,8 +111,10 @@ void drm_sched_entity_modify_sched(struc
{
WARN_ON(!num_sched_list || !sched_list);
+ spin_lock(&entity->rq_lock);
entity->sched_list = sched_list;
entity->num_sched_list = num_sched_list;
+ spin_unlock(&entity->rq_lock);
}
EXPORT_SYMBOL(drm_sched_entity_modify_sched);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 325/386] drm/amd/display: Add HDR workaround for specific eDP
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (323 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 324/386] drm/sched: Add locking to drm_sched_entity_modify_sched Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 326/386] drm/amd/display: Fix system hang while resume with TBT monitor Greg Kroah-Hartman
` (71 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mario Limonciello, Alex Deucher,
Rodrigo Siqueira, Alex Hung, Aurabindo Pillai, Daniel Wheeler
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
commit 05af800704ee7187d9edd461ec90f3679b1c4aba upstream.
[WHY & HOW]
Some eDP panels suffer from flicking when HDR is enabled in KDE. This
quirk works around it by skipping VSC that is incompatible with eDP
panels.
Link: https://gitlab.freedesktop.org/drm/amd/-/issues/3151
Cc: Mario Limonciello <mario.limonciello@amd.com>
Cc: Alex Deucher <alexander.deucher@amd.com>
Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 4d4257280d7957727998ef90ccc7b69c7cca8376)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 11 ++++++++++-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c | 4 ++++
drivers/gpu/drm/amd/display/dc/dc_types.h | 1 +
3 files changed, 15 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -6153,12 +6153,21 @@ create_stream_for_sink(struct amdgpu_dm_
if (stream->signal == SIGNAL_TYPE_DISPLAY_PORT ||
stream->signal == SIGNAL_TYPE_DISPLAY_PORT_MST ||
stream->signal == SIGNAL_TYPE_EDP) {
+ const struct dc_edid_caps *edid_caps;
+ unsigned int disable_colorimetry = 0;
+
+ if (aconnector->dc_sink) {
+ edid_caps = &aconnector->dc_sink->edid_caps;
+ disable_colorimetry = edid_caps->panel_patch.disable_colorimetry;
+ }
+
//
// should decide stream support vsc sdp colorimetry capability
// before building vsc info packet
//
stream->use_vsc_sdp_for_colorimetry = stream->link->dpcd_caps.dpcd_rev.raw >= 0x14 &&
- stream->link->dpcd_caps.dprx_feature.bits.VSC_SDP_COLORIMETRY_SUPPORTED;
+ stream->link->dpcd_caps.dprx_feature.bits.VSC_SDP_COLORIMETRY_SUPPORTED &&
+ !disable_colorimetry;
if (stream->out_transfer_func->tf == TRANSFER_FUNCTION_GAMMA22)
tf = TRANSFER_FUNC_GAMMA_22;
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_helpers.c
@@ -71,6 +71,10 @@ static void apply_edid_quirks(struct edi
DRM_DEBUG_DRIVER("Clearing DPCD 0x317 on monitor with panel id %X\n", panel_id);
edid_caps->panel_patch.remove_sink_ext_caps = true;
break;
+ case drm_edid_encode_panel_id('S', 'D', 'C', 0x4154):
+ DRM_DEBUG_DRIVER("Disabling VSC on monitor with panel id %X\n", panel_id);
+ edid_caps->panel_patch.disable_colorimetry = true;
+ break;
default:
return;
}
--- a/drivers/gpu/drm/amd/display/dc/dc_types.h
+++ b/drivers/gpu/drm/amd/display/dc/dc_types.h
@@ -190,6 +190,7 @@ struct dc_panel_patch {
unsigned int skip_avmute;
unsigned int mst_start_top_delay;
unsigned int remove_sink_ext_caps;
+ unsigned int disable_colorimetry;
};
struct dc_edid_caps {
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 326/386] drm/amd/display: Fix system hang while resume with TBT monitor
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (324 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 325/386] drm/amd/display: Add HDR workaround for specific eDP Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 327/386] cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock Greg Kroah-Hartman
` (70 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wayne Lin, Tom Chung, Fangzhi Zuo,
Daniel Wheeler, Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tom Chung <chiahsuan.chung@amd.com>
commit 52d4e3fb3d340447dcdac0e14ff21a764f326907 upstream.
[Why]
Connected with a Thunderbolt monitor and do the suspend and the system
may hang while resume.
The TBT monitor HPD will be triggered during the resume procedure
and call the drm_client_modeset_probe() while
struct drm_connector connector->dev->master is NULL.
It will mess up the pipe topology after resume.
[How]
Skip the TBT monitor HPD during the resume procedure because we
currently will probe the connectors after resume by default.
Reviewed-by: Wayne Lin <wayne.lin@amd.com>
Signed-off-by: Tom Chung <chiahsuan.chung@amd.com>
Signed-off-by: Fangzhi Zuo <jerry.zuo@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
(cherry picked from commit 453f86a26945207a16b8f66aaed5962dc2b95b85)
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -714,6 +714,12 @@ static void dmub_hpd_callback(struct amd
return;
}
+ /* Skip DMUB HPD IRQ in suspend/resume. We will probe them later. */
+ if (notify->type == DMUB_NOTIFICATION_HPD && adev->in_suspend) {
+ DRM_INFO("Skip DMUB HPD IRQ callback in suspend/resume\n");
+ return;
+ }
+
link_index = notify->link_index;
link = adev->dm.dc->links[link_index];
dev = adev->dm.ddev;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 327/386] cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (325 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 326/386] drm/amd/display: Fix system hang while resume with TBT monitor Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 328/386] kconfig: qconf: fix buffer overflow in debug links Greg Kroah-Hartman
` (69 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, xiao sheng wen,
Uwe Kleine-König, Srinivas Pandruvada,
Sebastian Andrzej Siewior, Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Uwe Kleine-König <ukleinek@debian.org>
commit 8b4865cd904650cbed7f2407e653934c621b8127 upstream.
notify_hwp_interrupt() is called via sysvec_thermal() ->
smp_thermal_vector() -> intel_thermal_interrupt() in hard irq context.
For this reason it must not use a simple spin_lock that sleeps with
PREEMPT_RT enabled. So convert it to a raw spinlock.
Reported-by: xiao sheng wen <atzlinux@sina.com>
Link: https://bugs.debian.org/1076483
Signed-off-by: Uwe Kleine-König <ukleinek@debian.org>
Acked-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Acked-by: Sebastian Andrzej Siewior <bigeasy@linutronix.de>
Tested-by: xiao sheng wen <atzlinux@sina.com>
Link: https://patch.msgid.link/20240919081121.10784-2-ukleinek@debian.org
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
[ukleinek: Backport to v6.6.y]
Signed-off-by: Uwe Kleine-König <ukleinek@debian.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/cpufreq/intel_pstate.c | 20 ++++++++++----------
1 file changed, 10 insertions(+), 10 deletions(-)
diff --git a/drivers/cpufreq/intel_pstate.c b/drivers/cpufreq/intel_pstate.c
index 0ee3a04bb1022..8a4fdf212ce0d 100644
--- a/drivers/cpufreq/intel_pstate.c
+++ b/drivers/cpufreq/intel_pstate.c
@@ -1632,7 +1632,7 @@ static void intel_pstate_notify_work(struct work_struct *work)
wrmsrl_on_cpu(cpudata->cpu, MSR_HWP_STATUS, 0);
}
-static DEFINE_SPINLOCK(hwp_notify_lock);
+static DEFINE_RAW_SPINLOCK(hwp_notify_lock);
static cpumask_t hwp_intr_enable_mask;
void notify_hwp_interrupt(void)
@@ -1649,7 +1649,7 @@ void notify_hwp_interrupt(void)
if (!(value & 0x01))
return;
- spin_lock_irqsave(&hwp_notify_lock, flags);
+ raw_spin_lock_irqsave(&hwp_notify_lock, flags);
if (!cpumask_test_cpu(this_cpu, &hwp_intr_enable_mask))
goto ack_intr;
@@ -1673,13 +1673,13 @@ void notify_hwp_interrupt(void)
schedule_delayed_work(&cpudata->hwp_notify_work, msecs_to_jiffies(10));
- spin_unlock_irqrestore(&hwp_notify_lock, flags);
+ raw_spin_unlock_irqrestore(&hwp_notify_lock, flags);
return;
ack_intr:
wrmsrl_safe(MSR_HWP_STATUS, 0);
- spin_unlock_irqrestore(&hwp_notify_lock, flags);
+ raw_spin_unlock_irqrestore(&hwp_notify_lock, flags);
}
static void intel_pstate_disable_hwp_interrupt(struct cpudata *cpudata)
@@ -1692,10 +1692,10 @@ static void intel_pstate_disable_hwp_interrupt(struct cpudata *cpudata)
/* wrmsrl_on_cpu has to be outside spinlock as this can result in IPC */
wrmsrl_on_cpu(cpudata->cpu, MSR_HWP_INTERRUPT, 0x00);
- spin_lock_irqsave(&hwp_notify_lock, flags);
+ raw_spin_lock_irqsave(&hwp_notify_lock, flags);
if (cpumask_test_and_clear_cpu(cpudata->cpu, &hwp_intr_enable_mask))
cancel_delayed_work(&cpudata->hwp_notify_work);
- spin_unlock_irqrestore(&hwp_notify_lock, flags);
+ raw_spin_unlock_irqrestore(&hwp_notify_lock, flags);
}
static void intel_pstate_enable_hwp_interrupt(struct cpudata *cpudata)
@@ -1704,10 +1704,10 @@ static void intel_pstate_enable_hwp_interrupt(struct cpudata *cpudata)
if (boot_cpu_has(X86_FEATURE_HWP_NOTIFY)) {
unsigned long flags;
- spin_lock_irqsave(&hwp_notify_lock, flags);
+ raw_spin_lock_irqsave(&hwp_notify_lock, flags);
INIT_DELAYED_WORK(&cpudata->hwp_notify_work, intel_pstate_notify_work);
cpumask_set_cpu(cpudata->cpu, &hwp_intr_enable_mask);
- spin_unlock_irqrestore(&hwp_notify_lock, flags);
+ raw_spin_unlock_irqrestore(&hwp_notify_lock, flags);
/* wrmsrl_on_cpu has to be outside spinlock as this can result in IPC */
wrmsrl_on_cpu(cpudata->cpu, MSR_HWP_INTERRUPT, 0x01);
@@ -3136,10 +3136,10 @@ static void intel_pstate_driver_cleanup(void)
if (intel_pstate_driver == &intel_pstate)
intel_pstate_clear_update_util_hook(cpu);
- spin_lock(&hwp_notify_lock);
+ raw_spin_lock(&hwp_notify_lock);
kfree(all_cpu_data[cpu]);
WRITE_ONCE(all_cpu_data[cpu], NULL);
- spin_unlock(&hwp_notify_lock);
+ raw_spin_unlock(&hwp_notify_lock);
}
}
cpus_read_unlock();
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 328/386] kconfig: qconf: fix buffer overflow in debug links
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (326 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 327/386] cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 329/386] platform/x86: x86-android-tablets: Create a platform_device from module_init() Greg Kroah-Hartman
` (68 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masahiro Yamada, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masahiro Yamada <masahiroy@kernel.org>
[ Upstream commit 984ed20ece1c6c20789ece040cbff3eb1a388fa9 ]
If you enable "Option -> Show Debug Info" and click a link, the program
terminates with the following error:
*** buffer overflow detected ***: terminated
The buffer overflow is caused by the following line:
strcat(data, "$");
The buffer needs one more byte to accommodate the additional character.
Fixes: c4f7398bee9c ("kconfig: qconf: make debug links work again")
Signed-off-by: Masahiro Yamada <masahiroy@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
scripts/kconfig/qconf.cc | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/scripts/kconfig/qconf.cc b/scripts/kconfig/qconf.cc
index 620a3527c767a..4f3ba3debc08e 100644
--- a/scripts/kconfig/qconf.cc
+++ b/scripts/kconfig/qconf.cc
@@ -1174,7 +1174,7 @@ void ConfigInfoView::clicked(const QUrl &url)
{
QByteArray str = url.toEncoded();
const std::size_t count = str.size();
- char *data = new char[count + 1];
+ char *data = new char[count + 2]; // '$' + '\0'
struct symbol **result;
struct menu *m = NULL;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 329/386] platform/x86: x86-android-tablets: Create a platform_device from module_init()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (327 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 328/386] kconfig: qconf: fix buffer overflow in debug links Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 330/386] platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors Greg Kroah-Hartman
` (67 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Linus Walleij,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit 8b57d33a6fdbb53d03da762b31e65a1027f74caf ]
Create a platform_device from module_init() and change
x86_android_tablet_init() / cleanup() into platform_device
probe() and remove() functions.
This is a preparation patch for refactoring x86_android_tablet_get_gpiod()
to no longer use gpiolib private functions like gpiochip_find().
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Acked-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20230909141816.58358-6-hdegoede@redhat.com
Stable-dep-of: 2fae3129c0c0 ("platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../platform/x86/x86-android-tablets/core.c | 51 ++++++++++++++-----
1 file changed, 38 insertions(+), 13 deletions(-)
diff --git a/drivers/platform/x86/x86-android-tablets/core.c b/drivers/platform/x86/x86-android-tablets/core.c
index 2fd6060a31bb0..ebfd9a3dac957 100644
--- a/drivers/platform/x86/x86-android-tablets/core.c
+++ b/drivers/platform/x86/x86-android-tablets/core.c
@@ -25,6 +25,8 @@
#include "../../../gpio/gpiolib.h"
#include "../../../gpio/gpiolib-acpi.h"
+static struct platform_device *x86_android_tablet_device;
+
static int gpiochip_find_match_label(struct gpio_chip *gc, void *data)
{
return gc->label && !strcmp(gc->label, data);
@@ -224,7 +226,7 @@ static __init int x86_instantiate_serdev(const struct x86_serdev_info *info, int
return ret;
}
-static void x86_android_tablet_cleanup(void)
+static void x86_android_tablet_remove(struct platform_device *pdev)
{
int i;
@@ -255,7 +257,7 @@ static void x86_android_tablet_cleanup(void)
software_node_unregister(bat_swnode);
}
-static __init int x86_android_tablet_init(void)
+static __init int x86_android_tablet_probe(struct platform_device *pdev)
{
const struct x86_dev_info *dev_info;
const struct dmi_system_id *id;
@@ -267,6 +269,8 @@ static __init int x86_android_tablet_init(void)
return -ENODEV;
dev_info = id->driver_data;
+ /* Allow x86_android_tablet_device use before probe() exits */
+ x86_android_tablet_device = pdev;
/*
* The broken DSDTs on these devices often also include broken
@@ -303,7 +307,7 @@ static __init int x86_android_tablet_init(void)
if (dev_info->init) {
ret = dev_info->init();
if (ret < 0) {
- x86_android_tablet_cleanup();
+ x86_android_tablet_remove(pdev);
return ret;
}
exit_handler = dev_info->exit;
@@ -311,7 +315,7 @@ static __init int x86_android_tablet_init(void)
i2c_clients = kcalloc(dev_info->i2c_client_count, sizeof(*i2c_clients), GFP_KERNEL);
if (!i2c_clients) {
- x86_android_tablet_cleanup();
+ x86_android_tablet_remove(pdev);
return -ENOMEM;
}
@@ -319,7 +323,7 @@ static __init int x86_android_tablet_init(void)
for (i = 0; i < i2c_client_count; i++) {
ret = x86_instantiate_i2c_client(dev_info, i);
if (ret < 0) {
- x86_android_tablet_cleanup();
+ x86_android_tablet_remove(pdev);
return ret;
}
}
@@ -327,7 +331,7 @@ static __init int x86_android_tablet_init(void)
/* + 1 to make space for (optional) gpio_keys_button pdev */
pdevs = kcalloc(dev_info->pdev_count + 1, sizeof(*pdevs), GFP_KERNEL);
if (!pdevs) {
- x86_android_tablet_cleanup();
+ x86_android_tablet_remove(pdev);
return -ENOMEM;
}
@@ -335,14 +339,14 @@ static __init int x86_android_tablet_init(void)
for (i = 0; i < pdev_count; i++) {
pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]);
if (IS_ERR(pdevs[i])) {
- x86_android_tablet_cleanup();
+ x86_android_tablet_remove(pdev);
return PTR_ERR(pdevs[i]);
}
}
serdevs = kcalloc(dev_info->serdev_count, sizeof(*serdevs), GFP_KERNEL);
if (!serdevs) {
- x86_android_tablet_cleanup();
+ x86_android_tablet_remove(pdev);
return -ENOMEM;
}
@@ -350,7 +354,7 @@ static __init int x86_android_tablet_init(void)
for (i = 0; i < serdev_count; i++) {
ret = x86_instantiate_serdev(&dev_info->serdev_info[i], i);
if (ret < 0) {
- x86_android_tablet_cleanup();
+ x86_android_tablet_remove(pdev);
return ret;
}
}
@@ -361,7 +365,7 @@ static __init int x86_android_tablet_init(void)
buttons = kcalloc(dev_info->gpio_button_count, sizeof(*buttons), GFP_KERNEL);
if (!buttons) {
- x86_android_tablet_cleanup();
+ x86_android_tablet_remove(pdev);
return -ENOMEM;
}
@@ -369,7 +373,7 @@ static __init int x86_android_tablet_init(void)
ret = x86_android_tablet_get_gpiod(dev_info->gpio_button[i].chip,
dev_info->gpio_button[i].pin, &gpiod);
if (ret < 0) {
- x86_android_tablet_cleanup();
+ x86_android_tablet_remove(pdev);
return ret;
}
@@ -384,7 +388,7 @@ static __init int x86_android_tablet_init(void)
PLATFORM_DEVID_AUTO,
&pdata, sizeof(pdata));
if (IS_ERR(pdevs[pdev_count])) {
- x86_android_tablet_cleanup();
+ x86_android_tablet_remove(pdev);
return PTR_ERR(pdevs[pdev_count]);
}
pdev_count++;
@@ -393,8 +397,29 @@ static __init int x86_android_tablet_init(void)
return 0;
}
+static struct platform_driver x86_android_tablet_driver = {
+ .driver = {
+ .name = KBUILD_MODNAME,
+ },
+ .remove_new = x86_android_tablet_remove,
+};
+
+static int __init x86_android_tablet_init(void)
+{
+ x86_android_tablet_device = platform_create_bundle(&x86_android_tablet_driver,
+ x86_android_tablet_probe,
+ NULL, 0, NULL, 0);
+
+ return PTR_ERR_OR_ZERO(x86_android_tablet_device);
+}
module_init(x86_android_tablet_init);
-module_exit(x86_android_tablet_cleanup);
+
+static void __exit x86_android_tablet_exit(void)
+{
+ platform_device_unregister(x86_android_tablet_device);
+ platform_driver_unregister(&x86_android_tablet_driver);
+}
+module_exit(x86_android_tablet_exit);
MODULE_AUTHOR("Hans de Goede <hdegoede@redhat.com>");
MODULE_DESCRIPTION("X86 Android tablets DSDT fixups driver");
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 330/386] platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (328 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 329/386] platform/x86: x86-android-tablets: Create a platform_device from module_init() Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 331/386] i2c: create debugfs entry per adapter Greg Kroah-Hartman
` (66 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aleksandr Burakov, Hans de Goede,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit 2fae3129c0c08e72b1fe93e61fd8fd203252094a ]
x86_android_tablet_remove() frees the pdevs[] array, so it should not
be used after calling x86_android_tablet_remove().
When platform_device_register() fails, store the pdevs[x] PTR_ERR() value
into the local ret variable before calling x86_android_tablet_remove()
to avoid using pdevs[] after it has been freed.
Fixes: 5eba0141206e ("platform/x86: x86-android-tablets: Add support for instantiating platform-devs")
Fixes: e2200d3f26da ("platform/x86: x86-android-tablets: Add gpio_keys support to x86_android_tablet_init()")
Cc: stable@vger.kernel.org
Reported-by: Aleksandr Burakov <a.burakov@rosalinux.ru>
Closes: https://lore.kernel.org/platform-driver-x86/20240917120458.7300-1-a.burakov@rosalinux.ru/
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20241005130545.64136-1-hdegoede@redhat.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/x86-android-tablets/core.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/drivers/platform/x86/x86-android-tablets/core.c b/drivers/platform/x86/x86-android-tablets/core.c
index ebfd9a3dac957..a0fa0b6859c9c 100644
--- a/drivers/platform/x86/x86-android-tablets/core.c
+++ b/drivers/platform/x86/x86-android-tablets/core.c
@@ -339,8 +339,9 @@ static __init int x86_android_tablet_probe(struct platform_device *pdev)
for (i = 0; i < pdev_count; i++) {
pdevs[i] = platform_device_register_full(&dev_info->pdev_info[i]);
if (IS_ERR(pdevs[i])) {
+ ret = PTR_ERR(pdevs[i]);
x86_android_tablet_remove(pdev);
- return PTR_ERR(pdevs[i]);
+ return ret;
}
}
@@ -388,8 +389,9 @@ static __init int x86_android_tablet_probe(struct platform_device *pdev)
PLATFORM_DEVID_AUTO,
&pdata, sizeof(pdata));
if (IS_ERR(pdevs[pdev_count])) {
+ ret = PTR_ERR(pdevs[pdev_count]);
x86_android_tablet_remove(pdev);
- return PTR_ERR(pdevs[pdev_count]);
+ return ret;
}
pdev_count++;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 331/386] i2c: create debugfs entry per adapter
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (329 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 330/386] platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 332/386] i2c: core: Lock address during client device instantiation Greg Kroah-Hartman
` (65 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wolfram Sang, Wolfram Sang,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wolfram Sang <wsa+renesas@sang-engineering.com>
[ Upstream commit 73febd775bdbdb98c81255ff85773ac410ded5c4 ]
Two drivers already implement custom debugfs handling for their
i2c_adapter and more will come. So, let the core create a debugfs
directory per adapter and pass that to drivers for their debugfs files.
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Stable-dep-of: 8d3cefaf6592 ("i2c: core: Lock address during client device instantiation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-core-base.c | 11 +++++++++++
include/linux/i2c.h | 2 ++
2 files changed, 13 insertions(+)
diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
index 1e873ff0a624d..9d918a7dfddae 100644
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -16,6 +16,7 @@
#include <linux/acpi.h>
#include <linux/clk/clk-conf.h>
#include <linux/completion.h>
+#include <linux/debugfs.h>
#include <linux/delay.h>
#include <linux/err.h>
#include <linux/errno.h>
@@ -67,6 +68,8 @@ static int i2c_detect(struct i2c_adapter *adapter, struct i2c_driver *driver);
static DEFINE_STATIC_KEY_FALSE(i2c_trace_msg_key);
static bool is_registered;
+static struct dentry *i2c_debugfs_root;
+
int i2c_transfer_trace_reg(void)
{
static_branch_inc(&i2c_trace_msg_key);
@@ -1523,6 +1526,8 @@ static int i2c_register_adapter(struct i2c_adapter *adap)
goto out_list;
}
+ adap->debugfs = debugfs_create_dir(dev_name(&adap->dev), i2c_debugfs_root);
+
res = i2c_setup_smbus_alert(adap);
if (res)
goto out_reg;
@@ -1562,6 +1567,7 @@ static int i2c_register_adapter(struct i2c_adapter *adap)
return 0;
out_reg:
+ debugfs_remove_recursive(adap->debugfs);
init_completion(&adap->dev_released);
device_unregister(&adap->dev);
wait_for_completion(&adap->dev_released);
@@ -1763,6 +1769,8 @@ void i2c_del_adapter(struct i2c_adapter *adap)
i2c_host_notify_irq_teardown(adap);
+ debugfs_remove_recursive(adap->debugfs);
+
/* wait until all references to the device are gone
*
* FIXME: This is old code and should ideally be replaced by an
@@ -2060,6 +2068,8 @@ static int __init i2c_init(void)
is_registered = true;
+ i2c_debugfs_root = debugfs_create_dir("i2c", NULL);
+
#ifdef CONFIG_I2C_COMPAT
i2c_adapter_compat_class = class_compat_register("i2c-adapter");
if (!i2c_adapter_compat_class) {
@@ -2098,6 +2108,7 @@ static void __exit i2c_exit(void)
#ifdef CONFIG_I2C_COMPAT
class_compat_unregister(i2c_adapter_compat_class);
#endif
+ debugfs_remove_recursive(i2c_debugfs_root);
bus_unregister(&i2c_bus_type);
tracepoint_synchronize_unregister();
}
diff --git a/include/linux/i2c.h b/include/linux/i2c.h
index 32cf5708d5a5b..033de64d09bba 100644
--- a/include/linux/i2c.h
+++ b/include/linux/i2c.h
@@ -746,6 +746,8 @@ struct i2c_adapter {
struct irq_domain *host_notify_domain;
struct regulator *bus_regulator;
+
+ struct dentry *debugfs;
};
#define to_i2c_adapter(d) container_of(d, struct i2c_adapter, dev)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 332/386] i2c: core: Lock address during client device instantiation
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (330 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 331/386] i2c: create debugfs entry per adapter Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 333/386] i2c: synquacer: Remove a clk reference from struct synquacer_i2c Greg Kroah-Hartman
` (64 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Piotr Oledzki,
Heiner Kallweit, Wolfram Sang, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiner Kallweit <hkallweit1@gmail.com>
[ Upstream commit 8d3cefaf659265aa82b0373a563fdb9d16a2b947 ]
Krzysztof reported an issue [0] which is caused by parallel attempts to
instantiate the same I2C client device. This can happen if driver
supports auto-detection, but certain devices are also instantiated
explicitly.
The original change isn't actually wrong, it just revealed that I2C core
isn't prepared yet to handle this scenario.
Calls to i2c_new_client_device() can be nested, therefore we can't use a
simple mutex here. Parallel instantiation of devices at different addresses
is ok, so we just have to prevent parallel instantiation at the same address.
We can use a bitmap with one bit per 7-bit I2C client address, and atomic
bit operations to set/check/clear bits.
Now a parallel attempt to instantiate a device at the same address will
result in -EBUSY being returned, avoiding the "sysfs: cannot create duplicate
filename" splash.
Note: This patch version includes small cosmetic changes to the Tested-by
version, only functional change is that address locking is supported
for slave addresses too.
[0] https://lore.kernel.org/linux-i2c/9479fe4e-eb0c-407e-84c0-bd60c15baf74@ans.pl/T/#m12706546e8e2414d8f1a0dc61c53393f731685cc
Fixes: caba40ec3531 ("eeprom: at24: Probe for DDR3 thermal sensor in the SPD case")
Cc: stable@vger.kernel.org
Tested-by: Krzysztof Piotr Oledzki <ole@ans.pl>
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Signed-off-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-core-base.c | 28 ++++++++++++++++++++++++++++
include/linux/i2c.h | 3 +++
2 files changed, 31 insertions(+)
diff --git a/drivers/i2c/i2c-core-base.c b/drivers/i2c/i2c-core-base.c
index 9d918a7dfddae..943f0021d6a2c 100644
--- a/drivers/i2c/i2c-core-base.c
+++ b/drivers/i2c/i2c-core-base.c
@@ -915,6 +915,27 @@ int i2c_dev_irq_from_resources(const struct resource *resources,
return 0;
}
+/*
+ * Serialize device instantiation in case it can be instantiated explicitly
+ * and by auto-detection
+ */
+static int i2c_lock_addr(struct i2c_adapter *adap, unsigned short addr,
+ unsigned short flags)
+{
+ if (!(flags & I2C_CLIENT_TEN) &&
+ test_and_set_bit(addr, adap->addrs_in_instantiation))
+ return -EBUSY;
+
+ return 0;
+}
+
+static void i2c_unlock_addr(struct i2c_adapter *adap, unsigned short addr,
+ unsigned short flags)
+{
+ if (!(flags & I2C_CLIENT_TEN))
+ clear_bit(addr, adap->addrs_in_instantiation);
+}
+
/**
* i2c_new_client_device - instantiate an i2c device
* @adap: the adapter managing the device
@@ -962,6 +983,10 @@ i2c_new_client_device(struct i2c_adapter *adap, struct i2c_board_info const *inf
goto out_err_silent;
}
+ status = i2c_lock_addr(adap, client->addr, client->flags);
+ if (status)
+ goto out_err_silent;
+
/* Check for address business */
status = i2c_check_addr_busy(adap, i2c_encode_flags_to_addr(client));
if (status)
@@ -993,6 +1018,8 @@ i2c_new_client_device(struct i2c_adapter *adap, struct i2c_board_info const *inf
dev_dbg(&adap->dev, "client [%s] registered with bus id %s\n",
client->name, dev_name(&client->dev));
+ i2c_unlock_addr(adap, client->addr, client->flags);
+
return client;
out_remove_swnode:
@@ -1004,6 +1031,7 @@ i2c_new_client_device(struct i2c_adapter *adap, struct i2c_board_info const *inf
dev_err(&adap->dev,
"Failed to register i2c client %s at 0x%02x (%d)\n",
client->name, client->addr, status);
+ i2c_unlock_addr(adap, client->addr, client->flags);
out_err_silent:
if (need_put)
put_device(&client->dev);
diff --git a/include/linux/i2c.h b/include/linux/i2c.h
index 033de64d09bba..a3166100f0cce 100644
--- a/include/linux/i2c.h
+++ b/include/linux/i2c.h
@@ -748,6 +748,9 @@ struct i2c_adapter {
struct regulator *bus_regulator;
struct dentry *debugfs;
+
+ /* 7bit address space */
+ DECLARE_BITMAP(addrs_in_instantiation, 1 << 7);
};
#define to_i2c_adapter(d) container_of(d, struct i2c_adapter, dev)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 333/386] i2c: synquacer: Remove a clk reference from struct synquacer_i2c
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (331 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 332/386] i2c: core: Lock address during client device instantiation Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 334/386] i2c: synquacer: Deal with optional PCLK correctly Greg Kroah-Hartman
` (63 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Ard Biesheuvel,
Andi Shyti, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit e6722ea6b9ed731f7392277d76ca912dfffca7ee ]
'pclk' is only used locally in the probe. Remove it from the
'synquacer_i2c' structure.
Also remove a useless debug message.
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Acked-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Stable-dep-of: f2990f863053 ("i2c: synquacer: Deal with optional PCLK correctly")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-synquacer.c | 11 +++++------
1 file changed, 5 insertions(+), 6 deletions(-)
diff --git a/drivers/i2c/busses/i2c-synquacer.c b/drivers/i2c/busses/i2c-synquacer.c
index a73f5bb9a1645..e774b9f499b63 100644
--- a/drivers/i2c/busses/i2c-synquacer.c
+++ b/drivers/i2c/busses/i2c-synquacer.c
@@ -138,7 +138,6 @@ struct synquacer_i2c {
int irq;
struct device *dev;
void __iomem *base;
- struct clk *pclk;
u32 pclkrate;
u32 speed_khz;
u32 timeout_ms;
@@ -535,6 +534,7 @@ static const struct i2c_adapter synquacer_i2c_ops = {
static int synquacer_i2c_probe(struct platform_device *pdev)
{
struct synquacer_i2c *i2c;
+ struct clk *pclk;
u32 bus_speed;
int ret;
@@ -550,13 +550,12 @@ static int synquacer_i2c_probe(struct platform_device *pdev)
device_property_read_u32(&pdev->dev, "socionext,pclk-rate",
&i2c->pclkrate);
- i2c->pclk = devm_clk_get_enabled(&pdev->dev, "pclk");
- if (IS_ERR(i2c->pclk))
- return dev_err_probe(&pdev->dev, PTR_ERR(i2c->pclk),
+ pclk = devm_clk_get_enabled(&pdev->dev, "pclk");
+ if (IS_ERR(pclk))
+ return dev_err_probe(&pdev->dev, PTR_ERR(pclk),
"failed to get and enable clock\n");
- dev_dbg(&pdev->dev, "clock source %p\n", i2c->pclk);
- i2c->pclkrate = clk_get_rate(i2c->pclk);
+ i2c->pclkrate = clk_get_rate(pclk);
if (i2c->pclkrate < SYNQUACER_I2C_MIN_CLK_RATE ||
i2c->pclkrate > SYNQUACER_I2C_MAX_CLK_RATE)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 334/386] i2c: synquacer: Deal with optional PCLK correctly
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (332 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 333/386] i2c: synquacer: Remove a clk reference from struct synquacer_i2c Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 335/386] arm64: cputype: Add Neoverse-N3 definitions Greg Kroah-Hartman
` (62 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Andi Shyti, Christophe JAILLET,
Ard Biesheuvel, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ard Biesheuvel <ardb@kernel.org>
[ Upstream commit f2990f8630531a99cad4dc5c44cb2a11ded42492 ]
ACPI boot does not provide clocks and regulators, but instead, provides
the PCLK rate directly, and enables the clock in firmware. So deal
gracefully with this.
Fixes: 55750148e559 ("i2c: synquacer: Fix an error handling path in synquacer_i2c_probe()")
Cc: stable@vger.kernel.org # v6.10+
Cc: Andi Shyti <andi.shyti@kernel.org>
Cc: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/busses/i2c-synquacer.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/i2c/busses/i2c-synquacer.c b/drivers/i2c/busses/i2c-synquacer.c
index e774b9f499b63..9bb69a8ab6582 100644
--- a/drivers/i2c/busses/i2c-synquacer.c
+++ b/drivers/i2c/busses/i2c-synquacer.c
@@ -550,12 +550,13 @@ static int synquacer_i2c_probe(struct platform_device *pdev)
device_property_read_u32(&pdev->dev, "socionext,pclk-rate",
&i2c->pclkrate);
- pclk = devm_clk_get_enabled(&pdev->dev, "pclk");
+ pclk = devm_clk_get_optional_enabled(&pdev->dev, "pclk");
if (IS_ERR(pclk))
return dev_err_probe(&pdev->dev, PTR_ERR(pclk),
"failed to get and enable clock\n");
- i2c->pclkrate = clk_get_rate(pclk);
+ if (pclk)
+ i2c->pclkrate = clk_get_rate(pclk);
if (i2c->pclkrate < SYNQUACER_I2C_MIN_CLK_RATE ||
i2c->pclkrate > SYNQUACER_I2C_MAX_CLK_RATE)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 335/386] arm64: cputype: Add Neoverse-N3 definitions
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (333 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 334/386] i2c: synquacer: Deal with optional PCLK correctly Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 336/386] arm64: errata: Expand speculative SSBS workaround once more Greg Kroah-Hartman
` (61 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, James Morse,
Will Deacon, Catalin Marinas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 924725707d80bc2588cefafef76ff3f164d299bc ]
Add cputype definitions for Neoverse-N3. These will be used for errata
detection in subsequent patches.
These values can be found in Table A-261 ("MIDR_EL1 bit descriptions")
in issue 02 of the Neoverse-N3 TRM, which can be found at:
https://developer.arm.com/documentation/107997/0000/?lang=en
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240930111705.3352047-2-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ Mark: trivial backport ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/include/asm/cputype.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/arch/arm64/include/asm/cputype.h b/arch/arm64/include/asm/cputype.h
index 5a7dfeb8e8eb5..488f8e7513495 100644
--- a/arch/arm64/include/asm/cputype.h
+++ b/arch/arm64/include/asm/cputype.h
@@ -94,6 +94,7 @@
#define ARM_CPU_PART_NEOVERSE_V3 0xD84
#define ARM_CPU_PART_CORTEX_X925 0xD85
#define ARM_CPU_PART_CORTEX_A725 0xD87
+#define ARM_CPU_PART_NEOVERSE_N3 0xD8E
#define APM_CPU_PART_XGENE 0x000
#define APM_CPU_VAR_POTENZA 0x00
@@ -176,6 +177,7 @@
#define MIDR_NEOVERSE_V3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_V3)
#define MIDR_CORTEX_X925 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_X925)
#define MIDR_CORTEX_A725 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_CORTEX_A725)
+#define MIDR_NEOVERSE_N3 MIDR_CPU_MODEL(ARM_CPU_IMP_ARM, ARM_CPU_PART_NEOVERSE_N3)
#define MIDR_THUNDERX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX)
#define MIDR_THUNDERX_81XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_81XX)
#define MIDR_THUNDERX_83XX MIDR_CPU_MODEL(ARM_CPU_IMP_CAVIUM, CAVIUM_CPU_PART_THUNDERX_83XX)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 336/386] arm64: errata: Expand speculative SSBS workaround once more
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (334 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 335/386] arm64: cputype: Add Neoverse-N3 definitions Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 337/386] io_uring/net: harden multishot termination case for recv Greg Kroah-Hartman
` (60 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, James Morse,
Will Deacon, Catalin Marinas, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Rutland <mark.rutland@arm.com>
[ Upstream commit 081eb7932c2b244f63317a982c5e3990e2c7fbdd ]
A number of Arm Ltd CPUs suffer from errata whereby an MSR to the SSBS
special-purpose register does not affect subsequent speculative
instructions, permitting speculative store bypassing for a window of
time.
We worked around this for a number of CPUs in commits:
* 7187bb7d0b5c7dfa ("arm64: errata: Add workaround for Arm errata 3194386 and 3312417")
* 75b3c43eab594bfb ("arm64: errata: Expand speculative SSBS workaround")
* 145502cac7ea70b5 ("arm64: errata: Expand speculative SSBS workaround (again)")
Since then, a (hopefully final) batch of updates have been published,
with two more affected CPUs. For the affected CPUs the existing
mitigation is sufficient, as described in their respective Software
Developer Errata Notice (SDEN) documents:
* Cortex-A715 (MP148) SDEN v15.0, erratum 3456084
https://developer.arm.com/documentation/SDEN-2148827/1500/
* Neoverse-N3 (MP195) SDEN v5.0, erratum 3456111
https://developer.arm.com/documentation/SDEN-3050973/0500/
Enable the existing mitigation by adding the relevant MIDRs to
erratum_spec_ssbs_list, and update silicon-errata.rst and the
Kconfig text accordingly.
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Cc: James Morse <james.morse@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20240930111705.3352047-3-mark.rutland@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
[ Mark: fix conflict in silicon-errata.rst ]
Signed-off-by: Mark Rutland <mark.rutland@arm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/arch/arm64/silicon-errata.rst | 4 ++++
arch/arm64/Kconfig | 2 ++
arch/arm64/kernel/cpu_errata.c | 2 ++
3 files changed, 8 insertions(+)
diff --git a/Documentation/arch/arm64/silicon-errata.rst b/Documentation/arch/arm64/silicon-errata.rst
index 815be40244f79..3cf806733083c 100644
--- a/Documentation/arch/arm64/silicon-errata.rst
+++ b/Documentation/arch/arm64/silicon-errata.rst
@@ -141,6 +141,8 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A715 | #2645198 | ARM64_ERRATUM_2645198 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A715 | #3456084 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A720 | #3456091 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A725 | #3456106 | ARM64_ERRATUM_3194386 |
@@ -177,6 +179,8 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-N2 | #3324339 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Neoverse-N3 | #3456111 | ARM64_ERRATUM_3194386 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-V1 | #3324341 | ARM64_ERRATUM_3194386 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Neoverse-V2 | #3324336 | ARM64_ERRATUM_3194386 |
diff --git a/arch/arm64/Kconfig b/arch/arm64/Kconfig
index fbd840c0948b5..eab866d690334 100644
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -1079,6 +1079,7 @@ config ARM64_ERRATUM_3194386
* ARM Cortex-A78C erratum 3324346
* ARM Cortex-A78C erratum 3324347
* ARM Cortex-A710 erratam 3324338
+ * ARM Cortex-A715 errartum 3456084
* ARM Cortex-A720 erratum 3456091
* ARM Cortex-A725 erratum 3456106
* ARM Cortex-X1 erratum 3324344
@@ -1089,6 +1090,7 @@ config ARM64_ERRATUM_3194386
* ARM Cortex-X925 erratum 3324334
* ARM Neoverse-N1 erratum 3324349
* ARM Neoverse N2 erratum 3324339
+ * ARM Neoverse-N3 erratum 3456111
* ARM Neoverse-V1 erratum 3324341
* ARM Neoverse V2 erratum 3324336
* ARM Neoverse-V3 erratum 3312417
diff --git a/arch/arm64/kernel/cpu_errata.c b/arch/arm64/kernel/cpu_errata.c
index 437f96205e4fc..463b48d0f9250 100644
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -455,6 +455,7 @@ static const struct midr_range erratum_spec_ssbs_list[] = {
MIDR_ALL_VERSIONS(MIDR_CORTEX_A78),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A78C),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A710),
+ MIDR_ALL_VERSIONS(MIDR_CORTEX_A715),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A720),
MIDR_ALL_VERSIONS(MIDR_CORTEX_A725),
MIDR_ALL_VERSIONS(MIDR_CORTEX_X1),
@@ -466,6 +467,7 @@ static const struct midr_range erratum_spec_ssbs_list[] = {
MIDR_ALL_VERSIONS(MIDR_MICROSOFT_AZURE_COBALT_100),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N1),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N2),
+ MIDR_ALL_VERSIONS(MIDR_NEOVERSE_N3),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V1),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V2),
MIDR_ALL_VERSIONS(MIDR_NEOVERSE_V3),
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 337/386] io_uring/net: harden multishot termination case for recv
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (335 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 336/386] arm64: errata: Expand speculative SSBS workaround once more Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 338/386] uprobes: fix kernel info leak via "[uprobes]" vma Greg Kroah-Hartman
` (59 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jens Axboe, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
[ Upstream commit c314094cb4cfa6fc5a17f4881ead2dfebfa717a7 ]
If the recv returns zero, or an error, then it doesn't matter if more
data has already been received for this buffer. A condition like that
should terminate the multishot receive. Rather than pass in the
collected return value, pass in whether to terminate or keep the recv
going separately.
