* [PATCH 6.0 000/862] 6.0.3-rc1 review
@ 2022-10-19 8:21 Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 001/862] ALSA: oss: Fix potential deadlock at unregistration Greg Kroah-Hartman
` (876 more replies)
0 siblings, 877 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw
This is the start of the stable review cycle for the 6.0.3 release.
There are 862 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Fri, 21 Oct 2022 08:30:19 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.0.3-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.0.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.0.3-rc1
Nathan Chancellor <nathan@kernel.org>
lib/Kconfig.debug: Add check for non-constant .{s,u}leb128 support to DWARF5
Masahiro Yamada <masahiroy@kernel.org>
Kconfig.debug: add toolchain checks for DEBUG_INFO_DWARF_TOOLCHAIN_DEFAULT
Masahiro Yamada <masahiroy@kernel.org>
Kconfig.debug: simplify the dependency of DEBUG_INFO_DWARF4/5
Jens Axboe <axboe@kernel.dk>
io_uring/rw: ensure kiocb_end_write() is always called
Pavel Begunkov <asml.silence@gmail.com>
io_uring: fix fdinfo sqe offsets calculation
Nathan Chancellor <nathan@kernel.org>
drm/amd/display: Fix build breakage with CONFIG_DEBUG_FS=n
Nicholas Piggin <npiggin@gmail.com>
powerpc/64s/interrupt: Fix lost interrupts when returning to soft-masked context
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
net/ieee802154: don't warn zero-sized raw_sendmsg()
Alexander Aring <aahringo@redhat.com>
Revert "net/ieee802154: reject zero-sized raw_sendmsg()"
Aric Cyr <aric.cyr@amd.com>
Revert "drm/amd/display: correct hostvm flag"
Randy Dunlap <rdunlap@infradead.org>
net: ethernet: ti: davinci_mdio: fix build for mdio bitbang uses
Yu Kuai <yukuai3@huawei.com>
blk-wbt: fix that 'rwb->wc' is always set to 1 in wbt_init()
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Fix last interface check for registration
Alexander Aring <aahringo@redhat.com>
net: ieee802154: return -EINVAL for unknown addr type
Liu Shixin <liushixin2@huawei.com>
mm: hugetlb: fix UAF in hugetlb_handle_userfault
Pavel Begunkov <asml.silence@gmail.com>
io_uring/net: fix notif cqe reordering
Pavel Begunkov <asml.silence@gmail.com>
io_uring/net: don't skip notifs for failed requests
Pavel Begunkov <asml.silence@gmail.com>
io_uring/net: rename io_sendzc()
Pavel Begunkov <asml.silence@gmail.com>
io_uring/net: don't lose partial send_zc on fail
Pavel Begunkov <asml.silence@gmail.com>
io_uring/net: use io_sr_msg for sendzc
Pavel Begunkov <asml.silence@gmail.com>
io_uring/net: refactor io_sr_msg types
Adrian Hunter <adrian.hunter@intel.com>
perf intel-pt: Fix system_wide dummy event for hybrid
Adrian Hunter <adrian.hunter@intel.com>
perf intel-pt: Fix segfault in intel_pt_print_info() with uClibc
Rob Herring <robh@kernel.org>
perf: Skip and warn on unknown format 'configN' attrs
Ivan T. Ivanov <iivanov@suse.de>
clk: bcm2835: Round UART input clock up
Wayne Chang <waynec@nvidia.com>
usb: typec: ucsi: Don't warn on probe deferral
Manivannan Sadhasivam <mani@kernel.org>
dmaengine: dw-edma: Remove runtime PM support
Lv Ruyi <lv.ruyi@zte.com.cn>
fsi: master-ast-cf: Fix missing of_node_put in fsi_master_acf_probe
Eddie James <eajames@linux.ibm.com>
fsi: occ: Prevent use after free
Eddie James <eajames@linux.ibm.com>
hwmon (occ): Retry for checksum failure
Keith Busch <kbusch@kernel.org>
blk-mq: use quiesced elevator switch when reinitializing queues
Dongliang Mu <mudongliangabcd@gmail.com>
usb: idmouse: fix an uninit-value in idmouse_open
Varun Prakash <varun@chelsio.com>
nvmet-tcp: add bounds check on Transfer Tag
Keith Busch <kbusch@kernel.org>
nvme: copy firmware_rev on each init
Keith Busch <kbusch@kernel.org>
nvme: handle effects after freeing the request
Jan Kara <jack@suse.cz>
ext2: Use kvmalloc() for group descriptor array
Arun Easi <aeasi@marvell.com>
scsi: tracing: Fix compile error in trace_array calls when TRACING is disabled
Xiaoke Wang <xkernel.wang@foxmail.com>
staging: rtl8723bs: fix a potential memory leak in rtw_init_cmd_priv()
Xiaoke Wang <xkernel.wang@foxmail.com>
staging: rtl8723bs: fix potential memory leak in rtw_init_drv_sw()
Pavel Begunkov <asml.silence@gmail.com>
io_uring: fix CQE reordering
sunghwan jung <onenowy@gmail.com>
Revert "usb: storage: Add quirk for Samsung Fit flash"
Piyush Mehta <piyush.mehta@amd.com>
usb: dwc3: core: Enable GUCTL1 bit 10 for fixing termination error after resume bug
Alexander Stein <alexander.stein@ew.tq-group.com>
arm64: dts: imx8mp: Add snps,gfladj-refclk-lpm-sel quirk to USB nodes
Alexander Stein <alexander.stein@ew.tq-group.com>
usb: dwc3: core: add gfladj_refclk_lpm_sel quirk
Robin Guo <guoweibin@inspur.com>
usb: musb: Fix musb_gadget.c rxstate overflow bug
Jianglei Nie <niejianglei2021@163.com>
usb: host: xhci: Fix potential memory leak in xhci_alloc_stream_info()
Logan Gunthorpe <logang@deltatee.com>
md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d
Johnothan King <johnothanking@protonmail.com>
HID: nintendo: check analog user calibration for plausibility
Jianglei Nie <niejianglei2021@163.com>
HSI: ssi_protocol: fix potential resource leak in ssip_pn_open()
Hyunwoo Kim <imv4bel@gmail.com>
HID: roccat: Fix use-after-free in roccat_read()
Harry Stern <harry@harrystern.net>
hid: topre: Add driver fixing report descriptor
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
soundwire: intel: fix error handling on dai registration issues
Richard Fitzgerald <rf@opensource.cirrus.com>
soundwire: cadence: Don't overwrite msg->buf during write commands
Coly Li <colyli@suse.de>
bcache: fix set_at_max_writeback_rate() for multiple attached devices
Serge Semin <Sergey.Semin@baikalelectronics.ru>
ata: libahci_platform: Sanity check the DT child nodes number
Yu Kuai <yukuai3@huawei.com>
blk-throttle: prevent overflow while calculating wait time
Nam Cao <namcaov@gmail.com>
staging: vt6655: fix potential memory leak
Wei Yongjun <weiyongjun1@huawei.com>
power: supply: adp5061: fix out-of-bounds read in adp5061_get_chg_type()
Michael Grzeschik <m.grzeschik@pengutronix.de>
usb: gadget: uvc: increase worker prio to WQ_HIGHPRI
Yicong Yang <yangyicong@hisilicon.com>
iommu/arm-smmu-v3: Make default domain type of HiSilicon PTT device to identity
Shigeru Yoshida <syoshida@redhat.com>
nbd: Fix hung when signal interrupts nbd_start_device_ioctl()
Letu Ren <fantasquex@gmail.com>
scsi: 3w-9xxx: Avoid disabling device if failing to enable it
Vaishnav Achath <vaishnav.a@ti.com>
dmaengine: ti: k3-udma: Reset UDMA_CHAN_RT byte counters to prevent overflow
James Smart <jsmart2021@gmail.com>
scsi: lpfc: Fix null ndlp ptr dereference in abnormal exit path for GFT_ID
Justin Chen <justinpopo6@gmail.com>
usb: host: xhci-plat: suspend/resume clks for brcm
Justin Chen <justinpopo6@gmail.com>
usb: host: xhci-plat: suspend and resume clocks
Daisuke Matsuda <matsuda-daisuke@fujitsu.com>
RDMA/rxe: Delete error messages triggered by incoming Read requests
Quanyang Wang <quanyang.wang@windriver.com>
clk: zynqmp: pll: rectify rate rounding in zynqmp_pll_round_rate
Hangyu Hua <hbh25y@gmail.com>
media: platform: fix some double free in meson-ge2d and mtk-jpeg and s5p-mfc
Zheyu Ma <zheyuma97@gmail.com>
media: cx88: Fix a null-ptr-deref bug in buffer_prepare()
Ian Nam <young.kwan.nam@xilinx.com>
clk: zynqmp: Fix stack-out-of-bounds in strncpy`
Alex Sverdlin <alexander.sverdlin@nokia.com>
ARM: 9242/1: kasan: Only map modules if CONFIG_KASAN_VMALLOC=n
Li Huafei <lihuafei1@huawei.com>
ARM: 9234/1: stacktrace: Avoid duplicate saving of exception PC value
Li Huafei <lihuafei1@huawei.com>
ARM: 9233/1: stacktrace: Skip frame pointer boundary check for call_with_stack()
Kunihiko Hayashi <hayashi.kunihiko@socionext.com>
arm64: dts: uniphier: Add USB-device support for PXs3 reference board
Josef Bacik <josef@toxicpanda.com>
btrfs: call __btrfs_remove_free_space_cache_locked on cache load failure
Maciej S. Szmigiero <maciej.szmigiero@oracle.com>
btrfs: don't print information about space cache or tree every remount
Qu Wenruo <wqu@suse.com>
btrfs: scrub: try to fix super block errors
Qu Wenruo <wqu@suse.com>
btrfs: scrub: properly report super block errors in system log
Qu Wenruo <wqu@suse.com>
btrfs: dump extra info if one free space cache has more bitmaps than it should
Arnd Bergmann <arnd@arndb.de>
ARM: orion: fix include path
Sebastian Krzyszkowiak <sebastian.krzyszkowiak@puri.sm>
arm64: dts: imx8mq-librem5: Add bq25895 as max17055's power supply
Frieder Schrempf <frieder.schrempf@kontron.de>
arm64: dts: imx8mm-kontron: Use the VSELECT signal to switch SD card IO voltage
Mark Brown <broonie@kernel.org>
kselftest/arm64: Fix validatation termination record after EXTRA_CONTEXT
Marcel Ziswiler <marcel.ziswiler@toradex.com>
ARM: dts: imx6sx-udoo-neo: don't use multiple blank lines
Marcel Ziswiler <marcel.ziswiler@toradex.com>
ARM: dts: imx6sl: use tabs for code indent
Alexander Stein <alexander.stein@ew.tq-group.com>
ARM: dts: imx6sx: add missing properties for sram
Alexander Stein <alexander.stein@ew.tq-group.com>
ARM: dts: imx6sll: add missing properties for sram
Alexander Stein <alexander.stein@ew.tq-group.com>
ARM: dts: imx6sl: add missing properties for sram
Alexander Stein <alexander.stein@ew.tq-group.com>
ARM: dts: imx6qp: add missing properties for sram
Alexander Stein <alexander.stein@ew.tq-group.com>
ARM: dts: imx6dl: add missing properties for sram
Alexander Stein <alexander.stein@ew.tq-group.com>
ARM: dts: imx6q: add missing properties for sram
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
arm64: dts: qcom: sc7280-idp: correct ADC channel node name and unit address
Haibo Chen <haibo.chen@nxp.com>
ARM: dts: imx7d-sdb: config the max pressure for tsc2046
Alexander Stein <alexander.stein@ew.tq-group.com>
ARM: dts: imx6: delete interrupts property if interrupts-extended is set
Felix Kuehling <Felix.Kuehling@amd.com>
drm/amdkfd: Fix UBSAN shift-out-of-bounds warning
Wenjing Liu <wenjing.liu@amd.com>
drm/amd/display: polling vid stream status in hpo dp blank
Aric Cyr <aric.cyr@amd.com>
drm/amd/display: Remove interface for periodic interrupt 1
Khaled Almahallawy <khaled.almahallawy@intel.com>
drm/dp: Don't rewrite link config when setting phy test pattern
Richard Acayan <mailingradian@gmail.com>
mmc: sdhci-msm: add compatible string check for sdm670
Adrián Larumbe <adrian.larumbe@collabora.com>
drm/meson: remove drm bridges at aggregate driver unbind time
Adrián Larumbe <adrian.larumbe@collabora.com>
drm/meson: explicitly remove aggregate driver at module unload time
Adrián Larumbe <adrian.larumbe@collabora.com>
drm/meson: reorder driver deinit sequence to fix use-after-free bug
Mario Limonciello <mario.limonciello@amd.com>
ASoC: amd: yc: Add Lenovo Yoga Slim 7 Pro X to quirks table
Xiaoyan Li <lxy.lixiaoyan@gmail.com>
ASoC: amd: yc: Add ASUS UM5302TA into DMI table
hongao <hongao@uniontech.com>
drm/amdgpu: fix initial connector audio value
Sherry Wang <Yao.Wang1@amd.com>
drm/amd/display: correct hostvm flag
George Shen <george.shen@amd.com>
drm/amd/display: Fix urgent latency override for DCN32/DCN321
Philip Yang <Philip.Yang@amd.com>
drm/amdgpu: SDMA update use unlocked iterator
Pierre-Louis Bossart <pierre-louis.bossart@linux.intel.com>
ASoC: SOF: add quirk to override topology mclk_id
Mikhail Rudenko <mike.rudenko@gmail.com>
ASoC: sunxi: sun4i-codec: set debugfs_prefix for CPU DAI component
Jairaj Arava <jairaj.arava@intel.com>
ASoC: SOF: pci: Change DMI match info to support all Chrome platforms
Muralidhar Reddy <muralidhar.reddy@intel.com>
ALSA: intel-dspconfig: add ES8336 support for AlderLake-PS
Hans de Goede <hdegoede@redhat.com>
platform/x86: msi-laptop: Change DMI match / alias strings to fix module autoloading
Jorge Lopez <jorge.lopez2@hp.com>
platform/x86: hp-wmi: Setting thermal profile fails with 0x06
Jameson Thies <jthies@google.com>
platform/chrome: cros_ec: Notify the PM of wake events during resume
Maya Matuszczyk <maccraft123mc@gmail.com>
drm: panel-orientation-quirks: Add quirk for Aya Neo Air
Maya Matuszczyk <maccraft123mc@gmail.com>
drm: panel-orientation-quirks: Add quirk for Anbernic Win600
Mateusz Kwiatkowski <kfyatek+publicgit@gmail.com>
drm/vc4: vec: Fix timings for VEC modes
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Register card at the last interface
Yifan Zha <Yifan.Zha@amd.com>
drm/admgpu: Skip CG/PG on SOC21 under SRIOV VF
Yifan Zha <Yifan.Zha@amd.com>
drm/amdgpu: Skip the program of MMMC_VM_AGP_* in SRIOV on MMHUB v3_0_0
sunliming <sunliming@kylinos.cn>
drm/amd/display: Fix variable dereferenced before check
Lucas Stach <l.stach@pengutronix.de>
drm: bridge: dw_hdmi: only trigger hotplug event on link change
Bernard Zhao <bernard@vivo.com>
drm/amd: fix potential memory leak
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
platform/x86: pmc_atom: Improve quirk message to be less cryptic
Vivek Kasireddy <vivek.kasireddy@intel.com>
udmabuf: Set ubuf->sg = NULL if the creation of sg table fails
Conner Knox <connerknoxpublic@gmail.com>
ALSA: usb-audio: Add quirk to enable Avid Mbox 3 support
Cezary Rojewski <cezary.rojewski@intel.com>
ALSA: hda: Fix page fault in snd_hda_codec_shutdown()
David Gow <davidgow@google.com>
drm/amd/display: fix overflow on MIN_I64 definition
Zeng Jingxiang <linuszeng@tencent.com>
gpu: lontium-lt9611: Fix NULL pointer dereference in lt9611_connector_init()
Liviu Dudau <liviu.dudau@arm.com>
drm/komeda: Fix handling of atomic commits in the atomic_commit_tail hook
Javier Martinez Canillas <javierm@redhat.com>
drm: Prevent drm_copy_field() to attempt copying a NULL pointer
Javier Martinez Canillas <javierm@redhat.com>
drm: Use size_t type for len variable in drm_copy_field()
Jianglei Nie <niejianglei2021@163.com>
drm/nouveau/nouveau_bo: fix potential memory leak in nouveau_bo_alloc()
Andrew Gaul <gaul@gaul.org>
r8152: Rate limit overflow messages
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
i2c: designware-pci: Group AMD NAVI quirk parts together
Xin Liu <liuxin350@huawei.com>
libbpf: Fix overrun in netlink attribute iteration
Kees Cook <keescook@chromium.org>
net: sched: cls_u32: Avoid memcpy() false-positive warning
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: L2CAP: Fix user-after-free
Song Liu <song@kernel.org>
bpf: use bpf_prog_pack for bpf_dispatcher
Jiri Olsa <jolsa@kernel.org>
bpf: Adjust kprobe_multi entry_ip for CONFIG_X86_KERNEL_IBT
Liu Jian <liujian56@huawei.com>
net: If sock is dead don't access sock's sk_wq in sk_stream_wait_memory
Jason A. Donenfeld <Jason@zx2c4.com>
hwmon: (sht4x) do not overflow clamping operation on 32-bit platforms
Daniel Golle <daniel@makrotopia.org>
wifi: rt2x00: correctly set BBP register 86 for MT7620
Daniel Golle <daniel@makrotopia.org>
wifi: rt2x00: set SoC wmac clock register
Daniel Golle <daniel@makrotopia.org>
wifi: rt2x00: set VGC gain for both chains of MT7620
Daniel Golle <daniel@makrotopia.org>
wifi: rt2x00: set correct TX_SW_CFG1 MAC register for MT7620
Daniel Golle <daniel@makrotopia.org>
wifi: rt2x00: don't run Rt5592 IQ calibration on MT7620
Ziyang Xuan <william.xuanziyang@huawei.com>
can: bcm: check the result of can_send() in bcm_can_tx()
Hou Tao <houtao1@huawei.com>
selftests/bpf: Free the allocated resources after test case succeeds
Vadim Fedorenko <vfedorenko@novek.ru>
bnxt_en: replace reset with config timestamps
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_event: Make sure ISO events don't affect non-ISO connections
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_sysfs: Fix attempting to call device_add multiple times
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Bluetooth: L2CAP: initialize delayed works at l2cap_chan_create()
Po-Hao Huang <phhuang@realtek.com>
wifi: rtw89: fix rx filter after scan
Po-Hao Huang <phhuang@realtek.com>
wifi: rtw89: free unused skb to prevent memory leak
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: mt7921: reset msta->airtime_ac while clearing up hw value
Jianglei Nie <niejianglei2021@163.com>
wifi: ath11k: mhi: fix potential memory leak in ath11k_mhi_register()
Patrick Rudolph <patrick.rudolph@9elements.com>
regulator: core: Prevent integer underflow
Kiran K <kiran.k@intel.com>
Bluetooth: btintel: Mark Intel controller to support LE_STATES quirk
Alexander Coffin <alex.coffin@matician.com>
wifi: brcmfmac: fix use-after-free bug in brcmf_netdev_start_xmit()
Michal Jaron <michalx.jaron@intel.com>
iavf: Fix race between iavf_close and iavf_reset_task
Sergei Antonov <saproj@gmail.com>
net: ftmac100: fix endianness-related issues from 'sparse'
Zong-Zhe Yang <kevin_yang@realtek.com>
rtw89: ser: leave lps with mutex
Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
wifi: ath11k: Register shutdown handler for WCN6750
Khalid Masum <khalid.masum.92@gmail.com>
xfrm: Update ipcomp_scratches with NULL when freed
Richard Gobert <richardbgobert@gmail.com>
net-next: Fix IP_UNICAST_IF option behavior for connected sockets
Robert Hancock <robert.hancock@calian.com>
net: axienet: Switch to 64-bit RX/TX statistics
Daniel Sneddon <daniel.sneddon@linux.intel.com>
x86/apic: Don't disable x2APIC if locked
Mika Westerberg <mika.westerberg@linux.intel.com>
thunderbolt: Add back Intel Falcon Ridge end-to-end flow control workaround
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
wifi: ath9k: avoid uninit memory read in ath9k_htc_rx_msg()
Jane Chu <jane.chu@oracle.com>
x86/mce: Retrieve poison range from hardware
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: accept STA changes without link changes
Jerry Ray <jerry.ray@microchip.com>
micrel: ksz8851: fixes struct pointer issue
Eric Dumazet <edumazet@google.com>
tcp: annotate data-race around tcp_md5sig_pool_populated
Mike Pattrick <mkp@redhat.com>
openvswitch: Fix overreporting of drops in dropwatch
Mike Pattrick <mkp@redhat.com>
openvswitch: Fix double reporting of drops in dropwatch
Ravi Gunasekaran <r-gunasekaran@ti.com>
net: ethernet: ti: davinci_mdio: Add workaround for errata i2329
Quentin Monnet <quentin@isovalent.com>
bpftool: Clear errno after libcap's checks
Wright Feng <wright.feng@cypress.com>
wifi: brcmfmac: fix invalid address access when enabling SCAN log level
Zong-Zhe Yang <kevin_yang@realtek.com>
wifi: rtw88: phy: fix warning of possible buffer overflow
Hengqi Chen <hengqi.chen@gmail.com>
libbpf: Do not require executable permission for shared libraries
James Hilliard <james.hilliard1@gmail.com>
libbpf: Ensure functions with always_inline attribute are inline
Dai Ngo <dai.ngo@oracle.com>
NFSD: fix use-after-free on source server when doing inter-server copy
Anna Schumaker <Anna.Schumaker@Netapp.com>
NFSD: Return nfserr_serverfault if splice_ok but buf->pages have data
Kees Cook <keescook@chromium.org>
x86/entry: Work around Clang __bdos() bug
Mario Limonciello <mario.limonciello@amd.com>
ACPI: x86: Add a quirk for Dell Inspiron 14 2-in-1 for StorageD3Enable
Kees Cook <keescook@chromium.org>
ARM: decompressor: Include .data.rel.ro.local
Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
thermal: intel_powerclamp: Use get_cpu() instead of smp_processor_id() to avoid crash
Chao Qin <chao.qin@intel.com>
powercap: intel_rapl: fix UBSAN shift-out-of-bounds issue
Kees Cook <keescook@chromium.org>
MIPS: BCM47XX: Cast memcmp() of function to (void *)
Doug Smythies <dsmythies@telus.net>
cpufreq: intel_pstate: Add Tigerlake support in no-HWP mode
Hans de Goede <hdegoede@redhat.com>
ACPI: tables: FPDT: Don't call acpi_os_map_memory() on invalid phys address
Kees Cook <keescook@chromium.org>
fortify: Fix __compiletime_strlen() under UBSAN_BOUNDS_LOCAL
Arvid Norlander <lkml@vorpal.se>
ACPI: video: Add Toshiba Satellite/Portege Z830 quirk
Perry Yuan <Perry.Yuan@amd.com>
cpufreq: amd_pstate: fix wrong lowest perf fetch
Paul E. McKenney <paulmck@kernel.org>
rcu-tasks: Ensure RCU Tasks Trace loops have quiescent states
Zqiang <qiang1.zhang@intel.com>
rcu-tasks: Convert RCU_LOCKDEP_WARN() to WARN_ONCE()
Michal Hocko <mhocko@suse.com>
rcu: Back off upon fill_page_cache_func() allocation failure
Zqiang <qiang1.zhang@intel.com>
rcu: Avoid triggering strict-GP irq-work when RCU is idle
Alexander Aring <aahringo@redhat.com>
fs: dlm: fix race in lowcomms
Aaron Tomlin <atomlin@redhat.com>
module: tracking: Keep a record of tainted unloaded modules only
Christoph Hellwig <hch@lst.de>
ARM/dma-mappіng: don't override ->dma_coherent when set from a bus notifier
Stefan Berger <stefanb@linux.ibm.com>
selftest: tpm2: Add Client.__del__() to close /dev/tpm* handle
Zhang Rui <rui.zhang@intel.com>
tools/power turbostat: Use standard Energy Unit for SPR Dram RAPL domain
Chao Yu <chao@kernel.org>
f2fs: fix to account FS_CP_DATA_IO correctly
Zhang Qilong <zhangqilong3@huawei.com>
f2fs: fix race condition on setting FI_NO_EXTENT flag
Shuai Xue <xueshuai@linux.alibaba.com>
ACPI: APEI: do not add task_work to kernel thread to avoid memory leak
Vincent Knecht <vincent.knecht@mailoo.org>
thermal/drivers/qcom/tsens-v0_1: Fix MSM8939 fourth sensor hw_id
Jason A. Donenfeld <Jason@zx2c4.com>
random: schedule jitter credit for next jiffy, not in two jiffies
Dan Carpenter <dan.carpenter@oracle.com>
crypto: cavium - prevent integer overflow loading firmware
Dan Carpenter <dan.carpenter@oracle.com>
crypto: marvell/octeontx - prevent integer overflows
Janis Schoetterl-Glausch <scgl@linux.ibm.com>
kbuild: rpm-pkg: fix breakage when V=1 is used