Note that this isn't a bug right now, as the only way to get there is
via setting MSG_WAITALL with multishot receive. And if an application
does that, then -EINVAL is returned anyway. But it seems like an easy
bug to introduce, so let's make it a bit more explicit.
Link: https://github.com/axboe/liburing/issues/1246
Cc: stable@vger.kernel.org
Fixes: b3fdea6ecb55 ("io_uring: multishot recv")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
io_uring/net.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/io_uring/net.c b/io_uring/net.c
index cf1060fb04f43..7412904387bfa 100644
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -930,6 +930,7 @@ int io_recv(struct io_kiocb *req, unsigned int issue_flags)
int ret, min_ret = 0;
bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
size_t len = sr->len;
+ bool mshot_finished;
if (!(req->flags & REQ_F_POLLED) &&
(sr->flags & IORING_RECVSEND_POLL_FIRST))
@@ -999,6 +1000,7 @@ int io_recv(struct io_kiocb *req, unsigned int issue_flags)
req_set_fail(req);
}
+ mshot_finished = ret <= 0;
if (ret > 0)
ret += sr->done_io;
else if (sr->done_io)
@@ -1006,7 +1008,7 @@ int io_recv(struct io_kiocb *req, unsigned int issue_flags)
else
io_kbuf_recycle(req, issue_flags);
- if (!io_recv_finish(req, &ret, &msg, ret <= 0, issue_flags))
+ if (!io_recv_finish(req, &ret, &msg, mshot_finished, issue_flags))
goto retry_multishot;
return ret;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 338/386] uprobes: fix kernel info leak via "[uprobes]" vma
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (336 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 337/386] io_uring/net: harden multishot termination case for recv Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 339/386] mm: z3fold: deprecate CONFIG_Z3FOLD Greg Kroah-Hartman
` (58 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Will Deacon,
Masami Hiramatsu (Google), Oleg Nesterov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Oleg Nesterov <oleg@redhat.com>
commit 34820304cc2cd1804ee1f8f3504ec77813d29c8e upstream.
xol_add_vma() maps the uninitialized page allocated by __create_xol_area()
into userspace. On some architectures (x86) this memory is readable even
without VM_READ, VM_EXEC results in the same pgprot_t as VM_EXEC|VM_READ,
although this doesn't really matter, debugger can read this memory anyway.
Link: https://lore.kernel.org/all/20240929162047.GA12611@redhat.com/
Reported-by: Will Deacon <will@kernel.org>
Fixes: d4b3b6384f98 ("uprobes/core: Allocate XOL slots for uprobes use")
Cc: stable@vger.kernel.org
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/events/uprobes.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kernel/events/uprobes.c b/kernel/events/uprobes.c
index 6876b7f152b10..6dac0b5798213 100644
--- a/kernel/events/uprobes.c
+++ b/kernel/events/uprobes.c
@@ -1491,7 +1491,7 @@ static struct xol_area *__create_xol_area(unsigned long vaddr)
area->xol_mapping.name = "[uprobes]";
area->xol_mapping.pages = area->pages;
- area->pages[0] = alloc_page(GFP_HIGHUSER);
+ area->pages[0] = alloc_page(GFP_HIGHUSER | __GFP_ZERO);
if (!area->pages[0])
goto free_bitmap;
area->pages[1] = NULL;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 339/386] mm: z3fold: deprecate CONFIG_Z3FOLD
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (337 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 338/386] uprobes: fix kernel info leak via "[uprobes]" vma Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 340/386] drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` Greg Kroah-Hartman
` (57 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yosry Ahmed, Arnd Bergmann,
Chris Down, Nhat Pham, Johannes Weiner, Vitaly Wool,
Christoph Hellwig, Aneesh Kumar K.V, Christophe Leroy,
Huacai Chen, Miaohe Lin, Michael Ellerman, Naveen N. Rao,
Nicholas Piggin, Sergey Senozhatsky, WANG Xuerui, Andrew Morton,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yosry Ahmed <yosryahmed@google.com>
The z3fold compressed pages allocator is rarely used, most users use
zsmalloc. The only disadvantage of zsmalloc in comparison is the
dependency on MMU, and zbud is a more common option for !MMU as it was the
default zswap allocator for a long time.
Historically, zsmalloc had worse latency than zbud and z3fold but offered
better memory savings. This is no longer the case as shown by a simple
recent analysis [1]. That analysis showed that z3fold does not have any
advantage over zsmalloc or zbud considering both performance and memory
usage. In a kernel build test on tmpfs in a limited cgroup, z3fold took
3% more time and used 1.8% more memory. The latency of zswap_load() was
7% higher, and that of zswap_store() was 10% higher. Zsmalloc is better
in all metrics.
Moreover, z3fold apparently has latent bugs, which was made noticeable by
a recent soft lockup bug report with z3fold [2]. Switching to zsmalloc
not only fixed the problem, but also reduced the swap usage from 6~8G to
1~2G. Other users have also reported being bitten by mistakenly enabling
z3fold.
Other than hurting users, z3fold is repeatedly causing wasted engineering
effort. Apart from investigating the above bug, it came up in multiple
development discussions (e.g. [3]) as something we need to handle, when
there aren't any legit users (at least not intentionally).
The natural course of action is to deprecate z3fold, and remove in a few
cycles if no objections are raised from active users. Next on the list
should be zbud, as it offers marginal latency gains at the cost of huge
memory waste when compared to zsmalloc. That one will need to wait until
zsmalloc does not depend on MMU.
Rename the user-visible config option from CONFIG_Z3FOLD to
CONFIG_Z3FOLD_DEPRECATED so that users with CONFIG_Z3FOLD=y get a new
prompt with explanation during make oldconfig. Also, remove
CONFIG_Z3FOLD=y from defconfigs.
[1]https://lore.kernel.org/lkml/CAJD7tkbRF6od-2x_L8-A1QL3=2Ww13sCj4S3i4bNndqF+3+_Vg@mail.gmail.com/
[2]https://lore.kernel.org/lkml/EF0ABD3E-A239-4111-A8AB-5C442E759CF3@gmail.com/
[3]https://lore.kernel.org/lkml/CAJD7tkbnmeVugfunffSovJf9FAgy9rhBVt_tx=nxUveLUfqVsA@mail.gmail.com/
[arnd@arndb.de: deprecate ZSWAP_ZPOOL_DEFAULT_Z3FOLD as well]
Link: https://lkml.kernel.org/r/20240909202625.1054880-1-arnd@kernel.org
Link: https://lkml.kernel.org/r/20240904233343.933462-1-yosryahmed@google.com
Signed-off-by: Yosry Ahmed <yosryahmed@google.com>
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Chris Down <chris@chrisdown.name>
Acked-by: Nhat Pham <nphamcs@gmail.com>
Acked-by: Johannes Weiner <hannes@cmpxchg.org>
Acked-by: Vitaly Wool <vitaly.wool@konsulko.com>
Acked-by: Christoph Hellwig <hch@lst.de>
Cc: Aneesh Kumar K.V <aneesh.kumar@kernel.org>
Cc: Christophe Leroy <christophe.leroy@csgroup.eu>
Cc: Huacai Chen <chenhuacai@kernel.org>
Cc: Miaohe Lin <linmiaohe@huawei.com>
Cc: Michael Ellerman <mpe@ellerman.id.au>
Cc: Naveen N. Rao <naveen.n.rao@linux.ibm.com>
Cc: Nicholas Piggin <npiggin@gmail.com>
Cc: Sergey Senozhatsky <senozhatsky@chromium.org>
Cc: WANG Xuerui <kernel@xen0n.name>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
(cherry picked from commit 7a2369b74abf76cd3e54c45b30f6addb497f831b)
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/loongarch/configs/loongson3_defconfig | 1 -
arch/powerpc/configs/ppc64_defconfig | 1 -
mm/Kconfig | 25 ++++++++++++++++------
3 files changed, 19 insertions(+), 8 deletions(-)
diff --git a/arch/loongarch/configs/loongson3_defconfig b/arch/loongarch/configs/loongson3_defconfig
index a3b52aaa83b33..e5f70642ed206 100644
--- a/arch/loongarch/configs/loongson3_defconfig
+++ b/arch/loongarch/configs/loongson3_defconfig
@@ -83,7 +83,6 @@ CONFIG_ZPOOL=y
CONFIG_ZSWAP=y
CONFIG_ZSWAP_COMPRESSOR_DEFAULT_ZSTD=y
CONFIG_ZBUD=y
-CONFIG_Z3FOLD=y
CONFIG_ZSMALLOC=m
# CONFIG_COMPAT_BRK is not set
CONFIG_MEMORY_HOTPLUG=y
diff --git a/arch/powerpc/configs/ppc64_defconfig b/arch/powerpc/configs/ppc64_defconfig
index 6e7b9e8fd2251..65e518dde2c2f 100644
--- a/arch/powerpc/configs/ppc64_defconfig
+++ b/arch/powerpc/configs/ppc64_defconfig
@@ -81,7 +81,6 @@ CONFIG_MODULE_SIG_SHA512=y
CONFIG_PARTITION_ADVANCED=y
CONFIG_BINFMT_MISC=m
CONFIG_ZSWAP=y
-CONFIG_Z3FOLD=y
CONFIG_ZSMALLOC=y
# CONFIG_SLAB_MERGE_DEFAULT is not set
CONFIG_SLAB_FREELIST_RANDOM=y
diff --git a/mm/Kconfig b/mm/Kconfig
index ece4f2847e2b4..c11cd01169e8d 100644
--- a/mm/Kconfig
+++ b/mm/Kconfig
@@ -147,12 +147,15 @@ config ZSWAP_ZPOOL_DEFAULT_ZBUD
help
Use the zbud allocator as the default allocator.
-config ZSWAP_ZPOOL_DEFAULT_Z3FOLD
- bool "z3fold"
- select Z3FOLD
+config ZSWAP_ZPOOL_DEFAULT_Z3FOLD_DEPRECATED
+ bool "z3foldi (DEPRECATED)"
+ select Z3FOLD_DEPRECATED
help
Use the z3fold allocator as the default allocator.
+ Deprecated and scheduled for removal in a few cycles,
+ see CONFIG_Z3FOLD_DEPRECATED.
+
config ZSWAP_ZPOOL_DEFAULT_ZSMALLOC
bool "zsmalloc"
select ZSMALLOC
@@ -164,7 +167,7 @@ config ZSWAP_ZPOOL_DEFAULT
string
depends on ZSWAP
default "zbud" if ZSWAP_ZPOOL_DEFAULT_ZBUD
- default "z3fold" if ZSWAP_ZPOOL_DEFAULT_Z3FOLD
+ default "z3fold" if ZSWAP_ZPOOL_DEFAULT_Z3FOLD_DEPRECATED
default "zsmalloc" if ZSWAP_ZPOOL_DEFAULT_ZSMALLOC
default ""
@@ -178,15 +181,25 @@ config ZBUD
deterministic reclaim properties that make it preferable to a higher
density approach when reclaim will be used.
-config Z3FOLD
- tristate "3:1 compression allocator (z3fold)"
+config Z3FOLD_DEPRECATED
+ tristate "3:1 compression allocator (z3fold) (DEPRECATED)"
depends on ZSWAP
help
+ Deprecated and scheduled for removal in a few cycles. If you have
+ a good reason for using Z3FOLD over ZSMALLOC, please contact
+ linux-mm@kvack.org and the zswap maintainers.
+
A special purpose allocator for storing compressed pages.
It is designed to store up to three compressed pages per physical
page. It is a ZBUD derivative so the simplicity and determinism are
still there.
+config Z3FOLD
+ tristate
+ default y if Z3FOLD_DEPRECATED=y
+ default m if Z3FOLD_DEPRECATED=m
+ depends on Z3FOLD_DEPRECATED
+
config ZSMALLOC
tristate
prompt "N:1 compression allocator (zsmalloc)" if ZSWAP
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 340/386] drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT`
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (338 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 339/386] mm: z3fold: deprecate CONFIG_Z3FOLD Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 341/386] build-id: require program headers to be right after ELF header Greg Kroah-Hartman
` (56 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Harry Wentland,
Thomas Weißschuh, Mario Limonciello, Alex Deucher,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mario Limonciello <mario.limonciello@amd.com>
[ Upstream commit 87d749a6aab73d8069d0345afaa98297816cb220 ]
The issue with panel power savings compatibility below
`AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` happens at
`AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` as well.
That issue will be fixed separately, so don't prevent the backlight
brightness from going that low.
Cc: Harry Wentland <harry.wentland@amd.com>
Cc: Thomas Weißschuh <linux@weissschuh.net>
Link: https://lore.kernel.org/amd-gfx/be04226a-a9e3-4a45-a83b-6d263c6557d8@t-8ch.de/T/#m400dee4e2fc61fe9470334d20a7c8c89c9aef44f
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
index 3636872429d19..a3f17c572bf06 100644
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c
@@ -4064,7 +4064,7 @@ static void amdgpu_dm_update_backlight_caps(struct amdgpu_display_manager *dm,
int spread = caps.max_input_signal - caps.min_input_signal;
if (caps.max_input_signal > AMDGPU_DM_DEFAULT_MAX_BACKLIGHT ||
- caps.min_input_signal < AMDGPU_DM_DEFAULT_MIN_BACKLIGHT ||
+ caps.min_input_signal < 0 ||
spread > AMDGPU_DM_DEFAULT_MAX_BACKLIGHT ||
spread < AMDGPU_DM_MIN_SPREAD) {
DRM_DEBUG_KMS("DM: Invalid backlight caps: min=%d, max=%d\n",
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 341/386] build-id: require program headers to be right after ELF header
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (339 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 340/386] drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 342/386] lib/buildid: harden build ID parsing logic Greg Kroah-Hartman
` (55 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alexey Dobriyan, Jiri Olsa,
Andrew Morton, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alexey Dobriyan <adobriyan@gmail.com>
[ Upstream commit 961a2851324561caed579764ffbee3db82b32829 ]
Neither ELF spec not ELF loader require program header to be placed right
after ELF header, but build-id code very much assumes such placement:
See
find_get_page(vma->vm_file->f_mapping, 0);
line and checks against PAGE_SIZE.
Returns errors for now until someone rewrites build-id parser
to be more inline with load_elf_binary().
Link: https://lkml.kernel.org/r/d58bc281-6ca7-467a-9a64-40fa214bd63e@p183
Signed-off-by: Alexey Dobriyan <adobriyan@gmail.com>
Reviewed-by: Jiri Olsa <jolsa@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Stable-dep-of: 905415ff3ffb ("lib/buildid: harden build ID parsing logic")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/buildid.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
diff --git a/lib/buildid.c b/lib/buildid.c
index e3a7acdeef0ed..cdc0950f73843 100644
--- a/lib/buildid.c
+++ b/lib/buildid.c
@@ -73,6 +73,13 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id,
Elf32_Phdr *phdr;
int i;
+ /*
+ * FIXME
+ * Neither ELF spec nor ELF loader require that program headers
+ * start immediately after ELF header.
+ */
+ if (ehdr->e_phoff != sizeof(Elf32_Ehdr))
+ return -EINVAL;
/* only supports phdr that fits in one page */
if (ehdr->e_phnum >
(PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr))
@@ -98,6 +105,13 @@ static int get_build_id_64(const void *page_addr, unsigned char *build_id,
Elf64_Phdr *phdr;
int i;
+ /*
+ * FIXME
+ * Neither ELF spec nor ELF loader require that program headers
+ * start immediately after ELF header.
+ */
+ if (ehdr->e_phoff != sizeof(Elf64_Ehdr))
+ return -EINVAL;
/* only supports phdr that fits in one page */
if (ehdr->e_phnum >
(PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr))
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 342/386] lib/buildid: harden build ID parsing logic
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (340 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 341/386] build-id: require program headers to be right after ELF header Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 343/386] sched: psi: fix bogus pressure spikes from aggregation race Greg Kroah-Hartman
` (54 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eduard Zingerman, Jann Horn,
Andi Kleen, Andrii Nakryiko, Alexei Starovoitov, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andrii Nakryiko <andrii@kernel.org>
[ Upstream commit 905415ff3ffb1d7e5afa62bacabd79776bd24606 ]
Harden build ID parsing logic, adding explicit READ_ONCE() where it's
important to have a consistent value read and validated just once.
Also, as pointed out by Andi Kleen, we need to make sure that entire ELF
note is within a page bounds, so move the overflow check up and add an
extra note_size boundaries validation.
Fixes tag below points to the code that moved this code into
lib/buildid.c, and then subsequently was used in perf subsystem, making
this code exposed to perf_event_open() users in v5.12+.
Cc: stable@vger.kernel.org
Reviewed-by: Eduard Zingerman <eddyz87@gmail.com>
Reviewed-by: Jann Horn <jannh@google.com>
Suggested-by: Andi Kleen <ak@linux.intel.com>
Fixes: bd7525dacd7e ("bpf: Move stack_map_get_build_id into lib")
Signed-off-by: Andrii Nakryiko <andrii@kernel.org>
Link: https://lore.kernel.org/r/20240829174232.3133883-2-andrii@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
lib/buildid.c | 76 +++++++++++++++++++++++++++++----------------------
1 file changed, 44 insertions(+), 32 deletions(-)
diff --git a/lib/buildid.c b/lib/buildid.c
index cdc0950f73843..d3bc3d0528d5c 100644
--- a/lib/buildid.c
+++ b/lib/buildid.c
@@ -18,31 +18,37 @@ static int parse_build_id_buf(unsigned char *build_id,
const void *note_start,
Elf32_Word note_size)
{
- Elf32_Word note_offs = 0, new_offs;
-
- while (note_offs + sizeof(Elf32_Nhdr) < note_size) {
- Elf32_Nhdr *nhdr = (Elf32_Nhdr *)(note_start + note_offs);
+ const char note_name[] = "GNU";
+ const size_t note_name_sz = sizeof(note_name);
+ u64 note_off = 0, new_off, name_sz, desc_sz;
+ const char *data;
+
+ while (note_off + sizeof(Elf32_Nhdr) < note_size &&
+ note_off + sizeof(Elf32_Nhdr) > note_off /* overflow */) {
+ Elf32_Nhdr *nhdr = (Elf32_Nhdr *)(note_start + note_off);
+
+ name_sz = READ_ONCE(nhdr->n_namesz);
+ desc_sz = READ_ONCE(nhdr->n_descsz);
+
+ new_off = note_off + sizeof(Elf32_Nhdr);
+ if (check_add_overflow(new_off, ALIGN(name_sz, 4), &new_off) ||
+ check_add_overflow(new_off, ALIGN(desc_sz, 4), &new_off) ||
+ new_off > note_size)
+ break;
if (nhdr->n_type == BUILD_ID &&
- nhdr->n_namesz == sizeof("GNU") &&
- !strcmp((char *)(nhdr + 1), "GNU") &&
- nhdr->n_descsz > 0 &&
- nhdr->n_descsz <= BUILD_ID_SIZE_MAX) {
- memcpy(build_id,
- note_start + note_offs +
- ALIGN(sizeof("GNU"), 4) + sizeof(Elf32_Nhdr),
- nhdr->n_descsz);
- memset(build_id + nhdr->n_descsz, 0,
- BUILD_ID_SIZE_MAX - nhdr->n_descsz);
+ name_sz == note_name_sz &&
+ memcmp(nhdr + 1, note_name, note_name_sz) == 0 &&
+ desc_sz > 0 && desc_sz <= BUILD_ID_SIZE_MAX) {
+ data = note_start + note_off + ALIGN(note_name_sz, 4);
+ memcpy(build_id, data, desc_sz);
+ memset(build_id + desc_sz, 0, BUILD_ID_SIZE_MAX - desc_sz);
if (size)
- *size = nhdr->n_descsz;
+ *size = desc_sz;
return 0;
}
- new_offs = note_offs + sizeof(Elf32_Nhdr) +
- ALIGN(nhdr->n_namesz, 4) + ALIGN(nhdr->n_descsz, 4);
- if (new_offs <= note_offs) /* overflow */
- break;
- note_offs = new_offs;
+
+ note_off = new_off;
}
return -EINVAL;
@@ -71,7 +77,7 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id,
{
Elf32_Ehdr *ehdr = (Elf32_Ehdr *)page_addr;
Elf32_Phdr *phdr;
- int i;
+ __u32 i, phnum;
/*
* FIXME
@@ -80,18 +86,19 @@ static int get_build_id_32(const void *page_addr, unsigned char *build_id,
*/
if (ehdr->e_phoff != sizeof(Elf32_Ehdr))
return -EINVAL;
+
+ phnum = READ_ONCE(ehdr->e_phnum);
/* only supports phdr that fits in one page */
- if (ehdr->e_phnum >
- (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr))
+ if (phnum > (PAGE_SIZE - sizeof(Elf32_Ehdr)) / sizeof(Elf32_Phdr))
return -EINVAL;
phdr = (Elf32_Phdr *)(page_addr + sizeof(Elf32_Ehdr));
- for (i = 0; i < ehdr->e_phnum; ++i) {
+ for (i = 0; i < phnum; ++i) {
if (phdr[i].p_type == PT_NOTE &&
!parse_build_id(page_addr, build_id, size,
- page_addr + phdr[i].p_offset,
- phdr[i].p_filesz))
+ page_addr + READ_ONCE(phdr[i].p_offset),
+ READ_ONCE(phdr[i].p_filesz)))
return 0;
}
return -EINVAL;
@@ -103,7 +110,7 @@ static int get_build_id_64(const void *page_addr, unsigned char *build_id,
{
Elf64_Ehdr *ehdr = (Elf64_Ehdr *)page_addr;
Elf64_Phdr *phdr;
- int i;
+ __u32 i, phnum;
/*
* FIXME
@@ -112,18 +119,19 @@ static int get_build_id_64(const void *page_addr, unsigned char *build_id,
*/
if (ehdr->e_phoff != sizeof(Elf64_Ehdr))
return -EINVAL;
+
+ phnum = READ_ONCE(ehdr->e_phnum);
/* only supports phdr that fits in one page */
- if (ehdr->e_phnum >
- (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr))
+ if (phnum > (PAGE_SIZE - sizeof(Elf64_Ehdr)) / sizeof(Elf64_Phdr))
return -EINVAL;
phdr = (Elf64_Phdr *)(page_addr + sizeof(Elf64_Ehdr));
- for (i = 0; i < ehdr->e_phnum; ++i) {
+ for (i = 0; i < phnum; ++i) {
if (phdr[i].p_type == PT_NOTE &&
!parse_build_id(page_addr, build_id, size,
- page_addr + phdr[i].p_offset,
- phdr[i].p_filesz))
+ page_addr + READ_ONCE(phdr[i].p_offset),
+ READ_ONCE(phdr[i].p_filesz)))
return 0;
}
return -EINVAL;
@@ -152,6 +160,10 @@ int build_id_parse(struct vm_area_struct *vma, unsigned char *build_id,
page = find_get_page(vma->vm_file->f_mapping, 0);
if (!page)
return -EFAULT; /* page not mapped */
+ if (!PageUptodate(page)) {
+ put_page(page);
+ return -EFAULT;
+ }
ret = -EINVAL;
page_addr = kmap_atomic(page);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 343/386] sched: psi: fix bogus pressure spikes from aggregation race
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (341 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 342/386] lib/buildid: harden build ID parsing logic Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 344/386] net: mana: Enable MANA driver on ARM64 with 4K page size Greg Kroah-Hartman
` (53 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Brandon Duffany, Johannes Weiner,
Chengming Zhou, Linus Torvalds, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Weiner <hannes@cmpxchg.org>
[ Upstream commit 3840cbe24cf060ea05a585ca497814609f5d47d1 ]
Brandon reports sporadic, non-sensical spikes in cumulative pressure
time (total=) when reading cpu.pressure at a high rate. This is due to
a race condition between reader aggregation and tasks changing states.
While it affects all states and all resources captured by PSI, in
practice it most likely triggers with CPU pressure, since scheduling
events are so frequent compared to other resource events.
The race context is the live snooping of ongoing stalls during a
pressure read. The read aggregates per-cpu records for stalls that
have concluded, but will also incorporate ad-hoc the duration of any
active state that hasn't been recorded yet. This is important to get
timely measurements of ongoing stalls. Those ad-hoc samples are
calculated on-the-fly up to the current time on that CPU; since the
stall hasn't concluded, it's expected that this is the minimum amount
of stall time that will enter the per-cpu records once it does.
The problem is that the path that concludes the state uses a CPU clock
read that is not synchronized against aggregators; the clock is read
outside of the seqlock protection. This allows aggregators to race and
snoop a stall with a longer duration than will actually be recorded.
With the recorded stall time being less than the last snapshot
remembered by the aggregator, a subsequent sample will underflow and
observe a bogus delta value, resulting in an erratic jump in pressure.
Fix this by moving the clock read of the state change into the seqlock
protection. This ensures no aggregation can snoop live stalls past the
time that's recorded when the state concludes.
Reported-by: Brandon Duffany <brandon@buildbuddy.io>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=219194
Link: https://lore.kernel.org/lkml/20240827121851.GB438928@cmpxchg.org/
Fixes: df77430639c9 ("psi: Reduce calls to sched_clock() in psi")
Cc: stable@vger.kernel.org
Signed-off-by: Johannes Weiner <hannes@cmpxchg.org>
Reviewed-by: Chengming Zhou <chengming.zhou@linux.dev>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/psi.c | 26 ++++++++++++--------------
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/kernel/sched/psi.c b/kernel/sched/psi.c
index 431971acc7632..f97e1473389ff 100644
--- a/kernel/sched/psi.c
+++ b/kernel/sched/psi.c
@@ -776,13 +776,14 @@ static void record_times(struct psi_group_cpu *groupc, u64 now)
}
static void psi_group_change(struct psi_group *group, int cpu,
- unsigned int clear, unsigned int set, u64 now,
+ unsigned int clear, unsigned int set,
bool wake_clock)
{
struct psi_group_cpu *groupc;
unsigned int t, m;
enum psi_states s;
u32 state_mask;
+ u64 now;
lockdep_assert_rq_held(cpu_rq(cpu));
groupc = per_cpu_ptr(group->pcpu, cpu);
@@ -797,6 +798,7 @@ static void psi_group_change(struct psi_group *group, int cpu,
* SOME and FULL time these may have resulted in.
*/
write_seqcount_begin(&groupc->seq);
+ now = cpu_clock(cpu);
/*
* Start with TSK_ONCPU, which doesn't have a corresponding
@@ -910,18 +912,15 @@ void psi_task_change(struct task_struct *task, int clear, int set)
{
int cpu = task_cpu(task);
struct psi_group *group;
- u64 now;
if (!task->pid)
return;
psi_flags_change(task, clear, set);
- now = cpu_clock(cpu);
-
group = task_psi_group(task);
do {
- psi_group_change(group, cpu, clear, set, now, true);
+ psi_group_change(group, cpu, clear, set, true);
} while ((group = group->parent));
}
@@ -930,7 +929,6 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
{
struct psi_group *group, *common = NULL;
int cpu = task_cpu(prev);
- u64 now = cpu_clock(cpu);
if (next->pid) {
psi_flags_change(next, 0, TSK_ONCPU);
@@ -947,7 +945,7 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
break;
}
- psi_group_change(group, cpu, 0, TSK_ONCPU, now, true);
+ psi_group_change(group, cpu, 0, TSK_ONCPU, true);
} while ((group = group->parent));
}
@@ -985,7 +983,7 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
do {
if (group == common)
break;
- psi_group_change(group, cpu, clear, set, now, wake_clock);
+ psi_group_change(group, cpu, clear, set, wake_clock);
} while ((group = group->parent));
/*
@@ -997,7 +995,7 @@ void psi_task_switch(struct task_struct *prev, struct task_struct *next,
if ((prev->psi_flags ^ next->psi_flags) & ~TSK_ONCPU) {
clear &= ~TSK_ONCPU;
for (; group; group = group->parent)
- psi_group_change(group, cpu, clear, set, now, wake_clock);
+ psi_group_change(group, cpu, clear, set, wake_clock);
}
}
}
@@ -1008,8 +1006,8 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st
int cpu = task_cpu(curr);
struct psi_group *group;
struct psi_group_cpu *groupc;
- u64 now, irq;
s64 delta;
+ u64 irq;
if (!curr->pid)
return;
@@ -1019,7 +1017,6 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st
if (prev && task_psi_group(prev) == group)
return;
- now = cpu_clock(cpu);
irq = irq_time_read(cpu);
delta = (s64)(irq - rq->psi_irq_time);
if (delta < 0)
@@ -1027,12 +1024,15 @@ void psi_account_irqtime(struct rq *rq, struct task_struct *curr, struct task_st
rq->psi_irq_time = irq;
do {
+ u64 now;
+
if (!group->enabled)
continue;
groupc = per_cpu_ptr(group->pcpu, cpu);
write_seqcount_begin(&groupc->seq);
+ now = cpu_clock(cpu);
record_times(groupc, now);
groupc->times[PSI_IRQ_FULL] += delta;
@@ -1231,11 +1231,9 @@ void psi_cgroup_restart(struct psi_group *group)
for_each_possible_cpu(cpu) {
struct rq *rq = cpu_rq(cpu);
struct rq_flags rf;
- u64 now;
rq_lock_irq(rq, &rf);
- now = cpu_clock(cpu);
- psi_group_change(group, cpu, 0, 0, now, true);
+ psi_group_change(group, cpu, 0, 0, true);
rq_unlock_irq(rq, &rf);
}
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 344/386] net: mana: Enable MANA driver on ARM64 with 4K page size
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (342 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 343/386] sched: psi: fix bogus pressure spikes from aggregation race Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 345/386] net: mana: Add support for page sizes other than 4KB on ARM64 Greg Kroah-Hartman
` (52 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Jakub Kicinski,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haiyang Zhang <haiyangz@microsoft.com>
[ Upstream commit 40a1d11fc670ac03c5dc2e5a9724b330e74f38b0 ]
Change the Kconfig dependency, so this driver can be built and run on ARM64
with 4K page size.
16/64K page sizes are not supported yet.
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Link: https://lore.kernel.org/r/1715632141-8089-1-git-send-email-haiyangz@microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 9e517a8e9d9a ("RDMA/mana_ib: use the correct page table index based on hardware page size")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/Kconfig | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/microsoft/Kconfig b/drivers/net/ethernet/microsoft/Kconfig
index 01eb7445ead95..286f0d5697a16 100644
--- a/drivers/net/ethernet/microsoft/Kconfig
+++ b/drivers/net/ethernet/microsoft/Kconfig
@@ -17,7 +17,8 @@ if NET_VENDOR_MICROSOFT
config MICROSOFT_MANA
tristate "Microsoft Azure Network Adapter (MANA) support"
- depends on PCI_MSI && X86_64
+ depends on PCI_MSI
+ depends on X86_64 || (ARM64 && !CPU_BIG_ENDIAN && ARM64_4K_PAGES)
depends on PCI_HYPERV
select AUXILIARY_BUS
select PAGE_POOL
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 345/386] net: mana: Add support for page sizes other than 4KB on ARM64
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (343 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 344/386] net: mana: Enable MANA driver on ARM64 with 4K page size Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 346/386] RDMA/mana_ib: use the correct page table index based on hardware page size Greg Kroah-Hartman
` (51 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haiyang Zhang, Michael Kelley,
Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haiyang Zhang <haiyangz@microsoft.com>
[ Upstream commit 382d1741b5b2feffef7942dd074206372afe1a96 ]
As defined by the MANA Hardware spec, the queue size for DMA is 4KB
minimal, and power of 2. And, the HWC queue size has to be exactly
4KB.
To support page sizes other than 4KB on ARM64, define the minimal
queue size as a macro separately from the PAGE_SIZE, which we always
assumed it to be 4KB before supporting ARM64.
Also, add MANA specific macros and update code related to size
alignment, DMA region calculations, etc.
Signed-off-by: Haiyang Zhang <haiyangz@microsoft.com>
Reviewed-by: Michael Kelley <mhklinux@outlook.com>
Link: https://lore.kernel.org/r/1718655446-6576-1-git-send-email-haiyangz@microsoft.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 9e517a8e9d9a ("RDMA/mana_ib: use the correct page table index based on hardware page size")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/microsoft/Kconfig | 2 +-
drivers/net/ethernet/microsoft/mana/gdma_main.c | 10 +++++-----
drivers/net/ethernet/microsoft/mana/hw_channel.c | 14 +++++++-------
drivers/net/ethernet/microsoft/mana/mana_en.c | 8 ++++----
drivers/net/ethernet/microsoft/mana/shm_channel.c | 13 +++++++------
include/net/mana/gdma.h | 10 +++++++++-
include/net/mana/mana.h | 3 ++-
7 files changed, 35 insertions(+), 25 deletions(-)
diff --git a/drivers/net/ethernet/microsoft/Kconfig b/drivers/net/ethernet/microsoft/Kconfig
index 286f0d5697a16..901fbffbf718e 100644
--- a/drivers/net/ethernet/microsoft/Kconfig
+++ b/drivers/net/ethernet/microsoft/Kconfig
@@ -18,7 +18,7 @@ if NET_VENDOR_MICROSOFT
config MICROSOFT_MANA
tristate "Microsoft Azure Network Adapter (MANA) support"
depends on PCI_MSI
- depends on X86_64 || (ARM64 && !CPU_BIG_ENDIAN && ARM64_4K_PAGES)
+ depends on X86_64 || (ARM64 && !CPU_BIG_ENDIAN)
depends on PCI_HYPERV
select AUXILIARY_BUS
select PAGE_POOL
diff --git a/drivers/net/ethernet/microsoft/mana/gdma_main.c b/drivers/net/ethernet/microsoft/mana/gdma_main.c
index 6367de0c2c2e8..ae014e21eb605 100644
--- a/drivers/net/ethernet/microsoft/mana/gdma_main.c
+++ b/drivers/net/ethernet/microsoft/mana/gdma_main.c
@@ -179,7 +179,7 @@ int mana_gd_alloc_memory(struct gdma_context *gc, unsigned int length,
dma_addr_t dma_handle;
void *buf;
- if (length < PAGE_SIZE || !is_power_of_2(length))
+ if (length < MANA_PAGE_SIZE || !is_power_of_2(length))
return -EINVAL;
gmi->dev = gc->dev;
@@ -720,7 +720,7 @@ EXPORT_SYMBOL_NS(mana_gd_destroy_dma_region, NET_MANA);
static int mana_gd_create_dma_region(struct gdma_dev *gd,
struct gdma_mem_info *gmi)
{
- unsigned int num_page = gmi->length / PAGE_SIZE;
+ unsigned int num_page = gmi->length / MANA_PAGE_SIZE;
struct gdma_create_dma_region_req *req = NULL;
struct gdma_create_dma_region_resp resp = {};
struct gdma_context *gc = gd->gdma_context;
@@ -730,10 +730,10 @@ static int mana_gd_create_dma_region(struct gdma_dev *gd,
int err;
int i;
- if (length < PAGE_SIZE || !is_power_of_2(length))
+ if (length < MANA_PAGE_SIZE || !is_power_of_2(length))
return -EINVAL;
- if (offset_in_page(gmi->virt_addr) != 0)
+ if (!MANA_PAGE_ALIGNED(gmi->virt_addr))
return -EINVAL;
hwc = gc->hwc.driver_data;
@@ -754,7 +754,7 @@ static int mana_gd_create_dma_region(struct gdma_dev *gd,
req->page_addr_list_len = num_page;
for (i = 0; i < num_page; i++)
- req->page_addr_list[i] = gmi->dma_handle + i * PAGE_SIZE;
+ req->page_addr_list[i] = gmi->dma_handle + i * MANA_PAGE_SIZE;
err = mana_gd_send_request(gc, req_msg_size, req, sizeof(resp), &resp);
if (err)
diff --git a/drivers/net/ethernet/microsoft/mana/hw_channel.c b/drivers/net/ethernet/microsoft/mana/hw_channel.c
index 236daa0535ba0..9d6426d4158e3 100644
--- a/drivers/net/ethernet/microsoft/mana/hw_channel.c
+++ b/drivers/net/ethernet/microsoft/mana/hw_channel.c
@@ -366,12 +366,12 @@ static int mana_hwc_create_cq(struct hw_channel_context *hwc, u16 q_depth,
int err;
eq_size = roundup_pow_of_two(GDMA_EQE_SIZE * q_depth);
- if (eq_size < MINIMUM_SUPPORTED_PAGE_SIZE)
- eq_size = MINIMUM_SUPPORTED_PAGE_SIZE;
+ if (eq_size < MANA_MIN_QSIZE)
+ eq_size = MANA_MIN_QSIZE;
cq_size = roundup_pow_of_two(GDMA_CQE_SIZE * q_depth);
- if (cq_size < MINIMUM_SUPPORTED_PAGE_SIZE)
- cq_size = MINIMUM_SUPPORTED_PAGE_SIZE;
+ if (cq_size < MANA_MIN_QSIZE)
+ cq_size = MANA_MIN_QSIZE;
hwc_cq = kzalloc(sizeof(*hwc_cq), GFP_KERNEL);
if (!hwc_cq)
@@ -433,7 +433,7 @@ static int mana_hwc_alloc_dma_buf(struct hw_channel_context *hwc, u16 q_depth,
dma_buf->num_reqs = q_depth;
- buf_size = PAGE_ALIGN(q_depth * max_msg_size);
+ buf_size = MANA_PAGE_ALIGN(q_depth * max_msg_size);
gmi = &dma_buf->mem_info;
err = mana_gd_alloc_memory(gc, buf_size, gmi);
@@ -501,8 +501,8 @@ static int mana_hwc_create_wq(struct hw_channel_context *hwc,
else
queue_size = roundup_pow_of_two(GDMA_MAX_SQE_SIZE * q_depth);
- if (queue_size < MINIMUM_SUPPORTED_PAGE_SIZE)
- queue_size = MINIMUM_SUPPORTED_PAGE_SIZE;
+ if (queue_size < MANA_MIN_QSIZE)
+ queue_size = MANA_MIN_QSIZE;
hwc_wq = kzalloc(sizeof(*hwc_wq), GFP_KERNEL);
if (!hwc_wq)
diff --git a/drivers/net/ethernet/microsoft/mana/mana_en.c b/drivers/net/ethernet/microsoft/mana/mana_en.c
index d8cce3771af21..89852bbc877c1 100644
--- a/drivers/net/ethernet/microsoft/mana/mana_en.c
+++ b/drivers/net/ethernet/microsoft/mana/mana_en.c
@@ -1902,10 +1902,10 @@ static int mana_create_txq(struct mana_port_context *apc,
* to prevent overflow.