Masahiro Yamada <masahiroy@kernel.org>
linux/export: use inline assembler to populate symbol CRCs
Masahiro Yamada <masahiroy@kernel.org>
kbuild: remove the target in signal traps when interrupted
Song Liu <song@kernel.org>
ftrace: Fix recursive locking direct_mutex in ftrace_modify_direct_caller
Nico Pache <npache@redhat.com>
tracing/osnoise: Fix possible recursive locking in stop_per_cpu_kthreads
Yipeng Zou <zouyipeng@huawei.com>
tracing: kprobe: Make gen test module work in arm and riscv
Yipeng Zou <zouyipeng@huawei.com>
tracing: kprobe: Fix kprobe event gen test module on exit
Robin Murphy <robin.murphy@arm.com>
iommu/iova: Fix module config properly
Enzo Matsumiya <ematsumiya@suse.de>
cifs: return correct error in ->calc_signature()
Lin Yujun <linyujun809@huawei.com>
clocksource/drivers/timer-gxp: Add missing error handling in gxp_timer_probe
Kunkun Jiang <jiangkunkun@huawei.com>
clocksource/drivers/arm_arch_timer: Fix handling of ARM erratum 858921
Damian Muszynski <damian.muszynski@intel.com>
crypto: qat - fix DMA transfer direction
Peter Harliman Liem <pliem@maxlinear.com>
crypto: inside-secure - Change swab to swab32
Koba Ko <koba.ko@canonical.com>
crypto: ccp - Release dma channels before dmaengine unrgister
Ignat Korchagin <ignat@cloudflare.com>
crypto: akcipher - default implementation for setting a private key
Dan Carpenter <dan.carpenter@oracle.com>
iommu/omap: Fix buffer overflow in debugfs
Waiman Long <longman@redhat.com>
cgroup/cpuset: Enable update_tasks_cpumask() on top_cpuset
Weili Qian <qianweili@huawei.com>
crypto: hisilicon/qm - fix missing put dfx access
Lucas Segarra Fernandez <lucas.segarra.fernandez@intel.com>
crypto: qat - fix default value of WDT timer
Kshitiz Varshney <kshitiz.varshney@nxp.com>
hwrng: imx-rngc - Moving IRQ handler registering after imx_rngc_irq_mask_clear()
Martin Kaiser <martin@kaiser.cx>
hwrng: imx-rngc - use devm_clk_get_enabled
Michal Koutný <mkoutny@suse.com>
cgroup: Honor caller's cgroup NS when resolving path
Jacky Li <jackyli@google.com>
crypto: ccp - Fail the PSP initialization when writing psp data file failed
James Cowgill <james.cowgill@blaize.com>
hwrng: arm-smccc-trng - fix NO_ENTROPY handling
Ye Weihua <yeweihua4@huawei.com>
crypto: hisilicon/zip - fix mismatch in get/set sgl_sge_nr
Zhengchao Shao <shaozhengchao@huawei.com>
crypto: sahara - don't sleep when in softirq
Haren Myneni <haren@linux.ibm.com>
powerpc/pseries/vas: Pass hw_cpu_id to node associativity HCALL
Li Huafei <lihuafei1@huawei.com>
powerpc/kprobes: Fix null pointer reference in arch_prepare_kprobe()
Pali Rohár <pali@kernel.org>
powerpc: Fix SPE Power ISA properties for e500v1 platforms
Nicholas Piggin <npiggin@gmail.com>
powerpc/64/interrupt: Fix return to masked context after hard-mask irq becomes pending
Nicholas Piggin <npiggin@gmail.com>
powerpc/64: mark irqs hard disabled in boot paca
Nicholas Piggin <npiggin@gmail.com>
powerpc/64/interrupt: Fix false warning in context tracking due to idle state
Nicholas Piggin <npiggin@gmail.com>
powerpc/64s: Fix GENERIC_CPU build flags for PPC970 / G5
Vitaly Kuznetsov <vkuznets@redhat.com>
x86/hyperv: Fix 'struct hv_enlightened_vmcs' definition
Rohan McLure <rmclure@linux.ibm.com>
powerpc: Fix fallocate and fadvise64_64 compat parameter combination
Pali Rohár <pali@kernel.org>
powerpc: dts: turris1x.dts: Fix labels in DSA cpu port nodes
Pali Rohár <pali@kernel.org>
powerpc: dts: turris1x.dts: Fix NOR partitions labels
Anup Patel <apatel@ventanamicro.com>
cpuidle: riscv-sbi: Fix CPU_PM_CPU_IDLE_ENTER_xyz() macro usage
Zheng Yongjun <zhengyongjun3@huawei.com>
powerpc/powernv: add missing of_node_put() in opal_export_attrs()
Liang He <windhl@126.com>
powerpc/pci_dn: Add missing of_node_put()
Liang He <windhl@126.com>
powerpc/sysdev/fsl_msi: Add missing of_node_put()
Nathan Chancellor <nathan@kernel.org>
powerpc/math_emu/efp: Include module.h
Michael Ellerman <mpe@ellerman.id.au>
powerpc/configs: Properly enable PAPR_SCM in pseries_defconfig
Hangyu Hua <hbh25y@gmail.com>
ipc: mqueue: fix possible memory leak in init_mqueue_fs()
Jack Wang <jinpu.wang@ionos.com>
mailbox: bcm-ferxrm-mailbox: Fix error check for dma_map_sg
Conor Dooley <conor.dooley@microchip.com>
mailbox: mpfs: account for mbox offsets while sending
Conor Dooley <conor.dooley@microchip.com>
mailbox: mpfs: fix handling of the reg property
Peng Fan <peng.fan@nxp.com>
mailbox: imx: fix RST channel support
Joel Stanley <joel@jms.id.au>
clk: ast2600: BCLK comes from EPLL
Miaoqian Lin <linmq006@gmail.com>
clk: ti: dra7-atl: Fix reference leak in of_dra7_atl_clk_probe
Liang He <windhl@126.com>
clk: ti: Balance of_node_get() calls for of_find_node_by_name()
Lin Yujun <linyujun809@huawei.com>
clk: imx: scu: fix memleak on platform_device_add() fails
Peng Fan <peng.fan@nxp.com>
clk: imx8mp: tune the order of enet_qos_root_clk
Stefan Wahren <stefan.wahren@i2se.com>
clk: bcm2835: fix bcm2835_clock_rate_from_divisor declaration
Maxime Ripard <maxime@cerno.tech>
clk: bcm2835: Make peripheral PLLC critical
Serge Semin <Sergey.Semin@baikalelectronics.ru>
clk: baikal-t1: Add SATA internal ref clock buffer
Serge Semin <Sergey.Semin@baikalelectronics.ru>
clk: baikal-t1: Add shared xGMAC ref/ptp clocks internal parent
Serge Semin <Sergey.Semin@baikalelectronics.ru>
clk: baikal-t1: Fix invalid xGMAC PTP clock divider
Serge Semin <Sergey.Semin@baikalelectronics.ru>
clk: vc5: Fix 5P49V6901 outputs disabling when enabling FOD
David Collins <collinsd@codeaurora.org>
spmi: pmic-arb: correct duplicate APID to PPID mapping logic
Chunfeng Yun <chunfeng.yun@mediatek.com>
usb: mtu3: fix failed runtime suspend in host only mode
Basavaraj Natikar <Basavaraj.Natikar@amd.com>
HID: amd_sfh: Handle condition of "no sensors" for SFH1.1
Dave Jiang <dave.jiang@intel.com>
dmaengine: ioat: stop mod_timer from resurrecting deleted timer in __cleanup()
Jens Axboe <axboe@kernel.dk>
io_uring/rw: defer fsnotify calls to task context
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
phy: qcom-qmp-pcie: fix resource mapping for SDM845 QHP PHY
Chen-Yu Tsai <wenst@chromium.org>
clk: mediatek: Migrate remaining clk_unregister_*() to clk_hw_unregister_*()
Chen-Yu Tsai <wenst@chromium.org>
clk: mediatek: fix unregister function in mtk_clk_register_dividers cleanup
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
clk: mediatek: clk-mt8195-mfg: Reparent mfg_bg3d and propagate rate changes
Chen-Yu Tsai <wenst@chromium.org>
clk: mediatek: mt8183: mfgcfg: Propagate rate changes to parent
Jens Hillenstedt <jens.hillenstedt@ise.de>
mfd: da9061: Fix Failed to set Two-Wire Bus Mode.
Jiasheng Jiang <jiasheng@iscas.ac.cn>
mfd: sm501: Add check for platform_driver_register()
Dan Carpenter <dan.carpenter@oracle.com>
mfd: fsl-imx25: Fix check for platform_get_irq() errors
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
mfd: lp8788: Fix an error handling path in lp8788_irq_init() and lp8788_irq_init()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
mfd: lp8788: Fix an error handling path in lp8788_probe()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
mfd: fsl-imx25: Fix an error handling path in mx25_tsadc_setup_irq()
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
mfd: intel_soc_pmic: Fix an error handling path in intel_soc_pmic_i2c_probe()
Jiasheng Jiang <jiasheng@iscas.ac.cn>
fsi: core: Check error number after calling ida_simple_get
Bob Pearson <rpearsonhpe@gmail.com>
RDMA/rxe: Fix resize_finish() in rxe_queue.c
Bob Pearson <rpearsonhpe@gmail.com>
RDMA/rxe: Set pd early in mr alloc routines
Christoph Hellwig <hch@lst.de>
nvmet-auth: don't try to cancel a non-initialized work_struct
Adam Skladowski <a_skl39@protonmail.com>
clk: qcom: gcc-sm6115: Override default Alpha PLL regs
Robert Marko <robimarko@gmail.com>
clk: qcom: apss-ipq6018: mark apcs_alias0_core_clk as critical
Mike Christie <michael.christie@oracle.com>
scsi: iscsi: iscsi_tcp: Fix null-ptr-deref while calling getpeername()
John Garry <john.garry@huawei.com>
scsi: pm8001: Fix running_req for internal abort commands
Duoming Zhou <duoming@zju.edu.cn>
scsi: libsas: Fix use-after-free bug in smp_execute_task_sg()
Pali Rohár <pali@kernel.org>
serial: 8250: Fix restoring termios speed after suspend
Guilherme G. Piccoli <gpiccoli@igalia.com>
firmware: google: Test spinlock on panic path to avoid lockups
Lin Yujun <linyujun809@huawei.com>
slimbus: qcom-ngd: Add error handling in of_qcom_slim_ngd_register
Nam Cao <namcaov@gmail.com>
staging: vt6655: fix some erroneous memory clean-up loops
Dongliang Mu <mudongliangabcd@gmail.com>
phy: qualcomm: call clk_disable_unprepare in the error handling
Sherry Sun <sherry.sun@nxp.com>
tty: serial: fsl_lpuart: disable dma rx/tx use flags in lpuart_dma_shutdown
Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
serial: 8250: Toggle IER bits on only after irq has been set up
Dan Carpenter <dan.carpenter@oracle.com>
drivers: serial: jsm: fix some leaks in probe
Dan Carpenter <dan.carpenter@oracle.com>
usb: dwc3: core: fix some leaks in probe
Liang He <windhl@126.com>
usb: typec: anx7411: Use of_get_child_by_name() instead of of_find_node_by_name()
Albert Briscoe <albertsbriscoe@gmail.com>
usb: gadget: function: fix dangling pnp_string in f_printer.c
Mario Limonciello <mario.limonciello@amd.com>
xhci: Don't show warning for reinit on known broken suspend
Daisuke Matsuda <matsuda-daisuke@fujitsu.com>
IB: Set IOVA/LENGTH on IB_MR in core/uverbs layers
Mark Zhang <markzhang@nvidia.com>
RDMA/cm: Use SLID in the work completion as the DLID in responder side
Logan Gunthorpe <logang@deltatee.com>
md: Remove extra mddev_get() in md_seq_start()
David Sloan <david.sloan@eideticom.com>
md/raid5: Remove unnecessary bio_put() in raid5_read_one_chunk()
Logan Gunthorpe <logang@deltatee.com>
md/raid5: Ensure stripe_fill happens on non-read IO with journal
Saurabh Sengar <ssengar@linux.microsoft.com>
md: Replace snprintf with scnprintf
Jens Axboe <axboe@kernel.dk>
io_uring/fdinfo: fix sqe dumping for IORING_SETUP_SQE128
Dylan Yudaken <dylany@fb.com>
eventfd: guard wake_up in eventfd fs calls as well
Bart Van Assche <bvanassche@acm.org>
block: Fix the enum blk_eh_timer_return documentation
Dan Carpenter <dan.carpenter@oracle.com>
mtd: rawnand: meson: fix bit map use in meson_nfc_ecc_correct()
Niklas Cassel <niklas.cassel@wdc.com>
ata: fix ata_id_has_dipm()
Niklas Cassel <niklas.cassel@wdc.com>
ata: fix ata_id_has_ncq_autosense()
Niklas Cassel <niklas.cassel@wdc.com>
ata: fix ata_id_has_devslp()
Niklas Cassel <niklas.cassel@wdc.com>
ata: fix ata_id_sense_reporting_enabled() and ata_id_has_sense_reporting()
Bernard Metzler <bmt@zurich.ibm.com>
RDMA/siw: Fix QP destroy to wait for all references dropped.