*/
txq_size = MAX_SEND_BUFFERS_PER_QUEUE * 32;
- BUILD_BUG_ON(!PAGE_ALIGNED(txq_size));
+ BUILD_BUG_ON(!MANA_PAGE_ALIGNED(txq_size));
cq_size = MAX_SEND_BUFFERS_PER_QUEUE * COMP_ENTRY_SIZE;
- cq_size = PAGE_ALIGN(cq_size);
+ cq_size = MANA_PAGE_ALIGN(cq_size);
gc = gd->gdma_context;
@@ -2203,8 +2203,8 @@ static struct mana_rxq *mana_create_rxq(struct mana_port_context *apc,
if (err)
goto out;
- rq_size = PAGE_ALIGN(rq_size);
- cq_size = PAGE_ALIGN(cq_size);
+ rq_size = MANA_PAGE_ALIGN(rq_size);
+ cq_size = MANA_PAGE_ALIGN(cq_size);
/* Create RQ */
memset(&spec, 0, sizeof(spec));
diff --git a/drivers/net/ethernet/microsoft/mana/shm_channel.c b/drivers/net/ethernet/microsoft/mana/shm_channel.c
index 5553af9c8085a..0f1679ebad96b 100644
--- a/drivers/net/ethernet/microsoft/mana/shm_channel.c
+++ b/drivers/net/ethernet/microsoft/mana/shm_channel.c
@@ -6,6 +6,7 @@
#include <linux/io.h>
#include <linux/mm.h>
+#include <net/mana/gdma.h>
#include <net/mana/shm_channel.h>
#define PAGE_FRAME_L48_WIDTH_BYTES 6
@@ -155,8 +156,8 @@ int mana_smc_setup_hwc(struct shm_channel *sc, bool reset_vf, u64 eq_addr,
return err;
}
- if (!PAGE_ALIGNED(eq_addr) || !PAGE_ALIGNED(cq_addr) ||
- !PAGE_ALIGNED(rq_addr) || !PAGE_ALIGNED(sq_addr))
+ if (!MANA_PAGE_ALIGNED(eq_addr) || !MANA_PAGE_ALIGNED(cq_addr) ||
+ !MANA_PAGE_ALIGNED(rq_addr) || !MANA_PAGE_ALIGNED(sq_addr))
return -EINVAL;
if ((eq_msix_index & VECTOR_MASK) != eq_msix_index)
@@ -183,7 +184,7 @@ int mana_smc_setup_hwc(struct shm_channel *sc, bool reset_vf, u64 eq_addr,
/* EQ addr: low 48 bits of frame address */
shmem = (u64 *)ptr;
- frame_addr = PHYS_PFN(eq_addr);
+ frame_addr = MANA_PFN(eq_addr);
*shmem = frame_addr & PAGE_FRAME_L48_MASK;
all_addr_h4bits |= (frame_addr >> PAGE_FRAME_L48_WIDTH_BITS) <<
(frame_addr_seq++ * PAGE_FRAME_H4_WIDTH_BITS);
@@ -191,7 +192,7 @@ int mana_smc_setup_hwc(struct shm_channel *sc, bool reset_vf, u64 eq_addr,
/* CQ addr: low 48 bits of frame address */
shmem = (u64 *)ptr;
- frame_addr = PHYS_PFN(cq_addr);
+ frame_addr = MANA_PFN(cq_addr);
*shmem = frame_addr & PAGE_FRAME_L48_MASK;
all_addr_h4bits |= (frame_addr >> PAGE_FRAME_L48_WIDTH_BITS) <<
(frame_addr_seq++ * PAGE_FRAME_H4_WIDTH_BITS);
@@ -199,7 +200,7 @@ int mana_smc_setup_hwc(struct shm_channel *sc, bool reset_vf, u64 eq_addr,
/* RQ addr: low 48 bits of frame address */
shmem = (u64 *)ptr;
- frame_addr = PHYS_PFN(rq_addr);
+ frame_addr = MANA_PFN(rq_addr);
*shmem = frame_addr & PAGE_FRAME_L48_MASK;
all_addr_h4bits |= (frame_addr >> PAGE_FRAME_L48_WIDTH_BITS) <<
(frame_addr_seq++ * PAGE_FRAME_H4_WIDTH_BITS);
@@ -207,7 +208,7 @@ int mana_smc_setup_hwc(struct shm_channel *sc, bool reset_vf, u64 eq_addr,
/* SQ addr: low 48 bits of frame address */
shmem = (u64 *)ptr;
- frame_addr = PHYS_PFN(sq_addr);
+ frame_addr = MANA_PFN(sq_addr);
*shmem = frame_addr & PAGE_FRAME_L48_MASK;
all_addr_h4bits |= (frame_addr >> PAGE_FRAME_L48_WIDTH_BITS) <<
(frame_addr_seq++ * PAGE_FRAME_H4_WIDTH_BITS);
diff --git a/include/net/mana/gdma.h b/include/net/mana/gdma.h
index 88b6ef7ce1a6e..3965343fdee0c 100644
--- a/include/net/mana/gdma.h
+++ b/include/net/mana/gdma.h
@@ -222,7 +222,15 @@ struct gdma_dev {
struct auxiliary_device *adev;
};
-#define MINIMUM_SUPPORTED_PAGE_SIZE PAGE_SIZE
+/* MANA_PAGE_SIZE is the DMA unit */
+#define MANA_PAGE_SHIFT 12
+#define MANA_PAGE_SIZE BIT(MANA_PAGE_SHIFT)
+#define MANA_PAGE_ALIGN(x) ALIGN((x), MANA_PAGE_SIZE)
+#define MANA_PAGE_ALIGNED(addr) IS_ALIGNED((unsigned long)(addr), MANA_PAGE_SIZE)
+#define MANA_PFN(a) ((a) >> MANA_PAGE_SHIFT)
+
+/* Required by HW */
+#define MANA_MIN_QSIZE MANA_PAGE_SIZE
#define GDMA_CQE_SIZE 64
#define GDMA_EQE_SIZE 16
diff --git a/include/net/mana/mana.h b/include/net/mana/mana.h
index 28e110f733ffd..7892b79854f62 100644
--- a/include/net/mana/mana.h
+++ b/include/net/mana/mana.h
@@ -42,7 +42,8 @@ enum TRI_STATE {
#define MAX_SEND_BUFFERS_PER_QUEUE 256
-#define EQ_SIZE (8 * PAGE_SIZE)
+#define EQ_SIZE (8 * MANA_PAGE_SIZE)
+
#define LOG2_EQ_THROTTLE 3
#define MAX_PORTS_IN_MANA_DEV 256
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 346/386] RDMA/mana_ib: use the correct page table index based on hardware page size
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (344 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 345/386] net: mana: Add support for page sizes other than 4KB on ARM64 Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 347/386] media: i2c: imx335: Enable regulator supplies Greg Kroah-Hartman
` (50 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Long Li, Leon Romanovsky,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Long Li <longli@microsoft.com>
[ Upstream commit 9e517a8e9d9a303bf9bde35e5c5374795544c152 ]
MANA hardware uses 4k page size. When calculating the page table index,
it should use the hardware page size, not the system page size.
Cc: stable@vger.kernel.org
Fixes: 0266a177631d ("RDMA/mana_ib: Add a driver for Microsoft Azure Network Adapter")
Signed-off-by: Long Li <longli@microsoft.com>
Link: https://patch.msgid.link/1725030993-16213-1-git-send-email-longli@linuxonhyperv.com
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/infiniband/hw/mana/main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/infiniband/hw/mana/main.c b/drivers/infiniband/hw/mana/main.c
index 5dd5b9803f4e5..85717482a616e 100644
--- a/drivers/infiniband/hw/mana/main.c
+++ b/drivers/infiniband/hw/mana/main.c
@@ -359,7 +359,7 @@ int mana_ib_gd_create_dma_region(struct mana_ib_dev *dev, struct ib_umem *umem,
create_req->length = umem->length;
create_req->offset_in_page = ib_umem_dma_offset(umem, page_sz);
- create_req->gdma_page_type = order_base_2(page_sz) - PAGE_SHIFT;
+ create_req->gdma_page_type = order_base_2(page_sz) - MANA_PAGE_SHIFT;
create_req->page_count = num_pages_total;
ibdev_dbg(&dev->ib_dev, "size_dma_region %lu num_pages_total %lu\n",
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 347/386] media: i2c: imx335: Enable regulator supplies
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (345 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 346/386] RDMA/mana_ib: use the correct page table index based on hardware page size Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 348/386] media: imx335: Fix reset-gpio handling Greg Kroah-Hartman
` (49 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kieran Bingham, Sakari Ailus,
Hans Verkuil, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kieran Bingham <kieran.bingham@ideasonboard.com>
[ Upstream commit fea91ee73b7cd19f08017221923d789f984abc54 ]
Provide support for enabling and disabling regulator supplies to control
power to the camera sensor.
While updating the power on function, document that a sleep is
represented as 'T4' in the datasheet power on sequence.
Signed-off-by: Kieran Bingham <kieran.bingham@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Stable-dep-of: 99d30e2fdea4 ("media: imx335: Fix reset-gpio handling")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/i2c/imx335.c | 36 ++++++++++++++++++++++++++++++++++--
1 file changed, 34 insertions(+), 2 deletions(-)
diff --git a/drivers/media/i2c/imx335.c b/drivers/media/i2c/imx335.c
index 26869abd77a67..771f13b524baf 100644
--- a/drivers/media/i2c/imx335.c
+++ b/drivers/media/i2c/imx335.c
@@ -75,6 +75,12 @@ struct imx335_reg_list {
const struct imx335_reg *regs;
};
+static const char * const imx335_supply_name[] = {
+ "avdd", /* Analog (2.9V) supply */
+ "ovdd", /* Digital I/O (1.8V) supply */
+ "dvdd", /* Digital Core (1.2V) supply */
+};
+
/**
* struct imx335_mode - imx335 sensor mode structure
* @width: Frame width
@@ -108,6 +114,7 @@ struct imx335_mode {
* @sd: V4L2 sub-device
* @pad: Media pad. Only one pad supported
* @reset_gpio: Sensor reset gpio
+ * @supplies: Regulator supplies to handle power control
* @inclk: Sensor input clock
* @ctrl_handler: V4L2 control handler
* @link_freq_ctrl: Pointer to link frequency control
@@ -127,6 +134,8 @@ struct imx335 {
struct v4l2_subdev sd;
struct media_pad pad;
struct gpio_desc *reset_gpio;
+ struct regulator_bulk_data supplies[ARRAY_SIZE(imx335_supply_name)];
+
struct clk *inclk;
struct v4l2_ctrl_handler ctrl_handler;
struct v4l2_ctrl *link_freq_ctrl;
@@ -790,6 +799,17 @@ static int imx335_parse_hw_config(struct imx335 *imx335)
return PTR_ERR(imx335->reset_gpio);
}
+ for (i = 0; i < ARRAY_SIZE(imx335_supply_name); i++)
+ imx335->supplies[i].supply = imx335_supply_name[i];
+
+ ret = devm_regulator_bulk_get(imx335->dev,
+ ARRAY_SIZE(imx335_supply_name),
+ imx335->supplies);
+ if (ret) {
+ dev_err(imx335->dev, "Failed to get regulators\n");
+ return ret;
+ }
+
/* Get sensor input clock */
imx335->inclk = devm_clk_get(imx335->dev, NULL);
if (IS_ERR(imx335->inclk)) {
@@ -868,6 +888,17 @@ static int imx335_power_on(struct device *dev)
struct imx335 *imx335 = to_imx335(sd);
int ret;
+ ret = regulator_bulk_enable(ARRAY_SIZE(imx335_supply_name),
+ imx335->supplies);
+ if (ret) {
+ dev_err(dev, "%s: failed to enable regulators\n",
+ __func__);
+ return ret;
+ }
+
+ usleep_range(500, 550); /* Tlow */
+
+ /* Set XCLR */
gpiod_set_value_cansleep(imx335->reset_gpio, 1);
ret = clk_prepare_enable(imx335->inclk);
@@ -876,12 +907,13 @@ static int imx335_power_on(struct device *dev)
goto error_reset;
}
- usleep_range(20, 22);
+ usleep_range(20, 22); /* T4 */
return 0;
error_reset:
gpiod_set_value_cansleep(imx335->reset_gpio, 0);
+ regulator_bulk_disable(ARRAY_SIZE(imx335_supply_name), imx335->supplies);
return ret;
}
@@ -898,8 +930,8 @@ static int imx335_power_off(struct device *dev)
struct imx335 *imx335 = to_imx335(sd);
gpiod_set_value_cansleep(imx335->reset_gpio, 0);
-
clk_disable_unprepare(imx335->inclk);
+ regulator_bulk_disable(ARRAY_SIZE(imx335_supply_name), imx335->supplies);
return 0;
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 348/386] media: imx335: Fix reset-gpio handling
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (346 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 347/386] media: i2c: imx335: Enable regulator supplies Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 349/386] remoteproc: k3-r5: Acquire mailbox handle during probe routine Greg Kroah-Hartman
` (48 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Laurent Pinchart, Umang Jain,
Sakari Ailus, Hans Verkuil, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Umang Jain <umang.jain@ideasonboard.com>
[ Upstream commit 99d30e2fdea4086be4e66e2deb10de854b547ab8 ]
Rectify the logical value of reset-gpio so that it is set to
0 (disabled) during power-on and to 1 (enabled) during power-off.
Set the reset-gpio to GPIO_OUT_HIGH at initialization time to make
sure it starts off in reset. Also drop the "Set XCLR" comment which
is not-so-informative.
The existing usage of imx335 had reset-gpios polarity inverted
(GPIO_ACTIVE_HIGH) in their device-tree sources. With this patch
included, those DTS will not be able to stream imx335 anymore. The
reset-gpio polarity will need to be rectified in the device-tree
sources as shown in [1] example, in order to get imx335 functional
again (as it remains in reset prior to this fix).
Cc: stable@vger.kernel.org
Fixes: 45d19b5fb9ae ("media: i2c: Add imx335 camera sensor driver")
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Link: https://lore.kernel.org/linux-media/20240729110437.199428-1-umang.jain@ideasonboard.com/
Signed-off-by: Umang Jain <umang.jain@ideasonboard.com>
Signed-off-by: Sakari Ailus <sakari.ailus@linux.intel.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/media/i2c/imx335.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/drivers/media/i2c/imx335.c b/drivers/media/i2c/imx335.c
index 771f13b524baf..cb3f4fc66a174 100644
--- a/drivers/media/i2c/imx335.c
+++ b/drivers/media/i2c/imx335.c
@@ -792,7 +792,7 @@ static int imx335_parse_hw_config(struct imx335 *imx335)
/* Request optional reset pin */
imx335->reset_gpio = devm_gpiod_get_optional(imx335->dev, "reset",
- GPIOD_OUT_LOW);
+ GPIOD_OUT_HIGH);
if (IS_ERR(imx335->reset_gpio)) {
dev_err(imx335->dev, "failed to get reset gpio %ld",
PTR_ERR(imx335->reset_gpio));
@@ -898,8 +898,7 @@ static int imx335_power_on(struct device *dev)
usleep_range(500, 550); /* Tlow */
- /* Set XCLR */
- gpiod_set_value_cansleep(imx335->reset_gpio, 1);
+ gpiod_set_value_cansleep(imx335->reset_gpio, 0);
ret = clk_prepare_enable(imx335->inclk);
if (ret) {
@@ -912,7 +911,7 @@ static int imx335_power_on(struct device *dev)
return 0;
error_reset:
- gpiod_set_value_cansleep(imx335->reset_gpio, 0);
+ gpiod_set_value_cansleep(imx335->reset_gpio, 1);
regulator_bulk_disable(ARRAY_SIZE(imx335_supply_name), imx335->supplies);
return ret;
@@ -929,7 +928,7 @@ static int imx335_power_off(struct device *dev)
struct v4l2_subdev *sd = dev_get_drvdata(dev);
struct imx335 *imx335 = to_imx335(sd);
- gpiod_set_value_cansleep(imx335->reset_gpio, 0);
+ gpiod_set_value_cansleep(imx335->reset_gpio, 1);
clk_disable_unprepare(imx335->inclk);
regulator_bulk_disable(ARRAY_SIZE(imx335_supply_name), imx335->supplies);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 349/386] remoteproc: k3-r5: Acquire mailbox handle during probe routine
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (347 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 348/386] media: imx335: Fix reset-gpio handling Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 350/386] remoteproc: k3-r5: Delay notification of wakeup event Greg Kroah-Hartman
` (47 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Beleswar Padhi, Mathieu Poirier,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Beleswar Padhi <b-padhi@ti.com>
[ Upstream commit f3f11cfe890733373ddbb1ce8991ccd4ee5e79e1 ]
Acquire the mailbox handle during device probe and do not release handle
in stop/detach routine or error paths. This removes the redundant
requests for mbox handle later during rproc start/attach. This also
allows to defer remoteproc driver's probe if mailbox is not probed yet.
Signed-off-by: Beleswar Padhi <b-padhi@ti.com>
Link: https://lore.kernel.org/r/20240808074127.2688131-3-b-padhi@ti.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Stable-dep-of: 8fa052c29e50 ("remoteproc: k3-r5: Delay notification of wakeup event")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/ti_k3_r5_remoteproc.c | 78 +++++++++---------------
1 file changed, 30 insertions(+), 48 deletions(-)
diff --git a/drivers/remoteproc/ti_k3_r5_remoteproc.c b/drivers/remoteproc/ti_k3_r5_remoteproc.c
index 7c48f41808fa3..15fc663389096 100644
--- a/drivers/remoteproc/ti_k3_r5_remoteproc.c
+++ b/drivers/remoteproc/ti_k3_r5_remoteproc.c
@@ -194,6 +194,10 @@ static void k3_r5_rproc_mbox_callback(struct mbox_client *client, void *data)
const char *name = kproc->rproc->name;
u32 msg = omap_mbox_message(data);
+ /* Do not forward message from a detached core */
+ if (kproc->rproc->state == RPROC_DETACHED)
+ return;
+
dev_dbg(dev, "mbox msg: 0x%x\n", msg);
switch (msg) {
@@ -229,6 +233,10 @@ static void k3_r5_rproc_kick(struct rproc *rproc, int vqid)
mbox_msg_t msg = (mbox_msg_t)vqid;
int ret;
+ /* Do not forward message to a detached core */
+ if (kproc->rproc->state == RPROC_DETACHED)
+ return;
+
/* send the index of the triggered virtqueue in the mailbox payload */
ret = mbox_send_message(kproc->mbox, (void *)msg);
if (ret < 0)
@@ -399,12 +407,9 @@ static int k3_r5_rproc_request_mbox(struct rproc *rproc)
client->knows_txdone = false;
kproc->mbox = mbox_request_channel(client, 0);
- if (IS_ERR(kproc->mbox)) {
- ret = -EBUSY;
- dev_err(dev, "mbox_request_channel failed: %ld\n",
- PTR_ERR(kproc->mbox));
- return ret;
- }
+ if (IS_ERR(kproc->mbox))
+ return dev_err_probe(dev, PTR_ERR(kproc->mbox),
+ "mbox_request_channel failed\n");
/*
* Ping the remote processor, this is only for sanity-sake for now;
@@ -552,10 +557,6 @@ static int k3_r5_rproc_start(struct rproc *rproc)
u32 boot_addr;
int ret;
- ret = k3_r5_rproc_request_mbox(rproc);
- if (ret)
- return ret;
-
boot_addr = rproc->bootaddr;
/* TODO: add boot_addr sanity checking */
dev_dbg(dev, "booting R5F core using boot addr = 0x%x\n", boot_addr);
@@ -564,7 +565,7 @@ static int k3_r5_rproc_start(struct rproc *rproc)
core = kproc->core;
ret = ti_sci_proc_set_config(core->tsp, boot_addr, 0, 0);
if (ret)
- goto put_mbox;
+ return ret;
/* unhalt/run all applicable cores */
if (cluster->mode == CLUSTER_MODE_LOCKSTEP) {
@@ -580,13 +581,12 @@ static int k3_r5_rproc_start(struct rproc *rproc)
if (core != core0 && core0->rproc->state == RPROC_OFFLINE) {
dev_err(dev, "%s: can not start core 1 before core 0\n",
__func__);
- ret = -EPERM;
- goto put_mbox;
+ return -EPERM;
}
ret = k3_r5_core_run(core);
if (ret)
- goto put_mbox;
+ return ret;
}
return 0;
@@ -596,8 +596,6 @@ static int k3_r5_rproc_start(struct rproc *rproc)
if (k3_r5_core_halt(core))
dev_warn(core->dev, "core halt back failed\n");
}
-put_mbox:
- mbox_free_channel(kproc->mbox);
return ret;
}
@@ -658,8 +656,6 @@ static int k3_r5_rproc_stop(struct rproc *rproc)
goto out;
}
- mbox_free_channel(kproc->mbox);
-
return 0;
unroll_core_halt:
@@ -674,42 +670,22 @@ static int k3_r5_rproc_stop(struct rproc *rproc)
/*
* Attach to a running R5F remote processor (IPC-only mode)
*
- * The R5F attach callback only needs to request the mailbox, the remote
- * processor is already booted, so there is no need to issue any TI-SCI
- * commands to boot the R5F cores in IPC-only mode. This callback is invoked
- * only in IPC-only mode.
+ * The R5F attach callback is a NOP. The remote processor is already booted, and
+ * all required resources have been acquired during probe routine, so there is
+ * no need to issue any TI-SCI commands to boot the R5F cores in IPC-only mode.
+ * This callback is invoked only in IPC-only mode and exists because
+ * rproc_validate() checks for its existence.
*/
-static int k3_r5_rproc_attach(struct rproc *rproc)
-{
- struct k3_r5_rproc *kproc = rproc->priv;
- struct device *dev = kproc->dev;
- int ret;
-
- ret = k3_r5_rproc_request_mbox(rproc);
- if (ret)
- return ret;
-
- dev_info(dev, "R5F core initialized in IPC-only mode\n");
- return 0;
-}
+static int k3_r5_rproc_attach(struct rproc *rproc) { return 0; }
/*
* Detach from a running R5F remote processor (IPC-only mode)
*
- * The R5F detach callback performs the opposite operation to attach callback
- * and only needs to release the mailbox, the R5F cores are not stopped and
- * will be left in booted state in IPC-only mode. This callback is invoked
- * only in IPC-only mode.
+ * The R5F detach callback is a NOP. The R5F cores are not stopped and will be
+ * left in booted state in IPC-only mode. This callback is invoked only in
+ * IPC-only mode and exists for sanity sake.
*/
-static int k3_r5_rproc_detach(struct rproc *rproc)
-{
- struct k3_r5_rproc *kproc = rproc->priv;
- struct device *dev = kproc->dev;
-
- mbox_free_channel(kproc->mbox);
- dev_info(dev, "R5F core deinitialized in IPC-only mode\n");
- return 0;
-}
+static int k3_r5_rproc_detach(struct rproc *rproc) { return 0; }
/*
* This function implements the .get_loaded_rsc_table() callback and is used
@@ -1277,6 +1253,10 @@ static int k3_r5_cluster_rproc_init(struct platform_device *pdev)
kproc->rproc = rproc;
core->rproc = rproc;
+ ret = k3_r5_rproc_request_mbox(rproc);
+ if (ret)
+ return ret;
+
ret = k3_r5_rproc_configure_mode(kproc);
if (ret < 0)
goto err_config;
@@ -1395,6 +1375,8 @@ static void k3_r5_cluster_rproc_exit(void *data)
}
}
+ mbox_free_channel(kproc->mbox);
+
rproc_del(rproc);
k3_r5_reserved_mem_exit(kproc);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 350/386] remoteproc: k3-r5: Delay notification of wakeup event
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (348 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 349/386] remoteproc: k3-r5: Acquire mailbox handle during probe routine Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 351/386] dt-bindings: clock: qcom: Add missing UFS QREF clocks Greg Kroah-Hartman
` (46 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Udit Kumar, Beleswar Padhi,
Mathieu Poirier, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Udit Kumar <u-kumar1@ti.com>
[ Upstream commit 8fa052c29e509f3e47d56d7fc2ca28094d78c60a ]
Few times, core1 was scheduled to boot first before core0, which leads
to error:
'k3_r5_rproc_start: can not start core 1 before core 0'.
This was happening due to some scheduling between prepare and start
callback. The probe function waits for event, which is getting
triggered by prepare callback. To avoid above condition move event
trigger to start instead of prepare callback.
Fixes: 61f6f68447ab ("remoteproc: k3-r5: Wait for core0 power-up before powering up core1")
Signed-off-by: Udit Kumar <u-kumar1@ti.com>
[ Applied wakeup event trigger only for Split-Mode booted rprocs ]
Signed-off-by: Beleswar Padhi <b-padhi@ti.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20240820105004.2788327-1-b-padhi@ti.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/remoteproc/ti_k3_r5_remoteproc.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/remoteproc/ti_k3_r5_remoteproc.c b/drivers/remoteproc/ti_k3_r5_remoteproc.c
index 15fc663389096..5491b1b17ca36 100644
--- a/drivers/remoteproc/ti_k3_r5_remoteproc.c
+++ b/drivers/remoteproc/ti_k3_r5_remoteproc.c
@@ -469,8 +469,6 @@ static int k3_r5_rproc_prepare(struct rproc *rproc)
ret);
return ret;
}
- core->released_from_reset = true;
- wake_up_interruptible(&cluster->core_transition);
/*
* Newer IP revisions like on J7200 SoCs support h/w auto-initialization
@@ -587,6 +585,9 @@ static int k3_r5_rproc_start(struct rproc *rproc)
ret = k3_r5_core_run(core);
if (ret)
return ret;
+
+ core->released_from_reset = true;
+ wake_up_interruptible(&cluster->core_transition);
}
return 0;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 351/386] dt-bindings: clock: qcom: Add missing UFS QREF clocks
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (349 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 350/386] remoteproc: k3-r5: Delay notification of wakeup event Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 352/386] dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x Greg Kroah-Hartman
` (45 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Manivannan Sadhasivam, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
[ Upstream commit 26447dad8119fd084d7c6f167c3026700b701666 ]
Add missing QREF clocks for UFS MEM and UFS CARD controllers.
Fixes: 0fadcdfdcf57 ("dt-bindings: clock: Add SC8180x GCC binding")
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20240131-ufs-phy-clock-v3-3-58a49d2f4605@linaro.org
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Stable-dep-of: 648b4bde0aca ("dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/dt-bindings/clock/qcom,gcc-sc8180x.h | 2 ++
1 file changed, 2 insertions(+)
diff --git a/include/dt-bindings/clock/qcom,gcc-sc8180x.h b/include/dt-bindings/clock/qcom,gcc-sc8180x.h
index e893415ae13d0..90c6e021a0356 100644
--- a/include/dt-bindings/clock/qcom,gcc-sc8180x.h
+++ b/include/dt-bindings/clock/qcom,gcc-sc8180x.h
@@ -246,6 +246,8 @@
#define GCC_PCIE_3_CLKREF_CLK 236
#define GCC_USB3_PRIM_CLKREF_CLK 237
#define GCC_USB3_SEC_CLKREF_CLK 238
+#define GCC_UFS_MEM_CLKREF_EN 239
+#define GCC_UFS_CARD_CLKREF_EN 240
#define GCC_EMAC_BCR 0
#define GCC_GPU_BCR 1
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 352/386] dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (350 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 351/386] dt-bindings: clock: qcom: Add missing UFS QREF clocks Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 353/386] iio: pressure: bmp280: Allow multiple chips id per family of devices Greg Kroah-Hartman
` (44 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski,
Satya Priya Kakitapalli, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
[ Upstream commit 648b4bde0aca2980ebc0b90cdfbb80d222370c3d ]
Add the missing GPLL9 which is required for the gcc sdcc2 clock.
Fixes: 0fadcdfdcf57 ("dt-bindings: clock: Add SC8180x GCC binding")
Cc: stable@vger.kernel.org
Acked-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
Link: https://lore.kernel.org/r/20240812-gcc-sc8180x-fixes-v2-2-8b3eaa5fb856@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/dt-bindings/clock/qcom,gcc-sc8180x.h | 1 +
1 file changed, 1 insertion(+)
diff --git a/include/dt-bindings/clock/qcom,gcc-sc8180x.h b/include/dt-bindings/clock/qcom,gcc-sc8180x.h
index 90c6e021a0356..2569f874fe13c 100644
--- a/include/dt-bindings/clock/qcom,gcc-sc8180x.h
+++ b/include/dt-bindings/clock/qcom,gcc-sc8180x.h
@@ -248,6 +248,7 @@
#define GCC_USB3_SEC_CLKREF_CLK 238
#define GCC_UFS_MEM_CLKREF_EN 239
#define GCC_UFS_CARD_CLKREF_EN 240
+#define GPLL9 241
#define GCC_EMAC_BCR 0
#define GCC_GPU_BCR 1
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 353/386] iio: pressure: bmp280: Allow multiple chips id per family of devices
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (351 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 352/386] dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 354/386] iio: pressure: bmp280: Improve indentation and line wrapping Greg Kroah-Hartman
` (43 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Angel Iglesias, Jonathan Cameron,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Angel Iglesias <ang.iglesiasg@gmail.com>
[ Upstream commit 33564435c8084ff29837c9ed9bb9574ec957751d ]
Improve device detection in certain chip families known to have
various chip IDs. When no ID matches, give a warning but follow
along what device said on the firmware side and try to configure
it.
Signed-off-by: Angel Iglesias <ang.iglesiasg@gmail.com>
Link: https://lore.kernel.org/r/eade22d11e9de4405ea19fdaa5a8249143ae94df.1697994521.git.ang.iglesiasg@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: b9065b0250e1 ("iio: pressure: bmp280: Fix regmap for BMP280 device")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/pressure/bmp280-core.c | 35 ++++++++++++++++++++++--------
drivers/iio/pressure/bmp280.h | 3 ++-
2 files changed, 28 insertions(+), 10 deletions(-)
diff --git a/drivers/iio/pressure/bmp280-core.c b/drivers/iio/pressure/bmp280-core.c
index a65630d5742f0..ac72b175ffcc1 100644
--- a/drivers/iio/pressure/bmp280-core.c
+++ b/drivers/iio/pressure/bmp280-core.c
@@ -794,10 +794,12 @@ static int bmp280_chip_config(struct bmp280_data *data)
}
static const int bmp280_oversampling_avail[] = { 1, 2, 4, 8, 16 };
+static const u8 bmp280_chip_ids[] = { BMP280_CHIP_ID };
const struct bmp280_chip_info bmp280_chip_info = {
.id_reg = BMP280_REG_ID,
- .chip_id = BMP280_CHIP_ID,
+ .chip_id = bmp280_chip_ids,
+ .num_chip_id = ARRAY_SIZE(bmp280_chip_ids),
.regmap_config = &bmp280_regmap_config,
.start_up_time = 2000,
.channels = bmp280_channels,
@@ -846,9 +848,12 @@ static int bme280_chip_config(struct bmp280_data *data)
return bmp280_chip_config(data);
}
+static const u8 bme280_chip_ids[] = { BME280_CHIP_ID };
+
const struct bmp280_chip_info bme280_chip_info = {
.id_reg = BMP280_REG_ID,
- .chip_id = BME280_CHIP_ID,
+ .chip_id = bme280_chip_ids,
+ .num_chip_id = ARRAY_SIZE(bme280_chip_ids),
.regmap_config = &bmp280_regmap_config,
.start_up_time = 2000,
.channels = bmp280_channels,
@@ -1220,10 +1225,12 @@ static int bmp380_chip_config(struct bmp280_data *data)
static const int bmp380_oversampling_avail[] = { 1, 2, 4, 8, 16, 32 };
static const int bmp380_iir_filter_coeffs_avail[] = { 1, 2, 4, 8, 16, 32, 64, 128};
+static const u8 bmp380_chip_ids[] = { BMP380_CHIP_ID };
const struct bmp280_chip_info bmp380_chip_info = {
.id_reg = BMP380_REG_ID,
- .chip_id = BMP380_CHIP_ID,
+ .chip_id = bmp380_chip_ids,
+ .num_chip_id = ARRAY_SIZE(bmp380_chip_ids),
.regmap_config = &bmp380_regmap_config,
.start_up_time = 2000,
.channels = bmp380_channels,
@@ -1720,10 +1727,12 @@ static int bmp580_chip_config(struct bmp280_data *data)
}
static const int bmp580_oversampling_avail[] = { 1, 2, 4, 8, 16, 32, 64, 128 };
+static const u8 bmp580_chip_ids[] = { BMP580_CHIP_ID, BMP580_CHIP_ID_ALT };
const struct bmp280_chip_info bmp580_chip_info = {
.id_reg = BMP580_REG_CHIP_ID,
- .chip_id = BMP580_CHIP_ID,
+ .chip_id = bmp580_chip_ids,
+ .num_chip_id = ARRAY_SIZE(bmp580_chip_ids),
.regmap_config = &bmp580_regmap_config,
.start_up_time = 2000,
.channels = bmp380_channels,
@@ -1983,10 +1992,12 @@ static int bmp180_chip_config(struct bmp280_data *data)
static const int bmp180_oversampling_temp_avail[] = { 1 };
static const int bmp180_oversampling_press_avail[] = { 1, 2, 4, 8 };
+static const u8 bmp180_chip_ids[] = { BMP180_CHIP_ID };
const struct bmp280_chip_info bmp180_chip_info = {
.id_reg = BMP280_REG_ID,
- .chip_id = BMP180_CHIP_ID,
+ .chip_id = bmp180_chip_ids,
+ .num_chip_id = ARRAY_SIZE(bmp180_chip_ids),
.regmap_config = &bmp180_regmap_config,
.start_up_time = 2000,
.channels = bmp280_channels,
@@ -2077,6 +2088,7 @@ int bmp280_common_probe(struct device *dev,
struct bmp280_data *data;
struct gpio_desc *gpiod;
unsigned int chip_id;
+ unsigned int i;
int ret;
indio_dev = devm_iio_device_alloc(dev, sizeof(*data));
@@ -2142,12 +2154,17 @@ int bmp280_common_probe(struct device *dev,
ret = regmap_read(regmap, data->chip_info->id_reg, &chip_id);
if (ret < 0)
return ret;
- if (chip_id != data->chip_info->chip_id) {
- dev_err(dev, "bad chip id: expected %x got %x\n",
- data->chip_info->chip_id, chip_id);
- return -EINVAL;
+
+ for (i = 0; i < data->chip_info->num_chip_id; i++) {
+ if (chip_id == data->chip_info->chip_id[i]) {
+ dev_info(dev, "0x%x is a known chip id for %s\n", chip_id, name);
+ break;
+ }
}
+ if (i == data->chip_info->num_chip_id)
+ dev_warn(dev, "bad chip id: 0x%x is not a known chip id\n", chip_id);
+
if (data->chip_info->preinit) {
ret = data->chip_info->preinit(data);
if (ret)
diff --git a/drivers/iio/pressure/bmp280.h b/drivers/iio/pressure/bmp280.h
index 9d9f4ce2baa6e..a44ea33221635 100644
--- a/drivers/iio/pressure/bmp280.h
+++ b/drivers/iio/pressure/bmp280.h
@@ -418,7 +418,8 @@ struct bmp280_data {
struct bmp280_chip_info {
unsigned int id_reg;
- const unsigned int chip_id;
+ const u8 *chip_id;
+ int num_chip_id;
const struct regmap_config *regmap_config;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 354/386] iio: pressure: bmp280: Improve indentation and line wrapping
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (352 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 353/386] iio: pressure: bmp280: Allow multiple chips id per family of devices Greg Kroah-Hartman
@ 2024-10-08 12:09 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 355/386] iio: pressure: bmp280: Use BME prefix for BME280 specifics Greg Kroah-Hartman
` (42 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:09 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vasileios Amoiridis,
Jonathan Cameron, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasileios Amoiridis <vassilisamir@gmail.com>
[ Upstream commit 439ce8961bdd2e925c1f6adc82ce9fe3931e2c08 ]
Fix indentations that are not following the standards, remove
extra white lines and add missing white lines.
Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
Link: https://lore.kernel.org/r/20240429190046.24252-2-vassilisamir@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: b9065b0250e1 ("iio: pressure: bmp280: Fix regmap for BMP280 device")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/pressure/bmp280-core.c | 108 ++++++++++++++++-------------
drivers/iio/pressure/bmp280-spi.c | 4 +-
2 files changed, 61 insertions(+), 51 deletions(-)
diff --git a/drivers/iio/pressure/bmp280-core.c b/drivers/iio/pressure/bmp280-core.c
index ac72b175ffcc1..dac2a4e237929 100644
--- a/drivers/iio/pressure/bmp280-core.c
+++ b/drivers/iio/pressure/bmp280-core.c
@@ -51,7 +51,6 @@
*/
enum { AC1, AC2, AC3, AC4, AC5, AC6, B1, B2, MB, MC, MD };
-
enum bmp380_odr {
BMP380_ODR_200HZ,
BMP380_ODR_100HZ,
@@ -180,18 +179,19 @@ static int bmp280_read_calib(struct bmp280_data *data)
struct bmp280_calib *calib = &data->calib.bmp280;
int ret;
-
/* Read temperature and pressure calibration values. */
ret = regmap_bulk_read(data->regmap, BMP280_REG_COMP_TEMP_START,
- data->bmp280_cal_buf, sizeof(data->bmp280_cal_buf));
+ data->bmp280_cal_buf,
+ sizeof(data->bmp280_cal_buf));
if (ret < 0) {
dev_err(data->dev,
- "failed to read temperature and pressure calibration parameters\n");
+ "failed to read calibration parameters\n");
return ret;
}
- /* Toss the temperature and pressure calibration data into the entropy pool */
- add_device_randomness(data->bmp280_cal_buf, sizeof(data->bmp280_cal_buf));
+ /* Toss calibration data into the entropy pool */
+ add_device_randomness(data->bmp280_cal_buf,
+ sizeof(data->bmp280_cal_buf));
/* Parse temperature calibration values. */
calib->T1 = le16_to_cpu(data->bmp280_cal_buf[T1]);
@@ -222,7 +222,7 @@ static int bme280_read_calib(struct bmp280_data *data)
/* Load shared calibration params with bmp280 first */
ret = bmp280_read_calib(data);
if (ret < 0) {
- dev_err(dev, "failed to read common bmp280 calibration parameters\n");
+ dev_err(dev, "failed to read calibration parameters\n");
return ret;
}
@@ -282,6 +282,7 @@ static int bme280_read_calib(struct bmp280_data *data)
return 0;
}
+
/*
* Returns humidity in percent, resolution is 0.01 percent. Output value of
* "47445" represents 47445/1024 = 46.333 %RH.
@@ -304,7 +305,7 @@ static u32 bmp280_compensate_humidity(struct bmp280_data *data,
var = clamp_val(var, 0, 419430400);
return var >> 12;
-};
+}
/*
* Returns temperature in DegC, resolution is 0.01 DegC. Output value of
@@ -537,7 +538,7 @@ static int bmp280_read_raw(struct iio_dev *indio_dev,
}
static int bmp280_write_oversampling_ratio_humid(struct bmp280_data *data,
- int val)
+ int val)
{
const int *avail = data->chip_info->oversampling_humid_avail;
const int n = data->chip_info->num_oversampling_humid_avail;
@@ -562,7 +563,7 @@ static int bmp280_write_oversampling_ratio_humid(struct bmp280_data *data,
}
static int bmp280_write_oversampling_ratio_temp(struct bmp280_data *data,
- int val)
+ int val)
{
const int *avail = data->chip_info->oversampling_temp_avail;
const int n = data->chip_info->num_oversampling_temp_avail;
@@ -587,7 +588,7 @@ static int bmp280_write_oversampling_ratio_temp(struct bmp280_data *data,
}
static int bmp280_write_oversampling_ratio_press(struct bmp280_data *data,
- int val)
+ int val)
{
const int *avail = data->chip_info->oversampling_press_avail;
const int n = data->chip_info->num_oversampling_press_avail;
@@ -771,13 +772,12 @@ static int bmp280_chip_config(struct bmp280_data *data)
int ret;
ret = regmap_write_bits(data->regmap, BMP280_REG_CTRL_MEAS,
- BMP280_OSRS_TEMP_MASK |
- BMP280_OSRS_PRESS_MASK |
- BMP280_MODE_MASK,
- osrs | BMP280_MODE_NORMAL);
+ BMP280_OSRS_TEMP_MASK |
+ BMP280_OSRS_PRESS_MASK |
+ BMP280_MODE_MASK,
+ osrs | BMP280_MODE_NORMAL);
if (ret < 0) {
- dev_err(data->dev,
- "failed to write ctrl_meas register\n");
+ dev_err(data->dev, "failed to write ctrl_meas register\n");
return ret;
}
@@ -785,8 +785,7 @@ static int bmp280_chip_config(struct bmp280_data *data)
BMP280_FILTER_MASK,
BMP280_FILTER_4X);
if (ret < 0) {
- dev_err(data->dev,
- "failed to write config register\n");
+ dev_err(data->dev, "failed to write config register\n");
return ret;
}
@@ -925,8 +924,8 @@ static int bmp380_cmd(struct bmp280_data *data, u8 cmd)
}
/*
- * Returns temperature in Celsius degrees, resolution is 0.01º C. Output value of
- * "5123" equals 51.2º C. t_fine carries fine temperature as global value.
+ * Returns temperature in Celsius degrees, resolution is 0.01º C. Output value
+ * of "5123" equals 51.2º C. t_fine carries fine temperature as global value.
*
* Taken from datasheet, Section Appendix 9, "Compensation formula" and repo
* https://github.com/BoschSensortec/BMP3-Sensor-API.
@@ -1068,7 +1067,8 @@ static int bmp380_read_calib(struct bmp280_data *data)
/* Read temperature and pressure calibration data */
ret = regmap_bulk_read(data->regmap, BMP380_REG_CALIB_TEMP_START,
- data->bmp380_cal_buf, sizeof(data->bmp380_cal_buf));
+ data->bmp380_cal_buf,
+ sizeof(data->bmp380_cal_buf));
if (ret) {
dev_err(data->dev,
"failed to read temperature calibration parameters\n");
@@ -1076,7 +1076,8 @@ static int bmp380_read_calib(struct bmp280_data *data)
}
/* Toss the temperature calibration data into the entropy pool */
- add_device_randomness(data->bmp380_cal_buf, sizeof(data->bmp380_cal_buf));
+ add_device_randomness(data->bmp380_cal_buf,
+ sizeof(data->bmp380_cal_buf));
/* Parse calibration values */
calib->T1 = get_unaligned_le16(&data->bmp380_cal_buf[BMP380_T1]);
@@ -1158,7 +1159,8 @@ static int bmp380_chip_config(struct bmp280_data *data)
/* Configure output data rate */
ret = regmap_update_bits_check(data->regmap, BMP380_REG_ODR,
- BMP380_ODRS_MASK, data->sampling_freq, &aux);
+ BMP380_ODRS_MASK, data->sampling_freq,
+ &aux);
if (ret) {
dev_err(data->dev, "failed to write ODR selection register\n");
return ret;
@@ -1177,12 +1179,13 @@ static int bmp380_chip_config(struct bmp280_data *data)
if (change) {
/*
- * The configurations errors are detected on the fly during a measurement
- * cycle. If the sampling frequency is too low, it's faster to reset
- * the measurement loop than wait until the next measurement is due.
+ * The configurations errors are detected on the fly during a
+ * measurement cycle. If the sampling frequency is too low, it's
+ * faster to reset the measurement loop than wait until the next
+ * measurement is due.
*
- * Resets sensor measurement loop toggling between sleep and normal
- * operating modes.
+ * Resets sensor measurement loop toggling between sleep and
+ * normal operating modes.
*/
ret = regmap_write_bits(data->regmap, BMP380_REG_POWER_CONTROL,
BMP380_MODE_MASK,
@@ -1200,22 +1203,21 @@ static int bmp380_chip_config(struct bmp280_data *data)
return ret;
}
/*
- * Waits for measurement before checking configuration error flag.
- * Selected longest measure time indicated in section 3.9.1
- * in the datasheet.
+ * Waits for measurement before checking configuration error
+ * flag. Selected longest measure time indicated in
+ * section 3.9.1 in the datasheet.
*/
msleep(80);
/* Check config error flag */
ret = regmap_read(data->regmap, BMP380_REG_ERROR, &tmp);
if (ret) {
- dev_err(data->dev,
- "failed to read error register\n");
+ dev_err(data->dev, "failed to read error register\n");
return ret;
}
if (tmp & BMP380_ERR_CONF_MASK) {
dev_warn(data->dev,
- "sensor flagged configuration as incompatible\n");
+ "sensor flagged configuration as incompatible\n");
return -EINVAL;
}
}
@@ -1315,9 +1317,11 @@ static int bmp580_nvm_operation(struct bmp280_data *data, bool is_write)
}
/* Start NVM operation sequence */
- ret = regmap_write(data->regmap, BMP580_REG_CMD, BMP580_CMD_NVM_OP_SEQ_0);
+ ret = regmap_write(data->regmap, BMP580_REG_CMD,
+ BMP580_CMD_NVM_OP_SEQ_0);
if (ret) {
- dev_err(data->dev, "failed to send nvm operation's first sequence\n");
+ dev_err(data->dev,
+ "failed to send nvm operation's first sequence\n");
return ret;
}
if (is_write) {
@@ -1325,7 +1329,8 @@ static int bmp580_nvm_operation(struct bmp280_data *data, bool is_write)
ret = regmap_write(data->regmap, BMP580_REG_CMD,
BMP580_CMD_NVM_WRITE_SEQ_1);
if (ret) {
- dev_err(data->dev, "failed to send nvm write sequence\n");
+ dev_err(data->dev,
+ "failed to send nvm write sequence\n");
return ret;
}
/* Datasheet says on 4.8.1.2 it takes approximately 10ms */
@@ -1336,7 +1341,8 @@ static int bmp580_nvm_operation(struct bmp280_data *data, bool is_write)
ret = regmap_write(data->regmap, BMP580_REG_CMD,
BMP580_CMD_NVM_READ_SEQ_1);
if (ret) {
- dev_err(data->dev, "failed to send nvm read sequence\n");
+ dev_err(data->dev,
+ "failed to send nvm read sequence\n");
return ret;
}
/* Datasheet says on 4.8.1.1 it takes approximately 200us */
@@ -1499,8 +1505,8 @@ static int bmp580_nvmem_read(void *priv, unsigned int offset, void *val,
if (ret)
goto exit;
- ret = regmap_bulk_read(data->regmap, BMP580_REG_NVM_DATA_LSB, &data->le16,
- sizeof(data->le16));
+ ret = regmap_bulk_read(data->regmap, BMP580_REG_NVM_DATA_LSB,
+ &data->le16, sizeof(data->le16));
if (ret) {
dev_err(data->dev, "error reading nvm data regs\n");
goto exit;
@@ -1544,7 +1550,8 @@ static int bmp580_nvmem_write(void *priv, unsigned int offset, void *val,
while (bytes >= sizeof(*buf)) {
addr = bmp580_nvmem_addrs[offset / sizeof(*buf)];
- ret = regmap_write(data->regmap, BMP580_REG_NVM_ADDR, BMP580_NVM_PROG_EN |
+ ret = regmap_write(data->regmap, BMP580_REG_NVM_ADDR,
+ BMP580_NVM_PROG_EN |
FIELD_PREP(BMP580_NVM_ROW_ADDR_MASK, addr));
if (ret) {
dev_err(data->dev, "error writing nvm address\n");
@@ -1552,8 +1559,8 @@ static int bmp580_nvmem_write(void *priv, unsigned int offset, void *val,
}
data->le16 = cpu_to_le16(*buf++);
- ret = regmap_bulk_write(data->regmap, BMP580_REG_NVM_DATA_LSB, &data->le16,
- sizeof(data->le16));
+ ret = regmap_bulk_write(data->regmap, BMP580_REG_NVM_DATA_LSB,
+ &data->le16, sizeof(data->le16));
if (ret) {
dev_err(data->dev, "error writing LSB NVM data regs\n");
goto exit;
@@ -1660,7 +1667,8 @@ static int bmp580_chip_config(struct bmp280_data *data)
BMP580_OSR_PRESS_EN;
ret = regmap_update_bits_check(data->regmap, BMP580_REG_OSR_CONFIG,
- BMP580_OSR_TEMP_MASK | BMP580_OSR_PRESS_MASK |
+ BMP580_OSR_TEMP_MASK |
+ BMP580_OSR_PRESS_MASK |
BMP580_OSR_PRESS_EN,
reg_val, &aux);
if (ret) {
@@ -1711,7 +1719,8 @@ static int bmp580_chip_config(struct bmp280_data *data)
*/
ret = regmap_read(data->regmap, BMP580_REG_EFF_OSR, &tmp);
if (ret) {
- dev_err(data->dev, "error reading effective OSR register\n");
+ dev_err(data->dev,
+ "error reading effective OSR register\n");
return ret;
}
if (!(tmp & BMP580_EFF_OSR_VALID_ODR)) {
@@ -1846,7 +1855,8 @@ static int bmp180_read_calib(struct bmp280_data *data)
}
/* Toss the calibration data into the entropy pool */
- add_device_randomness(data->bmp180_cal_buf, sizeof(data->bmp180_cal_buf));
+ add_device_randomness(data->bmp180_cal_buf,
+ sizeof(data->bmp180_cal_buf));
calib->AC1 = be16_to_cpu(data->bmp180_cal_buf[AC1]);
calib->AC2 = be16_to_cpu(data->bmp180_cal_buf[AC2]);
@@ -1961,8 +1971,7 @@ static u32 bmp180_compensate_press(struct bmp280_data *data, s32 adc_press)
return p + ((x1 + x2 + 3791) >> 4);
}
-static int bmp180_read_press(struct bmp280_data *data,
- int *val, int *val2)
+static int bmp180_read_press(struct bmp280_data *data, int *val, int *val2)
{
u32 comp_press;
s32 adc_press;
@@ -2239,6 +2248,7 @@ static int bmp280_runtime_resume(struct device *dev)
ret = regulator_bulk_enable(BMP280_NUM_SUPPLIES, data->supplies);
if (ret)
return ret;
+
usleep_range(data->start_up_time, data->start_up_time + 100);
return data->chip_info->chip_config(data);
}
diff --git a/drivers/iio/pressure/bmp280-spi.c b/drivers/iio/pressure/bmp280-spi.c
index 9de923228a9f4..47122da8e716d 100644
--- a/drivers/iio/pressure/bmp280-spi.c
+++ b/drivers/iio/pressure/bmp280-spi.c
@@ -12,7 +12,7 @@
#include "bmp280.h"
static int bmp280_regmap_spi_write(void *context, const void *data,
- size_t count)
+ size_t count)
{
struct device *dev = context;
struct spi_device *spi = to_spi_device(dev);
@@ -29,7 +29,7 @@ static int bmp280_regmap_spi_write(void *context, const void *data,
}
static int bmp280_regmap_spi_read(void *context, const void *reg,
- size_t reg_size, void *val, size_t val_size)
+ size_t reg_size, void *val, size_t val_size)
{
struct device *dev = context;
struct spi_device *spi = to_spi_device(dev);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 355/386] iio: pressure: bmp280: Use BME prefix for BME280 specifics
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (353 preceding siblings ...)
2024-10-08 12:09 ` [PATCH 6.6 354/386] iio: pressure: bmp280: Improve indentation and line wrapping Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 356/386] iio: pressure: bmp280: Fix regmap for BMP280 device Greg Kroah-Hartman
` (41 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vasileios Amoiridis,
Jonathan Cameron, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasileios Amoiridis <vassilisamir@gmail.com>
[ Upstream commit b23be4cd99a6f1f46963b87952632268174e62c1 ]
Change the rest of the defines and function names that are
used specifically by the BME280 humidity sensor to BME280
as it is done for the rest of the BMP{0,1,3,5}80 sensors.
Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
Link: https://lore.kernel.org/r/20240429190046.24252-3-vassilisamir@gmail.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Stable-dep-of: b9065b0250e1 ("iio: pressure: bmp280: Fix regmap for BMP280 device")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/pressure/bmp280-core.c | 37 +++++++++++------------
drivers/iio/pressure/bmp280-regmap.c | 8 ++---
drivers/iio/pressure/bmp280.h | 45 +++++++++++++++-------------
3 files changed, 46 insertions(+), 44 deletions(-)
diff --git a/drivers/iio/pressure/bmp280-core.c b/drivers/iio/pressure/bmp280-core.c
index dac2a4e237929..8f70fd72f132a 100644
--- a/drivers/iio/pressure/bmp280-core.c
+++ b/drivers/iio/pressure/bmp280-core.c
@@ -234,14 +234,14 @@ static int bme280_read_calib(struct bmp280_data *data)
* Humidity data is only available on BME280.
*/
- ret = regmap_read(data->regmap, BMP280_REG_COMP_H1, &tmp);
+ ret = regmap_read(data->regmap, BME280_REG_COMP_H1, &tmp);
if (ret < 0) {
dev_err(dev, "failed to read H1 comp value\n");
return ret;
}
calib->H1 = tmp;
- ret = regmap_bulk_read(data->regmap, BMP280_REG_COMP_H2,
+ ret = regmap_bulk_read(data->regmap, BME280_REG_COMP_H2,
&data->le16, sizeof(data->le16));
if (ret < 0) {
dev_err(dev, "failed to read H2 comp value\n");
@@ -249,14 +249,14 @@ static int bme280_read_calib(struct bmp280_data *data)
}
calib->H2 = sign_extend32(le16_to_cpu(data->le16), 15);
- ret = regmap_read(data->regmap, BMP280_REG_COMP_H3, &tmp);
+ ret = regmap_read(data->regmap, BME280_REG_COMP_H3, &tmp);
if (ret < 0) {
dev_err(dev, "failed to read H3 comp value\n");
return ret;
}
calib->H3 = tmp;
- ret = regmap_bulk_read(data->regmap, BMP280_REG_COMP_H4,
+ ret = regmap_bulk_read(data->regmap, BME280_REG_COMP_H4,
&data->be16, sizeof(data->be16));
if (ret < 0) {
dev_err(dev, "failed to read H4 comp value\n");
@@ -265,15 +265,15 @@ static int bme280_read_calib(struct bmp280_data *data)
calib->H4 = sign_extend32(((be16_to_cpu(data->be16) >> 4) & 0xff0) |
(be16_to_cpu(data->be16) & 0xf), 11);
- ret = regmap_bulk_read(data->regmap, BMP280_REG_COMP_H5,
+ ret = regmap_bulk_read(data->regmap, BME280_REG_COMP_H5,
&data->le16, sizeof(data->le16));
if (ret < 0) {
dev_err(dev, "failed to read H5 comp value\n");
return ret;
}
- calib->H5 = sign_extend32(FIELD_GET(BMP280_COMP_H5_MASK, le16_to_cpu(data->le16)), 11);
+ calib->H5 = sign_extend32(FIELD_GET(BME280_COMP_H5_MASK, le16_to_cpu(data->le16)), 11);
- ret = regmap_read(data->regmap, BMP280_REG_COMP_H6, &tmp);
+ ret = regmap_read(data->regmap, BME280_REG_COMP_H6, &tmp);
if (ret < 0) {
dev_err(dev, "failed to read H6 comp value\n");
return ret;
@@ -289,7 +289,7 @@ static int bme280_read_calib(struct bmp280_data *data)
*
* Taken from BME280 datasheet, Section 4.2.3, "Compensation formula".
*/
-static u32 bmp280_compensate_humidity(struct bmp280_data *data,
+static u32 bme280_compensate_humidity(struct bmp280_data *data,
s32 adc_humidity)
{
struct bmp280_calib *calib = &data->calib.bmp280;
@@ -429,7 +429,7 @@ static int bmp280_read_press(struct bmp280_data *data,
return IIO_VAL_FRACTIONAL;
}
-static int bmp280_read_humid(struct bmp280_data *data, int *val, int *val2)
+static int bme280_read_humid(struct bmp280_data *data, int *val, int *val2)
{
u32 comp_humidity;
s32 adc_humidity;
@@ -440,7 +440,7 @@ static int bmp280_read_humid(struct bmp280_data *data, int *val, int *val2)
if (ret < 0)
return ret;
- ret = regmap_bulk_read(data->regmap, BMP280_REG_HUMIDITY_MSB,
+ ret = regmap_bulk_read(data->regmap, BME280_REG_HUMIDITY_MSB,
&data->be16, sizeof(data->be16));
if (ret < 0) {
dev_err(data->dev, "failed to read humidity\n");
@@ -453,7 +453,7 @@ static int bmp280_read_humid(struct bmp280_data *data, int *val, int *val2)
dev_err(data->dev, "reading humidity skipped\n");
return -EIO;
}
- comp_humidity = bmp280_compensate_humidity(data, adc_humidity);
+ comp_humidity = bme280_compensate_humidity(data, adc_humidity);
*val = comp_humidity * 1000 / 1024;
@@ -537,7 +537,7 @@ static int bmp280_read_raw(struct iio_dev *indio_dev,
return ret;
}
-static int bmp280_write_oversampling_ratio_humid(struct bmp280_data *data,
+static int bme280_write_oversampling_ratio_humid(struct bmp280_data *data,
int val)
{
const int *avail = data->chip_info->oversampling_humid_avail;
@@ -681,7 +681,7 @@ static int bmp280_write_raw(struct iio_dev *indio_dev,
mutex_lock(&data->lock);
switch (chan->type) {
case IIO_HUMIDITYRELATIVE:
- ret = bmp280_write_oversampling_ratio_humid(data, val);
+ ret = bme280_write_oversampling_ratio_humid(data, val);
break;
case IIO_PRESSURE:
ret = bmp280_write_oversampling_ratio_press(data, val);
@@ -831,16 +831,15 @@ EXPORT_SYMBOL_NS(bmp280_chip_info, IIO_BMP280);
static int bme280_chip_config(struct bmp280_data *data)
{
- u8 osrs = FIELD_PREP(BMP280_OSRS_HUMIDITY_MASK, data->oversampling_humid + 1);
+ u8 osrs = FIELD_PREP(BME280_OSRS_HUMIDITY_MASK, data->oversampling_humid + 1);
int ret;
/*
* Oversampling of humidity must be set before oversampling of
* temperature/pressure is set to become effective.
*/
- ret = regmap_update_bits(data->regmap, BMP280_REG_CTRL_HUMIDITY,
- BMP280_OSRS_HUMIDITY_MASK, osrs);
-
+ ret = regmap_update_bits(data->regmap, BME280_REG_CTRL_HUMIDITY,
+ BME280_OSRS_HUMIDITY_MASK, osrs);
if (ret < 0)
return ret;
@@ -868,12 +867,12 @@ const struct bmp280_chip_info bme280_chip_info = {
.oversampling_humid_avail = bmp280_oversampling_avail,
.num_oversampling_humid_avail = ARRAY_SIZE(bmp280_oversampling_avail),
- .oversampling_humid_default = BMP280_OSRS_HUMIDITY_16X - 1,
+ .oversampling_humid_default = BME280_OSRS_HUMIDITY_16X - 1,
.chip_config = bme280_chip_config,
.read_temp = bmp280_read_temp,
.read_press = bmp280_read_press,
- .read_humid = bmp280_read_humid,
+ .read_humid = bme280_read_humid,
.read_calib = bme280_read_calib,
};
EXPORT_SYMBOL_NS(bme280_chip_info, IIO_BMP280);
diff --git a/drivers/iio/pressure/bmp280-regmap.c b/drivers/iio/pressure/bmp280-regmap.c
index 3ee56720428c5..fa52839474b18 100644
--- a/drivers/iio/pressure/bmp280-regmap.c
+++ b/drivers/iio/pressure/bmp280-regmap.c
@@ -45,7 +45,7 @@ static bool bmp280_is_writeable_reg(struct device *dev, unsigned int reg)
{
switch (reg) {
case BMP280_REG_CONFIG:
- case BMP280_REG_CTRL_HUMIDITY:
+ case BME280_REG_CTRL_HUMIDITY:
case BMP280_REG_CTRL_MEAS:
case BMP280_REG_RESET:
return true;
@@ -57,8 +57,8 @@ static bool bmp280_is_writeable_reg(struct device *dev, unsigned int reg)
static bool bmp280_is_volatile_reg(struct device *dev, unsigned int reg)
{
switch (reg) {
- case BMP280_REG_HUMIDITY_LSB:
- case BMP280_REG_HUMIDITY_MSB:
+ case BME280_REG_HUMIDITY_LSB:
+ case BME280_REG_HUMIDITY_MSB:
case BMP280_REG_TEMP_XLSB:
case BMP280_REG_TEMP_LSB:
case BMP280_REG_TEMP_MSB:
@@ -167,7 +167,7 @@ const struct regmap_config bmp280_regmap_config = {
.reg_bits = 8,
.val_bits = 8,
- .max_register = BMP280_REG_HUMIDITY_LSB,
+ .max_register = BME280_REG_HUMIDITY_LSB,
.cache_type = REGCACHE_RBTREE,
.writeable_reg = bmp280_is_writeable_reg,
diff --git a/drivers/iio/pressure/bmp280.h b/drivers/iio/pressure/bmp280.h
index a44ea33221635..1a6903a917add 100644
--- a/drivers/iio/pressure/bmp280.h
+++ b/drivers/iio/pressure/bmp280.h
@@ -192,8 +192,6 @@
#define BMP380_PRESS_SKIPPED 0x800000
/* BMP280 specific registers */
-#define BMP280_REG_HUMIDITY_LSB 0xFE
-#define BMP280_REG_HUMIDITY_MSB 0xFD
#define BMP280_REG_TEMP_XLSB 0xFC
#define BMP280_REG_TEMP_LSB 0xFB
#define BMP280_REG_TEMP_MSB 0xFA
@@ -207,15 +205,6 @@
#define BMP280_REG_CONFIG 0xF5
#define BMP280_REG_CTRL_MEAS 0xF4
#define BMP280_REG_STATUS 0xF3
-#define BMP280_REG_CTRL_HUMIDITY 0xF2
-
-/* Due to non linear mapping, and data sizes we can't do a bulk read */
-#define BMP280_REG_COMP_H1 0xA1
-#define BMP280_REG_COMP_H2 0xE1
-#define BMP280_REG_COMP_H3 0xE3
-#define BMP280_REG_COMP_H4 0xE4
-#define BMP280_REG_COMP_H5 0xE5
-#define BMP280_REG_COMP_H6 0xE7
#define BMP280_REG_COMP_TEMP_START 0x88
#define BMP280_COMP_TEMP_REG_COUNT 6
@@ -223,8 +212,6 @@
#define BMP280_REG_COMP_PRESS_START 0x8E
#define BMP280_COMP_PRESS_REG_COUNT 18
-#define BMP280_COMP_H5_MASK GENMASK(15, 4)
-
#define BMP280_CONTIGUOUS_CALIB_REGS (BMP280_COMP_TEMP_REG_COUNT + \
BMP280_COMP_PRESS_REG_COUNT)
@@ -235,14 +222,6 @@
#define BMP280_FILTER_8X 3
#define BMP280_FILTER_16X 4
-#define BMP280_OSRS_HUMIDITY_MASK GENMASK(2, 0)
-#define BMP280_OSRS_HUMIDITY_SKIP 0
-#define BMP280_OSRS_HUMIDITY_1X 1
-#define BMP280_OSRS_HUMIDITY_2X 2
-#define BMP280_OSRS_HUMIDITY_4X 3
-#define BMP280_OSRS_HUMIDITY_8X 4
-#define BMP280_OSRS_HUMIDITY_16X 5
-
#define BMP280_OSRS_TEMP_MASK GENMASK(7, 5)
#define BMP280_OSRS_TEMP_SKIP 0
#define BMP280_OSRS_TEMP_1X 1
@@ -264,6 +243,30 @@
#define BMP280_MODE_FORCED 1
#define BMP280_MODE_NORMAL 3
+/* BME280 specific registers */
+#define BME280_REG_HUMIDITY_LSB 0xFE
+#define BME280_REG_HUMIDITY_MSB 0xFD
+
+#define BME280_REG_CTRL_HUMIDITY 0xF2
+
+/* Due to non linear mapping, and data sizes we can't do a bulk read */
+#define BME280_REG_COMP_H1 0xA1
+#define BME280_REG_COMP_H2 0xE1
+#define BME280_REG_COMP_H3 0xE3
+#define BME280_REG_COMP_H4 0xE4
+#define BME280_REG_COMP_H5 0xE5
+#define BME280_REG_COMP_H6 0xE7
+
+#define BME280_COMP_H5_MASK GENMASK(15, 4)
+
+#define BME280_OSRS_HUMIDITY_MASK GENMASK(2, 0)
+#define BME280_OSRS_HUMIDITY_SKIP 0
+#define BME280_OSRS_HUMIDITY_1X 1
+#define BME280_OSRS_HUMIDITY_2X 2
+#define BME280_OSRS_HUMIDITY_4X 3
+#define BME280_OSRS_HUMIDITY_8X 4
+#define BME280_OSRS_HUMIDITY_16X 5
+
/* BMP180 specific registers */
#define BMP180_REG_OUT_XLSB 0xF8
#define BMP180_REG_OUT_LSB 0xF7
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 356/386] iio: pressure: bmp280: Fix regmap for BMP280 device
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (354 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 355/386] iio: pressure: bmp280: Use BME prefix for BME280 specifics Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 357/386] iio: pressure: bmp280: Fix waiting time for BMP3xx configuration Greg Kroah-Hartman
` (40 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vasileios Amoiridis, Stable,
Jonathan Cameron, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasileios Amoiridis <vassilisamir@gmail.com>
[ Upstream commit b9065b0250e1705935445ede0a18c1850afe7b75 ]
Up to now, the BMP280 device is using the regmap of the BME280 which
has registers that exist only in the BME280 device.
Fixes: 14e8015f8569 ("iio: pressure: bmp280: split driver in logical parts")
Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
Link: https://patch.msgid.link/20240711211558.106327-2-vassilisamir@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/pressure/bmp280-core.c | 2 +-
drivers/iio/pressure/bmp280-regmap.c | 45 ++++++++++++++++++++++++++--
drivers/iio/pressure/bmp280.h | 1 +
3 files changed, 44 insertions(+), 4 deletions(-)
diff --git a/drivers/iio/pressure/bmp280-core.c b/drivers/iio/pressure/bmp280-core.c
index 8f70fd72f132a..3ba718b11c464 100644
--- a/drivers/iio/pressure/bmp280-core.c
+++ b/drivers/iio/pressure/bmp280-core.c
@@ -852,7 +852,7 @@ const struct bmp280_chip_info bme280_chip_info = {
.id_reg = BMP280_REG_ID,
.chip_id = bme280_chip_ids,
.num_chip_id = ARRAY_SIZE(bme280_chip_ids),
- .regmap_config = &bmp280_regmap_config,
+ .regmap_config = &bme280_regmap_config,
.start_up_time = 2000,
.channels = bmp280_channels,
.num_channels = 3,
diff --git a/drivers/iio/pressure/bmp280-regmap.c b/drivers/iio/pressure/bmp280-regmap.c
index fa52839474b18..d27d68edd9065 100644
--- a/drivers/iio/pressure/bmp280-regmap.c
+++ b/drivers/iio/pressure/bmp280-regmap.c
@@ -41,7 +41,7 @@ const struct regmap_config bmp180_regmap_config = {
};
EXPORT_SYMBOL_NS(bmp180_regmap_config, IIO_BMP280);
-static bool bmp280_is_writeable_reg(struct device *dev, unsigned int reg)
+static bool bme280_is_writeable_reg(struct device *dev, unsigned int reg)
{
switch (reg) {
case BMP280_REG_CONFIG:
@@ -54,7 +54,35 @@ static bool bmp280_is_writeable_reg(struct device *dev, unsigned int reg)
}
}
+static bool bmp280_is_writeable_reg(struct device *dev, unsigned int reg)
+{
+ switch (reg) {
+ case BMP280_REG_CONFIG:
+ case BMP280_REG_CTRL_MEAS:
+ case BMP280_REG_RESET:
+ return true;
+ default:
+ return false;
+ }
+}
+
static bool bmp280_is_volatile_reg(struct device *dev, unsigned int reg)
+{
+ switch (reg) {
+ case BMP280_REG_TEMP_XLSB:
+ case BMP280_REG_TEMP_LSB:
+ case BMP280_REG_TEMP_MSB:
+ case BMP280_REG_PRESS_XLSB:
+ case BMP280_REG_PRESS_LSB:
+ case BMP280_REG_PRESS_MSB:
+ case BMP280_REG_STATUS:
+ return true;
+ default:
+ return false;
+ }
+}
+
+static bool bme280_is_volatile_reg(struct device *dev, unsigned int reg)
{
switch (reg) {
case BME280_REG_HUMIDITY_LSB:
@@ -71,7 +99,6 @@ static bool bmp280_is_volatile_reg(struct device *dev, unsigned int reg)
return false;
}
}
-
static bool bmp380_is_writeable_reg(struct device *dev, unsigned int reg)
{
switch (reg) {
@@ -167,7 +194,7 @@ const struct regmap_config bmp280_regmap_config = {
.reg_bits = 8,
.val_bits = 8,
- .max_register = BME280_REG_HUMIDITY_LSB,
+ .max_register = BMP280_REG_TEMP_XLSB,
.cache_type = REGCACHE_RBTREE,
.writeable_reg = bmp280_is_writeable_reg,
@@ -175,6 +202,18 @@ const struct regmap_config bmp280_regmap_config = {
};
EXPORT_SYMBOL_NS(bmp280_regmap_config, IIO_BMP280);
+const struct regmap_config bme280_regmap_config = {
+ .reg_bits = 8,
+ .val_bits = 8,
+
+ .max_register = BME280_REG_HUMIDITY_LSB,
+ .cache_type = REGCACHE_RBTREE,
+
+ .writeable_reg = bme280_is_writeable_reg,
+ .volatile_reg = bme280_is_volatile_reg,
+};
+EXPORT_SYMBOL_NS(bme280_regmap_config, IIO_BMP280);
+
const struct regmap_config bmp380_regmap_config = {
.reg_bits = 8,
.val_bits = 8,
diff --git a/drivers/iio/pressure/bmp280.h b/drivers/iio/pressure/bmp280.h
index 1a6903a917add..b60e551b7d318 100644
--- a/drivers/iio/pressure/bmp280.h
+++ b/drivers/iio/pressure/bmp280.h
@@ -468,6 +468,7 @@ extern const struct bmp280_chip_info bmp580_chip_info;
/* Regmap configurations */
extern const struct regmap_config bmp180_regmap_config;
extern const struct regmap_config bmp280_regmap_config;
+extern const struct regmap_config bme280_regmap_config;
extern const struct regmap_config bmp380_regmap_config;
extern const struct regmap_config bmp580_regmap_config;
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 357/386] iio: pressure: bmp280: Fix waiting time for BMP3xx configuration
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (355 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 356/386] iio: pressure: bmp280: Fix regmap for BMP280 device Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 358/386] r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" Greg Kroah-Hartman
` (39 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vasileios Amoiridis, Stable,
Jonathan Cameron, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vasileios Amoiridis <vassilisamir@gmail.com>
[ Upstream commit 262a6634bcc4f0c1c53d13aa89882909f281a6aa ]
According to the datasheet, both pressure and temperature can go up to
oversampling x32. With this option, the maximum measurement time is not
80ms (this is for press x32 and temp x2), but it is 130ms nominal
(calculated from table 3.9.2) and since most of the maximum values
are around +15%, it is configured to 150ms.
Fixes: 8d329309184d ("iio: pressure: bmp280: Add support for BMP380 sensor family")
Signed-off-by: Vasileios Amoiridis <vassilisamir@gmail.com>
Link: https://patch.msgid.link/20240711211558.106327-3-vassilisamir@gmail.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/pressure/bmp280-core.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/drivers/iio/pressure/bmp280-core.c b/drivers/iio/pressure/bmp280-core.c
index 3ba718b11c464..84f6b333c9195 100644
--- a/drivers/iio/pressure/bmp280-core.c
+++ b/drivers/iio/pressure/bmp280-core.c
@@ -1203,10 +1203,11 @@ static int bmp380_chip_config(struct bmp280_data *data)
}
/*
* Waits for measurement before checking configuration error
- * flag. Selected longest measure time indicated in
- * section 3.9.1 in the datasheet.
+ * flag. Selected longest measurement time, calculated from
+ * formula in datasheet section 3.9.2 with an offset of ~+15%
+ * as it seen as well in table 3.9.1.
*/
- msleep(80);
+ msleep(150);
/* Check config error flag */
ret = regmap_read(data->regmap, BMP380_REG_ERROR, &tmp);
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 358/386] r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun"
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (356 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 357/386] iio: pressure: bmp280: Fix waiting time for BMP3xx configuration Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 359/386] r8169: add tally counter fields added with RTL8125 Greg Kroah-Hartman
` (38 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Colin Ian King, Simon Horman,
Heiner Kallweit, Jakub Kicinski, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Colin Ian King <colin.i.king@gmail.com>
[ Upstream commit 8df9439389a44fb2cc4ef695e08d6a8870b1616c ]
There is a spelling mistake in the struct field tx_underun, rename
it to tx_underrun.
Signed-off-by: Colin Ian King <colin.i.king@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Heiner Kallweit <hkallweit1@gmail.com>
Link: https://patch.msgid.link/20240909140021.64884-1-colin.i.king@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: ced8e8b8f40a ("r8169: add tally counter fields added with RTL8125")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/realtek/r8169_main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
index 8a732edac15a0..382ba8b04cbfa 100644
--- a/drivers/net/ethernet/realtek/r8169_main.c
+++ b/drivers/net/ethernet/realtek/r8169_main.c
@@ -566,7 +566,7 @@ struct rtl8169_counters {
__le64 rx_broadcast;
__le32 rx_multicast;
__le16 tx_aborted;
- __le16 tx_underun;
+ __le16 tx_underrun;
};
struct rtl8169_tc_offsets {
@@ -1726,7 +1726,7 @@ static void rtl8169_get_ethtool_stats(struct net_device *dev,
data[9] = le64_to_cpu(counters->rx_broadcast);
data[10] = le32_to_cpu(counters->rx_multicast);
data[11] = le16_to_cpu(counters->tx_aborted);
- data[12] = le16_to_cpu(counters->tx_underun);
+ data[12] = le16_to_cpu(counters->tx_underrun);
}
static void rtl8169_get_strings(struct net_device *dev, u32 stringset, u8 *data)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 359/386] r8169: add tally counter fields added with RTL8125
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (357 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 358/386] r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 360/386] clk: qcom: gcc-sc8180x: Add GPLL9 support Greg Kroah-Hartman
` (37 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiner Kallweit, Simon Horman,
Paolo Abeni, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiner Kallweit <hkallweit1@gmail.com>
[ Upstream commit ced8e8b8f40accfcce4a2bbd8b150aa76d5eff9a ]
RTL8125 added fields to the tally counter, what may result in the chip
dma'ing these new fields to unallocated memory. Therefore make sure
that the allocated memory area is big enough to hold all of the
tally counter values, even if we use only parts of it.
Fixes: f1bce4ad2f1c ("r8169: add support for RTL8125")
Cc: stable@vger.kernel.org
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://patch.msgid.link/741d26a9-2b2b-485d-91d9-ecb302e345b5@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/realtek/r8169_main.c | 27 +++++++++++++++++++++++
1 file changed, 27 insertions(+)
diff --git a/drivers/net/ethernet/realtek/r8169_main.c b/drivers/net/ethernet/realtek/r8169_main.c
index 382ba8b04cbfa..b499d8ea6d216 100644
--- a/drivers/net/ethernet/realtek/r8169_main.c
+++ b/drivers/net/ethernet/realtek/r8169_main.c
@@ -567,6 +567,33 @@ struct rtl8169_counters {
__le32 rx_multicast;
__le16 tx_aborted;
__le16 tx_underrun;
+ /* new since RTL8125 */
+ __le64 tx_octets;
+ __le64 rx_octets;
+ __le64 rx_multicast64;
+ __le64 tx_unicast64;
+ __le64 tx_broadcast64;
+ __le64 tx_multicast64;
+ __le32 tx_pause_on;
+ __le32 tx_pause_off;
+ __le32 tx_pause_all;
+ __le32 tx_deferred;
+ __le32 tx_late_collision;
+ __le32 tx_all_collision;
+ __le32 tx_aborted32;
+ __le32 align_errors32;
+ __le32 rx_frame_too_long;
+ __le32 rx_runt;
+ __le32 rx_pause_on;
+ __le32 rx_pause_off;
+ __le32 rx_pause_all;
+ __le32 rx_unknown_opcode;
+ __le32 rx_mac_error;
+ __le32 tx_underrun32;
+ __le32 rx_mac_missed;
+ __le32 rx_tcam_dropped;
+ __le32 tdu;
+ __le32 rdu;
};
struct rtl8169_tc_offsets {
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 360/386] clk: qcom: gcc-sc8180x: Add GPLL9 support
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (358 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 359/386] r8169: add tally counter fields added with RTL8125 Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 361/386] ACPI: battery: Simplify battery hook locking Greg Kroah-Hartman
` (36 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov,
Satya Priya Kakitapalli, Bjorn Andersson, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
[ Upstream commit 818a2f8d5e4ad2c1e39a4290158fe8e39a744c70 ]
Add the missing GPLL9 pll and fix the gcc_parents_7 data to use
the correct pll hw.
Fixes: 4433594bbe5d ("clk: qcom: gcc: Add global clock controller driver for SC8180x")
Cc: stable@vger.kernel.org
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Satya Priya Kakitapalli <quic_skakitap@quicinc.com>
Link: https://lore.kernel.org/r/20240812-gcc-sc8180x-fixes-v2-3-8b3eaa5fb856@quicinc.com
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/clk/qcom/gcc-sc8180x.c | 20 +++++++++++++++++++-
1 file changed, 19 insertions(+), 1 deletion(-)
diff --git a/drivers/clk/qcom/gcc-sc8180x.c b/drivers/clk/qcom/gcc-sc8180x.c
index 283bda4d1e701..ec0c45881c67a 100644
--- a/drivers/clk/qcom/gcc-sc8180x.c
+++ b/drivers/clk/qcom/gcc-sc8180x.c
@@ -142,6 +142,23 @@ static struct clk_alpha_pll gpll7 = {
},
};
+static struct clk_alpha_pll gpll9 = {
+ .offset = 0x1c000,
+ .regs = clk_alpha_pll_regs[CLK_ALPHA_PLL_TYPE_TRION],
+ .clkr = {
+ .enable_reg = 0x52000,
+ .enable_mask = BIT(9),
+ .hw.init = &(const struct clk_init_data) {
+ .name = "gpll9",
+ .parent_data = &(const struct clk_parent_data) {
+ .fw_name = "bi_tcxo",
+ },
+ .num_parents = 1,
+ .ops = &clk_alpha_pll_fixed_trion_ops,
+ },
+ },
+};
+
static const struct parent_map gcc_parent_map_0[] = {
{ P_BI_TCXO, 0 },
{ P_GPLL0_OUT_MAIN, 1 },
@@ -241,7 +258,7 @@ static const struct parent_map gcc_parent_map_7[] = {
static const struct clk_parent_data gcc_parents_7[] = {
{ .fw_name = "bi_tcxo", },
{ .hw = &gpll0.clkr.hw },
- { .name = "gppl9" },
+ { .hw = &gpll9.clkr.hw },
{ .hw = &gpll4.clkr.hw },
{ .hw = &gpll0_out_even.clkr.hw },
};
@@ -4419,6 +4436,7 @@ static struct clk_regmap *gcc_sc8180x_clocks[] = {
[GPLL1] = &gpll1.clkr,
[GPLL4] = &gpll4.clkr,
[GPLL7] = &gpll7.clkr,
+ [GPLL9] = &gpll9.clkr,
};
static const struct qcom_reset_map gcc_sc8180x_resets[] = {
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 361/386] ACPI: battery: Simplify battery hook locking
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (359 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 360/386] clk: qcom: gcc-sc8180x: Add GPLL9 support Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 362/386] ACPI: battery: Fix possible crash when unregistering a battery hook Greg Kroah-Hartman
` (35 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilpo Järvinen, Pali Rohár,
Armin Wolf, Rafael J. Wysocki, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 86309cbed26139e1caae7629dcca1027d9a28e75 ]
Move the conditional locking from __battery_hook_unregister()
into battery_hook_unregister() and rename the low-level function
to simplify the locking during battery hook removal.
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Reviewed-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20241001212835.341788-2-W_Armin@gmx.de
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Stable-dep-of: 76959aff14a0 ("ACPI: battery: Fix possible crash when unregistering a battery hook")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/battery.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
index 7f7ad94f22b91..a14852b612bba 100644
--- a/drivers/acpi/battery.c
+++ b/drivers/acpi/battery.c
@@ -703,28 +703,28 @@ static LIST_HEAD(acpi_battery_list);
static LIST_HEAD(battery_hook_list);
static DEFINE_MUTEX(hook_mutex);
-static void __battery_hook_unregister(struct acpi_battery_hook *hook, int lock)
+static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook)
{
struct acpi_battery *battery;
+
/*
* In order to remove a hook, we first need to
* de-register all the batteries that are registered.
*/
- if (lock)
- mutex_lock(&hook_mutex);
list_for_each_entry(battery, &acpi_battery_list, list) {
if (!hook->remove_battery(battery->bat, hook))
power_supply_changed(battery->bat);
}
list_del(&hook->list);
- if (lock)
- mutex_unlock(&hook_mutex);
+
pr_info("extension unregistered: %s\n", hook->name);
}
void battery_hook_unregister(struct acpi_battery_hook *hook)
{
- __battery_hook_unregister(hook, 1);
+ mutex_lock(&hook_mutex);
+ battery_hook_unregister_unlocked(hook);
+ mutex_unlock(&hook_mutex);
}
EXPORT_SYMBOL_GPL(battery_hook_unregister);
@@ -750,7 +750,7 @@ void battery_hook_register(struct acpi_battery_hook *hook)
* hooks.
*/
pr_err("extension failed to load: %s", hook->name);
- __battery_hook_unregister(hook, 0);
+ battery_hook_unregister_unlocked(hook);
goto end;
}
@@ -789,7 +789,7 @@ static void battery_hook_add_battery(struct acpi_battery *battery)
*/
pr_err("error in extension, unloading: %s",
hook_node->name);
- __battery_hook_unregister(hook_node, 0);
+ battery_hook_unregister_unlocked(hook_node);
}
}
mutex_unlock(&hook_mutex);
@@ -822,7 +822,7 @@ static void __exit battery_hook_exit(void)
* need to remove the hooks.
*/
list_for_each_entry_safe(hook, ptr, &battery_hook_list, list) {
- __battery_hook_unregister(hook, 1);
+ battery_hook_unregister(hook);
}
mutex_destroy(&hook_mutex);
}
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 362/386] ACPI: battery: Fix possible crash when unregistering a battery hook
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (360 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 361/386] ACPI: battery: Simplify battery hook locking Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 363/386] btrfs: relocation: return bool from btrfs_should_ignore_reloc_root Greg Kroah-Hartman
` (34 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Armin Wolf, Rafael J. Wysocki,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
[ Upstream commit 76959aff14a0012ad6b984ec7686d163deccdc16 ]
When a battery hook returns an error when adding a new battery, then
the battery hook is automatically unregistered.
However the battery hook provider cannot know that, so it will later
call battery_hook_unregister() on the already unregistered battery
hook, resulting in a crash.
Fix this by using the list head to mark already unregistered battery
hooks as already being unregistered so that they can be ignored by
battery_hook_unregister().
Fixes: fa93854f7a7e ("battery: Add the battery hooking API")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Link: https://patch.msgid.link/20241001212835.341788-3-W_Armin@gmx.de
Cc: All applicable <stable@vger.kernel.org>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/acpi/battery.c | 12 +++++++++---
1 file changed, 9 insertions(+), 3 deletions(-)
diff --git a/drivers/acpi/battery.c b/drivers/acpi/battery.c
index a14852b612bba..e3cbaf3c3bbc1 100644
--- a/drivers/acpi/battery.c
+++ b/drivers/acpi/battery.c
@@ -715,7 +715,7 @@ static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook)
if (!hook->remove_battery(battery->bat, hook))
power_supply_changed(battery->bat);
}
- list_del(&hook->list);
+ list_del_init(&hook->list);
pr_info("extension unregistered: %s\n", hook->name);
}
@@ -723,7 +723,14 @@ static void battery_hook_unregister_unlocked(struct acpi_battery_hook *hook)
void battery_hook_unregister(struct acpi_battery_hook *hook)
{
mutex_lock(&hook_mutex);
- battery_hook_unregister_unlocked(hook);
+ /*
+ * Ignore already unregistered battery hooks. This might happen
+ * if a battery hook was previously unloaded due to an error when
+ * adding a new battery.