Bernard Metzler <bmt@zurich.ibm.com>
RDMA/siw: Always consume all skbuf data in sk_data_ready() upcall.
Bart Van Assche <bvanassche@acm.org>
RDMA/srp: Fix srp_abort()
Shiraz Saleem <shiraz.saleem@intel.com>
RDMA/irdma: Validate udata inlen and outlen
Sindhu-Devale <sindhu.devale@intel.com>
RDMA/irdma: Align AE id codes to correct flush code and event
Pali Rohár <pali@kernel.org>
mtd: rawnand: fsl_elbc: Fix none ECC mode
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
mtd: rawnand: intel: Remove undocumented compatible string
Martin Blumenstingl <martin.blumenstingl@googlemail.com>
mtd: rawnand: intel: Read the chip-select line from the correct OF node
Chunfeng Yun <chunfeng.yun@mediatek.com>
phy: phy-mtk-tphy: fix the phy type setting issue
Liang He <windhl@126.com>
phy: amlogic: phy-meson-axg-mipi-pcie-analog: Hold reference returned by of_get_parent()
Johan Hovold <johan+linaro@kernel.org>
phy: qcom-qmp-usb: fix memleak on probe deferral
Johan Hovold <johan+linaro@kernel.org>
phy: qcom-qmp-ufs: fix memleak on probe deferral
Johan Hovold <johan+linaro@kernel.org>
phy: qcom-qmp-combo: fix memleak on probe deferral
Johan Hovold <johan+linaro@kernel.org>
phy: qcom-qmp-pcie-msm8996: fix memleak on probe deferral
Johan Hovold <johan+linaro@kernel.org>
phy: qcom-qmp-pcie: fix memleak on probe deferral
Johan Hovold <johan+linaro@kernel.org>
phy: qcom-qmp-pcie: add pcs_misc sanity check
Johan Hovold <johan+linaro@kernel.org>
phy: qcom-qmp-usb: disable runtime PM on unbind
Dan Carpenter <dan.carpenter@oracle.com>
remoteproc: Harden rproc_handle_vdev() against integer overflow
William Dean <williamsukatube@gmail.com>
mtd: devices: docg3: check the return value of devm_ioremap() in the probe
James Smart <jsmart2021@gmail.com>
scsi: lpfc: Fix various issues reported by tools
Dang Huynh <danct12@riseup.net>
clk: qcom: sm6115: Select QCOM_GDSC
Jan Kara <jack@suse.cz>
sbitmap: Avoid leaving waitqueue in invalid state in __sbq_wake_up()
Jim Cromie <jim.cromie@gmail.com>
dyndbg: drop EXPORTed dynamic_debug_exec_queries
Jim Cromie <jim.cromie@gmail.com>
dyndbg: let query-modname override actual module name
Jim Cromie <jim.cromie@gmail.com>
dyndbg: fix module.dyndbg handling
Jim Cromie <jim.cromie@gmail.com>
dyndbg: fix static_branch manipulation
Dan Carpenter <dan.carpenter@oracle.com>
usb: gadget: f_fs: stricter integer overflow checks
Vincent Whitchurch <vincent.whitchurch@axis.com>
iio: Use per-device lockdep class for mlock
Jie Hai <haijie1@huawei.com>
dmaengine: hisilicon: Add multi-thread support for a DMA channel
Jie Hai <haijie1@huawei.com>
dmaengine: hisilicon: Fix CQ head update
Jie Hai <haijie1@huawei.com>
dmaengine: hisilicon: Disable channels when unregister hisi_dma
Jerry Snitselaar <jsnitsel@redhat.com>
dmaengine: idxd: avoid deadlock in process_misc_interrupts()
Peter Geis <pgwipeout@gmail.com>
phy: rockchip-inno-usb2: Return zero after otg sync
Dan Carpenter <dan.carpenter@oracle.com>
fpga: prevent integer overflow in dfl_feature_ioctl_set_irq()
Matthew Gerlach <matthew.gerlach@linux.intel.com>
fpga: dfl-pci: Add IDs for Intel N6000, N6001 and C6100 cards
Hangyu Hua <hbh25y@gmail.com>
misc: ocxl: fix possible refcount leak in afu_ioctl()
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
clk: mediatek: mt8195-infra_ao: Set pwrmcu clocks as critical
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
clk: mediatek: clk-mt8195-vdo1: Reparent and set rate on vdo1_dpintf's parent
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
clk: mediatek: clk-mt8195-vdo0: Set rate on vdo0_dp_intf0_dp_intf's parent
Zhu Yanjun <yanjun.zhu@linux.dev>
RDMA/rxe: Fix the error caused by qp->sk
Zhu Yanjun <yanjun.zhu@linux.dev>
RDMA/rxe: Fix "kernel NULL pointer dereference" error
Miaoqian Lin <linmq006@gmail.com>
media: xilinx: vipp: Fix refcount leak in xvip_graph_dma_init
Yunke Cao <yunkec@google.com>
media: uvcvideo: Use entity get_cur in uvc_ctrl_set
José Expósito <jose.exposito89@gmail.com>
media: uvcvideo: Fix memory leak in uvc_gpio_parse
Xu Qiang <xuqiang36@huawei.com>
media: meson: vdec: add missing clk_disable_unprepare on error in vdec_hevc_start()
Ming Qian <ming.qian@nxp.com>
media: amphion: fix a bug that vpu core may not resume after suspend
Ming Qian <ming.qian@nxp.com>
media: amphion: don't change the colorspace reported by decoder.
Ming Qian <ming.qian@nxp.com>
media: amphion: adjust the encoder's value range of gop size
Ming Qian <ming.qian@nxp.com>
media: amphion: insert picture startcode after seek for vc1g format
Hirokazu Honda <hiroh@chromium.org>
media: mediatek: vcodec: Skip non CBR bitrate mode
Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
tty: xilinx_uartps: Fix the ignore_status
Shubhrajyoti Datta <shubhrajyoti.datta@xilinx.com>
tty: xilinx_uartps: Check clk_enable return value
Dongliang Mu <mudongliangabcd@gmail.com>
media: airspy: fix memory leak in airspy probe
Liang He <windhl@126.com>
media: exynos4-is: fimc-is: Add of_node_put() when breaking out of loop
Marijn Suijten <marijn.suijten@somainline.org>
clk: qcom: gcc-sdm660: Use floor ops for SDCC1 clock
Jack Wang <jinpu.wang@ionos.com>
HSI: omap_ssi_port: Fix dma_map_sg error check
Miaoqian Lin <linmq006@gmail.com>
HSI: omap_ssi: Fix refcount leak in ssi_probe
José Expósito <jose.exposito89@gmail.com>
HID: uclogic: Fix warning in uclogic_rdesc_template_apply
José Expósito <jose.exposito89@gmail.com>
HID: uclogic: Add missing suffix for digitalizers
Yu Kuai <yukuai3@huawei.com>
sbitmap: fix possible io hung due to lost wakeup
Chanho Park <chanho61.park@samsung.com>
clk: samsung: exynosautov9: correct register offsets of peric0/c1
Miaoqian Lin <linmq006@gmail.com>
clk: tegra20: Fix refcount leak in tegra20_clock_init
Miaoqian Lin <linmq006@gmail.com>
clk: tegra: Fix refcount leak in tegra114_clock_init
Miaoqian Lin <linmq006@gmail.com>
clk: tegra: Fix refcount leak in tegra210_clock_init
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
coresight: docs: Fix a broken reference
Liang He <windhl@126.com>
clk: sprd: Hold reference returned by of_get_parent()
Liang He <windhl@126.com>
clk: berlin: Add of_node_put() for of_get_parent()
Liang He <windhl@126.com>
clk: qoriq: Hold reference returned by of_get_parent()
Liang He <windhl@126.com>
clk: oxnas: Hold reference returned by of_get_parent()
Liang He <windhl@126.com>
clk: st: Hold reference returned by of_get_parent()
Liang He <windhl@126.com>
clk: meson: Hold reference returned by of_get_parent()
Thinh Nguyen <Thinh.Nguyen@synopsys.com>
usb: common: debug: Check non-standard control requests
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
usb: common: usb-conn-gpio: Simplify some error message
Aharon Landau <aharonl@nvidia.com>
RDMA/mlx5: Don't compare mkey tags in DEVX indirect mkey
Jakob Hauser <jahau@rocketmail.com>
iio: magnetometer: yas530: Change data type of hard_offsets to signed
Jonathan Cameron <Jonathan.Cameron@huawei.com>
iio: ABI: Fix wrong format of differential capacitance channel ABI.