+ */
+ if (!list_empty(&hook->list))
+ battery_hook_unregister_unlocked(hook);
+
mutex_unlock(&hook_mutex);
}
EXPORT_SYMBOL_GPL(battery_hook_unregister);
@@ -733,7 +740,6 @@ void battery_hook_register(struct acpi_battery_hook *hook)
struct acpi_battery *battery;
mutex_lock(&hook_mutex);
- INIT_LIST_HEAD(&hook->list);
list_add(&hook->list, &battery_hook_list);
/*
* Now that the driver is registered, we need
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 363/386] btrfs: relocation: return bool from btrfs_should_ignore_reloc_root
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (361 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 362/386] ACPI: battery: Fix possible crash when unregistering a battery hook Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 364/386] btrfs: relocation: constify parameters where possible Greg Kroah-Hartman
` (33 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, Qu Wenruo,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit 32f2abca380fedc60f7a8d3288e4c9586672e207 ]
btrfs_should_ignore_reloc_root() is a predicate so it should return
bool.
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: db7e68b522c0 ("btrfs: drop the backref cache during relocation if we commit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/relocation.c | 19 +++++++++----------
fs/btrfs/relocation.h | 2 +-
2 files changed, 10 insertions(+), 11 deletions(-)
diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
index 05b2a59ce8897..1f4fd6c86fb00 100644
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -329,31 +329,30 @@ static bool have_reloc_root(struct btrfs_root *root)
return true;
}
-int btrfs_should_ignore_reloc_root(struct btrfs_root *root)
+bool btrfs_should_ignore_reloc_root(struct btrfs_root *root)
{
struct btrfs_root *reloc_root;
if (!test_bit(BTRFS_ROOT_SHAREABLE, &root->state))
- return 0;
+ return false;
/* This root has been merged with its reloc tree, we can ignore it */
if (reloc_root_is_dead(root))
- return 1;
+ return true;
reloc_root = root->reloc_root;
if (!reloc_root)
- return 0;
+ return false;
if (btrfs_header_generation(reloc_root->commit_root) ==
root->fs_info->running_transaction->transid)
- return 0;
+ return false;
/*
- * if there is reloc tree and it was created in previous
- * transaction backref lookup can find the reloc tree,
- * so backref node for the fs tree root is useless for
- * relocation.
+ * If there is reloc tree and it was created in previous transaction
+ * backref lookup can find the reloc tree, so backref node for the fs
+ * tree root is useless for relocation.
*/
- return 1;
+ return true;
}
/*
diff --git a/fs/btrfs/relocation.h b/fs/btrfs/relocation.h
index 77d69f6ae967c..af749c780b4e7 100644
--- a/fs/btrfs/relocation.h
+++ b/fs/btrfs/relocation.h
@@ -18,7 +18,7 @@ int btrfs_reloc_post_snapshot(struct btrfs_trans_handle *trans,
struct btrfs_pending_snapshot *pending);
int btrfs_should_cancel_balance(struct btrfs_fs_info *fs_info);
struct btrfs_root *find_reloc_root(struct btrfs_fs_info *fs_info, u64 bytenr);
-int btrfs_should_ignore_reloc_root(struct btrfs_root *root);
+bool btrfs_should_ignore_reloc_root(struct btrfs_root *root);
u64 btrfs_get_reloc_bg_bytenr(struct btrfs_fs_info *fs_info);
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 364/386] btrfs: relocation: constify parameters where possible
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (362 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 363/386] btrfs: relocation: return bool from btrfs_should_ignore_reloc_root Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 365/386] btrfs: drop the backref cache during relocation if we commit Greg Kroah-Hartman
` (32 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Thumshirn, David Sterba,
Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Sterba <dsterba@suse.com>
[ Upstream commit ab7c8bbf3a088730e58da224bcad512f1dd9ca74 ]
Lots of the functions in relocation.c don't change pointer parameters
but lack the annotations. Add them and reformat according to current
coding style if needed.
Reviewed-by: Johannes Thumshirn <johannes.thumshirn@wdc.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: db7e68b522c0 ("btrfs: drop the backref cache during relocation if we commit")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/relocation.c | 56 +++++++++++++++++++++----------------------
fs/btrfs/relocation.h | 9 +++----
2 files changed, 33 insertions(+), 32 deletions(-)
diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
index 1f4fd6c86fb00..6e590da98742b 100644
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -299,7 +299,7 @@ static int update_backref_cache(struct btrfs_trans_handle *trans,
return 1;
}
-static bool reloc_root_is_dead(struct btrfs_root *root)
+static bool reloc_root_is_dead(const struct btrfs_root *root)
{
/*
* Pair with set_bit/clear_bit in clean_dirty_subvols and
@@ -320,7 +320,7 @@ static bool reloc_root_is_dead(struct btrfs_root *root)
* from no reloc root. But btrfs_should_ignore_reloc_root() below is a
* special case.
*/
-static bool have_reloc_root(struct btrfs_root *root)
+static bool have_reloc_root(const struct btrfs_root *root)
{
if (reloc_root_is_dead(root))
return false;
@@ -329,7 +329,7 @@ static bool have_reloc_root(struct btrfs_root *root)
return true;
}
-bool btrfs_should_ignore_reloc_root(struct btrfs_root *root)
+bool btrfs_should_ignore_reloc_root(const struct btrfs_root *root)
{
struct btrfs_root *reloc_root;
@@ -546,7 +546,7 @@ static noinline_for_stack struct btrfs_backref_node *build_backref_tree(
*/
static int clone_backref_node(struct btrfs_trans_handle *trans,
struct reloc_control *rc,
- struct btrfs_root *src,
+ const struct btrfs_root *src,
struct btrfs_root *dest)
{
struct btrfs_root *reloc_root = src->reloc_root;
@@ -1186,9 +1186,9 @@ int replace_file_extents(struct btrfs_trans_handle *trans,
return ret;
}
-static noinline_for_stack
-int memcmp_node_keys(struct extent_buffer *eb, int slot,
- struct btrfs_path *path, int level)
+static noinline_for_stack int memcmp_node_keys(const struct extent_buffer *eb,
+ int slot, const struct btrfs_path *path,
+ int level)
{
struct btrfs_disk_key key1;
struct btrfs_disk_key key2;
@@ -1517,8 +1517,8 @@ int walk_down_reloc_tree(struct btrfs_root *root, struct btrfs_path *path,
* [min_key, max_key)
*/
static int invalidate_extent_cache(struct btrfs_root *root,
- struct btrfs_key *min_key,
- struct btrfs_key *max_key)
+ const struct btrfs_key *min_key,
+ const struct btrfs_key *max_key)
{
struct btrfs_fs_info *fs_info = root->fs_info;
struct inode *inode = NULL;
@@ -2829,7 +2829,7 @@ int relocate_tree_blocks(struct btrfs_trans_handle *trans,
static noinline_for_stack int prealloc_file_extent_cluster(
struct btrfs_inode *inode,
- struct file_extent_cluster *cluster)
+ const struct file_extent_cluster *cluster)
{
u64 alloc_hint = 0;
u64 start;
@@ -2964,7 +2964,7 @@ static noinline_for_stack int setup_relocation_extent_mapping(struct inode *inod
/*
* Allow error injection to test balance/relocation cancellation
*/
-noinline int btrfs_should_cancel_balance(struct btrfs_fs_info *fs_info)
+noinline int btrfs_should_cancel_balance(const struct btrfs_fs_info *fs_info)
{
return atomic_read(&fs_info->balance_cancel_req) ||
atomic_read(&fs_info->reloc_cancel_req) ||
@@ -2972,7 +2972,7 @@ noinline int btrfs_should_cancel_balance(struct btrfs_fs_info *fs_info)
}
ALLOW_ERROR_INJECTION(btrfs_should_cancel_balance, TRUE);
-static u64 get_cluster_boundary_end(struct file_extent_cluster *cluster,
+static u64 get_cluster_boundary_end(const struct file_extent_cluster *cluster,
int cluster_nr)
{
/* Last extent, use cluster end directly */
@@ -2984,7 +2984,7 @@ static u64 get_cluster_boundary_end(struct file_extent_cluster *cluster,
}
static int relocate_one_page(struct inode *inode, struct file_ra_state *ra,
- struct file_extent_cluster *cluster,
+ const struct file_extent_cluster *cluster,
int *cluster_nr, unsigned long page_index)
{
struct btrfs_fs_info *fs_info = btrfs_sb(inode->i_sb);
@@ -3119,7 +3119,7 @@ static int relocate_one_page(struct inode *inode, struct file_ra_state *ra,
}
static int relocate_file_extent_cluster(struct inode *inode,
- struct file_extent_cluster *cluster)
+ const struct file_extent_cluster *cluster)
{
u64 offset = BTRFS_I(inode)->index_cnt;
unsigned long index;
@@ -3157,9 +3157,9 @@ static int relocate_file_extent_cluster(struct inode *inode,
return ret;
}
-static noinline_for_stack
-int relocate_data_extent(struct inode *inode, struct btrfs_key *extent_key,
- struct file_extent_cluster *cluster)
+static noinline_for_stack int relocate_data_extent(struct inode *inode,
+ const struct btrfs_key *extent_key,
+ struct file_extent_cluster *cluster)
{
int ret;
@@ -3192,7 +3192,7 @@ int relocate_data_extent(struct inode *inode, struct btrfs_key *extent_key,
* the major work is getting the generation and level of the block
*/
static int add_tree_block(struct reloc_control *rc,
- struct btrfs_key *extent_key,
+ const struct btrfs_key *extent_key,
struct btrfs_path *path,
struct rb_root *blocks)
{
@@ -3443,11 +3443,10 @@ static int delete_v1_space_cache(struct extent_buffer *leaf,
/*
* helper to find all tree blocks that reference a given data extent
*/
-static noinline_for_stack
-int add_data_references(struct reloc_control *rc,
- struct btrfs_key *extent_key,
- struct btrfs_path *path,
- struct rb_root *blocks)
+static noinline_for_stack int add_data_references(struct reloc_control *rc,
+ const struct btrfs_key *extent_key,
+ struct btrfs_path *path,
+ struct rb_root *blocks)
{
struct btrfs_backref_walk_ctx ctx = { 0 };
struct ulist_iterator leaf_uiter;
@@ -3873,9 +3872,9 @@ static void delete_orphan_inode(struct btrfs_trans_handle *trans,
* helper to create inode for data relocation.
* the inode is in data relocation tree and its link count is 0
*/
-static noinline_for_stack
-struct inode *create_reloc_inode(struct btrfs_fs_info *fs_info,
- struct btrfs_block_group *group)
+static noinline_for_stack struct inode *create_reloc_inode(
+ struct btrfs_fs_info *fs_info,
+ const struct btrfs_block_group *group)
{
struct inode *inode = NULL;
struct btrfs_trans_handle *trans;
@@ -4421,7 +4420,8 @@ int btrfs_reloc_clone_csums(struct btrfs_ordered_extent *ordered)
}
int btrfs_reloc_cow_block(struct btrfs_trans_handle *trans,
- struct btrfs_root *root, struct extent_buffer *buf,
+ struct btrfs_root *root,
+ const struct extent_buffer *buf,
struct extent_buffer *cow)
{
struct btrfs_fs_info *fs_info = root->fs_info;
@@ -4560,7 +4560,7 @@ int btrfs_reloc_post_snapshot(struct btrfs_trans_handle *trans,
*
* Return U64_MAX if no running relocation.
*/
-u64 btrfs_get_reloc_bg_bytenr(struct btrfs_fs_info *fs_info)
+u64 btrfs_get_reloc_bg_bytenr(const struct btrfs_fs_info *fs_info)
{
u64 logical = U64_MAX;
diff --git a/fs/btrfs/relocation.h b/fs/btrfs/relocation.h
index af749c780b4e7..5fb60f2deb530 100644
--- a/fs/btrfs/relocation.h
+++ b/fs/btrfs/relocation.h
@@ -10,15 +10,16 @@ int btrfs_update_reloc_root(struct btrfs_trans_handle *trans,
int btrfs_recover_relocation(struct btrfs_fs_info *fs_info);
int btrfs_reloc_clone_csums(struct btrfs_ordered_extent *ordered);
int btrfs_reloc_cow_block(struct btrfs_trans_handle *trans,
- struct btrfs_root *root, struct extent_buffer *buf,
+ struct btrfs_root *root,
+ const struct extent_buffer *buf,
struct extent_buffer *cow);
void btrfs_reloc_pre_snapshot(struct btrfs_pending_snapshot *pending,
u64 *bytes_to_reserve);
int btrfs_reloc_post_snapshot(struct btrfs_trans_handle *trans,
struct btrfs_pending_snapshot *pending);
-int btrfs_should_cancel_balance(struct btrfs_fs_info *fs_info);
+int btrfs_should_cancel_balance(const struct btrfs_fs_info *fs_info);
struct btrfs_root *find_reloc_root(struct btrfs_fs_info *fs_info, u64 bytenr);
-bool btrfs_should_ignore_reloc_root(struct btrfs_root *root);
-u64 btrfs_get_reloc_bg_bytenr(struct btrfs_fs_info *fs_info);
+bool btrfs_should_ignore_reloc_root(const struct btrfs_root *root);
+u64 btrfs_get_reloc_bg_bytenr(const struct btrfs_fs_info *fs_info);
#endif
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 365/386] btrfs: drop the backref cache during relocation if we commit
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (363 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 364/386] btrfs: relocation: constify parameters where possible Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 366/386] drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 Greg Kroah-Hartman
` (31 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Boris Burkov, Josef Bacik,
David Sterba, Sasha Levin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
[ Upstream commit db7e68b522c01eb666cfe1f31637775f18997811 ]
Since the inception of relocation we have maintained the backref cache
across transaction commits, updating the backref cache with the new
bytenr whenever we COWed blocks that were in the cache, and then
updating their bytenr once we detected a transaction id change.
This works as long as we're only ever modifying blocks, not changing the
structure of the tree.
However relocation does in fact change the structure of the tree. For
example, if we are relocating a data extent, we will look up all the
leaves that point to this data extent. We will then call
do_relocation() on each of these leaves, which will COW down to the leaf
and then update the file extent location.
But, a key feature of do_relocation() is the pending list. This is all
the pending nodes that we modified when we updated the file extent item.
We will then process all of these blocks via finish_pending_nodes, which
calls do_relocation() on all of the nodes that led up to that leaf.
The purpose of this is to make sure we don't break sharing unless we
absolutely have to. Consider the case that we have 3 snapshots that all
point to this leaf through the same nodes, the initial COW would have
created a whole new path. If we did this for all 3 snapshots we would
end up with 3x the number of nodes we had originally. To avoid this we
will cycle through each of the snapshots that point to each of these
nodes and update their pointers to point at the new nodes.
Once we update the pointer to the new node we will drop the node we
removed the link for and all of its children via btrfs_drop_subtree().
This is essentially just btrfs_drop_snapshot(), but for an arbitrary
point in the snapshot.
The problem with this is that we will never reflect this in the backref
cache. If we do this btrfs_drop_snapshot() for a node that is in the
backref tree, we will leave the node in the backref tree. This becomes
a problem when we change the transid, as now the backref cache has
entire subtrees that no longer exist, but exist as if they still are
pointed to by the same roots.
In the best case scenario you end up with "adding refs to an existing
tree ref" errors from insert_inline_extent_backref(), where we attempt
to link in nodes on roots that are no longer valid.
Worst case you will double free some random block and re-use it when
there's still references to the block.
This is extremely subtle, and the consequences are quite bad. There
isn't a way to make sure our backref cache is consistent between
transid's.
In order to fix this we need to simply evict the entire backref cache
anytime we cross transid's. This reduces performance in that we have to
rebuild this backref cache every time we change transid's, but fixes the
bug.
This has existed since relocation was added, and is a pretty critical
bug. There's a lot more cleanup that can be done now that this
functionality is going away, but this patch is as small as possible in
order to fix the problem and make it easy for us to backport it to all
the kernels it needs to be backported to.
Followup series will dismantle more of this code and simplify relocation
drastically to remove this functionality.
We have a reproducer that reproduced the corruption within a few minutes
of running. With this patch it survives several iterations/hours of
running the reproducer.
Fixes: 3fd0a5585eb9 ("Btrfs: Metadata ENOSPC handling for balance")
CC: stable@vger.kernel.org
Reviewed-by: Boris Burkov <boris@bur.io>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/backref.c | 12 ++++---
fs/btrfs/relocation.c | 75 ++-----------------------------------------
2 files changed, 11 insertions(+), 76 deletions(-)
diff --git a/fs/btrfs/backref.c b/fs/btrfs/backref.c
index df223ebf2551c..a2ba1c7fc16af 100644
--- a/fs/btrfs/backref.c
+++ b/fs/btrfs/backref.c
@@ -3098,10 +3098,14 @@ void btrfs_backref_release_cache(struct btrfs_backref_cache *cache)
btrfs_backref_cleanup_node(cache, node);
}
- cache->last_trans = 0;
-
- for (i = 0; i < BTRFS_MAX_LEVEL; i++)
- ASSERT(list_empty(&cache->pending[i]));
+ for (i = 0; i < BTRFS_MAX_LEVEL; i++) {
+ while (!list_empty(&cache->pending[i])) {
+ node = list_first_entry(&cache->pending[i],
+ struct btrfs_backref_node,
+ list);
+ btrfs_backref_cleanup_node(cache, node);
+ }
+ }
ASSERT(list_empty(&cache->pending_edge));
ASSERT(list_empty(&cache->useless_node));
ASSERT(list_empty(&cache->changed));
diff --git a/fs/btrfs/relocation.c b/fs/btrfs/relocation.c
index 6e590da98742b..299eac696eb42 100644
--- a/fs/btrfs/relocation.c
+++ b/fs/btrfs/relocation.c
@@ -235,70 +235,6 @@ static struct btrfs_backref_node *walk_down_backref(
return NULL;
}
-static void update_backref_node(struct btrfs_backref_cache *cache,
- struct btrfs_backref_node *node, u64 bytenr)
-{
- struct rb_node *rb_node;
- rb_erase(&node->rb_node, &cache->rb_root);
- node->bytenr = bytenr;
- rb_node = rb_simple_insert(&cache->rb_root, node->bytenr, &node->rb_node);
- if (rb_node)
- btrfs_backref_panic(cache->fs_info, bytenr, -EEXIST);
-}
-
-/*
- * update backref cache after a transaction commit
- */
-static int update_backref_cache(struct btrfs_trans_handle *trans,
- struct btrfs_backref_cache *cache)
-{
- struct btrfs_backref_node *node;
- int level = 0;
-
- if (cache->last_trans == 0) {
- cache->last_trans = trans->transid;
- return 0;
- }
-
- if (cache->last_trans == trans->transid)
- return 0;
-
- /*
- * detached nodes are used to avoid unnecessary backref
- * lookup. transaction commit changes the extent tree.
- * so the detached nodes are no longer useful.
- */
- while (!list_empty(&cache->detached)) {
- node = list_entry(cache->detached.next,
- struct btrfs_backref_node, list);
- btrfs_backref_cleanup_node(cache, node);
- }
-
- while (!list_empty(&cache->changed)) {
- node = list_entry(cache->changed.next,
- struct btrfs_backref_node, list);
- list_del_init(&node->list);
- BUG_ON(node->pending);
- update_backref_node(cache, node, node->new_bytenr);
- }
-
- /*
- * some nodes can be left in the pending list if there were
- * errors during processing the pending nodes.
- */
- for (level = 0; level < BTRFS_MAX_LEVEL; level++) {
- list_for_each_entry(node, &cache->pending[level], list) {
- BUG_ON(!node->pending);
- if (node->bytenr == node->new_bytenr)
- continue;
- update_backref_node(cache, node, node->new_bytenr);
- }
- }
-
- cache->last_trans = 0;
- return 1;
-}
-
static bool reloc_root_is_dead(const struct btrfs_root *root)
{
/*
@@ -557,9 +493,6 @@ static int clone_backref_node(struct btrfs_trans_handle *trans,
struct btrfs_backref_edge *new_edge;
struct rb_node *rb_node;
- if (cache->last_trans > 0)
- update_backref_cache(trans, cache);
-
rb_node = rb_simple_search(&cache->rb_root, src->commit_root->start);
if (rb_node) {
node = rb_entry(rb_node, struct btrfs_backref_node, rb_node);
@@ -3682,11 +3615,9 @@ static noinline_for_stack int relocate_block_group(struct reloc_control *rc)
break;
}
restart:
- if (update_backref_cache(trans, &rc->backref_cache)) {
- btrfs_end_transaction(trans);
- trans = NULL;
- continue;
- }
+ if (rc->backref_cache.last_trans != trans->transid)
+ btrfs_backref_release_cache(&rc->backref_cache);
+ rc->backref_cache.last_trans = trans->transid;
ret = find_next_extent(rc, path, &key);
if (ret < 0)
--
2.43.0
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 366/386] drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (364 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 365/386] btrfs: drop the backref cache during relocation if we commit Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 367/386] Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link" Greg Kroah-Hartman
` (30 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Val Packett, Heiko Stuebner
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Val Packett <val@packett.cool>
commit 6ed51ba95e27221ce87979bd2ad5926033b9e1b9 upstream.
The RK3066 does have RGB display output, so it should be marked as such.
Fixes: f4a6de855eae ("drm: rockchip: vop: add rk3066 vop definitions")
Cc: stable@vger.kernel.org
Signed-off-by: Val Packett <val@packett.cool>
Signed-off-by: Heiko Stuebner <heiko@sntech.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20240624204054.5524-3-val@packett.cool
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/rockchip/rockchip_vop_reg.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/rockchip/rockchip_vop_reg.c
+++ b/drivers/gpu/drm/rockchip/rockchip_vop_reg.c
@@ -484,6 +484,7 @@ static const struct vop_data rk3066_vop
.output = &rk3066_output,
.win = rk3066_vop_win_data,
.win_size = ARRAY_SIZE(rk3066_vop_win_data),
+ .feature = VOP_FEATURE_INTERNAL_RGB,
.max_output = { 1920, 1080 },
};
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 367/386] Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link"
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (365 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 366/386] drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 368/386] ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path Greg Kroah-Hartman
` (29 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jonathan Gray
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jonathan Gray <jsg@jsg.id.au>
This reverts commit a53841b074cc196c3caaa37e1f15d6bc90943b97.
duplicated a change made in 6.6.46
718d83f66fb07b2cab89a1fc984613a00e3db18f
Cc: stable@vger.kernel.org # 6.6
Signed-off-by: Jonathan Gray <jsg@jsg.id.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c | 3 ---
1 file changed, 3 deletions(-)
--- a/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
+++ b/drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_mst_types.c
@@ -1269,9 +1269,6 @@ static bool is_dsc_need_re_compute(
if (new_stream_on_link_num == 0)
return false;
- if (new_stream_on_link_num == 0)
- return false;
-
/* check current_state if there stream on link but it is not in
* new request state
*/
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 368/386] ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (366 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 367/386] Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link" Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 369/386] netfilter: nf_tables: fix memleak in map from abort path Greg Kroah-Hartman
` (28 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Eric Biggers,
Eric Biggers, Richard Weinberger, Vegard Nossum
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhihao Cheng <chengzhihao1@huawei.com>
[ Upstream commit 6379b44cdcd67f5f5d986b73953e99700591edfa ]
For error handling path in ubifs_symlink(), inode will be marked as
bad first, then iput() is invoked. If inode->i_link is initialized by
fscrypt_encrypt_symlink() in encryption scenario, inode->i_link won't
be freed by callchain ubifs_free_inode -> fscrypt_free_inode in error
handling path, because make_bad_inode() has changed 'inode->i_mode' as
'S_IFREG'.
Following kmemleak is easy to be reproduced by injecting error in
ubifs_jnl_update() when doing symlink in encryption scenario:
unreferenced object 0xffff888103da3d98 (size 8):
comm "ln", pid 1692, jiffies 4294914701 (age 12.045s)
backtrace:
kmemdup+0x32/0x70
__fscrypt_encrypt_symlink+0xed/0x1c0
ubifs_symlink+0x210/0x300 [ubifs]
vfs_symlink+0x216/0x360
do_symlinkat+0x11a/0x190
do_syscall_64+0x3b/0xe0
There are two ways fixing it:
1. Remove make_bad_inode() in error handling path. We can do that
because ubifs_evict_inode() will do same processes for good
symlink inode and bad symlink inode, for inode->i_nlink checking
is before is_bad_inode().
2. Free inode->i_link before marking inode bad.
Method 2 is picked, it has less influence, personally, I think.
Cc: stable@vger.kernel.org
Fixes: 2c58d548f570 ("fscrypt: cache decrypted symlink target in ->i_link")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Suggested-by: Eric Biggers <ebiggers@kernel.org>
Reviewed-by: Eric Biggers <ebiggers@google.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
(cherry picked from commit 6379b44cdcd67f5f5d986b73953e99700591edfa)
[Vegard: CVE-2024-26972; no conflicts]
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ubifs/dir.c | 2 ++
1 file changed, 2 insertions(+)
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -1126,6 +1126,8 @@ out_cancel:
dir_ui->ui_size = dir->i_size;
mutex_unlock(&dir_ui->ui_mutex);
out_inode:
+ /* Free inode->i_link before inode is marked as bad. */
+ fscrypt_free_inode(inode);
make_bad_inode(inode);
iput(inode);
out_fname:
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 369/386] netfilter: nf_tables: fix memleak in map from abort path
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (367 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 368/386] ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 370/386] netfilter: nf_tables: restore set elements when delete set fails Greg Kroah-Hartman
` (27 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Vegard Nossum
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
[ Upstream commit 86a1471d7cde792941109b93b558b5dc078b9ee9 ]
The delete set command does not rely on the transaction object for
element removal, therefore, a combination of delete element + delete set
from the abort path could result in restoring twice the refcount of the
mapping.
Check for inactive element in the next generation for the delete element
command in the abort path, skip restoring state if next generation bit
has been already cleared. This is similar to the activate logic using
the set walk iterator.
[ 6170.286929] ------------[ cut here ]------------
[ 6170.286939] WARNING: CPU: 6 PID: 790302 at net/netfilter/nf_tables_api.c:2086 nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
[ 6170.287071] Modules linked in: [...]
[ 6170.287633] CPU: 6 PID: 790302 Comm: kworker/6:2 Not tainted 6.9.0-rc3+ #365
[ 6170.287768] RIP: 0010:nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
[ 6170.287886] Code: df 48 8d 7d 58 e8 69 2e 3b df 48 8b 7d 58 e8 80 1b 37 df 48 8d 7d 68 e8 57 2e 3b df 48 8b 7d 68 e8 6e 1b 37 df 48 89 ef eb c4 <0f> 0b 48 83 c4 08 5b 5d 41 5c 41 5d 41 5e 41 5f c3 cc cc cc cc 0f
[ 6170.287895] RSP: 0018:ffff888134b8fd08 EFLAGS: 00010202
[ 6170.287904] RAX: 0000000000000001 RBX: ffff888125bffb28 RCX: dffffc0000000000
[ 6170.287912] RDX: 0000000000000003 RSI: ffffffffa20298ab RDI: ffff88811ebe4750
[ 6170.287919] RBP: ffff88811ebe4700 R08: ffff88838e812650 R09: fffffbfff0623a55
[ 6170.287926] R10: ffffffff8311d2af R11: 0000000000000001 R12: ffff888125bffb10
[ 6170.287933] R13: ffff888125bffb10 R14: dead000000000122 R15: dead000000000100
[ 6170.287940] FS: 0000000000000000(0000) GS:ffff888390b00000(0000) knlGS:0000000000000000
[ 6170.287948] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6170.287955] CR2: 00007fd31fc00710 CR3: 0000000133f60004 CR4: 00000000001706f0
[ 6170.287962] Call Trace:
[ 6170.287967] <TASK>
[ 6170.287973] ? __warn+0x9f/0x1a0
[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
[ 6170.288092] ? report_bug+0x1b1/0x1e0
[ 6170.287986] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
[ 6170.288092] ? report_bug+0x1b1/0x1e0
[ 6170.288104] ? handle_bug+0x3c/0x70
[ 6170.288112] ? exc_invalid_op+0x17/0x40
[ 6170.288120] ? asm_exc_invalid_op+0x1a/0x20
[ 6170.288132] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]
[ 6170.288243] ? nf_tables_chain_destroy+0x1f7/0x220 [nf_tables]
[ 6170.288366] ? nf_tables_chain_destroy+0x2b/0x220 [nf_tables]
[ 6170.288483] nf_tables_trans_destroy_work+0x588/0x590 [nf_tables]
Fixes: 591054469b3e ("netfilter: nf_tables: revisit chain/object refcounting from elements")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit 86a1471d7cde792941109b93b558b5dc078b9ee9)
[Vegard: CVE-2024-27011; fixed conflicts due to missing commits
0e1ea651c9717ddcd8e0648d8468477a31867b0a ("netfilter: nf_tables: shrink
memory consumption of set elements") and
9dad402b89e81a0516bad5e0ac009b7a0a80898f ("netfilter: nf_tables: expose
opaque set element as struct nft_elem_priv") so we pass the correct types
and values to nft_setelem_active_next() + nft_set_elem_ext()]
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -7061,6 +7061,16 @@ void nft_data_hold(const struct nft_data
}
}
+static int nft_setelem_active_next(const struct net *net,
+ const struct nft_set *set,
+ struct nft_set_elem *elem)
+{
+ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+ u8 genmask = nft_genmask_next(net);
+
+ return nft_set_elem_active(ext, genmask);
+}
+
static void nft_setelem_data_activate(const struct net *net,
const struct nft_set *set,
struct nft_set_elem *elem)
@@ -10538,8 +10548,10 @@ static int __nf_tables_abort(struct net
case NFT_MSG_DESTROYSETELEM:
te = (struct nft_trans_elem *)trans->data;
- nft_setelem_data_activate(net, te->set, &te->elem);
- nft_setelem_activate(net, te->set, &te->elem);
+ if (!nft_setelem_active_next(net, te->set, &te->elem)) {
+ nft_setelem_data_activate(net, te->set, &te->elem);
+ nft_setelem_activate(net, te->set, &te->elem);
+ }
if (!nft_setelem_is_catchall(te->set, &te->elem))
te->set->ndeact--;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 370/386] netfilter: nf_tables: restore set elements when delete set fails
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (368 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 369/386] netfilter: nf_tables: fix memleak in map from abort path Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 371/386] net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events Greg Kroah-Hartman
` (26 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Vegard Nossum
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
>From abort path, nft_mapelem_activate() needs to restore refcounters to
the original state. Currently, it uses the set->ops->walk() to iterate
over these set elements. The existing set iterator skips inactive
elements in the next generation, this does not work from the abort path
to restore the original state since it has to skip active elements
instead (not inactive ones).
This patch moves the check for inactive elements to the set iterator
callback, then it reverses the logic for the .activate case which
needs to skip active elements.
Toggle next generation bit for elements when delete set command is
invoked and call nft_clear() from .activate (abort) path to restore the
next generation bit.
The splat below shows an object in mappings memleak:
[43929.457523] ------------[ cut here ]------------
[43929.457532] WARNING: CPU: 0 PID: 1139 at include/net/netfilter/nf_tables.h:1237 nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[...]
[43929.458014] RIP: 0010:nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458076] Code: 83 f8 01 77 ab 49 8d 7c 24 08 e8 37 5e d0 de 49 8b 6c 24 08 48 8d 7d 50 e8 e9 5c d0 de 8b 45 50 8d 50 ff 89 55 50 85 c0 75 86 <0f> 0b eb 82 0f 0b eb b3 0f 1f 40 00 90 90 90 90 90 90 90 90 90 90
[43929.458081] RSP: 0018:ffff888140f9f4b0 EFLAGS: 00010246
[43929.458086] RAX: 0000000000000000 RBX: ffff8881434f5288 RCX: dffffc0000000000
[43929.458090] RDX: 00000000ffffffff RSI: ffffffffa26d28a7 RDI: ffff88810ecc9550
[43929.458093] RBP: ffff88810ecc9500 R08: 0000000000000001 R09: ffffed10281f3e8f
[43929.458096] R10: 0000000000000003 R11: ffff0000ffff0000 R12: ffff8881434f52a0
[43929.458100] R13: ffff888140f9f5f4 R14: ffff888151c7a800 R15: 0000000000000002
[43929.458103] FS: 00007f0c687c4740(0000) GS:ffff888390800000(0000) knlGS:0000000000000000
[43929.458107] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[43929.458111] CR2: 00007f58dbe5b008 CR3: 0000000123602005 CR4: 00000000001706f0
[43929.458114] Call Trace:
[43929.458118] <TASK>
[43929.458121] ? __warn+0x9f/0x1a0
[43929.458127] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458188] ? report_bug+0x1b1/0x1e0
[43929.458196] ? handle_bug+0x3c/0x70
[43929.458200] ? exc_invalid_op+0x17/0x40
[43929.458211] ? nft_setelem_data_deactivate+0xd7/0xf0 [nf_tables]
[43929.458271] ? nft_setelem_data_deactivate+0xe4/0xf0 [nf_tables]
[43929.458332] nft_mapelem_deactivate+0x24/0x30 [nf_tables]
[43929.458392] nft_rhash_walk+0xdd/0x180 [nf_tables]
[43929.458453] ? __pfx_nft_rhash_walk+0x10/0x10 [nf_tables]
[43929.458512] ? rb_insert_color+0x2e/0x280
[43929.458520] nft_map_deactivate+0xdc/0x1e0 [nf_tables]
[43929.458582] ? __pfx_nft_map_deactivate+0x10/0x10 [nf_tables]
[43929.458642] ? __pfx_nft_mapelem_deactivate+0x10/0x10 [nf_tables]
[43929.458701] ? __rcu_read_unlock+0x46/0x70
[43929.458709] nft_delset+0xff/0x110 [nf_tables]
[43929.458769] nft_flush_table+0x16f/0x460 [nf_tables]
[43929.458830] nf_tables_deltable+0x501/0x580 [nf_tables]
Fixes: 628bd3e49cba ("netfilter: nf_tables: drop map element references from preparation phase")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
(cherry picked from commit e79b47a8615d42c68aaeb68971593333667382ed)
[Vegard: CVE-2024-27012; fixed conflicts due to missing commits
0e1ea651c9717ddcd8e0648d8468477a31867b0a ("netfilter: nf_tables: shrink
memory consumption of set elements") and
9dad402b89e81a0516bad5e0ac009b7a0a80898f ("netfilter: nf_tables: expose
opaque set element as struct nft_elem_priv") so we pass the correct types
and values to nft_setelem_data_deactivate(), nft_setelem_validate(),
nft_set_elem_ext(), etc.]
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 41 +++++++++++++++++++++++++++++++++++++----
net/netfilter/nft_set_bitmap.c | 4 +---
net/netfilter/nft_set_hash.c | 8 ++------
net/netfilter/nft_set_pipapo.c | 5 +----
net/netfilter/nft_set_rbtree.c | 4 +---
5 files changed, 42 insertions(+), 20 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -594,6 +594,12 @@ static int nft_mapelem_deactivate(const
const struct nft_set_iter *iter,
struct nft_set_elem *elem)
{
+ struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
+ nft_set_elem_change_active(ctx->net, set, ext);
nft_setelem_data_deactivate(ctx->net, set, elem);
return 0;
@@ -619,6 +625,7 @@ static void nft_map_catchall_deactivate(
continue;
elem.priv = catchall->elem;
+ nft_set_elem_change_active(ctx->net, set, ext);
nft_setelem_data_deactivate(ctx->net, set, &elem);
break;
}
@@ -3820,6 +3827,9 @@ int nft_setelem_validate(const struct nf
const struct nft_data *data;
int err;
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
if (nft_set_ext_exists(ext, NFT_SET_EXT_FLAGS) &&
*nft_set_ext_flags(ext) & NFT_SET_ELEM_INTERVAL_END)
return 0;
@@ -3843,19 +3853,22 @@ int nft_setelem_validate(const struct nf
int nft_set_catchall_validate(const struct nft_ctx *ctx, struct nft_set *set)
{
- u8 genmask = nft_genmask_next(ctx->net);
+ struct nft_set_iter dummy_iter = {
+ .genmask = nft_genmask_next(ctx->net),
+ };
struct nft_set_elem_catchall *catchall;
struct nft_set_elem elem;
+
struct nft_set_ext *ext;
int ret = 0;
list_for_each_entry_rcu(catchall, &set->catchall_list, list) {
ext = nft_set_elem_ext(set, catchall->elem);
- if (!nft_set_elem_active(ext, genmask))
+ if (!nft_set_elem_active(ext, dummy_iter.genmask))
continue;
elem.priv = catchall->elem;
- ret = nft_setelem_validate(ctx, set, NULL, &elem);
+ ret = nft_setelem_validate(ctx, set, &dummy_iter, &elem);
if (ret < 0)
return ret;
}
@@ -5347,6 +5360,11 @@ static int nf_tables_bind_check_setelem(
const struct nft_set_iter *iter,
struct nft_set_elem *elem)
{
+ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
return nft_setelem_data_validate(ctx, set, elem);
}
@@ -5441,6 +5459,13 @@ static int nft_mapelem_activate(const st
const struct nft_set_iter *iter,
struct nft_set_elem *elem)
{
+ struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
+
+ /* called from abort path, reverse check to undo changes. */
+ if (nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
+ nft_clear(ctx->net, ext);
nft_setelem_data_activate(ctx->net, set, elem);
return 0;
@@ -5459,6 +5484,7 @@ static void nft_map_catchall_activate(co
if (!nft_set_elem_active(ext, genmask))
continue;
+ nft_clear(ctx->net, ext);
elem.priv = catchall->elem;
nft_setelem_data_activate(ctx->net, set, &elem);
break;
@@ -5733,6 +5759,9 @@ static int nf_tables_dump_setelem(const
const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
struct nft_set_dump_args *args;
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
if (nft_set_elem_expired(ext) || nft_set_elem_is_dead(ext))
return 0;
@@ -6500,7 +6529,7 @@ static void nft_setelem_activate(struct
struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
if (nft_setelem_is_catchall(set, elem)) {
- nft_set_elem_change_active(net, set, ext);
+ nft_clear(net, ext);
} else {
set->ops->activate(net, set, elem);
}
@@ -7194,9 +7223,13 @@ static int nft_setelem_flush(const struc
const struct nft_set_iter *iter,
struct nft_set_elem *elem)
{
+ const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
struct nft_trans *trans;
int err;
+ if (!nft_set_elem_active(ext, iter->genmask))
+ return 0;
+
trans = nft_trans_alloc_gfp(ctx, NFT_MSG_DELSETELEM,
sizeof(struct nft_trans_elem), GFP_ATOMIC);
if (!trans)
--- a/net/netfilter/nft_set_bitmap.c
+++ b/net/netfilter/nft_set_bitmap.c
@@ -171,7 +171,7 @@ static void nft_bitmap_activate(const st
nft_bitmap_location(set, nft_set_ext_key(&be->ext), &idx, &off);
/* Enter 11 state. */
priv->bitmap[idx] |= (genmask << off);
- nft_set_elem_change_active(net, set, &be->ext);
+ nft_clear(net, &be->ext);
}
static bool nft_bitmap_flush(const struct net *net,
@@ -223,8 +223,6 @@ static void nft_bitmap_walk(const struct
list_for_each_entry_rcu(be, &priv->list, head) {
if (iter->count < iter->skip)
goto cont;
- if (!nft_set_elem_active(&be->ext, iter->genmask))
- goto cont;
elem.priv = be;
--- a/net/netfilter/nft_set_hash.c
+++ b/net/netfilter/nft_set_hash.c
@@ -189,7 +189,7 @@ static void nft_rhash_activate(const str
{
struct nft_rhash_elem *he = elem->priv;
- nft_set_elem_change_active(net, set, &he->ext);
+ nft_clear(net, &he->ext);
}
static bool nft_rhash_flush(const struct net *net,
@@ -277,8 +277,6 @@ static void nft_rhash_walk(const struct
if (iter->count < iter->skip)
goto cont;
- if (!nft_set_elem_active(&he->ext, iter->genmask))
- goto cont;
elem.priv = he;
@@ -587,7 +585,7 @@ static void nft_hash_activate(const stru
{
struct nft_hash_elem *he = elem->priv;
- nft_set_elem_change_active(net, set, &he->ext);
+ nft_clear(net, &he->ext);
}
static bool nft_hash_flush(const struct net *net,
@@ -641,8 +639,6 @@ static void nft_hash_walk(const struct n
hlist_for_each_entry_rcu(he, &priv->table[i], node) {
if (iter->count < iter->skip)
goto cont;
- if (!nft_set_elem_active(&he->ext, iter->genmask))
- goto cont;
elem.priv = he;
--- a/net/netfilter/nft_set_pipapo.c
+++ b/net/netfilter/nft_set_pipapo.c
@@ -1766,7 +1766,7 @@ static void nft_pipapo_activate(const st
{
struct nft_pipapo_elem *e = elem->priv;
- nft_set_elem_change_active(net, set, &e->ext);
+ nft_clear(net, &e->ext);
}
/**
@@ -2068,9 +2068,6 @@ static void nft_pipapo_walk(const struct
e = f->mt[r].e;
- if (!nft_set_elem_active(&e->ext, iter->genmask))
- goto cont;
-
elem.priv = e;
iter->err = iter->fn(ctx, set, iter, &elem);
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -527,7 +527,7 @@ static void nft_rbtree_activate(const st
{
struct nft_rbtree_elem *rbe = elem->priv;
- nft_set_elem_change_active(net, set, &rbe->ext);
+ nft_clear(net, &rbe->ext);
}
static bool nft_rbtree_flush(const struct net *net,
@@ -596,8 +596,6 @@ static void nft_rbtree_walk(const struct
if (iter->count < iter->skip)
goto cont;
- if (!nft_set_elem_active(&rbe->ext, iter->genmask))
- goto cont;
elem.priv = rbe;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 371/386] net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (369 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 370/386] netfilter: nf_tables: restore set elements when delete set fails Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 372/386] iommufd: Fix protection fault in iommufd_test_syz_conv_iova Greg Kroah-Hartman
` (25 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Florian Fainelli,
Eric Dumazet, Jakub Kicinski, Harshit Mogalapalli, Vegard Nossum,
syzbot+d81bcd883824180500c8
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
[ Upstream commit 844f104790bd69c2e4dbb9ee3eba46fde1fcea7b ]
After the blamed commit, we started doing this dereference for every
NETDEV_CHANGEUPPER and NETDEV_PRECHANGEUPPER event in the system.
static inline struct dsa_port *dsa_user_to_port(const struct net_device *dev)
{
struct dsa_user_priv *p = netdev_priv(dev);
return p->dp;
}
Which is obviously bogus, because not all net_devices have a netdev_priv()
of type struct dsa_user_priv. But struct dsa_user_priv is fairly small,
and p->dp means dereferencing 8 bytes starting with offset 16. Most
drivers allocate that much private memory anyway, making our access not
fault, and we discard the bogus data quickly afterwards, so this wasn't
caught.