Nuno Sá <nuno.sa@analog.com>
iio: inkern: fix return value in devm_of_iio_channel_get_by_name()
Nuno Sá <nuno.sa@analog.com>
iio: inkern: only release the device node when done with it
Claudiu Beznea <claudiu.beznea@microchip.com>
iio: adc: at91-sama5d2_adc: disable/prepare buffer on suspend/resume
Claudiu Beznea <claudiu.beznea@microchip.com>
iio: adc: at91-sama5d2_adc: lock around oversampling and sample freq
Claudiu Beznea <claudiu.beznea@microchip.com>
iio: adc: at91-sama5d2_adc: check return status for pressure and touch
Claudiu Beznea <claudiu.beznea@microchip.com>
iio: adc: at91-sama5d2_adc: fix AT91_SAMA5D2_MR_TRACKTIM_MAX
Zhao Gongyi <zhaogongyi@huawei.com>
selftests/cpu-hotplug: Reserve one cpu online at least
Zhao Gongyi <zhaogongyi@huawei.com>
selftests/cpu-hotplug: Delete fault injection related code
Zhao Gongyi <zhaogongyi@huawei.com>
selftests/cpu-hotplug: Use return instead of exit
Darrick J. Wong <djwong@kernel.org>
iomap: iomap: fix memory corruption when recording errors during writeback
Dmitry Torokhov <dmitry.torokhov@gmail.com>
ARM: dts: exynos: fix polarity of VBUS GPIO of Origen
Dmitry Torokhov <dmitry.torokhov@gmail.com>
arm64: dts: exynos: fix polarity of "enable" line of NFC chip in TM2
Mark Rutland <mark.rutland@arm.com>
arm64: ftrace: fix module PLTs with mcount
Josh Triplett <josh@joshtriplett.org>
ext4: don't run ext4lazyinit for read-only filesystems
Jerry Lee 李修賢 <jerrylee@qnap.com>
ext4: continue to expand file system when the target size doesn't reach
Geert Uytterhoeven <geert+renesas@glider.be>
ARM: Drop CMDLINE_* dependency on ATAGS
Dmitry Torokhov <dmitry.torokhov@gmail.com>
ARM: dts: exynos: correct s5k6a3 reset polarity on Midas family
Matt Ranostay <mranostay@ti.com>
arm64: dts: ti: k3-j7200: fix main pinmux range
Johan Hovold <johan+linaro@kernel.org>
arm64: dts: qcom: sm8450: fix UFS PHY serdes size
Johan Hovold <johan+linaro@kernel.org>
arm64: dts: qcom: ipq8074: fix PCIe PHY serdes size
Dmitry Osipenko <digetx@gmail.com>
soc/tegra: fuse: Drop Kconfig dependency on TEGRA20_APB_DMA
Liang He <windhl@126.com>
soc/tegra: fuse: Add missing of_node_put() in tegra_init_fuse()
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
arm64: dts: qcom: sm8350-sagami: correct TS pin property
Randy Dunlap <rdunlap@infradead.org>
ia64: export memory_add_physaddr_to_nid to fix cxl build error
Bhupesh Sharma <bhupesh.sharma@linaro.org>
arm64: dts: qcom: sc8280xp-pmics: Remove reg entry & use correct node name for pmc8280c_lpg node
Chris Packham <chris.packham@alliedtelesis.co.nz>
arm64: dts: marvell: 98dx25xx: use correct property for i2c gpios
Michael Walle <michael@walle.cc>
ARM: dts: kirkwood: lsxl: remove first ethernet port
Michael Walle <michael@walle.cc>
ARM: dts: kirkwood: lsxl: fix serial line
Marek Behún <kabel@kernel.org>
ARM: dts: turris-omnia: Fix mpp26 pin name and comment
Stephen Boyd <swboyd@chromium.org>
arm64: dts: qcom: sc7180-trogdor: Keep pm6150_adc enabled for TZ
Bryan O'Donoghue <bryan.odonoghue@linaro.org>
arm64: dts: qcom: pm8350c: Drop PWM reg declaration
Johan Hovold <johan+linaro@kernel.org>
arm64: dts: qcom: sa8295p-adp: disallow regulator mode switches
Johan Hovold <johan+linaro@kernel.org>
arm64: dts: qcom: sc8280xp-lenovo-thinkpad-x13s: disallow regulator mode switches
Johan Hovold <johan+linaro@kernel.org>
arm64: dts: qcom: sc8280xp-crd: disallow regulator mode switches
Satya Priya <quic_c_skakit@quicinc.com>
arm64: dts: qcom: sc7280: Update lpasscore node
Satya Priya <quic_c_skakit@quicinc.com>
arm64: dts: qcom: sc7280: Cleanup the lpasscc node
Geert Uytterhoeven <geert+renesas@glider.be>
arm64: dts: qcom: sdm845-xiaomi-polaris: Fix sde_dsi_active pinctrl
Chanho Park <chanho61.park@samsung.com>
dt-bindings: clock: exynosautov9: correct clock numbering of peric0/c1
Biju Das <biju.das.jz@bp.renesas.com>
arm64: dts: renesas: r9a07g043: Fix SCI{Rx,Tx} interrupt types
Biju Das <biju.das.jz@bp.renesas.com>
arm64: dts: renesas: r9a07g054: Fix SCI{Rx,Tx} interrupt types
Biju Das <biju.das.jz@bp.renesas.com>
arm64: dts: renesas: r9a07g044: Fix SCI{Rx,Tx} interrupt types
Lucas Stach <l.stach@pengutronix.de>
ARM: dts: imx6qdl-kontron-samx6i: hook up DDC i2c bus
Liang He <windhl@126.com>
soc: qcom: smem_state: Add refcounting for the 'state->of_node'
Liang He <windhl@126.com>
soc: qcom: smsm: Fix refcount leak bugs in qcom_smsm_probe()
Amir Goldstein <amir73il@gmail.com>
locks: fix TOCTOU race when granting write lease
Liang He <windhl@126.com>
memory: of: Fix refcount leak bug in of_lpddr3_get_ddr_timings()
Liang He <windhl@126.com>
memory: of: Fix refcount leak bug in of_get_ddr_timings()
Liang He <windhl@126.com>
memory: pl353-smc: Fix refcount leak bug in pl353_smc_probe()
Takashi Iwai <tiwai@suse.de>
ALSA: hda/hdmi: Don't skip notification handling during PM operation
Judy Hsiao <judyhsiao@chromium.org>
ASoC: rockchip: i2s: use regmap_read_poll_timeout_atomic to poll I2S_CLR
Zhang Qilong <zhangqilong3@huawei.com>
ASoC: mt6660: Fix PM disable depth imbalance in mt6660_i2c_probe
Zhang Qilong <zhangqilong3@huawei.com>
ASoC: wm5102: Fix PM disable depth imbalance in wm5102_probe
Zhang Qilong <zhangqilong3@huawei.com>
ASoC: wm5110: Fix PM disable depth imbalance in wm5110_probe
Zhang Qilong <zhangqilong3@huawei.com>
ASoC: wm8997: Fix PM disable depth imbalance in wm8997_probe
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
ASoC: wcd-mbhc-v2: Revert "ASoC: wcd-mbhc-v2: use pm_runtime_resume_and_get()"
Zhang Qilong <zhangqilong3@huawei.com>
ASoC: stm: Fix PM disable depth imbalance in stm32_i2s_probe
Zhang Qilong <zhangqilong3@huawei.com>
ASoC: stm32: spdifrx: Fix PM disable depth imbalance in stm32_spdifrx_probe
Zhang Qilong <zhangqilong3@huawei.com>
ASoC: stm32: dfsdm: Fix PM disable depth imbalance in stm32_adfsdm_probe
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
mmc: wmt-sdmmc: Fix an error handling path in wmt_mci_probe()
Andreas Pape <apape@de.adit-jv.com>
ALSA: dmaengine: increment buffer pointer atomically
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
ASoC: da7219: Fix an error handling path in da7219_register_dai_clks()
Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
ASoC: codecs: tx-macro: fix kcontrol put
Dan Carpenter <dan.carpenter@oracle.com>
virtio-gpu: fix shift wrapping bug in virtio_gpu_fence_event_create()
Rafael Mendonca <rafaelmendsr@gmail.com>
drm/vmwgfx: Fix memory leak in vmw_mksstat_add_ioctl()
Peter Ujfalusi <peter.ujfalusi@linux.intel.com>
ASoC: SOF: ipc4-topology: Free the ida when IPC fails in sof_ipc4_widget_setup()
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Properly refcounting clock rate
Jaroslav Kysela <perex@perex.cz>
ALSA: hda/hdmi: Fix the converter allocation for the silent stream
Jaroslav Kysela <perex@perex.cz>
ALSA: hda/hdmi: change type for the 'assigned' variable
Kuogee Hsieh <quic_khsieh@quicinc.com>
drm/msm/dp: correct 1.62G link rate at dp_catalog_ctrl_config_msa()
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm/dpu: index dpu_kms->hw_vbif using vbif_idx
Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
drm/msm: lookup the ICC paths in both mdp5/dpu and mdss devices
Liang He <windhl@126.com>
ASoC: eureka-tlv320: Hold reference returned from of_find_xxx API
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
mmc: au1xmmc: Fix an error handling path in au1xmmc_probe()
Judy Hsiao <judyhsiao@chromium.org>
ASoC: rockchip: i2s: use regmap_read_poll_timeout to poll I2S_CLR
Rafael Mendonca <rafaelmendsr@gmail.com>
drm/amdgpu: Fix memory leak in hpd_rx_irq_create_workqueue()
Liang He <windhl@126.com>
drm/omap: dss: Fix refcount leak bugs
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
ASoC: SOF: mediatek: mt8195: Import namespace SND_SOC_SOF_MTK_COMMON
AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
ASoC: mediatek: mt8195-mt6359: Properly register sound card for SOF
Gerd Hoffmann <kraxel@redhat.com>
drm/bochs: fix blanking
Chia-I Wu <olvaffe@gmail.com>
drm/virtio: set fb_modifiers_not_supported
Takashi Iwai <tiwai@suse.de>
ALSA: hda: beep: Simplify keep-power-at-enable behavior
Cristian Ciocaltea <cristian.ciocaltea@collabora.com>
ASoC: wm_adsp: Handle optional legacy support
Jiasheng Jiang <jiasheng@iscas.ac.cn>
ASoC: rsnd: Add check for rsnd_mod_power_on
Pin-yen Lin <treapking@chromium.org>
drm/bridge: it6505: Fix the order of DP_SET_POWER commands
Zheyu Ma <zheyuma97@gmail.com>
drm/bridge: megachips: Fix a null pointer dereference bug
Yang Yingliang <yangyingliang@huawei.com>
drm/amdgpu: add missing pci_disable_device() in amdgpu_pmops_runtime_resume()
Prashant Malani <pmalani@chromium.org>
platform/chrome: cros_ec_typec: Correct alt mode index
Prashant Malani <pmalani@chromium.org>
platform/chrome: cros_ec_typec: Add bit offset for DP VDO
Randy Dunlap <rdunlap@infradead.org>
drm: fix drm_mipi_dbi build errors
Randy Dunlap <rdunlap@infradead.org>
drm/panel: use 'select' for Ili9341 panel driver helpers
Hans de Goede <hdegoede@redhat.com>
platform/x86: msi-laptop: Fix resource cleanup
Hans de Goede <hdegoede@redhat.com>
platform/x86: msi-laptop: Fix old-ec check for backlight registering
Martin Povišer <povik+lin@cutebit.org>
ASoC: tas2764: Fix mute/unmute
Martin Povišer <povik+lin@cutebit.org>
ASoC: tas2764: Drop conflicting set_bias_level power setting
Martin Povišer <povik+lin@cutebit.org>
ASoC: tas2764: Allow mono streams
Kuninori Morimoto <kuninori.morimoto.gx@renesas.com>
ASoC: soc-pcm.c: call __soc_pcm_close() in soc_pcm_close()
Rob Clark <robdclark@chromium.org>
drm/virtio: Fix same-context optimization
Stanislav Lisovskiy <stanislav.lisovskiy@intel.com>
drm/i915/dg2: Bump up CDCLK for DG2
Dan Carpenter <dan.carpenter@oracle.com>
platform/chrome: fix memory corruption in ioctl
Rustam Subkhankulov <subkhankulov@ispras.ru>
platform/chrome: fix double-free in chromeos_laptop_prepare()
Javier Martinez Canillas <javierm@redhat.com>
drm/msm: Make .remove and .shutdown HW shutdown consistent
Yang Yingliang <yangyingliang@huawei.com>
ASoC: amd: acp: add missing platform_device_unregister() in acp_pci_probe()
Dan Carpenter <dan.carpenter@oracle.com>
ASoC: mt6359: fix tests for platform_get_irq() failure
Liang He <windhl@126.com>
drm:pl111: Add of_node_put() when breaking out of for_each_available_child_of_node()
Simon Ser <contact@emersion.fr>
drm/dp_mst: fix drm_dp_dpcd_read return value checks
José Expósito <jose.exposito89@gmail.com>
drm/format-helper: Fix test on big endian architectures
Chen-Yu Tsai <wenst@chromium.org>
drm/bridge: parade-ps8640: Fix regulator supply order
Liang He <windhl@126.com>
drm/bridge: tc358767: Add of_node_put() when breaking out of loop
Liang He <windhl@126.com>
drm/bridge: anx7625: Fix refcount bug in anx7625_parse_dt()
Dmitry Osipenko <dmitry.osipenko@collabora.com>
drm/virtio: Correct drm_gem_shmem_get_sg_table() error handling
Thomas Zimmermann <tzimmermann@suse.de>
video/aperture: Disable and unregister sysfb devices via aperture helpers
Pin-Yen Lin <treapking@chromium.org>
drm/bridge: it6505: Power on downstream device in .atomic_enable
Maxime Ripard <maxime@cerno.tech>
drm/vc4: drv: Call component_unbind_all()
Maxime Ripard <maxime@cerno.tech>
drm/mipi-dsi: Detach devices when removing the host
Dan Carpenter <dan.carpenter@oracle.com>
drm/bridge: Avoid uninitialized variable warning
Alvin Šipraga <alsi@bang-olufsen.dk>
drm: bridge: adv7511: unregister cec i2c device after cec adapter
Alvin Šipraga <alsi@bang-olufsen.dk>
drm: bridge: adv7511: fix CEC power down control register offset
Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
net: mvpp2: fix mvpp2 debugfs leak
Eric Dumazet <edumazet@google.com>
once: add DO_ONCE_SLOW() for sleepable contexts
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
net/ieee802154: reject zero-sized raw_sendmsg()
Maxim Mikityanskiy <maxtram95@gmail.com>
net: wwan: iosm: Call mutex_init before locking it
Zheng Wang <zyytlz.wz@163.com>
eth: sp7021: fix use after free bug in spl2sw_nvmem_get_mac_address
Jianglei Nie <niejianglei2021@163.com>
bnx2x: fix potential memory leak in bnx2x_tpa_stop()
Raju Lakkaraju <Raju.Lakkaraju@microchip.com>
eth: lan743x: reject extts for non-pci11x1x devices
Jiasheng Jiang <jiasheng@iscas.ac.cn>
net: prestera: acl: Add check for kmemdup
Kuniyuki Iwashima <kuniyu@amazon.com>
af_unix: Fix memory leaks of the whole sk due to OOB skb.