But the dummy interface is somewhat special in that it calls
alloc_netdev() with a priv size of 0. So every netdev_priv() dereference
is invalid, and we get this when we emit a NETDEV_PRECHANGEUPPER event
with a VLAN as its new upper:
$ ip link add dummy1 type dummy
$ ip link add link dummy1 name dummy1.100 type vlan id 100
[ 43.309174] ==================================================================
[ 43.316456] BUG: KASAN: slab-out-of-bounds in dsa_user_prechangeupper+0x30/0xe8
[ 43.323835] Read of size 8 at addr ffff3f86481d2990 by task ip/374
[ 43.330058]
[ 43.342436] Call trace:
[ 43.366542] dsa_user_prechangeupper+0x30/0xe8
[ 43.371024] dsa_user_netdevice_event+0xb38/0xee8
[ 43.375768] notifier_call_chain+0xa4/0x210
[ 43.379985] raw_notifier_call_chain+0x24/0x38
[ 43.384464] __netdev_upper_dev_link+0x3ec/0x5d8
[ 43.389120] netdev_upper_dev_link+0x70/0xa8
[ 43.393424] register_vlan_dev+0x1bc/0x310
[ 43.397554] vlan_newlink+0x210/0x248
[ 43.401247] rtnl_newlink+0x9fc/0xe30
[ 43.404942] rtnetlink_rcv_msg+0x378/0x580
Avoid the kernel oops by dereferencing after the type check, as customary.
Fixes: 4c3f80d22b2e ("net: dsa: walk through all changeupper notifier functions")
Reported-and-tested-by: syzbot+d81bcd883824180500c8@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/0000000000001d4255060e87545c@google.com/
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20240110003354.2796778-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 844f104790bd69c2e4dbb9ee3eba46fde1fcea7b)
[Harshit: CVE-2024-26596; Resolve conflicts due to missing commit: 6ca80638b90c
("net: dsa: Use conduit and user terms") in 6.6.y, used dsa_slave_to_port()
instead of dsa_user_to_port()]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/dsa/slave.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/net/dsa/slave.c
+++ b/net/dsa/slave.c
@@ -2822,13 +2822,14 @@ EXPORT_SYMBOL_GPL(dsa_slave_dev_check);
static int dsa_slave_changeupper(struct net_device *dev,
struct netdev_notifier_changeupper_info *info)
{
- struct dsa_port *dp = dsa_slave_to_port(dev);
struct netlink_ext_ack *extack;
int err = NOTIFY_DONE;
+ struct dsa_port *dp;
if (!dsa_slave_dev_check(dev))
return err;
+ dp = dsa_slave_to_port(dev);
extack = netdev_notifier_info_to_extack(&info->info);
if (netif_is_bridge_master(info->upper_dev)) {
@@ -2881,11 +2882,13 @@ static int dsa_slave_changeupper(struct
static int dsa_slave_prechangeupper(struct net_device *dev,
struct netdev_notifier_changeupper_info *info)
{
- struct dsa_port *dp = dsa_slave_to_port(dev);
+ struct dsa_port *dp;
if (!dsa_slave_dev_check(dev))
return NOTIFY_DONE;
+ dp = dsa_slave_to_port(dev);
+
if (netif_is_bridge_master(info->upper_dev) && !info->linking)
dsa_port_pre_bridge_leave(dp, info->upper_dev);
else if (netif_is_lag_master(info->upper_dev) && !info->linking)
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 372/386] iommufd: Fix protection fault in iommufd_test_syz_conv_iova
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (370 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 371/386] net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 373/386] drm/bridge: adv7511: fix crash on irq during probe Greg Kroah-Hartman
` (24 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jason Gunthorpe, Nicolin Chen,
Kevin Tian, Harshit Mogalapalli, Vegard Nossum
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicolin Chen <nicolinc@nvidia.com>
[ Upstream commit cf7c2789822db8b5efa34f5ebcf1621bc0008d48 ]
Syzkaller reported the following bug:
general protection fault, probably for non-canonical address 0xdffffc0000000038: 0000 [#1] SMP KASAN
KASAN: null-ptr-deref in range [0x00000000000001c0-0x00000000000001c7]
Call Trace:
lock_acquire
lock_acquire+0x1ce/0x4f0
down_read+0x93/0x4a0
iommufd_test_syz_conv_iova+0x56/0x1f0
iommufd_test_access_rw.isra.0+0x2ec/0x390
iommufd_test+0x1058/0x1e30
iommufd_fops_ioctl+0x381/0x510
vfs_ioctl
__do_sys_ioctl
__se_sys_ioctl
__x64_sys_ioctl+0x170/0x1e0
do_syscall_x64
do_syscall_64+0x71/0x140
This is because the new iommufd_access_change_ioas() sets access->ioas to
NULL during its process, so the lock might be gone in a concurrent racing
context.
Fix this by doing the same access->ioas sanity as iommufd_access_rw() and
iommufd_access_pin_pages() functions do.
Cc: stable@vger.kernel.org
Fixes: 9227da7816dd ("iommufd: Add iommufd_access_change_ioas(_id) helpers")
Link: https://lore.kernel.org/r/3f1932acaf1dd494d404c04364d73ce8f57f3e5e.1708636627.git.nicolinc@nvidia.com
Reported-by: Jason Gunthorpe <jgg@nvidia.com>
Signed-off-by: Nicolin Chen <nicolinc@nvidia.com>
Reviewed-by: Kevin Tian <kevin.tian@intel.com>
Signed-off-by: Jason Gunthorpe <jgg@nvidia.com>
(cherry picked from commit cf7c2789822db8b5efa34f5ebcf1621bc0008d48)
[Harshit: CVE-2024-26785; Resolve conflicts due to missing commit:
bd7a282650b8 ("iommufd: Add iommufd_ctx to iommufd_put_object()") in
6.6.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iommu/iommufd/selftest.c | 27 +++++++++++++++++++++------
1 file changed, 21 insertions(+), 6 deletions(-)
--- a/drivers/iommu/iommufd/selftest.c
+++ b/drivers/iommu/iommufd/selftest.c
@@ -44,8 +44,8 @@ enum {
* In syzkaller mode the 64 bit IOVA is converted into an nth area and offset
* value. This has a much smaller randomization space and syzkaller can hit it.
*/
-static unsigned long iommufd_test_syz_conv_iova(struct io_pagetable *iopt,
- u64 *iova)
+static unsigned long __iommufd_test_syz_conv_iova(struct io_pagetable *iopt,
+ u64 *iova)
{
struct syz_layout {
__u32 nth_area;
@@ -69,6 +69,21 @@ static unsigned long iommufd_test_syz_co
return 0;
}
+static unsigned long iommufd_test_syz_conv_iova(struct iommufd_access *access,
+ u64 *iova)
+{
+ unsigned long ret;
+
+ mutex_lock(&access->ioas_lock);
+ if (!access->ioas) {
+ mutex_unlock(&access->ioas_lock);
+ return 0;
+ }
+ ret = __iommufd_test_syz_conv_iova(&access->ioas->iopt, iova);
+ mutex_unlock(&access->ioas_lock);
+ return ret;
+}
+
void iommufd_test_syz_conv_iova_id(struct iommufd_ucmd *ucmd,
unsigned int ioas_id, u64 *iova, u32 *flags)
{
@@ -81,7 +96,7 @@ void iommufd_test_syz_conv_iova_id(struc
ioas = iommufd_get_ioas(ucmd->ictx, ioas_id);
if (IS_ERR(ioas))
return;
- *iova = iommufd_test_syz_conv_iova(&ioas->iopt, iova);
+ *iova = __iommufd_test_syz_conv_iova(&ioas->iopt, iova);
iommufd_put_object(&ioas->obj);
}
@@ -852,7 +867,7 @@ static int iommufd_test_access_pages(str
}
if (flags & MOCK_FLAGS_ACCESS_SYZ)
- iova = iommufd_test_syz_conv_iova(&staccess->access->ioas->iopt,
+ iova = iommufd_test_syz_conv_iova(staccess->access,
&cmd->access_pages.iova);
npages = (ALIGN(iova + length, PAGE_SIZE) -
@@ -954,8 +969,8 @@ static int iommufd_test_access_rw(struct
}
if (flags & MOCK_FLAGS_ACCESS_SYZ)
- iova = iommufd_test_syz_conv_iova(&staccess->access->ioas->iopt,
- &cmd->access_rw.iova);
+ iova = iommufd_test_syz_conv_iova(staccess->access,
+ &cmd->access_rw.iova);
rc = iommufd_access_rw(staccess->access, iova, tmp, length, flags);
if (rc)
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 373/386] drm/bridge: adv7511: fix crash on irq during probe
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (371 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 372/386] iommufd: Fix protection fault in iommufd_test_syz_conv_iova Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 374/386] efi/unaccepted: touch soft lockup during memory accept Greg Kroah-Hartman
` (23 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mads Bligaard Nielsen,
Alvin Šipraga, Robert Foss, Harshit Mogalapalli,
Vegard Nossum
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mads Bligaard Nielsen <bli@bang-olufsen.dk>
[ Upstream commit aeedaee5ef5468caf59e2bb1265c2116e0c9a924 ]
Moved IRQ registration down to end of adv7511_probe().
If an IRQ already is pending during adv7511_probe
(before adv7511_cec_init) then cec_received_msg_ts
could crash using uninitialized data:
Unable to handle kernel read from unreadable memory at virtual address 00000000000003d5
Internal error: Oops: 96000004 [#1] PREEMPT_RT SMP
Call trace:
cec_received_msg_ts+0x48/0x990 [cec]
adv7511_cec_irq_process+0x1cc/0x308 [adv7511]
adv7511_irq_process+0xd8/0x120 [adv7511]
adv7511_irq_handler+0x1c/0x30 [adv7511]
irq_thread_fn+0x30/0xa0
irq_thread+0x14c/0x238
kthread+0x190/0x1a8
Fixes: 3b1b975003e4 ("drm: adv7511/33: add HDMI CEC support")
Signed-off-by: Mads Bligaard Nielsen <bli@bang-olufsen.dk>
Signed-off-by: Alvin Šipraga <alsi@bang-olufsen.dk>
Reviewed-by: Robert Foss <rfoss@kernel.org>
Signed-off-by: Robert Foss <rfoss@kernel.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20240219-adv7511-cec-irq-crash-fix-v2-1-245e53c4b96f@bang-olufsen.dk
(cherry picked from commit aeedaee5ef5468caf59e2bb1265c2116e0c9a924)
[Harshit: CVE-2024-26876; Resolve conflicts due to missing commit:
c75551214858 ("drm: adv7511: Add has_dsi variable to struct
adv7511_chip_info") in 6.6.y and adv7511_chip_info struct is also not
defined]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 22 +++++++++++-----------
1 file changed, 11 insertions(+), 11 deletions(-)
--- a/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
+++ b/drivers/gpu/drm/bridge/adv7511/adv7511_drv.c
@@ -1291,17 +1291,6 @@ static int adv7511_probe(struct i2c_clie
INIT_WORK(&adv7511->hpd_work, adv7511_hpd_work);
- if (i2c->irq) {
- init_waitqueue_head(&adv7511->wq);
-
- ret = devm_request_threaded_irq(dev, i2c->irq, NULL,
- adv7511_irq_handler,
- IRQF_ONESHOT, dev_name(dev),
- adv7511);
- if (ret)
- goto err_unregister_cec;
- }
-
adv7511_power_off(adv7511);
i2c_set_clientdata(i2c, adv7511);
@@ -1325,6 +1314,17 @@ static int adv7511_probe(struct i2c_clie
adv7511_audio_init(dev, adv7511);
+ if (i2c->irq) {
+ init_waitqueue_head(&adv7511->wq);
+
+ ret = devm_request_threaded_irq(dev, i2c->irq, NULL,
+ adv7511_irq_handler,
+ IRQF_ONESHOT, dev_name(dev),
+ adv7511);
+ if (ret)
+ goto err_unregister_audio;
+ }
+
if (adv7511->type == ADV7533 || adv7511->type == ADV7535) {
ret = adv7533_attach_dsi(adv7511);
if (ret)
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 374/386] efi/unaccepted: touch soft lockup during memory accept
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (372 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 373/386] drm/bridge: adv7511: fix crash on irq during probe Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 375/386] platform/x86: think-lmi: Fix password opcode ordering for workstations Greg Kroah-Hartman
` (22 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Md Iqbal Hossain, Chen Yu,
Kirill A. Shutemov, Ard Biesheuvel, Harshit Mogalapalli,
Vegard Nossum
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen Yu <yu.c.chen@intel.com>
[ Upstream commit 1c5a1627f48105cbab81d25ec2f72232bfaa8185 ]
Commit 50e782a86c98 ("efi/unaccepted: Fix soft lockups caused by
parallel memory acceptance") has released the spinlock so other CPUs can
do memory acceptance in parallel and not triggers softlockup on other
CPUs.
However the softlock up was intermittent shown up if the memory of the
TD guest is large, and the timeout of softlockup is set to 1 second:
RIP: 0010:_raw_spin_unlock_irqrestore
Call Trace:
? __hrtimer_run_queues
<IRQ>
? hrtimer_interrupt
? watchdog_timer_fn
? __sysvec_apic_timer_interrupt
? __pfx_watchdog_timer_fn
? sysvec_apic_timer_interrupt
</IRQ>
? __hrtimer_run_queues
<TASK>
? hrtimer_interrupt
? asm_sysvec_apic_timer_interrupt
? _raw_spin_unlock_irqrestore
? __sysvec_apic_timer_interrupt
? sysvec_apic_timer_interrupt
accept_memory
try_to_accept_memory
do_huge_pmd_anonymous_page
get_page_from_freelist
__handle_mm_fault
__alloc_pages
__folio_alloc
? __tdx_hypercall
handle_mm_fault
vma_alloc_folio
do_user_addr_fault
do_huge_pmd_anonymous_page
exc_page_fault
? __do_huge_pmd_anonymous_page
asm_exc_page_fault
__handle_mm_fault
When the local irq is enabled at the end of accept_memory(), the
softlockup detects that the watchdog on single CPU has not been fed for
a while. That is to say, even other CPUs will not be blocked by
spinlock, the current CPU might be stunk with local irq disabled for a
while, which hurts not only nmi watchdog but also softlockup.
Chao Gao pointed out that the memory accept could be time costly and
there was similar report before. Thus to avoid any softlocup detection
during this stage, give the softlockup a flag to skip the timeout check
at the end of accept_memory(), by invoking touch_softlockup_watchdog().
Reported-by: Md Iqbal Hossain <md.iqbal.hossain@intel.com>
Signed-off-by: Chen Yu <yu.c.chen@intel.com>
Reviewed-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Fixes: 50e782a86c98 ("efi/unaccepted: Fix soft lockups caused by parallel memory acceptance")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
(cherry picked from commit 1c5a1627f48105cbab81d25ec2f72232bfaa8185)
[Harshit: CVE-2024-36936; Minor conflict resolution due to header file
differences due to missing commit: 7cd34dd3c9bf ("efi/unaccepted: do not
let /proc/vmcore try to access unaccepted memory") in 6.6.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/efi/unaccepted_memory.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/firmware/efi/unaccepted_memory.c
+++ b/drivers/firmware/efi/unaccepted_memory.c
@@ -3,6 +3,7 @@
#include <linux/efi.h>
#include <linux/memblock.h>
#include <linux/spinlock.h>
+#include <linux/nmi.h>
#include <asm/unaccepted_memory.h>
/* Protects unaccepted memory bitmap and accepting_list */
@@ -148,6 +149,9 @@ retry:
}
list_del(&range.list);
+
+ touch_softlockup_watchdog();
+
spin_unlock_irqrestore(&unaccepted_memory_lock, flags);
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 375/386] platform/x86: think-lmi: Fix password opcode ordering for workstations
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (373 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 374/386] efi/unaccepted: touch soft lockup during memory accept Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 376/386] null_blk: Remove usage of the deprecated ida_simple_xx() API Greg Kroah-Hartman
` (21 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Pearson, Ilpo Järvinen,
Hans de Goede, Harshit Mogalapalli, Vegard Nossum
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mark Pearson <mpearson-lenovo@squebb.ca>
[ Upstream commit 6f7d0f5fd8e440c3446560100ac4ff9a55eec340 ]
The Lenovo workstations require the password opcode to be run before
the attribute value is changed (if Admin password is enabled).
Tested on some Thinkpads to confirm they are OK with this order too.
Signed-off-by: Mark Pearson <mpearson-lenovo@squebb.ca>
Fixes: 640a5fa50a42 ("platform/x86: think-lmi: Opcode support")
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20240209152359.528919-1-mpearson-lenovo@squebb.ca
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
(cherry picked from commit 6f7d0f5fd8e440c3446560100ac4ff9a55eec340)
[Harshit: CVE-2024-26836; Resolve conflicts due to missing commit:
318d97849fc2 ("platform/x86: think-lmi: Add bulk save feature") which is
not in 6.6.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/think-lmi.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
--- a/drivers/platform/x86/think-lmi.c
+++ b/drivers/platform/x86/think-lmi.c
@@ -1021,7 +1021,16 @@ static ssize_t current_value_store(struc
* Note - this sets the variable and then the password as separate
* WMI calls. Function tlmi_save_bios_settings will error if the
* password is incorrect.
+ * Workstation's require the opcode to be set before changing the
+ * attribute.
*/
+ if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
+ ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin",
+ tlmi_priv.pwd_admin->password);
+ if (ret)
+ goto out;
+ }
+
set_str = kasprintf(GFP_KERNEL, "%s,%s;", setting->display_name,
new_setting);
if (!set_str) {
@@ -1033,13 +1042,6 @@ static ssize_t current_value_store(struc
if (ret)
goto out;
- if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
- ret = tlmi_opcode_setting("WmiOpcodePasswordAdmin",
- tlmi_priv.pwd_admin->password);
- if (ret)
- goto out;
- }
-
ret = tlmi_save_bios_settings("");
} else { /* old non-opcode based authentication method (deprecated) */
if (tlmi_priv.pwd_admin->valid && tlmi_priv.pwd_admin->password[0]) {
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 376/386] null_blk: Remove usage of the deprecated ida_simple_xx() API
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (374 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 375/386] platform/x86: think-lmi: Fix password opcode ordering for workstations Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 377/386] null_blk: fix null-ptr-dereference while configuring power and submit_queues Greg Kroah-Hartman
` (20 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Jens Axboe,
Harshit Mogalapalli, Vegard Nossum
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
[ Upstream commit 95931a245b44ee04f3359ec432e73614d44d8b38 ]
ida_alloc() and ida_free() should be preferred to the deprecated
ida_simple_get() and ida_simple_remove().
This is less verbose.
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Link: https://lore.kernel.org/r/bf257b1078475a415cdc3344c6a750842946e367.1705222845.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit 95931a245b44ee04f3359ec432e73614d44d8b38)
[Harshit: backport to 6.6.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/null_blk/main.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/block/null_blk/main.c
+++ b/drivers/block/null_blk/main.c
@@ -1819,7 +1819,7 @@ static void null_del_dev(struct nullb *n
dev = nullb->dev;
- ida_simple_remove(&nullb_indexes, nullb->index);
+ ida_free(&nullb_indexes, nullb->index);
list_del_init(&nullb->list);
@@ -2154,7 +2154,7 @@ static int null_add_dev(struct nullb_dev
blk_queue_flag_set(QUEUE_FLAG_NONROT, nullb->q);
mutex_lock(&lock);
- rv = ida_simple_get(&nullb_indexes, 0, 0, GFP_KERNEL);
+ rv = ida_alloc(&nullb_indexes, GFP_KERNEL);
if (rv < 0) {
mutex_unlock(&lock);
goto out_cleanup_zone;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 377/386] null_blk: fix null-ptr-dereference while configuring power and submit_queues
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (375 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 376/386] null_blk: Remove usage of the deprecated ida_simple_xx() API Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 378/386] net: stmmac: move the EST lock to struct stmmac_priv Greg Kroah-Hartman
` (19 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Yu Kuai, Zhu Yanjun, Jens Axboe,
Harshit Mogalapalli, Vegard Nossum, Yi Zhang
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Yu Kuai <yukuai3@huawei.com>
[ Upstream commit a2db328b0839312c169eb42746ec46fc1ab53ed2 ]
Writing 'power' and 'submit_queues' concurrently will trigger kernel
panic:
Test script:
modprobe null_blk nr_devices=0
mkdir -p /sys/kernel/config/nullb/nullb0
while true; do echo 1 > submit_queues; echo 4 > submit_queues; done &
while true; do echo 1 > power; echo 0 > power; done
Test result:
BUG: kernel NULL pointer dereference, address: 0000000000000148
Oops: 0000 [#1] PREEMPT SMP
RIP: 0010:__lock_acquire+0x41d/0x28f0
Call Trace:
<TASK>
lock_acquire+0x121/0x450
down_write+0x5f/0x1d0
simple_recursive_removal+0x12f/0x5c0
blk_mq_debugfs_unregister_hctxs+0x7c/0x100
blk_mq_update_nr_hw_queues+0x4a3/0x720
nullb_update_nr_hw_queues+0x71/0xf0 [null_blk]
nullb_device_submit_queues_store+0x79/0xf0 [null_blk]
configfs_write_iter+0x119/0x1e0
vfs_write+0x326/0x730
ksys_write+0x74/0x150
This is because del_gendisk() can concurrent with
blk_mq_update_nr_hw_queues():
nullb_device_power_store nullb_apply_submit_queues
null_del_dev
del_gendisk
nullb_update_nr_hw_queues
if (!dev->nullb)
// still set while gendisk is deleted
return 0
blk_mq_update_nr_hw_queues
dev->nullb = NULL
Fix this problem by resuing the global mutex to protect
nullb_device_power_store() and nullb_update_nr_hw_queues() from configfs.
Fixes: 45919fbfe1c4 ("null_blk: Enable modifying 'submit_queues' after an instance has been configured")
Reported-and-tested-by: Yi Zhang <yi.zhang@redhat.com>
Closes: https://lore.kernel.org/all/CAHj4cs9LgsHLnjg8z06LQ3Pr5cax-+Ps+xT7AP7TPnEjStuwZA@mail.gmail.com/
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Zhu Yanjun <yanjun.zhu@linux.dev>
Link: https://lore.kernel.org/r/20240523153934.1937851-1-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
(cherry picked from commit a2db328b0839312c169eb42746ec46fc1ab53ed2)
[Harshit: CVE-2024-36478; Resolve conflicts due to missing commit:
e440626b1caf ("null_blk: pass queue_limits to blk_mq_alloc_disk") in
6.6.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/null_blk/main.c | 40 ++++++++++++++++++++++++++--------------
1 file changed, 26 insertions(+), 14 deletions(-)
--- a/drivers/block/null_blk/main.c
+++ b/drivers/block/null_blk/main.c
@@ -392,13 +392,25 @@ static int nullb_update_nr_hw_queues(str
static int nullb_apply_submit_queues(struct nullb_device *dev,
unsigned int submit_queues)
{
- return nullb_update_nr_hw_queues(dev, submit_queues, dev->poll_queues);
+ int ret;
+
+ mutex_lock(&lock);
+ ret = nullb_update_nr_hw_queues(dev, submit_queues, dev->poll_queues);
+ mutex_unlock(&lock);
+
+ return ret;
}
static int nullb_apply_poll_queues(struct nullb_device *dev,
unsigned int poll_queues)
{
- return nullb_update_nr_hw_queues(dev, dev->submit_queues, poll_queues);
+ int ret;
+
+ mutex_lock(&lock);
+ ret = nullb_update_nr_hw_queues(dev, dev->submit_queues, poll_queues);
+ mutex_unlock(&lock);
+
+ return ret;
}
NULLB_DEVICE_ATTR(size, ulong, NULL);
@@ -444,28 +456,31 @@ static ssize_t nullb_device_power_store(
if (ret < 0)
return ret;
+ ret = count;
+ mutex_lock(&lock);
if (!dev->power && newp) {
if (test_and_set_bit(NULLB_DEV_FL_UP, &dev->flags))
- return count;
+ goto out;
+
ret = null_add_dev(dev);
if (ret) {
clear_bit(NULLB_DEV_FL_UP, &dev->flags);
- return ret;
+ goto out;
}
set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);
dev->power = newp;
} else if (dev->power && !newp) {
if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) {
- mutex_lock(&lock);
dev->power = newp;
null_del_dev(dev->nullb);
- mutex_unlock(&lock);
}
clear_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);
}
- return count;
+out:
+ mutex_unlock(&lock);
+ return ret;
}
CONFIGFS_ATTR(nullb_device_, power);
@@ -2153,15 +2168,12 @@ static int null_add_dev(struct nullb_dev
nullb->q->queuedata = nullb;
blk_queue_flag_set(QUEUE_FLAG_NONROT, nullb->q);
- mutex_lock(&lock);
rv = ida_alloc(&nullb_indexes, GFP_KERNEL);
- if (rv < 0) {
- mutex_unlock(&lock);
+ if (rv < 0)
goto out_cleanup_zone;
- }
+
nullb->index = rv;
dev->index = rv;
- mutex_unlock(&lock);
blk_queue_logical_block_size(nullb->q, dev->blocksize);
blk_queue_physical_block_size(nullb->q, dev->blocksize);
@@ -2185,9 +2197,7 @@ static int null_add_dev(struct nullb_dev
if (rv)
goto out_ida_free;
- mutex_lock(&lock);
list_add_tail(&nullb->list, &nullb_list);
- mutex_unlock(&lock);
pr_info("disk %s created\n", nullb->disk_name);
@@ -2236,7 +2246,9 @@ static int null_create_dev(void)
if (!dev)
return -ENOMEM;
+ mutex_lock(&lock);
ret = null_add_dev(dev);
+ mutex_unlock(&lock);
if (ret) {
null_free_dev(dev);
return ret;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 378/386] net: stmmac: move the EST lock to struct stmmac_priv
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (376 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 377/386] null_blk: fix null-ptr-dereference while configuring power and submit_queues Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 379/386] rxrpc: Fix a race between socket set up and I/O thread creation Greg Kroah-Hartman
` (18 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xiaolei Wang, Simon Horman,
Serge Semin, Andrew Halaney, Jakub Kicinski, Harshit Mogalapalli,
Vegard Nossum
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xiaolei Wang <xiaolei.wang@windriver.com>
[ Upstream commit 36ac9e7f2e5786bd37c5cd91132e1f39c29b8197 ]
Reinitialize the whole EST structure would also reset the mutex
lock which is embedded in the EST structure, and then trigger
the following warning. To address this, move the lock to struct
stmmac_priv. We also need to reacquire the mutex lock when doing
this initialization.
DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 3 PID: 505 at kernel/locking/mutex.c:587 __mutex_lock+0xd84/0x1068
Modules linked in:
CPU: 3 PID: 505 Comm: tc Not tainted 6.9.0-rc6-00053-g0106679839f7-dirty #29
Hardware name: NXP i.MX8MPlus EVK board (DT)
pstate: 60000005 (nZCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : __mutex_lock+0xd84/0x1068
lr : __mutex_lock+0xd84/0x1068
sp : ffffffc0864e3570
x29: ffffffc0864e3570 x28: ffffffc0817bdc78 x27: 0000000000000003
x26: ffffff80c54f1808 x25: ffffff80c9164080 x24: ffffffc080d723ac
x23: 0000000000000000 x22: 0000000000000002 x21: 0000000000000000
x20: 0000000000000000 x19: ffffffc083bc3000 x18: ffffffffffffffff
x17: ffffffc08117b080 x16: 0000000000000002 x15: ffffff80d2d40000
x14: 00000000000002da x13: ffffff80d2d404b8 x12: ffffffc082b5a5c8
x11: ffffffc082bca680 x10: ffffffc082bb2640 x9 : ffffffc082bb2698
x8 : 0000000000017fe8 x7 : c0000000ffffefff x6 : 0000000000000001
x5 : ffffff8178fe0d48 x4 : 0000000000000000 x3 : 0000000000000027
x2 : ffffff8178fe0d50 x1 : 0000000000000000 x0 : 0000000000000000
Call trace:
__mutex_lock+0xd84/0x1068
mutex_lock_nested+0x28/0x34
tc_setup_taprio+0x118/0x68c
stmmac_setup_tc+0x50/0xf0
taprio_change+0x868/0xc9c
Fixes: b2aae654a479 ("net: stmmac: add mutex lock to protect est parameters")
Signed-off-by: Xiaolei Wang <xiaolei.wang@windriver.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Serge Semin <fancer.lancer@gmail.com>
Reviewed-by: Andrew Halaney <ahalaney@redhat.com>
Link: https://lore.kernel.org/r/20240513014346.1718740-2-xiaolei.wang@windriver.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
(cherry picked from commit 36ac9e7f2e5786bd37c5cd91132e1f39c29b8197)
[Harshit: CVE-2024-38594; resolved conflicts due to missing commit:
5ca63ffdb94b ("net: stmmac: Report taprio offload status") in 6.6.y]
Signed-off-by: Harshit Mogalapalli <harshit.m.mogalapalli@oracle.com>
Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/stmicro/stmmac/stmmac.h | 2 ++
drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c | 8 ++++----
drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c | 18 ++++++++++--------
include/linux/stmmac.h | 1 -
4 files changed, 16 insertions(+), 13 deletions(-)
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac.h
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac.h
@@ -248,6 +248,8 @@ struct stmmac_priv {
struct stmmac_extra_stats xstats ____cacheline_aligned_in_smp;
struct stmmac_safety_stats sstats;
struct plat_stmmacenet_data *plat;
+ /* Protect est parameters */
+ struct mutex est_lock;
struct dma_features dma_cap;
struct stmmac_counters mmc;
int hw_cap_support;
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_ptp.c
@@ -70,11 +70,11 @@ static int stmmac_adjust_time(struct ptp
/* If EST is enabled, disabled it before adjust ptp time. */
if (priv->plat->est && priv->plat->est->enable) {
est_rst = true;
- mutex_lock(&priv->plat->est->lock);
+ mutex_lock(&priv->est_lock);
priv->plat->est->enable = false;
stmmac_est_configure(priv, priv->ioaddr, priv->plat->est,
priv->plat->clk_ptp_rate);
- mutex_unlock(&priv->plat->est->lock);
+ mutex_unlock(&priv->est_lock);
}
write_lock_irqsave(&priv->ptp_lock, flags);
@@ -87,7 +87,7 @@ static int stmmac_adjust_time(struct ptp
ktime_t current_time_ns, basetime;
u64 cycle_time;
- mutex_lock(&priv->plat->est->lock);
+ mutex_lock(&priv->est_lock);
priv->ptp_clock_ops.gettime64(&priv->ptp_clock_ops, ¤t_time);
current_time_ns = timespec64_to_ktime(current_time);
time.tv_nsec = priv->plat->est->btr_reserve[0];
@@ -104,7 +104,7 @@ static int stmmac_adjust_time(struct ptp
priv->plat->est->enable = true;
ret = stmmac_est_configure(priv, priv->ioaddr, priv->plat->est,
priv->plat->clk_ptp_rate);
- mutex_unlock(&priv->plat->est->lock);
+ mutex_unlock(&priv->est_lock);
if (ret)
netdev_err(priv->dev, "failed to configure EST\n");
}
--- a/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
+++ b/drivers/net/ethernet/stmicro/stmmac/stmmac_tc.c
@@ -984,17 +984,19 @@ static int tc_setup_taprio(struct stmmac
if (!plat->est)
return -ENOMEM;
- mutex_init(&priv->plat->est->lock);
+ mutex_init(&priv->est_lock);
} else {
+ mutex_lock(&priv->est_lock);
memset(plat->est, 0, sizeof(*plat->est));
+ mutex_unlock(&priv->est_lock);
}
size = qopt->num_entries;
- mutex_lock(&priv->plat->est->lock);
+ mutex_lock(&priv->est_lock);
priv->plat->est->gcl_size = size;
priv->plat->est->enable = qopt->cmd == TAPRIO_CMD_REPLACE;
- mutex_unlock(&priv->plat->est->lock);
+ mutex_unlock(&priv->est_lock);
for (i = 0; i < size; i++) {
s64 delta_ns = qopt->entries[i].interval;
@@ -1025,7 +1027,7 @@ static int tc_setup_taprio(struct stmmac
priv->plat->est->gcl[i] = delta_ns | (gates << wid);
}
- mutex_lock(&priv->plat->est->lock);
+ mutex_lock(&priv->est_lock);
/* Adjust for real system time */
priv->ptp_clock_ops.gettime64(&priv->ptp_clock_ops, ¤t_time);
current_time_ns = timespec64_to_ktime(current_time);
@@ -1044,7 +1046,7 @@ static int tc_setup_taprio(struct stmmac
priv->plat->est->ctr[1] = (u32)ctr;
if (fpe && !priv->dma_cap.fpesel) {
- mutex_unlock(&priv->plat->est->lock);
+ mutex_unlock(&priv->est_lock);
return -EOPNOTSUPP;
}
@@ -1055,7 +1057,7 @@ static int tc_setup_taprio(struct stmmac
ret = stmmac_est_configure(priv, priv->ioaddr, priv->plat->est,
priv->plat->clk_ptp_rate);
- mutex_unlock(&priv->plat->est->lock);
+ mutex_unlock(&priv->est_lock);
if (ret) {
netdev_err(priv->dev, "failed to configure EST\n");
goto disable;
@@ -1072,11 +1074,11 @@ static int tc_setup_taprio(struct stmmac
disable:
if (priv->plat->est) {
- mutex_lock(&priv->plat->est->lock);
+ mutex_lock(&priv->est_lock);
priv->plat->est->enable = false;
stmmac_est_configure(priv, priv->ioaddr, priv->plat->est,
priv->plat->clk_ptp_rate);
- mutex_unlock(&priv->plat->est->lock);
+ mutex_unlock(&priv->est_lock);
}
priv->plat->fpe_cfg->enable = false;
--- a/include/linux/stmmac.h
+++ b/include/linux/stmmac.h
@@ -117,7 +117,6 @@ struct stmmac_axi {
#define EST_GCL 1024
struct stmmac_est {
- struct mutex lock;
int enable;
u32 btr_reserve[2];
u32 btr_offset[2];
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 379/386] rxrpc: Fix a race between socket set up and I/O thread creation
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (377 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 378/386] net: stmmac: move the EST lock to struct stmmac_priv Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 380/386] vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Greg Kroah-Hartman
` (17 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Howells, yuxuanzhe,
Marc Dionne, Simon Horman, linux-afs, Eric Dumazet,
Jakub Kicinski
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
commit bc212465326e8587325f520a052346f0b57360e6 upstream.
In rxrpc_open_socket(), it sets up the socket and then sets up the I/O
thread that will handle it. This is a problem, however, as there's a gap
between the two phases in which a packet may come into rxrpc_encap_rcv()
from the UDP packet but we oops when trying to wake the not-yet created I/O
thread.
As a quick fix, just make rxrpc_encap_rcv() discard the packet if there's
no I/O thread yet.
A better, but more intrusive fix would perhaps be to rearrange things such
that the socket creation is done by the I/O thread.
Fixes: a275da62e8c1 ("rxrpc: Create a per-local endpoint receive queue and I/O thread")
Signed-off-by: David Howells <dhowells@redhat.com>
cc: yuxuanzhe@outlook.com
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241001132702.3122709-2-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rxrpc/ar-internal.h | 2 +-
net/rxrpc/io_thread.c | 10 ++++++++--
net/rxrpc/local_object.c | 2 +-
3 files changed, 10 insertions(+), 4 deletions(-)
--- a/net/rxrpc/ar-internal.h
+++ b/net/rxrpc/ar-internal.h
@@ -1066,7 +1066,7 @@ bool rxrpc_direct_abort(struct sk_buff *
int rxrpc_io_thread(void *data);
static inline void rxrpc_wake_up_io_thread(struct rxrpc_local *local)
{
- wake_up_process(local->io_thread);
+ wake_up_process(READ_ONCE(local->io_thread));
}
static inline bool rxrpc_protocol_error(struct sk_buff *skb, enum rxrpc_abort_reason why)
--- a/net/rxrpc/io_thread.c
+++ b/net/rxrpc/io_thread.c
@@ -27,11 +27,17 @@ int rxrpc_encap_rcv(struct sock *udp_sk,
{
struct sk_buff_head *rx_queue;
struct rxrpc_local *local = rcu_dereference_sk_user_data(udp_sk);
+ struct task_struct *io_thread;
if (unlikely(!local)) {
kfree_skb(skb);
return 0;
}
+ io_thread = READ_ONCE(local->io_thread);
+ if (!io_thread) {
+ kfree_skb(skb);
+ return 0;
+ }
if (skb->tstamp == 0)
skb->tstamp = ktime_get_real();
@@ -47,7 +53,7 @@ int rxrpc_encap_rcv(struct sock *udp_sk,
#endif
skb_queue_tail(rx_queue, skb);
- rxrpc_wake_up_io_thread(local);
+ wake_up_process(io_thread);
return 0;
}
@@ -554,7 +560,7 @@ int rxrpc_io_thread(void *data)
__set_current_state(TASK_RUNNING);
rxrpc_see_local(local, rxrpc_local_stop);
rxrpc_destroy_local(local);
- local->io_thread = NULL;
+ WRITE_ONCE(local->io_thread, NULL);
rxrpc_see_local(local, rxrpc_local_stopped);
return 0;
}
--- a/net/rxrpc/local_object.c
+++ b/net/rxrpc/local_object.c
@@ -232,7 +232,7 @@ static int rxrpc_open_socket(struct rxrp
}
wait_for_completion(&local->io_thread_ready);
- local->io_thread = io_thread;
+ WRITE_ONCE(local->io_thread, io_thread);
_leave(" = 0");
return 0;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 380/386] vhost/scsi: null-ptr-dereference in vhost_scsi_get_req()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (378 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 379/386] rxrpc: Fix a race between socket set up and I/O thread creation Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 381/386] crypto: octeontx* - Select CRYPTO_AUTHENC Greg Kroah-Hartman
` (16 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haoran Zhang, Mike Christie,
Michael S. Tsirkin
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haoran Zhang <wh1sper@zju.edu.cn>
commit 221af82f606d928ccef19a16d35633c63026f1be upstream.
Since commit 3f8ca2e115e5 ("vhost/scsi: Extract common handling code
from control queue handler") a null pointer dereference bug can be
triggered when guest sends an SCSI AN request.
In vhost_scsi_ctl_handle_vq(), `vc.target` is assigned with
`&v_req.tmf.lun[1]` within a switch-case block and is then passed to
vhost_scsi_get_req() which extracts `vc->req` and `tpg`. However, for
a `VIRTIO_SCSI_T_AN_*` request, tpg is not required, so `vc.target` is
set to NULL in this branch. Later, in vhost_scsi_get_req(),
`vc->target` is dereferenced without being checked, leading to a null
pointer dereference bug. This bug can be triggered from guest.
When this bug occurs, the vhost_worker process is killed while holding
`vq->mutex` and the corresponding tpg will remain occupied
indefinitely.