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
net: rds: don't hold sock lock when cancelling work from rds_tcp_reset_callbacks()
Oleksandr Shamray <oleksandrs@nvidia.com>
hwmon: (pmbus/mp2888) Fix sensors readouts for MPS Multi-phase mp2888 controller
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_sync: Fix not indicating power state
Marek Szyprowski <m.szyprowski@samsung.com>
spi: Ensure that sg_table won't be used after being freed
Neal Cardwell <ncardwell@google.com>
tcp: fix tcp_cwnd_validate() to not forget is_cwnd_limited
Xin Long <lucien.xin@gmail.com>
sctp: handle the error returned from sctp_auth_asoc_init_active_key
Duoming Zhou <duoming@zju.edu.cn>
mISDN: fix use-after-free bugs in l1oip timer handlers
Jakub Kicinski <kuba@kernel.org>
eth: alx: take rtnl_lock on resume
Junichi Uekawa <uekawa@chromium.org>
vhost/vsock: Use kvmalloc/kvfree for larger packets.
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtl8xxxu: Fix AIFS written to REG_EDCA_*_PARAM
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtl8xxxu: gen2: Enable 40 MHz channel width
Abhishek Pandit-Subedi <abhishekpandit@chromium.org>
Bluetooth: Prevent double register of suspend
Vincent Whitchurch <vincent.whitchurch@axis.com>
spi: s3c64xx: Fix large transfers with DMA
Phil Sutter <phil@nwl.cc>
netfilter: nft_fib: Fix for rpath check with VRF devices
Liu Jian <liujian56@huawei.com>
xfrm: Reinject transport-mode packets through workqueue
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_core: Fix not handling link timeouts propertly
Asmaa Mnebhi <asmaa@nvidia.com>
i2c: mlxbf: support lock mechanism
Andrii Nakryiko <andrii@kernel.org>
libbpf: Don't require full struct enum64 in UAPI headers
Xiaomeng Tong <xiam0nd.tong@gmail.com>
cw1200: fix incorrect check to determine if no element is found in list
Liu Jian <liujian56@huawei.com>
skmsg: Schedule psock work if the cached skb exists on the psock
Zhang Qilong <zhangqilong3@huawei.com>
spi/omap100k:Fix PM disable depth imbalance in omap1_spi100k_probe
Zhang Qilong <zhangqilong3@huawei.com>
spi: dw: Fix PM disable depth imbalance in dw_spi_bt1_probe
Zhang Qilong <zhangqilong3@huawei.com>
spi: cadence-quadspi: Fix PM disable depth imbalance in cqspi_probe
Luciano Leão <lucianorsleao@gmail.com>
x86/cpu: Include the header of init_ia32_feat_ctl()'s prototype
Christian Marangi <ansuelsmth@gmail.com>
wifi: ath11k: fix peer addition/deletion error on sta band migration
Andrii Nakryiko <andrii@kernel.org>
libbpf: restore memory layout of bpf_object_open_opts
Kees Cook <keescook@chromium.org>
x86/microcode/AMD: Track patch allocation size explicitly
Arınç ÜNAL <arinc.unal@arinc9.com>
mips: dts: ralink: mt7621: fix external phy on GB-PC2
Jesus Fernandez Manzano <jesus.manzano@galgus.net>
wifi: ath11k: fix number of VHT beamformee spatial streams
Wen Gong <quic_wgong@quicinc.com>
wifi: ath11k: fix failed to find the peer with peer_id 0 when disconnected
Duoming Zhou <duoming@zju.edu.cn>
mwifiex: fix sleep in atomic context bugs caused by dev_coredumpv
Qingqing Yang <qingqing.yang@broadcom.com>
flow_dissector: Do not count vlan tags inside tunnel payload
Pu Lehui <pulehui@huawei.com>
selftests/bpf: Adapt cgroup effective query uapi change
Pu Lehui <pulehui@huawei.com>
bpftool: Fix wrong cgroup attach flags being assigned to effective progs
Pu Lehui <pulehui@huawei.com>
bpf, cgroup: Reject prog_attach_flags array when effective query
Antoine Tenart <atenart@kernel.org>
netfilter: conntrack: revisit the gc initial rescheduling bias
Antoine Tenart <atenart@kernel.org>
netfilter: conntrack: fix the gc rescheduling delay
Xin Liu <liuxin350@huawei.com>
libbpf: Fix NULL pointer exception in API btf_dump__dump_type_data
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Bluetooth: hci_{ldisc,serdev}: check percpu_init_rwsem() failure
Baochen Qiang <quic_bqiang@quicinc.com>
wifi: ath11k: Include STA_KEEPALIVE_ARP_RESPONSE TLV header by default
Andrii Nakryiko <andrii@kernel.org>
libbpf: Fix crash if SEC("freplace") programs don't have attach_prog_fd set
Lee Jones <lee@kernel.org>
bpf: Ensure correct locking around vulnerable function find_vpid()
Zheng Yongjun <zhengyongjun3@huawei.com>
net: fs_enet: Fix wrong check in do_pd_setup
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: RFCOMM: Fix possible deadlock on socket shutdown/release
Deren Wu <deren.wu@mediatek.com>
wifi: mt76: mt7921e: fix rmmod crash in driver reload test
Howard Hsu <howard-yh.hsu@mediatek.com>
wifi: mt76: mt7915: do not check state before configuring implicit beamform
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: fix uninitialized pointer in mt7921_mac_fill_rx
Howard Hsu <howard-yh.hsu@mediatek.com>
wifi: mt76: mt7915: fix mcs value in ht mode
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: mt7921: fix the firmware version report
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: mt7921: add mt7921_mutex_acquire at mt7921_sta_set_decap_offload
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: mt7921: add mt7921_mutex_acquire at mt7921_[start, stop]_ap
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: connac: fix possible unaligned access in mt76_connac_mcu_add_nested_tlv
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: mt7915: fix possible unaligned access in mt7915_mac_add_twt_setup
Lorenzo Bianconi <lorenzo@kernel.org>
wifi: mt76: mt7615: add mt7615_mutex_acquire/release in mt7615_sta_set_decap_offload
YN Chen <yn.chen@mediatek.com>
wifi: mt76: sdio: fix transmitting packet hangs
Dan Carpenter <dan.carpenter@oracle.com>
wifi: mt76: mt7921: fix use after free in mt7921_acpi_read()
Dan Carpenter <dan.carpenter@oracle.com>
wifi: mt76: mt7915: fix an uninitialized variable bug
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: sdio: poll sta stat when device transmits data
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: sdio: fix the deadlock caused by sdio->stat_work
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: mt7921u: fix race issue between reset and suspend/resume
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: mt7921s: fix race issue between reset and suspend/resume
Sean Wang <sean.wang@mediatek.com>
wifi: mt76: mt7921e: fix race issue between reset and suspend/resume
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Bluetooth: avoid hci_dev_test_and_set_flag() in mgmt_init_hdev()
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtl8xxxu: Remove copy-paste leftover in gen2_update_rate_mask
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtl8xxxu: gen2: Fix mistake in path B IQ calibration
Lorenz Bauer <oss@lmb.io>
bpf: btf: fix truncated last_member_type_id in btf_struct_resolve
Neil Armstrong <neil.armstrong@linaro.org>
spi: meson-spicc: do not rely on busy flag in pow2 clk ops
Bitterblue Smith <rtl8821cerfe2@gmail.com>
wifi: rtl8xxxu: Fix skb misuse in TX queue selection
Xu Qiang <xuqiang36@huawei.com>
spi: qup: add missing clk_disable_unprepare on error in spi_qup_pm_resume_runtime()
Xu Qiang <xuqiang36@huawei.com>
spi: qup: add missing clk_disable_unprepare on error in spi_qup_resume()
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: mlme: assign link address correctly
Ian Rogers <irogers@google.com>
selftests/xsk: Avoid use-after-free on ctx
Yang Yingliang <yangyingliang@huawei.com>
wifi: rtw88: add missing destroy_workqueue() on error path in rtw_core_init()
Dan Carpenter <dan.carpenter@oracle.com>
wifi: wfx: prevent underflow in wfx_send_pds()
Dan Carpenter <dan.carpenter@oracle.com>
wifi: rtl8xxxu: tighten bounds checking in rtl8xxxu_read_efuse()
Ping-Ke Shih <pkshih@realtek.com>
wifi: rtw89: pci: correct TX resource checking in low power mode
Ping-Ke Shih <pkshih@realtek.com>
wifi: rtw89: pci: fix interrupt stuck after leaving low power mode
Hou Tao <houtao1@huawei.com>
bpf: Only add BTF IDs for socket security hooks when CONFIG_SECURITY_NETWORK is on
Sean Wang <sean.wang@mediatek.com>
Bluetooth: btusb: mediatek: fix WMT failure during runtime suspend
Hou Tao <houtao1@huawei.com>
bpf: Use this_cpu_{inc_return|dec} for prog->active
Hou Tao <houtao1@huawei.com>
bpf: Use this_cpu_{inc|dec|inc_return} for bpf_task_storage_busy
Manikanta Pubbisetty <quic_mpubbise@quicinc.com>
wifi: ath11k: Fix incorrect QMI message ID mappings
Hou Tao <houtao1@huawei.com>
bpf: Propagate error from htab_lock_bucket() to userspace
Hou Tao <houtao1@huawei.com>
bpf: Disable preemption when increasing per-cpu map_locked
Maciej Fijalkowski <maciej.fijalkowski@intel.com>
selftests/xsk: Add missing close() on netns fd
Maciej Fijalkowski <maciej.fijalkowski@intel.com>
xsk: Fix backpressure mechanism on Tx
Kohei Tarumizu <tarumizu.kohei@fujitsu.com>
x86/resctrl: Fix to restore to original value when re-enabling hardware prefetch register
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
spi: mt7621: Fix an error message in mt7621_spi_probe()
Sabrina Dubroca <sd@queasysnail.net>
esp: choose the correct inner protocol for GSO on inter address family tunnels
Richard Guy Briggs <rgb@redhat.com>
audit: free audit_proctitle only on task exit
Richard Guy Briggs <rgb@redhat.com>
audit: explicitly check audit_context->context enum value
Jacob Keller <jacob.e.keller@intel.com>
ice: set tx_tstamps when creating new Tx rings via ethtool
Lam Thai <lamthai@arista.com>
bpftool: Fix a wrong type cast in btf_dumper_int
Hari Chandrakanthan <quic_haric@quicinc.com>
wifi: mac80211: allow bw change during channel switch in mesh
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211_hwsim: fix link change handling
Mordechay Goodstein <mordechay.goodstein@intel.com>
wifi: mac80211: mlme: don't add empty EML capabilities
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: fix use-after-free
Shaul Triebitz <shaul.triebitz@intel.com>
wifi: cfg80211: get correct AP link chandef
Shaul Triebitz <shaul.triebitz@intel.com>
wifi: mac80211: properly set old_links when removing a link
Kumar Kartikeya Dwivedi <memxor@gmail.com>
bpf: Fix reference state management for synchronous callbacks
Maksym Glubokiy <maksym.glubokiy@plvision.eu>
net: prestera: cache port state for non-phylink ports too
Gerhard Engleder <gerhard@engleder-embedded.com>
tsnep: Fix TSNEP_INFO_TX_TIME register define
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
leds: lm3601x: Don't use mutex after it was destroyed
Joanne Koong <joannelkoong@gmail.com>
bpf: Fix ref_obj_id for dynptr data slices in verifier
Dave Marchevsky <davemarchevsky@fb.com>
bpf: Cleanup check_refcount_ok
Wen Gong <quic_wgong@quicinc.com>
wifi: ath10k: add peer map clean up for peer delete in ath10k_sta_state()
Youghandhar Chintala <quic_youghand@quicinc.com>
wifi: ath10k: Set tx credit to one for WCN3990 snoc based devices
Ping-Ke Shih <pkshih@realtek.com>
wifi: rtlwifi: 8192de: correct checking of IQK reload
Florian Fainelli <f.fainelli@gmail.com>
libbpf: Initialize err in probe_map_create
Jason A. Donenfeld <Jason@zx2c4.com>
m68k: Process bootinfo records before saving them
Bill Wendling <morbo@google.com>
x86/paravirt: add extra clobbers with ZERO_CALL_USED_REGS enabled
Chuck Lever <chuck.lever@oracle.com>
NFSD: Fix handling of oversized NFSv4 COMPOUND requests
Chuck Lever <chuck.lever@oracle.com>
NFSD: Protect against send buffer overflow in NFSv2 READDIR
Chuck Lever <chuck.lever@oracle.com>
SUNRPC: Fix svcxdr_init_encode's buflen calculation
Chuck Lever <chuck.lever@oracle.com>
SUNRPC: Fix svcxdr_init_decode's end-of-buffer calculation
Christophe JAILLET <christophe.jaillet@wanadoo.fr>
nfsd: Fix a memory leak in an error handling path
Sami Tolvanen <samitolvanen@google.com>
objtool: Preserve special st_shndx indexes in elf_update_symbol
Huisong Li <lihuisong@huawei.com>
ACPI: PCC: Fix Tx acknowledge in the PCC address space handler
Huisong Li <lihuisong@huawei.com>
ACPI: PCC: replace wait_for_completion()
Rafael Mendonca <rafaelmendsr@gmail.com>
ACPI: PCC: Release resources on address space setup failure path
Wang Kefeng <wangkefeng.wang@huawei.com>
ARM: 9247/1: mm: set readonly for MT_MEMORY_RO with ARM_LPAE
Wang Kefeng <wangkefeng.wang@huawei.com>
ARM: 9244/1: dump: Fix wrong pg_level in walk_pmd()
Bart Van Assche <bvanassche@acm.org>
ARM: 9243/1: riscpc: Unbreak the build
Jia Zhu <zhujia.zj@bytedance.com>
erofs: use kill_anon_super() to kill super in fscache mode
Gao Xiang <xiang@kernel.org>
erofs: fix order >= MAX_ORDER warning due to crafted negative i_size
Lin Yujun <linyujun809@huawei.com>
MIPS: SGI-IP27: Fix platform-device leak in bridge_platform_create()
Lin Yujun <linyujun809@huawei.com>
MIPS: SGI-IP30: Fix platform-device leak in bridge_platform_create()
Kees Cook <keescook@chromium.org>
sh: machvec: Use char[] for section boundaries
Perry Yuan <Perry.Yuan@amd.com>
cpufreq: amd-pstate: Fix initial highest_perf value
Xuewen Yan <xuewen.yan@unisoc.com>
thermal: cpufreq_cooling: Check the policy first in cpufreq_cooling_register()
Christian Brauner <brauner@kernel.org>
acl: return EOPNOTSUPP in posix_acl_fix_xattr_common()
Christian Brauner <brauner@kernel.org>
ntfs3: rework xattr handlers and switch to POSIX ACL VFS helpers
Ondrej Mosnacek <omosnace@redhat.com>
userfaultfd: open userfaultfds with O_RDONLY
Mimi Zohar <zohar@linux.ibm.com>
ima: fix blocking of security.ima xattrs of unsupported algorithms
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
selinux: use "grep -E" instead of "egrep"
Steve French <stfrench@microsoft.com>
smb3: must initialize two ACL struct fields to zero
Ruili Ji <ruiliji2@amd.com>
drm/amdgpu: Enable F32_WPTR_POLL_ENABLE in mqd
Sonny Jiang <sonny.jiang@amd.com>
drm/amdgpu: Enable VCN PG on GC11_0_1
Shirish S <shirish.s@amd.com>
drm/amd/display: explicitly disable psr_feature_enable appropriately
Aurabindo Pillai <aurabindo.pillai@amd.com>
drm/amd/display: Add HUBP surface flip interrupt handler
Yunxiang Li <Yunxiang.Li@amd.com>
drm/amd/display: Fix vblank refcount in vrr transition
Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
drm/amd/display: Enable 2 to 1 ODM policy if supported
Roman Li <roman.li@amd.com>
drm/amd/display: Enable dpia support for dcn314
Fangzhi Zuo <Jerry.Zuo@amd.com>
drm/amd/display: Validate DSC After Enable All New CRTCs
Martin Leung <Martin.Leung@amd.com>
drm/amd/display: zeromem mypipe heap struct before using it
Nicholas Kazlauskas <nicholas.kazlauskas@amd.com>
drm/amd/display: Update PMFW z-state interface for DCN314
Alvin Lee <Alvin.Lee2@amd.com>
drm/amd/display: Fix watermark calculation
Thomas Hellström <thomas.hellstrom@linux.intel.com>
drm/i915: Fix display problems after resume
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Fix watermark calculations for DG2 CCS+CC modifier
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Fix watermark calculations for DG2 CCS modifiers
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Fix watermark calculations for gen12+ CCS+CC modifier
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Fix watermark calculations for gen12+ MC CCS modifier
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Fix watermark calculations for gen12+ RC CCS modifier
Tvrtko Ursulin <tvrtko.ursulin@intel.com>
drm/i915/guc: Fix revocation of non-persistent contexts
Chris Wilson <chris.p.wilson@intel.com>
drm/i915/gt: Use i915_vm_put on ppgtt_create error paths
Jianglei Nie <niejianglei2021@163.com>
drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()
Lyude Paul <lyude@redhat.com>
drm/nouveau/kms/nv140-: Disable interlacing
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
staging: greybus: audio_helper: remove unused and wrong debugfs usage
Sean Christopherson <seanjc@google.com>
KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS
Sean Christopherson <seanjc@google.com>
KVM: x86: Treat #DBs from the emulator as fault-like (code and DR7.GD=1)
Sean Christopherson <seanjc@google.com>
KVM: nVMX: Don't propagate vmcs12's PERF_GLOBAL_CTRL settings to vmcs02
Sean Christopherson <seanjc@google.com>
KVM: nVMX: Unconditionally purge queued/injected events on nested "exit"
Michal Luczaj <mhal@rbox.co>
KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility
Yu Kuai <yukuai3@huawei.com>
blk-wbt: call rq_qos_add() after wb_normal is initialized
Yu Kuai <yukuai3@huawei.com>
blk-throttle: fix that io throttle can only work for single bio
Dmitry Osipenko <dmitry.osipenko@collabora.com>
media: cedrus: Fix endless loop in cedrus_h265_skip_bits()
Dmitry Osipenko <dmitry.osipenko@collabora.com>
media: cedrus: Set the platform driver data earlier
Nicolas Dufresne <nicolas.dufresne@collabora.com>
media: cedrus: Fix watchdog race condition
Ard Biesheuvel <ardb@kernel.org>
efi: libstub: drop pointless get_memory_map() call
Mario Limonciello <mario.limonciello@amd.com>
thunderbolt: Explicitly enable lane adapter hotplug events at startup
Shengjiu Wang <shengjiu.wang@nxp.com>
rpmsg: char: Avoid double destroy of default endpoint
Steven Rostedt (Google) <rostedt@goodmis.org>
tracing: Fix reading strings from synthetic events
Steven Rostedt (Google) <rostedt@goodmis.org>
tracing: Add "(fault)" name injection to kernel probes
Steven Rostedt (Google) <rostedt@goodmis.org>
tracing: Move duplicate code of trace_kprobe/eprobe.c into header
Steven Rostedt (Google) <rostedt@goodmis.org>
tracing: Do not free snapshot if tracer is on cmdline
Steven Rostedt (Google) <rostedt@goodmis.org>
tracing: Add ioctl() to force ring buffer waiters to wake up
Steven Rostedt (Google) <rostedt@goodmis.org>
tracing: Wake up waiters when tracing is disabled
Steven Rostedt (Google) <rostedt@goodmis.org>
tracing: Wake up ring buffer waiters on closing of the file
Waiman Long <longman@redhat.com>
tracing: Disable interrupt or preemption before acquiring arch_spinlock_t
Tao Chen <chentao.kernel@linux.alibaba.com>
tracing/eprobe: Fix alloc event dir failed when event name no set
Steven Rostedt (Google) <rostedt@goodmis.org>
ring-buffer: Fix race between reset page and reading page
Steven Rostedt (Google) <rostedt@goodmis.org>
ring-buffer: Add ring_buffer_wake_waiters()
Steven Rostedt (Google) <rostedt@goodmis.org>
ring-buffer: Check pending waiters when doing wake ups as well
Steven Rostedt (Google) <rostedt@goodmis.org>
ring-buffer: Have the shortest_full queue be the shortest not longest
Steven Rostedt (Google) <rostedt@goodmis.org>
ring-buffer: Allow splice to read previous partially read pages
Steven Rostedt (Google) <rostedt@goodmis.org>
ftrace: Still disable enabled records marked as disabled
Zheng Yejian <zhengyejian1@huawei.com>
ftrace: Properly unset FTRACE_HASH_FL_MOD
Rik van Riel <riel@surriel.com>
livepatch: fix race between fork and KLP transition
Ye Bin <yebin10@huawei.com>
ext4: update 'state->fc_regions_size' after successful memory allocation
Ye Bin <yebin10@huawei.com>
ext4: fix potential memory leak in ext4_fc_record_regions()
Ye Bin <yebin10@huawei.com>
ext4: fix potential memory leak in ext4_fc_record_modified_inode()
Ye Bin <yebin10@huawei.com>
ext4: fix miss release buffer head in ext4_fc_write_inode
Zhihao Cheng <chengzhihao1@huawei.com>
ext4: fix dir corruption when ext4_dx_add_entry() fails
Jeff Layton <jlayton@kernel.org>
ext4: fix i_version handling in ext4
Jinke Han <hanjinke.666@bytedance.com>
ext4: place buffer head allocation before handle start
Zhang Yi <yi.zhang@huawei.com>
ext4: ext4_read_bh_lock() should submit IO if the buffer isn't uptodate
Jeff Layton <jlayton@kernel.org>
ext4: unconditionally enable the i_version counter
Lukas Czerner <lczerner@redhat.com>
ext4: don't increase iversion counter for ea_inodes
Jan Kara <jack@suse.cz>
ext4: fix check for block being out of directory size
Lalith Rajendran <lalithkraj@google.com>
ext4: make ext4_lazyinit_thread freezable
Baokun Li <libaokun1@huawei.com>
ext4: fix null-ptr-deref in ext4_write_info
Jan Kara <jack@suse.cz>
ext4: avoid crash when inline data creation follows DIO write
Jan Kara <jack@suse.cz>
ext2: Add sanity checks for group and filesystem size
Ye Bin <yebin10@huawei.com>
jbd2: add miss release buffer head in fc_do_one_pass()
Ye Bin <yebin10@huawei.com>
jbd2: fix potential use-after-free in jbd2_fc_wait_bufs
Ye Bin <yebin10@huawei.com>
jbd2: fix potential buffer head reference count leak
Andrew Perepechko <anserper@ya.ru>
jbd2: wake up journal waiters in FIFO order, not LIFO
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: allow direct read for zoned device
Chao Yu <chao@kernel.org>
f2fs: fix to do sanity check on summary info
Chao Yu <chao@kernel.org>
f2fs: fix to do sanity check on destination blkaddr during recovery
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: increase the limit for reserve_root
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: flush pending checkpoints when freezing super
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: complete checkpoints during remount
Jaegeuk Kim <jaegeuk@kernel.org>
f2fs: fix wrong continue condition in GC
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer
Filipe Manana <fdmanana@suse.com>
btrfs: fix missed extent on fsync after dropping extent maps
Filipe Manana <fdmanana@suse.com>
btrfs: fix race between quota enable and quota rescan ioctl
Qu Wenruo <wqu@suse.com>
btrfs: enhance unsupported compat RO flags handling
Alexander Zhu <alexlzhu@fb.com>
btrfs: fix alignment of VMA for memory mapped files on THP
Lukas Czerner <lczerner@redhat.com>
fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE
Mickaël Salaün <mic@digikod.net>
ksmbd: Fix user namespace mapping
Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
ksmbd: Fix wrong return value and message length check in smb2_ioctl()
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix endless loop when encryption for response fails
Namjae Jeon <linkinjeon@kernel.org>
ksmbd: fix incorrect handling of iterate_dir
Steve French <stfrench@microsoft.com>
smb3: do not log confusing message when server returns no network interfaces
Jason A. Donenfeld <Jason@zx2c4.com>
hwrng: core - let sleep be interrupted when unregistering hwrng
Hyunwoo Kim <imv4bel@gmail.com>