Below is the KASAN report:
Oops: general protection fault, probably for non-canonical address
0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 1 PID: 840 Comm: poc Not tainted 6.10.0+ #1
Hardware name: QEMU Ubuntu 24.04 PC (i440FX + PIIX, 1996), BIOS
1.16.3-debian-1.16.3-2 04/01/2014
RIP: 0010:vhost_scsi_get_req+0x165/0x3a0
Code: 00 fc ff df 48 89 fa 48 c1 ea 03 80 3c 02 00 0f 85 2b 02 00 00
48 b8 00 00 00 00 00 fc ff df 4d 8b 65 30 4c 89 e2 48 c1 ea 03 <0f> b6
04 02 4c 89 e2 83 e2 07 38 d0 7f 08 84 c0 0f 85 be 01 00 00
RSP: 0018:ffff888017affb50 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: ffff88801b000000 RCX: 0000000000000000
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888017affcb8
RBP: ffff888017affb80 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000000000
R13: ffff888017affc88 R14: ffff888017affd1c R15: ffff888017993000
FS: 000055556e076500(0000) GS:ffff88806b100000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00000000200027c0 CR3: 0000000010ed0004 CR4: 0000000000370ef0
Call Trace:
<TASK>
? show_regs+0x86/0xa0
? die_addr+0x4b/0xd0
? exc_general_protection+0x163/0x260
? asm_exc_general_protection+0x27/0x30
? vhost_scsi_get_req+0x165/0x3a0
vhost_scsi_ctl_handle_vq+0x2a4/0xca0
? __pfx_vhost_scsi_ctl_handle_vq+0x10/0x10
? __switch_to+0x721/0xeb0
? __schedule+0xda5/0x5710
? __kasan_check_write+0x14/0x30
? _raw_spin_lock+0x82/0xf0
vhost_scsi_ctl_handle_kick+0x52/0x90
vhost_run_work_list+0x134/0x1b0
vhost_task_fn+0x121/0x350
...
</TASK>
---[ end trace 0000000000000000 ]---
Let's add a check in vhost_scsi_get_req.
Fixes: 3f8ca2e115e5 ("vhost/scsi: Extract common handling code from control queue handler")
Signed-off-by: Haoran Zhang <wh1sper@zju.edu.cn>
[whitespace fixes]
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Message-Id: <b26d7ddd-b098-4361-88f8-17ca7f90adf7@oracle.com>
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/vhost/scsi.c | 25 ++++++++++++++-----------
1 file changed, 14 insertions(+), 11 deletions(-)
--- a/drivers/vhost/scsi.c
+++ b/drivers/vhost/scsi.c
@@ -1018,20 +1018,23 @@ vhost_scsi_get_req(struct vhost_virtqueu
/* virtio-scsi spec requires byte 0 of the lun to be 1 */
vq_err(vq, "Illegal virtio-scsi lun: %u\n", *vc->lunp);
} else {
- struct vhost_scsi_tpg **vs_tpg, *tpg;
+ struct vhost_scsi_tpg **vs_tpg, *tpg = NULL;
- vs_tpg = vhost_vq_get_backend(vq); /* validated at handler entry */
-
- tpg = READ_ONCE(vs_tpg[*vc->target]);
- if (unlikely(!tpg)) {
- vq_err(vq, "Target 0x%x does not exist\n", *vc->target);
- } else {
- if (tpgp)
- *tpgp = tpg;
- ret = 0;
+ if (vc->target) {
+ /* validated at handler entry */
+ vs_tpg = vhost_vq_get_backend(vq);
+ tpg = READ_ONCE(vs_tpg[*vc->target]);
+ if (unlikely(!tpg)) {
+ vq_err(vq, "Target 0x%x does not exist\n", *vc->target);
+ goto out;
+ }
}
- }
+ if (tpgp)
+ *tpgp = tpg;
+ ret = 0;
+ }
+out:
return ret;
}
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 381/386] crypto: octeontx* - Select CRYPTO_AUTHENC
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (379 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 380/386] vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 382/386] drm/amd/display: Revert Avoid overflow assignment Greg Kroah-Hartman
` (15 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, kernel test robot, Herbert Xu
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit c398cb8eb0a263a1b7a18892d9f244751689675c upstream.
Select CRYPTO_AUTHENC as the function crypto_authenec_extractkeys
may not be available without it.
Fixes: 311eea7e37c4 ("crypto: octeontx - Fix authenc setkey")
Fixes: 7ccb750dcac8 ("crypto: octeontx2 - Fix authenc setkey")
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202409042013.gT2ZI4wR-lkp@intel.com/
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/crypto/marvell/Kconfig | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/crypto/marvell/Kconfig b/drivers/crypto/marvell/Kconfig
index a48591af12d0..78217577aa54 100644
--- a/drivers/crypto/marvell/Kconfig
+++ b/drivers/crypto/marvell/Kconfig
@@ -28,6 +28,7 @@ config CRYPTO_DEV_OCTEONTX_CPT
select CRYPTO_SKCIPHER
select CRYPTO_HASH
select CRYPTO_AEAD
+ select CRYPTO_AUTHENC
select CRYPTO_DEV_MARVELL
help
This driver allows you to utilize the Marvell Cryptographic
@@ -47,6 +48,7 @@ config CRYPTO_DEV_OCTEONTX2_CPT
select CRYPTO_SKCIPHER
select CRYPTO_HASH
select CRYPTO_AEAD
+ select CRYPTO_AUTHENC
select NET_DEVLINK
help
This driver allows you to utilize the Marvell Cryptographic
--
2.46.2
^ permalink raw reply related [flat|nested] 408+ messages in thread
* [PATCH 6.6 382/386] drm/amd/display: Revert Avoid overflow assignment
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (380 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 381/386] crypto: octeontx* - Select CRYPTO_AUTHENC Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 383/386] perf report: Fix segfault when sym sort key is not used Greg Kroah-Hartman
` (14 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alex Hung, Gabe Teeger, Wayne Lin,
Daniel Wheeler, Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gabe Teeger <Gabe.Teeger@amd.com>
commit e80f8f491df873ea2e07c941c747831234814612 upstream.
This reverts commit a15268787b79 ("drm/amd/display: Avoid overflow assignment in link_dp_cts")
Due to regression causing DPMS hang.
Reviewed-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Gabe Teeger <Gabe.Teeger@amd.com>
Signed-off-by: Wayne Lin <wayne.lin@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/dc_dp_types.h | 2 +-
drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c | 3 +--
drivers/gpu/drm/amd/display/include/dpcd_defs.h | 1 -
3 files changed, 2 insertions(+), 4 deletions(-)
--- a/drivers/gpu/drm/amd/display/dc/dc_dp_types.h
+++ b/drivers/gpu/drm/amd/display/dc/dc_dp_types.h
@@ -721,7 +721,7 @@ struct dp_audio_test_data_flags {
struct dp_audio_test_data {
struct dp_audio_test_data_flags flags;
- uint32_t sampling_rate;
+ uint8_t sampling_rate;
uint8_t channel_count;
uint8_t pattern_type;
uint8_t pattern_period[8];
--- a/drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c
+++ b/drivers/gpu/drm/amd/display/dc/link/accessories/link_dp_cts.c
@@ -849,8 +849,7 @@ bool dp_set_test_pattern(
core_link_read_dpcd(link, DP_TRAINING_PATTERN_SET,
&training_pattern.raw,
sizeof(training_pattern));
- if (pattern <= PHY_TEST_PATTERN_END_DP11)
- training_pattern.v1_3.LINK_QUAL_PATTERN_SET = pattern;
+ training_pattern.v1_3.LINK_QUAL_PATTERN_SET = pattern;
core_link_write_dpcd(link, DP_TRAINING_PATTERN_SET,
&training_pattern.raw,
sizeof(training_pattern));
--- a/drivers/gpu/drm/amd/display/include/dpcd_defs.h
+++ b/drivers/gpu/drm/amd/display/include/dpcd_defs.h
@@ -76,7 +76,6 @@ enum dpcd_phy_test_patterns {
PHY_TEST_PATTERN_D10_2,
PHY_TEST_PATTERN_SYMBOL_ERROR,
PHY_TEST_PATTERN_PRBS7,
- PHY_TEST_PATTERN_END_DP11 = PHY_TEST_PATTERN_PRBS7,
PHY_TEST_PATTERN_80BIT_CUSTOM,/* For DP1.2 only */
PHY_TEST_PATTERN_CP2520_1,
PHY_TEST_PATTERN_CP2520_2,
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 383/386] perf report: Fix segfault when sym sort key is not used
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (381 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 382/386] drm/amd/display: Revert Avoid overflow assignment Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 384/386] drm/amd/display: enable_hpo_dp_link_output: Check link_res->hpo_dp_link_enc before using it Greg Kroah-Hartman
` (13 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Namhyung Kim, Adrian Hunter,
Ian Rogers, Ingo Molnar, Jiri Olsa, Kan Liang, Matt Fleming,
Peter Zijlstra, Stephane Eranian, Arnaldo Carvalho de Melo
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Namhyung Kim <namhyung@kernel.org>
commit 9af2efee41b27a0f386fb5aa95d8d0b4b5d9fede upstream.
The fields in the hist_entry are filled on-demand which means they only
have meaningful values when relevant sort keys are used.
So if neither of 'dso' nor 'sym' sort keys are used, the map/symbols in
the hist entry can be garbage. So it shouldn't access it
unconditionally.
I got a segfault, when I wanted to see cgroup profiles.
$ sudo perf record -a --all-cgroups --synth=cgroup true
$ sudo perf report -s cgroup
Program received signal SIGSEGV, Segmentation fault.
0x00005555557a8d90 in map__dso (map=0x0) at util/map.h:48
48 return RC_CHK_ACCESS(map)->dso;
(gdb) bt
#0 0x00005555557a8d90 in map__dso (map=0x0) at util/map.h:48
#1 0x00005555557aa39b in map__load (map=0x0) at util/map.c:344
#2 0x00005555557aa592 in map__find_symbol (map=0x0, addr=140736115941088) at util/map.c:385
#3 0x00005555557ef000 in hists__findnew_entry (hists=0x555556039d60, entry=0x7fffffffa4c0, al=0x7fffffffa8c0, sample_self=true)
at util/hist.c:644
#4 0x00005555557ef61c in __hists__add_entry (hists=0x555556039d60, al=0x7fffffffa8c0, sym_parent=0x0, bi=0x0, mi=0x0, ki=0x0,
block_info=0x0, sample=0x7fffffffaa90, sample_self=true, ops=0x0) at util/hist.c:761
#5 0x00005555557ef71f in hists__add_entry (hists=0x555556039d60, al=0x7fffffffa8c0, sym_parent=0x0, bi=0x0, mi=0x0, ki=0x0,
sample=0x7fffffffaa90, sample_self=true) at util/hist.c:779
#6 0x00005555557f00fb in iter_add_single_normal_entry (iter=0x7fffffffa900, al=0x7fffffffa8c0) at util/hist.c:1015
#7 0x00005555557f09a7 in hist_entry_iter__add (iter=0x7fffffffa900, al=0x7fffffffa8c0, max_stack_depth=127, arg=0x7fffffffbce0)
at util/hist.c:1260
#8 0x00005555555ba7ce in process_sample_event (tool=0x7fffffffbce0, event=0x7ffff7c14128, sample=0x7fffffffaa90, evsel=0x555556039ad0,
machine=0x5555560388e8) at builtin-report.c:334
#9 0x00005555557b30c8 in evlist__deliver_sample (evlist=0x555556039010, tool=0x7fffffffbce0, event=0x7ffff7c14128,
sample=0x7fffffffaa90, evsel=0x555556039ad0, machine=0x5555560388e8) at util/session.c:1232
#10 0x00005555557b32bc in machines__deliver_event (machines=0x5555560388e8, evlist=0x555556039010, event=0x7ffff7c14128,
sample=0x7fffffffaa90, tool=0x7fffffffbce0, file_offset=110888, file_path=0x555556038ff0 "perf.data") at util/session.c:1271
#11 0x00005555557b3848 in perf_session__deliver_event (session=0x5555560386d0, event=0x7ffff7c14128, tool=0x7fffffffbce0,
file_offset=110888, file_path=0x555556038ff0 "perf.data") at util/session.c:1354
#12 0x00005555557affaf in ordered_events__deliver_event (oe=0x555556038e60, event=0x555556135aa0) at util/session.c:132
#13 0x00005555557bb605 in do_flush (oe=0x555556038e60, show_progress=false) at util/ordered-events.c:245
#14 0x00005555557bb95c in __ordered_events__flush (oe=0x555556038e60, how=OE_FLUSH__ROUND, timestamp=0) at util/ordered-events.c:324
#15 0x00005555557bba46 in ordered_events__flush (oe=0x555556038e60, how=OE_FLUSH__ROUND) at util/ordered-events.c:342
#16 0x00005555557b1b3b in perf_event__process_finished_round (tool=0x7fffffffbce0, event=0x7ffff7c15bb8, oe=0x555556038e60)
at util/session.c:780
#17 0x00005555557b3b27 in perf_session__process_user_event (session=0x5555560386d0, event=0x7ffff7c15bb8, file_offset=117688,
file_path=0x555556038ff0 "perf.data") at util/session.c:1406
As you can see the entry->ms.map was NULL even if he->ms.map has a
value. This is because 'sym' sort key is not given, so it cannot assume
whether he->ms.sym and entry->ms.sym is the same. I only checked the
'sym' sort key here as it implies 'dso' behavior (so maps are the same).
Fixes: ac01c8c4246546fd ("perf hist: Update hist symbol when updating maps")
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Cc: Adrian Hunter <adrian.hunter@intel.com>
Cc: Ian Rogers <irogers@google.com>
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Jiri Olsa <jolsa@kernel.org>
Cc: Kan Liang <kan.liang@linux.intel.com>
Cc: Matt Fleming <matt@readmodwrite.com>
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Stephane Eranian <eranian@google.com>
Link: https://lore.kernel.org/r/20240826221045.1202305-2-namhyung@kernel.org
Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/perf/util/hist.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/tools/perf/util/hist.c
+++ b/tools/perf/util/hist.c
@@ -637,7 +637,7 @@ static struct hist_entry *hists__findnew
* mis-adjust symbol addresses when computing
* the history counter to increment.
*/
- if (he->ms.map != entry->ms.map) {
+ if (hists__has(hists, sym) && he->ms.map != entry->ms.map) {
if (he->ms.sym) {
u64 addr = he->ms.sym->start;
he->ms.sym = map__find_symbol(entry->ms.map, addr);
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 384/386] drm/amd/display: enable_hpo_dp_link_output: Check link_res->hpo_dp_link_enc before using it
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (382 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 383/386] perf report: Fix segfault when sym sort key is not used Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 385/386] null_blk: Fix return value of nullb_device_power_store() Greg Kroah-Hartman
` (12 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rodrigo Siqueira, Alex Hung,
Aurabindo Pillai, Alex Deucher
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Alex Hung <alex.hung@amd.com>
commit d925c04d974c657d10471c0c2dba3bc9c7d994ee upstream.
[WHAT & HOW]
Functions dp_enable_link_phy and dp_disable_link_phy can pass link_res
without initializing hpo_dp_link_enc and it is necessary to check for
null before dereferencing.
This fixes 1 FORWARD_NULL issue reported by Coverity.
Fixes: 0beca868cde8 ("drm/amd/display: Check link_res->hpo_dp_link_enc before using it")
Reviewed-by: Rodrigo Siqueira <rodrigo.siqueira@amd.com>
Signed-off-by: Alex Hung <alex.hung@amd.com>
Signed-off-by: Aurabindo Pillai <aurabindo.pillai@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c
+++ b/drivers/gpu/drm/amd/display/dc/link/hwss/link_hwss_hpo_dp.c
@@ -110,6 +110,11 @@ void enable_hpo_dp_link_output(struct dc
enum clock_source_id clock_source,
const struct dc_link_settings *link_settings)
{
+ if (!link_res->hpo_dp_link_enc) {
+ DC_LOG_ERROR("%s: invalid hpo_dp_link_enc\n", __func__);
+ return;
+ }
+
if (link->dc->res_pool->dccg->funcs->set_symclk32_le_root_clock_gating)
link->dc->res_pool->dccg->funcs->set_symclk32_le_root_clock_gating(
link->dc->res_pool->dccg,
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 385/386] null_blk: Fix return value of nullb_device_power_store()
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (383 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 384/386] drm/amd/display: enable_hpo_dp_link_output: Check link_res->hpo_dp_link_enc before using it Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 386/386] Revert "ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path" Greg Kroah-Hartman
` (11 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Yu Kuai,
Kanchan Joshi, Jens Axboe
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
commit d9ff882b54f99f96787fa3df7cd938966843c418 upstream.
When powering on a null_blk device that is not already on, the return
value ret that is initialized to be count is reused to check the return
value of null_add_dev(), leading to nullb_device_power_store() to return
null_add_dev() return value (0 on success) instead of "count".
So make sure to set ret to be equal to count when there are no errors.
Fixes: a2db328b0839 ("null_blk: fix null-ptr-dereference while configuring 'power' and 'submit_queues'")
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Link: https://lore.kernel.org/r/20240527043445.235267-1-dlemoal@kernel.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/block/null_blk/main.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/block/null_blk/main.c
+++ b/drivers/block/null_blk/main.c
@@ -470,6 +470,7 @@ static ssize_t nullb_device_power_store(
set_bit(NULLB_DEV_FL_CONFIGURED, &dev->flags);
dev->power = newp;
+ ret = count;
} else if (dev->power && !newp) {
if (test_and_clear_bit(NULLB_DEV_FL_UP, &dev->flags)) {
dev->power = newp;
^ permalink raw reply [flat|nested] 408+ messages in thread
* [PATCH 6.6 386/386] Revert "ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path"
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (384 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 385/386] null_blk: Fix return value of nullb_device_power_store() Greg Kroah-Hartman
@ 2024-10-08 12:10 ` Greg Kroah-Hartman
2024-10-08 14:58 ` [PATCH 6.6 000/386] 6.6.55-rc1 review Harshit Mogalapalli
` (10 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-08 12:10 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Zhihao Cheng, Richard Weinberger
6.6-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhihao Cheng <chengzhihao1@huawei.com>
commit 7bed61a1cf166b5c113047fc8f60ff22dcb04893 upstream.
This reverts commit 6379b44cdcd67f5f5d986b73953e99700591edfa. Commit
1e022216dcd2 ("ubifs: ubifs_symlink: Fix memleak of inode->i_link in
error path") is applied again in commit 6379b44cdcd6 ("ubifs:
ubifs_symlink: Fix memleak of inode->i_link in error path"), which
changed ubifs_mknod (It won't become a real problem). Just revert it.
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ubifs/dir.c | 2 --
1 file changed, 2 deletions(-)
--- a/fs/ubifs/dir.c
+++ b/fs/ubifs/dir.c
@@ -1126,8 +1126,6 @@ out_cancel:
dir_ui->ui_size = dir->i_size;
mutex_unlock(&dir_ui->ui_mutex);
out_inode:
- /* Free inode->i_link before inode is marked as bad. */
- fscrypt_free_inode(inode);
make_bad_inode(inode);
iput(inode);
out_fname:
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 028/386] net: fec: Restart PPS after link state change
2024-10-08 12:04 ` [PATCH 6.6 028/386] net: fec: Restart PPS after link state change Greg Kroah-Hartman
@ 2024-10-08 13:30 ` Csókás Bence
2024-10-10 9:57 ` Greg Kroah-Hartman
0 siblings, 1 reply; 408+ messages in thread
From: Csókás Bence @ 2024-10-08 13:30 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable; +Cc: patches, Paolo Abeni, Sasha Levin, Wei Fang
Hi!
On 2024. 10. 08. 14:04, Greg Kroah-Hartman wrote:
> 6.6-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Csókás, Bence <csokas.bence@prolan.hu>
>
> [ Upstream commit a1477dc87dc4996dcf65a4893d4e2c3a6b593002 ]
>
> On link state change, the controller gets reset,
> causing PPS to drop out. Re-enable PPS if it was
> enabled before the controller reset.
>
> Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware clock")
> Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
> Link: https://patch.msgid.link/20240924093705.2897329-1-csokas.bence@prolan.hu
> Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> Signed-off-by: Sasha Levin <sashal@kernel.org>
There is a patch waiting to be merged that Fixes: this commit.
Link:
https://lore.kernel.org/netdev/20241008061153.1977930-1-wei.fang@nxp.com/
Bence
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (385 preceding siblings ...)
2024-10-08 12:10 ` [PATCH 6.6 386/386] Revert "ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path" Greg Kroah-Hartman
@ 2024-10-08 14:58 ` Harshit Mogalapalli
2024-10-08 17:55 ` Florian Fainelli
2024-10-10 10:16 ` Greg Kroah-Hartman
2024-10-08 17:05 ` Peter Schneider
` (9 subsequent siblings)
396 siblings, 2 replies; 408+ messages in thread
From: Harshit Mogalapalli @ 2024-10-08 14:58 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie, Vegard Nossum, Darren Kenny
Hi Greg,
On 08/10/24 17:34, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.55 release.
> There are 386 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000.
> Anything received after that time might be too late.
>
...
> Ian Rogers <irogers@google.com>
> perf callchain: Fix stitch LBR memory leaks
>
This patch is causing build failures for tools/perf/
util/machine.c: In function 'save_lbr_cursor_node':
util/machine.c:2540:9: error: implicit declaration of function
'map_symbol__exit'; did you mean 'symbol__exit'?
[-Werror=implicit-function-declaration]
2540 | map_symbol__exit(&lbr_stitch->prev_lbr_cursor[idx].ms);
| ^~~~~~~~~~~~~~~~
| symbol__exit
...
util/thread.c: In function 'thread__free_stitch_list':
util/thread.c:481:17: error: implicit declaration of function
'map_symbol__exit'; did you mean 'symbol__exit'?
[-Werror=implicit-function-declaration]
481 | map_symbol__exit(&pos->cursor.ms);
| ^~~~~~~~~~~~~~~~
| symbol__exit
Thanks,
Harshit
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (386 preceding siblings ...)
2024-10-08 14:58 ` [PATCH 6.6 000/386] 6.6.55-rc1 review Harshit Mogalapalli
@ 2024-10-08 17:05 ` Peter Schneider
2024-10-08 17:29 ` Mark Brown
` (8 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Peter Schneider @ 2024-10-08 17:05 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie
Am 08.10.2024 um 14:04 schrieb Greg Kroah-Hartman:
> This is the start of the stable review cycle for the 6.6.55 release.
> There are 386 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Builds, boots and works on my 2-socket Ivy Bridge Xeon E5-2697 v2 server. No dmesg
oddities or regressions found.
Tested-by: Peter Schneider <pschneider1968@googlemail.com>
Beste Grüße,
Peter Schneider
--
Climb the mountain not to plant your flag, but to embrace the challenge,
enjoy the air and behold the view. Climb it so you can see the world,
not so the world can see you. -- David McCullough Jr.
OpenPGP: 0xA3828BD796CCE11A8CADE8866E3A92C92C3FF244
Download: https://www.peters-netzplatz.de/download/pschneider1968_pub.asc
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@googlemail.com
https://keys.mailvelope.com/pks/lookup?op=get&search=pschneider1968@gmail.com
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (387 preceding siblings ...)
2024-10-08 17:05 ` Peter Schneider
@ 2024-10-08 17:29 ` Mark Brown
2024-10-08 21:59 ` Shuah Khan
` (7 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Mark Brown @ 2024-10-08 17:29 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml
[-- Attachment #1: Type: text/plain, Size: 345 bytes --]
On Tue, Oct 08, 2024 at 02:04:05PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.55 release.
> There are 386 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
Tested-by: Mark Brown <broonie@kernel.org>
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 488 bytes --]
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 14:58 ` [PATCH 6.6 000/386] 6.6.55-rc1 review Harshit Mogalapalli
@ 2024-10-08 17:55 ` Florian Fainelli
2024-10-10 10:16 ` Greg Kroah-Hartman
1 sibling, 0 replies; 408+ messages in thread
From: Florian Fainelli @ 2024-10-08 17:55 UTC (permalink / raw)
To: Harshit Mogalapalli, Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor, allen.lkml, broonie, Vegard Nossum, Darren Kenny
On 10/8/24 07:58, Harshit Mogalapalli wrote:
> Hi Greg,
>
> On 08/10/24 17:34, Greg Kroah-Hartman wrote:
>> This is the start of the stable review cycle for the 6.6.55 release.
>> There are 386 patches in this series, all will be posted as a response
>> to this one. If anyone has any issues with these being applied, please
>> let me know.
>>
>> Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000.
>> Anything received after that time might be too late.
>>
> ...
>
>
>> Ian Rogers <irogers@google.com>
>> perf callchain: Fix stitch LBR memory leaks
>>
>
> This patch is causing build failures for tools/perf/
Yes, same here.
>
> util/machine.c: In function 'save_lbr_cursor_node':
> util/machine.c:2540:9: error: implicit declaration of function
> 'map_symbol__exit'; did you mean 'symbol__exit'? [-Werror=implicit-
> function-declaration]
> 2540 | map_symbol__exit(&lbr_stitch->prev_lbr_cursor[idx].ms);
> | ^~~~~~~~~~~~~~~~
> | symbol__exit
> ...
>
> util/thread.c: In function 'thread__free_stitch_list':
> util/thread.c:481:17: error: implicit declaration of function
> 'map_symbol__exit'; did you mean 'symbol__exit'? [-Werror=implicit-
> function-declaration]
> 481 | map_symbol__exit(&pos->cursor.ms);
> | ^~~~~~~~~~~~~~~~
> | symbol__exit
>
>
>
> Thanks,
> Harshit
--
Florian
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (388 preceding siblings ...)
2024-10-08 17:29 ` Mark Brown
@ 2024-10-08 21:59 ` Shuah Khan
2024-10-09 6:24 ` Naresh Kamboju
` (6 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Shuah Khan @ 2024-10-08 21:59 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie, Shuah Khan
On 10/8/24 06:04, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.55 release.
> There are 386 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.55-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
Compiled and booted on my test system. No dmesg regressions.
Tested-by: Shuah Khan <skhan@linuxfoundation.org>
thanks,
-- Shuah
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (389 preceding siblings ...)
2024-10-08 21:59 ` Shuah Khan
@ 2024-10-09 6:24 ` Naresh Kamboju
2024-10-09 6:49 ` Harshit Mogalapalli
2024-10-09 12:48 ` Takeshi Ogasawara
` (5 subsequent siblings)
396 siblings, 1 reply; 408+ messages in thread
From: Naresh Kamboju @ 2024-10-09 6:24 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
On Tue, 8 Oct 2024 at 18:40, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.55 release.
> There are 386 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.55-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
The LTP syscalls fanotify22 test failed (broken).
This regression is noticed on linux.6.6.y, linux.6.10.y and linux.6.11.y.
We are bisecting this issue.
ltp-syscalls
- fanotify22
Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
Test log,
-----------
fanotify16.c:751[ 452.527701] EXT4-fs error (device loop0):
__ext4_remount:6522: comm fanotify22: Abort forced by user
tst_device.c:96: TINFO: Found free device 0 '/dev/loop0'
tst_test.c:1106: TINFO: Formatting /dev/loop0 with ext4 opts='' extra opts=''
mke2fs 1.47.1 (20-May-2024)
tst_test.c:1120: TINFO: Mounting /dev/loop0 to
/scratch/ltp-6nPLv2EGcV/LTP_fanbDvQcT/test_mnt fstyp=ext4 flags=0
tst_test.c:1733: TINFO: LTP version: 20240524
tst_test.c:1617: TINFO: Timeout per run is 0h 02m 30s
fanotify.h:122: TINFO: fid(test_mnt/internal_dir/bad_dir) =
6bd2dab9.86fe4716.7e82.df82837f.0...
fanotify.h:122: TINFO: fid(test_mnt/internal_dir) =
6bd2dab9.86fe4716.7e81.beaa198d.0...
fanotify22.c:278: TINFO: Umounting
/scratch/ltp-6nPLv2EGcV/LTP_fanbDvQcT/test_mnt
debugfs 1.47.1 (20-May-2024)
debugfs 1.47.1 (20-May-2024)
fanotify22.c:281: TINFO: Mounting /dev/loop0 to
/scratch/ltp-6nPLv2EGcV/LTP_fanbDvQcT/test_mnt fstyp=ext4 flags=0
fanotify.h:122: TINFO: fid(test_mnt) = 6bd2dab9.86fe4716.2.0.0...
fanotify22.c:59: TINFO: Mounting /dev/loop0 to
/scratch/ltp-6nPLv2EGcV/LTP_fanbDvQcT/test_mnt fstyp=ext4 flags=21
fanotify22.c:59: TBROK: mount(/dev/loop0, test_mnt, ext4, 33,
0x5659a1d5) failed: EROFS (30)
HINT: You _MAY_ be missing kernel fixes:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=124e7c61deb2
Summary:
passed 0
failed 0
broken 1
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-09 6:24 ` Naresh Kamboju
@ 2024-10-09 6:49 ` Harshit Mogalapalli
0 siblings, 0 replies; 408+ messages in thread
From: Harshit Mogalapalli @ 2024-10-09 6:49 UTC (permalink / raw)
To: Naresh Kamboju, Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie,
Vegard Nossum, Darren Kenny, Dan Carpenter
Hi,
On 09/10/24 11:54, Naresh Kamboju wrote:
> On Tue, 8 Oct 2024 at 18:40, Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
>>
...
>
> The LTP syscalls fanotify22 test failed (broken).
> This regression is noticed on linux.6.6.y, linux.6.10.y and linux.6.11.y.
>
> We are bisecting this issue.
>
> ltp-syscalls
> - fanotify22
FYI: I remember seeing a discussion thread on this(atleast very similar):
https://lore.kernel.org/all/Zvp6L+oFnfASaoHl@t14s/
So based on that it should be PATCH 178/386:
Jan Kara <jack@suse.cz>
ext4: don't set SB_RDONLY after filesystem errors
Thanks,
Harshit
>
> Reported-by: Linux Kernel Functional Testing <lkft@linaro.org>
>
> Test log,
> -----------
> fanotify16.c:751[ 452.527701] EXT4-fs error (device loop0):
> __ext4_remount:6522: comm fanotify22: Abort forced by user
> tst_device.c:96: TINFO: Found free device 0 '/dev/loop0'
> tst_test.c:1106: TINFO: Formatting /dev/loop0 with ext4 opts='' extra opts=''
> mke2fs 1.47.1 (20-May-2024)
> tst_test.c:1120: TINFO: Mounting /dev/loop0 to
> /scratch/ltp-6nPLv2EGcV/LTP_fanbDvQcT/test_mnt fstyp=ext4 flags=0
> tst_test.c:1733: TINFO: LTP version: 20240524
> tst_test.c:1617: TINFO: Timeout per run is 0h 02m 30s
> fanotify.h:122: TINFO: fid(test_mnt/internal_dir/bad_dir) =
> 6bd2dab9.86fe4716.7e82.df82837f.0...
> fanotify.h:122: TINFO: fid(test_mnt/internal_dir) =
> 6bd2dab9.86fe4716.7e81.beaa198d.0...
> fanotify22.c:278: TINFO: Umounting
> /scratch/ltp-6nPLv2EGcV/LTP_fanbDvQcT/test_mnt
> debugfs 1.47.1 (20-May-2024)
> debugfs 1.47.1 (20-May-2024)
> fanotify22.c:281: TINFO: Mounting /dev/loop0 to
> /scratch/ltp-6nPLv2EGcV/LTP_fanbDvQcT/test_mnt fstyp=ext4 flags=0
> fanotify.h:122: TINFO: fid(test_mnt) = 6bd2dab9.86fe4716.2.0.0...
> fanotify22.c:59: TINFO: Mounting /dev/loop0 to
> /scratch/ltp-6nPLv2EGcV/LTP_fanbDvQcT/test_mnt fstyp=ext4 flags=21
> fanotify22.c:59: TBROK: mount(/dev/loop0, test_mnt, ext4, 33,
> 0x5659a1d5) failed: EROFS (30)
>
> HINT: You _MAY_ be missing kernel fixes:
>
> https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=124e7c61deb2
>
> Summary:
> passed 0
> failed 0
> broken 1
>
> --
> Linaro LKFT
> https://lkft.linaro.org
>
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 109/386] ALSA: usb-audio: Support multiple control interfaces
2024-10-08 12:05 ` [PATCH 6.6 109/386] ALSA: usb-audio: Support multiple control interfaces Greg Kroah-Hartman
@ 2024-10-09 7:39 ` Karol Kosik
0 siblings, 0 replies; 408+ messages in thread
From: Karol Kosik @ 2024-10-09 7:39 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable; +Cc: patches, Takashi Iwai, Sasha Levin
On 10/8/24 05:05, Greg Kroah-Hartman wrote:
> 6.6-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Karol Kosik <k.kosik@outlook.com>
>
> [ Upstream commit 6aa8700150f7dc62f60b4cf5b1624e2e3d9ed78e ]
>
> Registering Numark Party Mix II fails with error 'bogus bTerminalLink 1'.
> The problem stems from the driver not being able to find input/output
> terminals required to configure audio streaming. The information about
> those terminals is stored in AudioControl Interface. Numark device
> contains 2 AudioControl Interfaces and the driver checks only one of them.
Please postpone (or skip) merging my patch to 6.6 due to regression.
I'm sorry for the disruption caused by this commit. Fix for this problem will be sent
for review shortly, after I re-run all tests, and I aim to get it into 6.12-rc3.
Regards,
Karol Kosik
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (390 preceding siblings ...)
2024-10-09 6:24 ` Naresh Kamboju
@ 2024-10-09 12:48 ` Takeshi Ogasawara
2024-10-09 14:58 ` Jon Hunter
` (4 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Takeshi Ogasawara @ 2024-10-09 12:48 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
Hi Greg
On Tue, Oct 8, 2024 at 10:10 PM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.55 release.
> There are 386 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.55-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
6.6.55-rc1 tested.
Build successfully completed.
Boot successfully completed.
No dmesg regressions.
Video output normal.
Sound output normal.
Lenovo ThinkPad X1 Carbon Gen10(Intel i7-1260P(x86_64) arch linux)
[ 0.000000] Linux version 6.6.55-rc1rv
(takeshi@ThinkPadX1Gen10J0764) (gcc (GCC) 14.2.1 20240910, GNU ld (GNU
Binutils) 2.43.0) #1 SMP PREEMPT_DYNAMIC Wed Oct 9 20:12:56 JST 2024
Thanks
Tested-by: Takeshi Ogasawara <takeshi.ogasawara@futuring-girl.com>
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (391 preceding siblings ...)
2024-10-09 12:48 ` Takeshi Ogasawara
@ 2024-10-09 14:58 ` Jon Hunter
2024-10-09 22:25 ` Kexy Biscuit
` (3 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Jon Hunter @ 2024-10-09 14:58 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie,
linux-tegra, stable
On Tue, 08 Oct 2024 14:04:05 +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.55 release.
> There are 386 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.55-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
All tests passing for Tegra ...
Test results for stable-v6.6:
10 builds: 10 pass, 0 fail
26 boots: 26 pass, 0 fail
116 tests: 116 pass, 0 fail
Linux version: 6.6.55-rc1-g75430d7252ba
Boards tested: tegra124-jetson-tk1, tegra186-p2771-0000,
tegra194-p2972-0000, tegra194-p3509-0000+p3668-0000,
tegra20-ventana, tegra210-p2371-2180,
tegra210-p3450-0000, tegra30-cardhu-a04
Tested-by: Jon Hunter <jonathanh@nvidia.com>
Jon
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (392 preceding siblings ...)
2024-10-09 14:58 ` Jon Hunter
@ 2024-10-09 22:25 ` Kexy Biscuit
2024-10-10 0:14 ` Ron Economos
` (2 subsequent siblings)
396 siblings, 0 replies; 408+ messages in thread
From: Kexy Biscuit @ 2024-10-09 22:25 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
On 10/8/2024 8:04 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.55 release.
> There are 386 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.55-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Building passed on amd64, arm64, loongarch64, ppc64el, and riscv64.
Smoke testing passed on 9 amd64 and 1 arm64 test systems.
Tested-by: Kexy Biscuit <kexybiscuit@aosc.io>
https://github.com/AOSC-Dev/aosc-os-abbs/pull/8223
--
Best Regards,
Kexy Biscuit
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (393 preceding siblings ...)
2024-10-09 22:25 ` Kexy Biscuit
@ 2024-10-10 0:14 ` Ron Economos
2024-10-10 9:00 ` Muhammad Usama Anjum
2024-10-10 11:13 ` Miguel Ojeda
396 siblings, 0 replies; 408+ messages in thread
From: Ron Economos @ 2024-10-10 0:14 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor, allen.lkml, broonie
On 10/8/24 5:04 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.55 release.
> There are 386 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.55-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (394 preceding siblings ...)
2024-10-10 0:14 ` Ron Economos
@ 2024-10-10 9:00 ` Muhammad Usama Anjum
2024-10-10 11:13 ` Miguel Ojeda
396 siblings, 0 replies; 408+ messages in thread
From: Muhammad Usama Anjum @ 2024-10-10 9:00 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: Usama.Anjum, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie
On 10/8/24 5:04 PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.6.55 release.
> There are 386 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.6.55-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>
>
Hi,
Please find the KernelCI report below :-
OVERVIEW
Builds: 25 passed, 0 failed
Boot tests: 510 passed, 0 failed
CI systems: maestro
REVISION
Commit
name:
hash: 75430d7252ba967f7ca3d11dffa4b90ff5aa0ccd
Checked out from
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.6.y
BUILDS
No new build failures found
BOOT TESTS
No new boot failures found
Tested-by: kernelci.org bot <bot@kernelci.org>
Thanks,
KernelCI team
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 028/386] net: fec: Restart PPS after link state change
2024-10-08 13:30 ` Csókás Bence
@ 2024-10-10 9:57 ` Greg Kroah-Hartman
2024-10-11 1:50 ` Wei Fang
0 siblings, 1 reply; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-10 9:57 UTC (permalink / raw)
To: Csókás Bence
Cc: stable, patches, Paolo Abeni, Sasha Levin, Wei Fang
On Tue, Oct 08, 2024 at 03:30:51PM +0200, Csókás Bence wrote:
> Hi!
>
> On 2024. 10. 08. 14:04, Greg Kroah-Hartman wrote:
> > 6.6-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Csókás, Bence <csokas.bence@prolan.hu>
> >
> > [ Upstream commit a1477dc87dc4996dcf65a4893d4e2c3a6b593002 ]
> >
> > On link state change, the controller gets reset,
> > causing PPS to drop out. Re-enable PPS if it was
> > enabled before the controller reset.
> >
> > Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware clock")
> > Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
> > Link: https://patch.msgid.link/20240924093705.2897329-1-csokas.bence@prolan.hu
> > Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
>
> There is a patch waiting to be merged that Fixes: this commit.
>
> Link:
> https://lore.kernel.org/netdev/20241008061153.1977930-1-wei.fang@nxp.com/
Great, we can pick it up once it hits Linus's tree, please let us know
when that happens.
greg k-h
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 14:58 ` [PATCH 6.6 000/386] 6.6.55-rc1 review Harshit Mogalapalli
2024-10-08 17:55 ` Florian Fainelli
@ 2024-10-10 10:16 ` Greg Kroah-Hartman
1 sibling, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-10 10:16 UTC (permalink / raw)
To: Harshit Mogalapalli
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, allen.lkml, broonie,
Vegard Nossum, Darren Kenny
On Tue, Oct 08, 2024 at 08:28:57PM +0530, Harshit Mogalapalli wrote:
> Hi Greg,
>
> On 08/10/24 17:34, Greg Kroah-Hartman wrote:
> > This is the start of the stable review cycle for the 6.6.55 release.
> > There are 386 patches in this series, all will be posted as a response
> > to this one. If anyone has any issues with these being applied, please
> > let me know.
> >
> > Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000.
> > Anything received after that time might be too late.
> >
> ...
>
>
> > Ian Rogers <irogers@google.com>
> > perf callchain: Fix stitch LBR memory leaks
> >
>
> This patch is causing build failures for tools/perf/
>
> util/machine.c: In function 'save_lbr_cursor_node':
> util/machine.c:2540:9: error: implicit declaration of function
> 'map_symbol__exit'; did you mean 'symbol__exit'?
> [-Werror=implicit-function-declaration]
> 2540 | map_symbol__exit(&lbr_stitch->prev_lbr_cursor[idx].ms);
> | ^~~~~~~~~~~~~~~~
> | symbol__exit
> ...
>
> util/thread.c: In function 'thread__free_stitch_list':
> util/thread.c:481:17: error: implicit declaration of function
> 'map_symbol__exit'; did you mean 'symbol__exit'?
> [-Werror=implicit-function-declaration]
> 481 | map_symbol__exit(&pos->cursor.ms);
> | ^~~~~~~~~~~~~~~~
> | symbol__exit
>
Argh, I missed this, let me go revert it in another release now...
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 000/386] 6.6.55-rc1 review
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
` (395 preceding siblings ...)
2024-10-10 9:00 ` Muhammad Usama Anjum
@ 2024-10-10 11:13 ` Miguel Ojeda
396 siblings, 0 replies; 408+ messages in thread
From: Miguel Ojeda @ 2024-10-10 11:13 UTC (permalink / raw)
To: gregkh
Cc: akpm, allen.lkml, broonie, conor, f.fainelli, jonathanh,
linux-kernel, linux, lkft-triage, patches, patches, pavel,
rwarsow, shuah, srw, stable, sudipm.mukherjee, torvalds,
Miguel Ojeda
On Tue, 08 Oct 2024 14:04:05 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 6.6.55 release.
> There are 386 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Thu, 10 Oct 2024 11:55:15 +0000.
> Anything received after that time might be too late.
Boot-tested under QEMU for Rust x86_64:
Tested-by: Miguel Ojeda <ojeda@kernel.org>
Thanks!
Cheers,
Miguel
^ permalink raw reply [flat|nested] 408+ messages in thread
* RE: [PATCH 6.6 028/386] net: fec: Restart PPS after link state change
2024-10-10 9:57 ` Greg Kroah-Hartman
@ 2024-10-11 1:50 ` Wei Fang
2024-10-11 3:20 ` Greg Kroah-Hartman
0 siblings, 1 reply; 408+ messages in thread
From: Wei Fang @ 2024-10-11 1:50 UTC (permalink / raw)
To: Greg Kroah-Hartman, Csókás Bence
Cc: stable@vger.kernel.org, patches@lists.linux.dev, Paolo Abeni,
Sasha Levin
> -----Original Message-----
> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Sent: 2024年10月10日 17:58
> To: Csókás Bence <csokas.bence@prolan.hu>
> Cc: stable@vger.kernel.org; patches@lists.linux.dev; Paolo Abeni
> <pabeni@redhat.com>; Sasha Levin <sashal@kernel.org>; Wei Fang
> <wei.fang@nxp.com>
> Subject: Re: [PATCH 6.6 028/386] net: fec: Restart PPS after link state change
>
> On Tue, Oct 08, 2024 at 03:30:51PM +0200, Csókás Bence wrote:
> > Hi!
> >
> > On 2024. 10. 08. 14:04, Greg Kroah-Hartman wrote:
> > > 6.6-stable review patch. If anyone has any objections, please let me know.
> > >
> > > ------------------
> > >
> > > From: Csókás, Bence <csokas.bence@prolan.hu>
> > >
> > > [ Upstream commit a1477dc87dc4996dcf65a4893d4e2c3a6b593002 ]
> > >
> > > On link state change, the controller gets reset, causing PPS to drop
> > > out. Re-enable PPS if it was enabled before the controller reset.
> > >
> > > Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware
> > > clock")
> > > Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
> > > Link:
> > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpa
> > >
> tch.msgid.link%2F20240924093705.2897329-1-csokas.bence%40prolan.hu&d
> > >
> ata=05%7C02%7Cwei.fang%40nxp.com%7C80acbc9bb01544f3e84808dce912
> 01e0%
> > >
> 7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C6386415107715770
> 46%7CUn
> > >
> known%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik
> 1h
> > >
> aWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=sQygTTDEvCmMBFcgolXp13
> 8w4XkG3J
> > > e0d5rPLnDrhwM%3D&reserved=0
> > > Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> >
> > There is a patch waiting to be merged that Fixes: this commit.
> >
> > Link:
> > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore
> > .kernel.org%2Fnetdev%2F20241008061153.1977930-1-wei.fang%40nxp.co
> m%2F&
> >
> data=05%7C02%7Cwei.fang%40nxp.com%7C80acbc9bb01544f3e84808dce91
> 201e0%7
> >
> C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C63864151077160040
> 3%7CUnkno
> >
> wn%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1ha
> WwiL
> >
> CJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=7IXriaU8I%2BO%2F2rxZueqJtf%2B
> VyF4ZQIR
> > PNZvnKMpuctk%3D&reserved=0
>
> Great, we can pick it up once it hits Linus's tree, please let us know when that
> happens.
>
Hi Greg,
The patch has been applied to Linus's tree, thanks.
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 028/386] net: fec: Restart PPS after link state change
2024-10-11 1:50 ` Wei Fang
@ 2024-10-11 3:20 ` Greg Kroah-Hartman
2024-10-11 3:34 ` Wei Fang
0 siblings, 1 reply; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-11 3:20 UTC (permalink / raw)
To: Wei Fang
Cc: Csókás Bence, stable@vger.kernel.org,
patches@lists.linux.dev, Paolo Abeni, Sasha Levin
On Fri, Oct 11, 2024 at 01:50:58AM +0000, Wei Fang wrote:
> > -----Original Message-----
> > From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> > Sent: 2024年10月10日 17:58
> > To: Csókás Bence <csokas.bence@prolan.hu>
> > Cc: stable@vger.kernel.org; patches@lists.linux.dev; Paolo Abeni
> > <pabeni@redhat.com>; Sasha Levin <sashal@kernel.org>; Wei Fang
> > <wei.fang@nxp.com>
> > Subject: Re: [PATCH 6.6 028/386] net: fec: Restart PPS after link state change
> >
> > On Tue, Oct 08, 2024 at 03:30:51PM +0200, Csókás Bence wrote:
> > > Hi!
> > >
> > > On 2024. 10. 08. 14:04, Greg Kroah-Hartman wrote:
> > > > 6.6-stable review patch. If anyone has any objections, please let me know.
> > > >
> > > > ------------------
> > > >
> > > > From: Csókás, Bence <csokas.bence@prolan.hu>
> > > >
> > > > [ Upstream commit a1477dc87dc4996dcf65a4893d4e2c3a6b593002 ]
> > > >
> > > > On link state change, the controller gets reset, causing PPS to drop
> > > > out. Re-enable PPS if it was enabled before the controller reset.
> > > >
> > > > Fixes: 6605b730c061 ("FEC: Add time stamping code and a PTP hardware
> > > > clock")
> > > > Signed-off-by: Csókás, Bence <csokas.bence@prolan.hu>
> > > > Link:
> > > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fpa
> > > >
> > tch.msgid.link%2F20240924093705.2897329-1-csokas.bence%40prolan.hu&d
> > > >
> > ata=05%7C02%7Cwei.fang%40nxp.com%7C80acbc9bb01544f3e84808dce912
> > 01e0%
> > > >
> > 7C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C6386415107715770
> > 46%7CUn
> > > >
> > known%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik
> > 1h
> > > >
> > aWwiLCJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=sQygTTDEvCmMBFcgolXp13
> > 8w4XkG3J
> > > > e0d5rPLnDrhwM%3D&reserved=0
> > > > Signed-off-by: Paolo Abeni <pabeni@redhat.com>
> > > > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > >
> > > There is a patch waiting to be merged that Fixes: this commit.
> > >
> > > Link:
> > > https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Flore
> > > .kernel.org%2Fnetdev%2F20241008061153.1977930-1-wei.fang%40nxp.co
> > m%2F&
> > >
> > data=05%7C02%7Cwei.fang%40nxp.com%7C80acbc9bb01544f3e84808dce91
> > 201e0%7
> > >
> > C686ea1d3bc2b4c6fa92cd99c5c301635%7C0%7C0%7C63864151077160040
> > 3%7CUnkno
> > >
> > wn%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1ha
> > WwiL
> > >
> > CJXVCI6Mn0%3D%7C0%7C%7C%7C&sdata=7IXriaU8I%2BO%2F2rxZueqJtf%2B
> > VyF4ZQIR
> > > PNZvnKMpuctk%3D&reserved=0
> >
> > Great, we can pick it up once it hits Linus's tree, please let us know when that
> > happens.
> >
>
> Hi Greg,
>
> The patch has been applied to Linus's tree, thanks.
What is the git id of the commit?
^ permalink raw reply [flat|nested] 408+ messages in thread
* RE: [PATCH 6.6 028/386] net: fec: Restart PPS after link state change
2024-10-11 3:20 ` Greg Kroah-Hartman
@ 2024-10-11 3:34 ` Wei Fang
2024-10-11 4:27 ` Greg Kroah-Hartman
0 siblings, 1 reply; 408+ messages in thread
From: Wei Fang @ 2024-10-11 3:34 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: Csókás Bence, stable@vger.kernel.org,
patches@lists.linux.dev, Paolo Abeni, Sasha Levin
> > >
> > > Great, we can pick it up once it hits Linus's tree, please let us
> > > know when that happens.
> > >
> >
> > Hi Greg,
> >
> > The patch has been applied to Linus's tree, thanks.
>
> What is the git id of the commit?
The commit is 6be063071a45 ("net: fec: don't save PTP state if PTP is unsupported")
^ permalink raw reply [flat|nested] 408+ messages in thread
* Re: [PATCH 6.6 028/386] net: fec: Restart PPS after link state change
2024-10-11 3:34 ` Wei Fang
@ 2024-10-11 4:27 ` Greg Kroah-Hartman
0 siblings, 0 replies; 408+ messages in thread
From: Greg Kroah-Hartman @ 2024-10-11 4:27 UTC (permalink / raw)
To: Wei Fang
Cc: Csókás Bence, stable@vger.kernel.org,
patches@lists.linux.dev, Paolo Abeni, Sasha Levin
On Fri, Oct 11, 2024 at 03:34:57AM +0000, Wei Fang wrote:
> > > >
> > > > Great, we can pick it up once it hits Linus's tree, please let us
> > > > know when that happens.
> > > >
> > >
> > > Hi Greg,
> > >
> > > The patch has been applied to Linus's tree, thanks.
> >
> > What is the git id of the commit?
>
> The commit is 6be063071a45 ("net: fec: don't save PTP state if PTP is unsupported")
>
Thanks, now queued up.
greg k-h
^ permalink raw reply [flat|nested] 408+ messages in thread
end of thread, other threads:[~2024-10-11 4:40 UTC | newest]
Thread overview: 408+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-08 12:04 [PATCH 6.6 000/386] 6.6.55-rc1 review Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 001/386] static_call: Handle module init failure correctly in static_call_del_module() Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 002/386] static_call: Replace pointless WARN_ON() in static_call_module_notify() Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 003/386] jump_label: Simplify and clarify static_key_fast_inc_cpus_locked() Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 004/386] jump_label: Fix static_key_slow_dec() yet again Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 005/386] scsi: st: Fix input/output error on empty drive reset Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 006/386] scsi: pm8001: Do not overwrite PCI queue mapping Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 007/386] drm/amdgpu: Fix get each xcp macro Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 008/386] mailbox: rockchip: fix a typo in module autoloading Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 009/386] mailbox: bcm2835: Fix timeout during suspend mode Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 010/386] ceph: remove the incorrect Fw reference check when dirtying pages Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 011/386] ieee802154: Fix build error Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 012/386] net: sparx5: Fix invalid timestamps Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 013/386] net/mlx5: Fix error path in multi-packet WQE transmit Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 014/386] net/mlx5: Added cond_resched() to crdump collection Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 015/386] net/mlx5e: Fix NULL deref in mlx5e_tir_builder_alloc() Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 016/386] net/mlx5e: Fix crash caused by calling __xfrm_state_delete() twice Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 017/386] netfilter: uapi: NFTA_FLOWTABLE_HOOK is NLA_NESTED Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 018/386] net: ieee802154: mcr20a: Use IRQF_NO_AUTOEN flag in request_irq() Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 019/386] net: wwan: qcom_bam_dmux: Fix missing pm_runtime_disable() Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 020/386] selftests: netfilter: Fix nft_audit.sh for newer nft binaries Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 021/386] netfilter: nf_tables: prevent nf_skb_duplicated corruption Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 022/386] Bluetooth: MGMT: Fix possible crash on mgmt_index_removed Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 023/386] Bluetooth: L2CAP: Fix uaf in l2cap_connect Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 024/386] Bluetooth: btmrvl: Use IRQF_NO_AUTOEN flag in request_irq() Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 025/386] net: Add netif_get_gro_max_size helper for GRO Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 026/386] net: Fix gso_features_check to check for both dev->gso_{ipv4_,}max_size Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 027/386] net: ethernet: lantiq_etop: fix memory disclosure Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 028/386] net: fec: Restart PPS after link state change Greg Kroah-Hartman
2024-10-08 13:30 ` Csókás Bence
2024-10-10 9:57 ` Greg Kroah-Hartman
2024-10-11 1:50 ` Wei Fang
2024-10-11 3:20 ` Greg Kroah-Hartman
2024-10-11 3:34 ` Wei Fang
2024-10-11 4:27 ` Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 029/386] net: fec: Reload PTP registers after link-state change Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 030/386] net: avoid potential underflow in qdisc_pkt_len_init() with UFO Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 031/386] net: add more sanity checks to qdisc_pkt_len_init() Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 032/386] net: stmmac: dwmac4: extend timeout for VLAN Tag register busy bit check Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 033/386] ipv4: ip_gre: Fix drops of small packets in ipgre_xmit Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 034/386] net: test for not too small csum_start in virtio_net_hdr_to_skb() Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 035/386] ppp: do not assume bh is held in ppp_channel_bridge_input() Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 036/386] iomap: constrain the file range passed to iomap_file_unshare Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 037/386] dt-bindings: net: xlnx,axi-ethernet: Add missing reg minItems Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 038/386] sctp: set sk_state back to CLOSED if autobind fails in sctp_listen_start Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 039/386] i2c: xiic: improve error message when transfer fails to start Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 040/386] i2c: xiic: Try re-initialization on bus busy timeout Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 041/386] loop: dont set QUEUE_FLAG_NOMERGES Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 042/386] Bluetooth: hci_sock: Fix not validating setsockopt user input Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 043/386] media: usbtv: Remove useless locks in usbtv_video_free() Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 044/386] Bluetooth: ISO: Fix not validating setsockopt user input Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 045/386] Bluetooth: L2CAP: " Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 046/386] ASoC: atmel: mchp-pdmc: Skip ALSA restoration if substream runtime is uninitialized Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 047/386] ALSA: mixer_oss: Remove some incorrect kfree_const() usages Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 048/386] ALSA: hda/realtek: Fix the push button function for the ALC257 Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 049/386] cifs: Remove intermediate object of failed create reparse call Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 050/386] ALSA: hda/generic: Unconditionally prefer preferred_dacs pairs Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 051/386] ASoC: imx-card: Set card.owner to avoid a warning calltrace if SND=m Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 052/386] cifs: Fix buffer overflow when parsing NFS reparse points Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 053/386] cifs: Do not convert delimiter when parsing NFS-style symlinks Greg Kroah-Hartman
2024-10-08 12:04 ` [PATCH 6.6 054/386] ALSA: gus: Fix some error handling paths related to get_bpos() usage Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 055/386] ALSA: hda/conexant: Fix conflicting quirk for System76 Pangolin Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 056/386] wifi: ath9k: fix possible integer overflow in ath9k_get_et_stats() Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 057/386] wifi: rtw89: avoid to add interface to list twice when SER Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 058/386] wifi: ath9k_htc: Use __skb_set_length() for resetting urb before resubmit Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 059/386] crypto: x86/sha256 - Add parentheses around macros single arguments Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 060/386] crypto: octeontx - Fix authenc setkey Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 061/386] crypto: octeontx2 " Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 062/386] ice: Adjust over allocation of memory in ice_sched_add_root_node() and ice_sched_add_node() Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 063/386] wifi: iwlwifi: mvm: Fix a race in scan abort flow Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 064/386] wifi: iwlwifi: mvm: drop wrong STA selection in TX Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 065/386] wifi: cfg80211: Set correct chandef when starting CAC Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 066/386] net/xen-netback: prevent UAF in xenvif_flush_hash() Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 067/386] net: hisilicon: hip04: fix OF node leak in probe() Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 068/386] net: hisilicon: hns_dsaf_mac: fix OF node leak in hns_mac_get_info() Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 069/386] net: hisilicon: hns_mdio: fix OF node leak in probe() Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 070/386] ACPI: PAD: fix crash in exit_round_robin() Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 071/386] ACPICA: Fix memory leak if acpi_ps_get_next_namepath() fails Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 072/386] ACPICA: Fix memory leak if acpi_ps_get_next_field() fails Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 073/386] e1000e: avoid failing the system during pm_suspend Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 074/386] wifi: mt76: mt7915: disable tx worker during tx BA session enable/disable Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 075/386] net: sched: consistently use rcu_replace_pointer() in taprio_change() Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 076/386] Bluetooth: btusb: Add Realtek RTL8852C support ID 0x0489:0xe122 Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 077/386] Bluetooth: btrtl: Set msft ext address filter quirk for RTL8852B Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 078/386] ACPI: video: Add force_vendor quirk for Panasonic Toughbook CF-18 Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 079/386] ACPI: CPPC: Add support for setting EPP register in FFH Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 080/386] blk_iocost: fix more out of bound shifts Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 081/386] wifi: ath12k: fix array out-of-bound access in SoC stats Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 082/386] wifi: ath11k: " Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 083/386] wifi: rtw88: select WANT_DEV_COREDUMP Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 084/386] ACPI: EC: Do not release locks during operation region accesses Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 085/386] ACPICA: check null return of ACPI_ALLOCATE_ZEROED() in acpi_db_convert_to_package() Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 086/386] tipc: guard against string buffer overrun Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 087/386] net: mvpp2: Increase size of queue_name buffer Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 088/386] bnxt_en: Extend maximum length of version string by 1 byte Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 089/386] ipv4: Check !in_dev earlier for ioctl(SIOCSIFADDR) Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 090/386] wifi: rtw89: correct base HT rate mask for firmware Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 091/386] ipv4: Mask upper DSCP bits and ECN bits in NETLINK_FIB_LOOKUP family Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 092/386] net: atlantic: Avoid warning about potential string truncation Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 093/386] crypto: simd - Do not call crypto_alloc_tfm during registration Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 094/386] netpoll: Ensure clean state on setup failures Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 095/386] tcp: avoid reusing FIN_WAIT2 when trying to find port in connect() process Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 096/386] wifi: iwlwifi: mvm: use correct key iteration Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 097/386] wifi: iwlwifi: mvm: avoid NULL pointer dereference Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 098/386] wifi: mac80211: fix RCU list iterations Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 099/386] ACPICA: iasl: handle empty connection_node Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 100/386] proc: add config & param to block forcing mem writes Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 101/386] drivers/perf: arm_spe: Use perf_allow_kernel() for permissions Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 102/386] can: netlink: avoid call to do_set_data_bittiming callback with stale can_priv::ctrlmode Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 103/386] wifi: mt76: mt7915: add dummy HW offload of IEEE 802.11 fragmentation Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 104/386] wifi: mt76: mt7915: hold dev->mt76.mutex while disabling tx worker Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 105/386] wifi: mwifiex: Fix memcpy() field-spanning write warning in mwifiex_cmd_802_11_scan_ext() Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 106/386] nfp: Use IRQF_NO_AUTOEN flag in request_irq() Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 107/386] ALSA: usb-audio: Add input value sanity checks for standard types Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 108/386] x86/ioapic: Handle allocation failures gracefully Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 109/386] ALSA: usb-audio: Support multiple control interfaces Greg Kroah-Hartman
2024-10-09 7:39 ` Karol Kosik
2024-10-08 12:05 ` [PATCH 6.6 110/386] ALSA: usb-audio: Define macros for quirk table entries Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 111/386] ALSA: usb-audio: Replace complex quirk lines with macros Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 112/386] ALSA: usb-audio: Add logitech Audio profile quirk Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 113/386] ASoC: codecs: wsa883x: Handle reading version failure Greg Kroah-Hartman
2024-10-08 12:05 ` [PATCH 6.6 114/386] tools/x86/kcpuid: Protect against faulty "max subleaf" values Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 115/386] x86/pkeys: Add PKRU as a parameter in signal handling functions Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 116/386] x86/pkeys: Restore altstack access in sigreturn() Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 117/386] x86/kexec: Add EFI config table identity mapping for kexec kernel Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 118/386] ALSA: asihpi: Fix potential OOB array access Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 119/386] ALSA: hdsp: Break infinite MIDI input flush loop Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 120/386] tools/nolibc: powerpc: limit stack-protector workaround to GCC Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 121/386] selftests/nolibc: avoid passing NULL to printf("%s") Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 122/386] x86/syscall: Avoid memcpy() for ia32 syscall_get_arguments() Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 123/386] hwmon: (nct6775) add G15CF to ASUS WMI monitoring list Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 124/386] fbdev: efifb: Register sysfs groups through driver core Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 125/386] fbdev: pxafb: Fix possible use after free in pxafb_task() Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 126/386] rcuscale: Provide clear error when async specified without primitives Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 127/386] power: reset: brcmstb: Do not go into infinite loop if reset fails Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 128/386] iommu/vt-d: Always reserve a domain ID for identity setup Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 129/386] iommu/vt-d: Fix potential lockup if qi_submit_sync called with 0 count Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 130/386] cgroup: Disallow mounting v1 hierarchies without controller implementation Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 131/386] drm/stm: Avoid use-after-free issues with crtc and plane Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 132/386] drm/amdgpu: disallow multiple BO_HANDLES chunks in one submit Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 133/386] drm/amdkfd: amdkfd_free_gtt_mem clear the correct pointer Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 134/386] drm/amd/display: Add null check for top_pipe_to_program in commit_planes_for_stream Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 135/386] ata: pata_serverworks: Do not use the term blacklist Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 136/386] ata: sata_sil: Rename sil_blacklist to sil_quirks Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 137/386] HID: Ignore battery for all ELAN I2C-HID devices Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 138/386] drm/amd/display: Handle null stream_status in planes_changed_for_existing_stream Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 139/386] drm/amd/display: Check null pointers before using dc->clk_mgr Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 140/386] drm/amd/display: Add null check for afb in amdgpu_dm_plane_handle_cursor_update (v2) Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 141/386] drm/amd/display: fix double free issue during amdgpu module unload Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 142/386] jfs: UBSAN: shift-out-of-bounds in dbFindBits Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 143/386] jfs: Fix uaf in dbFreeBits Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 144/386] jfs: check if leafidx greater than num leaves per dmap tree Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 145/386] scsi: smartpqi: correct stream detection Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 146/386] drm/msm/adreno: Assign msm_gpu->pdev earlier to avoid nullptrs Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 147/386] jfs: Fix uninit-value access of new_ea in ea_buffer Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 148/386] drm/amdgpu: add raven1 gfxoff quirk Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 149/386] drm/amdgpu: enable gfxoff quirk on HP 705G4 Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 150/386] drm/amdkfd: Fix resource leak in criu restore queue Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 151/386] HID: multitouch: Add support for Thinkpad X12 Gen 2 Kbd Portfolio Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 152/386] platform/x86: touchscreen_dmi: add nanote-next quirk Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 153/386] drm/stm: ltdc: reset plane transparency after plane disable Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 154/386] drm/amd/display: Check stream before comparing them Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 155/386] drm/amd/display: Check link_res->hpo_dp_link_enc before using it Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 156/386] drm/amd/display: Fix index out of bounds in DCN30 degamma hardware format translation Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 157/386] drm/amd/display: Fix index out of bounds in " Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 158/386] drm/amd/display: Fix index out of bounds in DCN30 color transformation Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 159/386] drm/amd/display: Avoid overflow assignment in link_dp_cts Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 160/386] drm/amd/display: Initialize get_bytes_per_elements default to 1 Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 161/386] drm/printer: Allow NULL data in devcoredump printer Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 162/386] perf,x86: avoid missing caller address in stack traces captured in uprobe Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 163/386] scsi: aacraid: Rearrange order of struct aac_srb_unit Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 164/386] scsi: lpfc: Update PRLO handling in direct attached topology Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 165/386] drm/amdgpu: fix unchecked return value warning for amdgpu_gfx Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 166/386] perf: Fix event_function_call() locking Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 167/386] scsi: NCR5380: Initialize buffer for MSG IN and STATUS transfers Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 168/386] drm/radeon/r100: Handle unknown family in r100_cp_init_microcode() Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 169/386] drm/amdgpu: Block MMR_READ IOCTL in reset Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 170/386] drm/amdgpu/gfx9: use rlc safe mode for soft recovery Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 171/386] drm/amd/pm: ensure the fw_info is not null before using it Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 172/386] of/irq: Refer to actual buffer size in of_irq_parse_one() Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 173/386] powerpc/pseries: Use correct data types from pseries_hp_errorlog struct Greg Kroah-Hartman
2024-10-08 12:06 ` [PATCH 6.6 174/386] drm/amdgpu/gfx11: use rlc safe mode for soft recovery Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 175/386] drm/amdgpu/gfx10: " Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 176/386] platform/x86: lenovo-ymc: Ignore the 0x0 state Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 177/386] ksmbd: add refcnt to ksmbd_conn struct Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 178/386] ext4: dont set SB_RDONLY after filesystem errors Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 179/386] bpf: Make the pointer returned by iter next method valid Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 180/386] ext4: ext4_search_dir should return a proper error Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 181/386] ext4: avoid use-after-free in ext4_ext_show_leaf() Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 182/386] ext4: fix i_data_sem unlock order in ext4_ind_migrate() Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 183/386] bpftool: Fix undefined behavior caused by shifting into the sign bit Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 184/386] iomap: handle a post-direct I/O invalidate race in iomap_write_delalloc_release Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 185/386] bpftool: Fix undefined behavior in qsort(NULL, 0, ...) Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 186/386] spi: spi-imx: Fix pm_runtime_set_suspended() with runtime pm enabled Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 187/386] spi: spi-cadence: Use helper function devm_clk_get_enabled() Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 188/386] spi: spi-cadence: Fix pm_runtime_set_suspended() with runtime pm enabled Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 189/386] spi: spi-cadence: Fix missing spi_controller_is_target() check Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 190/386] selftest: hid: add missing run-hid-tools-tests.sh Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 191/386] spi: s3c64xx: fix timeout counters in flush_fifo Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 192/386] selftests: breakpoints: use remaining time to check if suspend succeed Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 193/386] accel/ivpu: Add missing MODULE_FIRMWARE metadata Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 194/386] spi: rpc-if: Add missing MODULE_DEVICE_TABLE Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 195/386] perf callchain: Fix stitch LBR memory leaks Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 196/386] perf: Really fix event_function_call() locking Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 197/386] selftests: vDSO: fix vDSO name for powerpc Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 198/386] selftests: vDSO: fix vdso_config " Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 199/386] selftests: vDSO: fix vDSO symbols lookup for powerpc64 Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 200/386] selftests/mm: fix charge_reserved_hugetlb.sh test Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 201/386] powerpc/vdso: Fix VDSO data access when running in a non-root time namespace Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 202/386] selftests: vDSO: fix ELF hash table entry size for s390x Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 203/386] selftests: vDSO: fix vdso_config for s390 Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 204/386] Revert "ALSA: hda: Conditionally use snooping for AMD HDMI" Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 205/386] platform/x86: ISST: Fix the KASAN report slab-out-of-bounds bug Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 206/386] i2c: stm32f7: Do not prepare/unprepare clock during runtime suspend/resume Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 207/386] i2c: qcom-geni: Use IRQF_NO_AUTOEN flag in request_irq() Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 208/386] i2c: xiic: Wait for TX empty to avoid missed TX NAKs Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 209/386] media: i2c: ar0521: Use cansleep version of gpiod_set_value() Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 210/386] i2c: xiic: Fix pm_runtime_set_suspended() with runtime pm enabled Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 211/386] i2c: designware: fix controller is holding SCL low while ENABLE bit is disabled Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 212/386] rust: sync: require `T: Sync` for `LockedBy::access` Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 213/386] ovl: fail if trusted xattrs are needed but caller lacks permission Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 214/386] firmware: tegra: bpmp: Drop unused mbox_client_to_bpmp() Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 215/386] memory: tegra186-emc: drop unused to_tegra186_emc() Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 216/386] dt-bindings: clock: exynos7885: Fix duplicated binding Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 217/386] spi: bcm63xx: Fix module autoloading Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 218/386] spi: bcm63xx: Fix missing pm_runtime_disable() Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 219/386] power: supply: hwmon: Fix missing temp1_max_alarm attribute Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 220/386] perf/core: Fix small negative period being ignored Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 221/386] parisc: Fix itlb miss handler for 64-bit programs Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 222/386] drm/mediatek: ovl_adaptor: Add missing of_node_put() Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 223/386] drm: Consistently use struct drm_mode_rect for FB_DAMAGE_CLIPS Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 224/386] ALSA: hda/tas2781: Add new quirk for Lenovo Y990 Laptop Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 225/386] ALSA: core: add isascii() check to card ID generator Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 226/386] ALSA: usb-audio: Add delay quirk for VIVO USB-C HEADSET Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 227/386] ALSA: usb-audio: Add native DSD support for Luxman D-08u Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 228/386] ALSA: line6: add hw monitor volume control to POD HD500X Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 229/386] ALSA: hda/realtek: Add quirk for Huawei MateBook 13 KLV-WX9 Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 230/386] ALSA: hda/realtek: Add a quirk for HP Pavilion 15z-ec200 Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 231/386] ext4: no need to continue when the number of entries is 1 Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 232/386] ext4: correct encrypted dentry name hash when not casefolded Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 233/386] ext4: fix slab-use-after-free in ext4_split_extent_at() Greg Kroah-Hartman
2024-10-08 12:07 ` [PATCH 6.6 234/386] ext4: propagate errors from ext4_find_extent() in ext4_insert_range() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 235/386] ext4: fix incorrect tid assumption in ext4_fc_mark_ineligible() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 236/386] ext4: dax: fix overflowing extents beyond inode size when partially writing Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 237/386] ext4: fix incorrect tid assumption in __jbd2_log_wait_for_space() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 238/386] ext4: drop ppath from ext4_ext_replay_update_ex() to avoid double-free Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 239/386] ext4: aovid use-after-free in ext4_ext_insert_extent() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 240/386] ext4: fix double brelse() the buffer of the extents path Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 241/386] ext4: fix timer use-after-free on failed mount Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 242/386] ext4: update orig_path in ext4_find_extent() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 243/386] ext4: fix incorrect tid assumption in ext4_wait_for_tail_page_commit() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 244/386] ext4: fix incorrect tid assumption in jbd2_journal_shrink_checkpoint_list() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 245/386] ext4: fix fast commit inode enqueueing during a full journal commit Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 246/386] ext4: use handle to mark fc as ineligible in __track_dentry_update() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 247/386] ext4: mark fc as ineligible using an handle in ext4_xattr_set() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 248/386] parisc: Fix 64-bit userspace syscall path Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 249/386] parisc: Allow mmap(MAP_STACK) memory to automatically expand upwards Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 250/386] parisc: Fix stack start for ADDR_NO_RANDOMIZE personality Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 251/386] drm/rockchip: vop: clear DMA stop bit on RK3066 Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 252/386] of: address: Report error on resource bounds overflow Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 253/386] of/irq: Support #msi-cells=<0> in of_msi_get_domain Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 254/386] drm: omapdrm: Add missing check for alloc_ordered_workqueue Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 255/386] resource: fix region_intersects() vs add_memory_driver_managed() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 256/386] jbd2: stop waiting for space when jbd2_cleanup_journal_tail() returns error Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 257/386] jbd2: correctly compare tids with tid_geq function in jbd2_fc_begin_commit Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 258/386] mm: krealloc: consider spare memory for __GFP_ZERO Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 259/386] ocfs2: fix the la space leak when unmounting an ocfs2 volume Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 260/386] ocfs2: fix uninit-value in ocfs2_get_block() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 261/386] ocfs2: reserve space for inline xattr before attaching reflink tree Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 262/386] ocfs2: cancel dqi_sync_work before freeing oinfo Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 263/386] ocfs2: remove unreasonable unlock in ocfs2_read_blocks Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 264/386] ocfs2: fix null-ptr-deref when journal load failed Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 265/386] ocfs2: fix possible null-ptr-deref in ocfs2_set_buffer_uptodate Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 266/386] arm64: fix selection of HAVE_DYNAMIC_FTRACE_WITH_ARGS Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 267/386] arm64: Subscribe Microsoft Azure Cobalt 100 to erratum 3194386 Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 268/386] riscv: define ILLEGAL_POINTER_VALUE for 64bit Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 269/386] exfat: fix memory leak in exfat_load_bitmap() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 270/386] perf python: Disable -Wno-cast-function-type-mismatch if present on clang Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 271/386] perf hist: Update hist symbol when updating maps Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 272/386] nfsd: fix delegation_blocked() to block correctly for at least 30 seconds Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 273/386] nfsd: map the EBADMSG to nfserr_io to avoid warning Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 274/386] NFSD: Fix NFSv4s PUTPUBFH operation Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 275/386] i3c: master: svc: Fix use after free vulnerability in svc_i3c_master Driver Due to Race Condition Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 276/386] RDMA/mana_ib: use the correct page size for mapping user-mode doorbell page Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 277/386] riscv: Fix kernel stack size when KASAN is enabled Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 278/386] aoe: fix the potential use-after-free problem in more places Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 279/386] media: ov5675: Fix power on/off delay timings Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 280/386] clk: rockchip: fix error for unknown clocks Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 281/386] remoteproc: k3-r5: Fix error handling when power-up failed Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 282/386] clk: qcom: dispcc-sm8250: use CLK_SET_RATE_PARENT for branch clocks Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 283/386] media: sun4i_csi: Implement link validate for sun4i_csi subdev Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 284/386] clk: qcom: gcc-sm8450: Do not turn off PCIe GDSCs during gdsc_disable() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 285/386] media: uapi/linux/cec.h: cec_msg_set_reply_to: zero flags Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 286/386] clk: qcom: clk-rpmh: Fix overflow in BCM vote Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 287/386] clk: samsung: exynos7885: Update CLKS_NR_FSYS after bindings fix Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 288/386] clk: qcom: gcc-sm8150: De-register gcc_cpuss_ahb_clk_src Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 289/386] media: venus: fix use after free bug in venus_remove due to race condition Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 290/386] clk: qcom: gcc-sm8250: Do not turn off PCIe GDSCs during gdsc_disable() Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 291/386] media: qcom: camss: Remove use_count guard in stop_streaming Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 292/386] media: qcom: camss: Fix ordering of pm_runtime_enable Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 293/386] clk: qcom: gcc-sc8180x: Fix the sdcc2 and sdcc4 clocks freq table Greg Kroah-Hartman
2024-10-08 12:08 ` [PATCH 6.6 294/386] clk: qcom: clk-alpha-pll: Fix CAL_L_VAL override for LUCID EVO PLL Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 295/386] smb: client: use actual path when queryfs Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 296/386] smb3: fix incorrect mode displayed for read-only files Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 297/386] iio: magnetometer: ak8975: Fix reading for ak099xx sensors Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 298/386] vrf: revert "vrf: Remove unnecessary RCU-bh critical section" Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 299/386] gso: fix udp gso fraglist segmentation after pull from frag_list Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 300/386] tomoyo: fallback to realpath if symlinks pathname does not exist Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 301/386] net: stmmac: Fix zero-division error when disabling tc cbs Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 302/386] rtc: at91sam9: fix OF node leak in probe() error path Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 303/386] Input: adp5589-keys - fix NULL pointer dereference Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 304/386] Input: adp5589-keys - fix adp5589_gpio_get_value() Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 305/386] cachefiles: fix dentry leak in cachefiles_open_file() Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 306/386] ACPI: resource: Add Asus Vivobook X1704VAP to irq1_level_low_skip_override[] Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 307/386] ACPI: resource: Add Asus ExpertBook B2502CVA " Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 308/386] btrfs: fix a NULL pointer dereference when failed to start a new trasacntion Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 309/386] btrfs: send: fix invalid clone operation for file that got its size decreased Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 310/386] btrfs: wait for fixup workers before stopping cleaner kthread during umount Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 311/386] cpufreq: Avoid a bad reference count on CPU node Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 312/386] gpio: davinci: fix lazy disable Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 313/386] net: pcs: xpcs: fix the wrong register that was written back Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 314/386] Bluetooth: hci_event: Align BR/EDR JUST_WORKS paring with LE Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 315/386] mac802154: Fix potential RCU dereference issue in mac802154_scan_worker Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 316/386] ceph: fix cap ref leak via netfs init_request Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 317/386] tracing/hwlat: Fix a race during cpuhp processing Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 318/386] tracing/timerlat: Drop interface_lock in stop_kthread() Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 319/386] tracing/timerlat: Fix a race during cpuhp processing Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 320/386] tracing/timerlat: Fix duplicated kthread creation due to CPU online/offline Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 321/386] rtla: Fix the help text in osnoise and timerlat top tools Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 322/386] close_range(): fix the logics in descriptor table trimming Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 323/386] drm/i915/gem: fix bitwise and logical AND mixup Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 324/386] drm/sched: Add locking to drm_sched_entity_modify_sched Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 325/386] drm/amd/display: Add HDR workaround for specific eDP Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 326/386] drm/amd/display: Fix system hang while resume with TBT monitor Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 327/386] cpufreq: intel_pstate: Make hwp_notify_lock a raw spinlock Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 328/386] kconfig: qconf: fix buffer overflow in debug links Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 329/386] platform/x86: x86-android-tablets: Create a platform_device from module_init() Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 330/386] platform/x86: x86-android-tablets: Fix use after free on platform_device_register() errors Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 331/386] i2c: create debugfs entry per adapter Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 332/386] i2c: core: Lock address during client device instantiation Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 333/386] i2c: synquacer: Remove a clk reference from struct synquacer_i2c Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 334/386] i2c: synquacer: Deal with optional PCLK correctly Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 335/386] arm64: cputype: Add Neoverse-N3 definitions Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 336/386] arm64: errata: Expand speculative SSBS workaround once more Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 337/386] io_uring/net: harden multishot termination case for recv Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 338/386] uprobes: fix kernel info leak via "[uprobes]" vma Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 339/386] mm: z3fold: deprecate CONFIG_Z3FOLD Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 340/386] drm/amd/display: Allow backlight to go below `AMDGPU_DM_DEFAULT_MIN_BACKLIGHT` Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 341/386] build-id: require program headers to be right after ELF header Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 342/386] lib/buildid: harden build ID parsing logic Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 343/386] sched: psi: fix bogus pressure spikes from aggregation race Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 344/386] net: mana: Enable MANA driver on ARM64 with 4K page size Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 345/386] net: mana: Add support for page sizes other than 4KB on ARM64 Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 346/386] RDMA/mana_ib: use the correct page table index based on hardware page size Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 347/386] media: i2c: imx335: Enable regulator supplies Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 348/386] media: imx335: Fix reset-gpio handling Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 349/386] remoteproc: k3-r5: Acquire mailbox handle during probe routine Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 350/386] remoteproc: k3-r5: Delay notification of wakeup event Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 351/386] dt-bindings: clock: qcom: Add missing UFS QREF clocks Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 352/386] dt-bindings: clock: qcom: Add GPLL9 support on gcc-sc8180x Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 353/386] iio: pressure: bmp280: Allow multiple chips id per family of devices Greg Kroah-Hartman
2024-10-08 12:09 ` [PATCH 6.6 354/386] iio: pressure: bmp280: Improve indentation and line wrapping Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 355/386] iio: pressure: bmp280: Use BME prefix for BME280 specifics Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 356/386] iio: pressure: bmp280: Fix regmap for BMP280 device Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 357/386] iio: pressure: bmp280: Fix waiting time for BMP3xx configuration Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 358/386] r8169: Fix spelling mistake: "tx_underun" -> "tx_underrun" Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 359/386] r8169: add tally counter fields added with RTL8125 Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 360/386] clk: qcom: gcc-sc8180x: Add GPLL9 support Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 361/386] ACPI: battery: Simplify battery hook locking Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 362/386] ACPI: battery: Fix possible crash when unregistering a battery hook Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 363/386] btrfs: relocation: return bool from btrfs_should_ignore_reloc_root Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 364/386] btrfs: relocation: constify parameters where possible Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 365/386] btrfs: drop the backref cache during relocation if we commit Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 366/386] drm/rockchip: vop: enable VOP_FEATURE_INTERNAL_RGB on RK3066 Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 367/386] Revert "drm/amd/display: Skip Recompute DSC Params if no Stream on Link" Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 368/386] ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 369/386] netfilter: nf_tables: fix memleak in map from abort path Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 370/386] netfilter: nf_tables: restore set elements when delete set fails Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 371/386] net: dsa: fix netdev_priv() dereference before check on non-DSA netdevice events Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 372/386] iommufd: Fix protection fault in iommufd_test_syz_conv_iova Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 373/386] drm/bridge: adv7511: fix crash on irq during probe Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 374/386] efi/unaccepted: touch soft lockup during memory accept Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 375/386] platform/x86: think-lmi: Fix password opcode ordering for workstations Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 376/386] null_blk: Remove usage of the deprecated ida_simple_xx() API Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 377/386] null_blk: fix null-ptr-dereference while configuring power and submit_queues Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 378/386] net: stmmac: move the EST lock to struct stmmac_priv Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 379/386] rxrpc: Fix a race between socket set up and I/O thread creation Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 380/386] vhost/scsi: null-ptr-dereference in vhost_scsi_get_req() Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 381/386] crypto: octeontx* - Select CRYPTO_AUTHENC Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 382/386] drm/amd/display: Revert Avoid overflow assignment Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 383/386] perf report: Fix segfault when sym sort key is not used Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 384/386] drm/amd/display: enable_hpo_dp_link_output: Check link_res->hpo_dp_link_enc before using it Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 385/386] null_blk: Fix return value of nullb_device_power_store() Greg Kroah-Hartman
2024-10-08 12:10 ` [PATCH 6.6 386/386] Revert "ubifs: ubifs_symlink: Fix memleak of inode->i_link in error path" Greg Kroah-Hartman
2024-10-08 14:58 ` [PATCH 6.6 000/386] 6.6.55-rc1 review Harshit Mogalapalli
2024-10-08 17:55 ` Florian Fainelli
2024-10-10 10:16 ` Greg Kroah-Hartman
2024-10-08 17:05 ` Peter Schneider
2024-10-08 17:29 ` Mark Brown
2024-10-08 21:59 ` Shuah Khan
2024-10-09 6:24 ` Naresh Kamboju
2024-10-09 6:49 ` Harshit Mogalapalli
2024-10-09 12:48 ` Takeshi Ogasawara
2024-10-09 14:58 ` Jon Hunter
2024-10-09 22:25 ` Kexy Biscuit
2024-10-10 0:14 ` Ron Economos
2024-10-10 9:00 ` Muhammad Usama Anjum
2024-10-10 11:13 ` Miguel Ojeda
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).