fbdev: smscufx: Fix use-after-free in ufx_ops_open()
Quentin Schulz <quentin.schulz@theobroma-systems.com>
pinctrl: rockchip: add pinmux_ops.gpio_set_direction callback
Quentin Schulz <quentin.schulz@theobroma-systems.com>
gpio: rockchip: request GPIO mux to pinctrl when setting direction
Saurav Kashyap <skashyap@marvell.com>
scsi: qedf: Populate sysfs attributes for vport
James Smart <jsmart2021@gmail.com>
scsi: lpfc: Rework MIB Rx Monitor debug info logic
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
slimbus: qcom-ngd: cleanup in probe error path
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
slimbus: qcom-ngd: use correct error in message of pdr_add_lookup() failure
Pali Rohár <pali@kernel.org>
powerpc/boot: Explicitly disable usage of SPE instructions
Christophe Leroy <christophe.leroy@csgroup.eu>
powerpc/Kconfig: Fix non existing CONFIG_PPC_FSL_BOOKE
Zhang Rui <rui.zhang@intel.com>
powercap: intel_rapl: Use standard Energy Unit for SPR Dram RAPL domain
Matthias Kaehlcke <mka@chromium.org>
LoadPin: Fix Kconfig doc about format of file with verity digests
Viresh Kumar <viresh.kumar@linaro.org>
cpufreq: qcom-cpufreq-hw: Fix uninitialized throttled_freq warning
Chuck Lever <chuck.lever@oracle.com>
NFSD: Protect against send buffer overflow in NFSv3 READ
Chuck Lever <chuck.lever@oracle.com>
NFSD: Protect against send buffer overflow in NFSv2 READ
Chuck Lever <chuck.lever@oracle.com>
NFSD: Protect against send buffer overflow in NFSv3 READDIR
Maciej W. Rozycki <macro@orcam.me.uk>
serial: 8250: Request full 16550A feature probing for OxSemi PCIe devices
Maciej W. Rozycki <macro@orcam.me.uk>
serial: 8250: Let drivers request full 16550A feature probing
Lukas Wunner <lukas@wunner.de>
serial: ar933x: Deassert Transmit Enable on ->rs485_config()
Lukas Wunner <lukas@wunner.de>
serial: Deassert Transmit Enable on probe in driver-specific way
Lukas Wunner <lukas@wunner.de>
serial: stm32: Deassert Transmit Enable on ->rs485_config()
Christophe Leroy <christophe.leroy@csgroup.eu>
serial: cpm_uart: Don't request IRQ too early for console port
Maciej W. Rozycki <macro@orcam.me.uk>
PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge
M. Vefa Bicakci <m.v.b@runbox.com>
xen/gntdev: Accommodate VMA splitting
M. Vefa Bicakci <m.v.b@runbox.com>
xen/gntdev: Prevent leaking grants
Carlos Llamas <cmllamas@google.com>
mm/mmap: undo ->mmap() when arch_validate_flags() fails
Peter Xu <peterx@redhat.com>
mm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in
Baolin Wang <baolin.wang@linux.alibaba.com>
mm/damon: validate if the pmd entry is present before accessing
Baolin Wang <baolin.wang@linux.alibaba.com>
mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page
Yang Guo <guoyang2@huawei.com>
clocksource/drivers/arm_arch_timer: Fix CNTPCT_LO and CNTVCT_LO value
James Morse <james.morse@arm.com>
arm64: errata: Add Cortex-A55 to the repeat tlbi list
Catalin Marinas <catalin.marinas@arm.com>
arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored
Peter Collingbourne <pcc@google.com>
arm64: mte: move register initialization to C
Takashi Iwai <tiwai@suse.de>
drm/udl: Restore display mode on resume
Dmitry Osipenko <dmitry.osipenko@collabora.com>
drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb()
Dmitry Osipenko <dmitry.osipenko@collabora.com>
drm/virtio: Unlock reservations on dma_resv_reserve_fences() error
Dmitry Osipenko <dmitry.osipenko@collabora.com>
drm/virtio: Unlock reservations on virtio_gpu_object_shmem_init() error
Dmitry Osipenko <dmitry.osipenko@collabora.com>
drm/virtio: Check whether transferred 2D BO is shmem
Christian Marangi <ansuelsmth@gmail.com>
dmaengine: qcom-adm: fix wrong calling convention for prep_slave_sg
Christian Marangi <ansuelsmth@gmail.com>
dmaengine: qcom-adm: fix wrong sizeof config in slave_config
Dario Binacchi <dario.binacchi@amarulasolutions.com>
dmaengine: mxs: use platform_driver_register
Matthias Kaehlcke <mka@chromium.org>
dm: verity-loadpin: Only trust verity targets with enforcement
Hamza Mahfooz <hamza.mahfooz@amd.com>
Revert "drm/amdgpu: use dirty framebuffer helper"
Sagi Grimberg <sagi@grimberg.me>
nvme-multipath: fix possible hang in live ns resize with ANA access
Gaosheng Cui <cuigaosheng1@huawei.com>
nvmem: core: Fix memleak in nvmem_register()
Huacai Chen <chenhuacai@kernel.org>
UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
Fangrui Song <maskray@google.com>
riscv: Pass -mno-relax only on lld < 15.0.0
Wenting Zhang <zephray@outlook.com>
riscv: always honor the CONFIG_CMDLINE_FORCE when parsing dtb
Andrew Bresticker <abrestic@rivosinc.com>
riscv: Make VM_WRITE imply VM_READ
Andrew Bresticker <abrestic@rivosinc.com>
riscv: Allow PROT_WRITE-only mmap()
Jisheng Zhang <jszhang@kernel.org>
riscv: vdso: fix NULL deference in vdso_join_timens() when vfork
Helge Deller <deller@gmx.de>
parisc: Fix userspace graphics card breakage due to pgtable special bit
Helge Deller <deller@gmx.de>
parisc: fbdev/stifb: Align graphics memory size to 4MB
Maciej W. Rozycki <macro@orcam.me.uk>
RISC-V: Make port I/O string accessors actually work
Palmer Dabbelt <palmer@rivosinc.com>
RISC-V: Re-enable counter access from userspace
Conor Dooley <conor.dooley@microchip.com>
riscv: topology: fix default topology reporting
Conor Dooley <conor.dooley@microchip.com>
arm64: topology: move store_cpu_topology() to shared code
Linus Walleij <linus.walleij@linaro.org>
regulator: qcom_rpm: Fix circular deferral regression
Mika Westerberg <mika.westerberg@linux.intel.com>
net: thunderbolt: Enable DMA paths only after rings are enabled
Liang He <windhl@126.com>
hwmon: (gsc-hwmon) Call of_node_get() before of_find_xxx API
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
ASoC: wcd934x: fix order of Slimbus unprepare/disable
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
ASoC: wcd9335: fix order of Slimbus unprepare/disable
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
arm64: dts: qcom: sdm845-mtp: correct ADC settle time
Patryk Duda <pdk@semihalf.com>
platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure
Zhihao Cheng <chengzhihao1@huawei.com>
quota: Check next/prev free block number after reading from quota file
Andri Yngvason <andri@yngvason.is>
HID: multitouch: Add memory barriers
Jan Kara <jack@suse.cz>
mbcache: Avoid nesting of cache->c_list_lock under bit locks
Roberto Sassu <roberto.sassu@huawei.com>
btf: Export bpf_dynptr definition
Alexander Aring <aahringo@redhat.com>
fs: dlm: fix invalid derefence of sb_lvbptr
Alexander Aring <aahringo@redhat.com>
fs: dlm: handle -EBUSY first in lock arg validation
Alexander Aring <aahringo@redhat.com>
fs: dlm: fix race between test_bit() and queue_work()
Jarkko Nikula <jarkko.nikula@linux.intel.com>
i2c: designware: Fix handling of real but unexpected device interrupts
Wenchao Chen <wenchao.chen@unisoc.com>
mmc: sdhci-sprd: Fix minimum clock limit
Prathamesh Shete <pshete@nvidia.com>
mmc: sdhci-tegra: Use actual clock rate for SW tuning correction
Biju Das <biju.das.jz@bp.renesas.com>
mmc: renesas_sdhi: Fix rounding errors
Anssi Hannula <anssi.hannula@bitwise.fi>
can: kvaser_usb_leaf: Fix CAN state after restart
Anssi Hannula <anssi.hannula@bitwise.fi>
can: kvaser_usb_leaf: Fix TX queue out of sync after restart
Anssi Hannula <anssi.hannula@bitwise.fi>
can: kvaser_usb_leaf: Fix overread with an invalid command
Anssi Hannula <anssi.hannula@bitwise.fi>
can: kvaser_usb: Fix use of uninitialized completion
Avri Altman <avri.altman@wdc.com>
mmc: core: Add SD card quirk for broken discard
Jean-Francois Le Fillatre <jflf_kernel@gmx.com>
usb: add quirks for Lenovo OneLink+ Dock
Nathan Chancellor <nathan@kernel.org>
usb: gadget: uvc: Fix argument to sizeof() in uvc_register_video()
Rafael Mendonca <rafaelmendsr@gmail.com>
xhci: dbc: Fix memory leak in xhci_alloc_dbc()
Eddie James <eajames@linux.ibm.com>
iio: pressure: dps310: Reset chip after timeout
Eddie James <eajames@linux.ibm.com>
iio: pressure: dps310: Refactor startup procedure
Nuno Sá <nuno.sa@analog.com>
iio: adc: ad7923: fix channel readings for some variants
Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
iio: ltc2497: Fix reading conversion results
Michael Hennerich <michael.hennerich@analog.com>
iio: dac: ad5593r: Fix i2c read protocol requirements
Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message
Ronnie Sahlberg <lsahlber@redhat.com>
cifs: destage dirty pages before re-reading them for cache=none
Gaurav Kohli <gauravkohli@linux.microsoft.com>
hv_netvsc: Fix race between VF offering and VF association message from host
Pavel Begunkov <asml.silence@gmail.com>
io_uring: correct pinned_vm accounting
Pavel Begunkov <asml.silence@gmail.com>
io_uring/af_unix: defer registered files gc to io_uring release
Jens Axboe <axboe@kernel.dk>
io_uring/net: handle -EINPROGRESS correct for IORING_OP_CONNECT
Pavel Begunkov <asml.silence@gmail.com>
io_uring: limit registration w/ SINGLE_ISSUER
Pavel Begunkov <asml.silence@gmail.com>
io_uring/net: don't update msg_name if not provided
Stefan Metzmacher <metze@samba.org>
io_uring/net: fix fast_iov assignment in io_setup_async_msg()
Pavel Begunkov <asml.silence@gmail.com>
io_uring/rw: don't lose short results on io_setup_async_rw()
Pavel Begunkov <asml.silence@gmail.com>
io_uring/rw: fix unexpected link breakage
Pavel Begunkov <asml.silence@gmail.com>
io_uring/net: don't lose partial send/recv on fail
Pavel Begunkov <asml.silence@gmail.com>
io_uring/rw: don't lose partial IO result on fail
Pavel Begunkov <asml.silence@gmail.com>
io_uring: add custom opcode hooks on fail
Tudor Ambarus <tudor.ambarus@microchip.com>
mtd: rawnand: atmel: Unmap streaming DMA mappings
Saranya Gopal <saranya.gopal@intel.com>
ALSA: hda/realtek: Add Intel Reference SSID to support headset keys
Luke D. Jones <luke@ljones.dev>
ALSA: hda/realtek: Add quirk for ASUS GV601R laptop
Luke D. Jones <luke@ljones.dev>
ALSA: hda/realtek: Correct pin configs for ASUS G533Z
Callum Osmotherly <callum.osmotherly@gmail.com>
ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Fix NULL dererence at error path
Takashi Iwai <tiwai@suse.de>
ALSA: usb-audio: Fix potential memory leaks
Takashi Iwai <tiwai@suse.de>
ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free()
Takashi Iwai <tiwai@suse.de>
ALSA: oss: Fix potential deadlock at unregistration
-------------
Diffstat:
Documentation/ABI/testing/sysfs-bus-iio | 2 +-
Documentation/admin-guide/kernel-parameters.txt | 4 +
Documentation/arm64/silicon-errata.rst | 2 +
Documentation/filesystems/vfs.rst | 3 +
.../trace/coresight/coresight-cpu-debug.rst | 3 +-
Makefile | 4 +-
arch/arm/Kconfig | 1 -
arch/arm/boot/compressed/misc.c | 2 +
arch/arm/boot/compressed/vmlinux.lds.S | 2 +
arch/arm/boot/dts/armada-385-turris-omnia.dts | 4 +-
arch/arm/boot/dts/exynos4412-midas.dtsi | 2 +-
arch/arm/boot/dts/exynos4412-origen.dts | 2 +-
arch/arm/boot/dts/imx6dl-riotboard.dts | 1 +
arch/arm/boot/dts/imx6dl.dtsi | 3 +
arch/arm/boot/dts/imx6q-arm2.dts | 1 +
arch/arm/boot/dts/imx6q-evi.dts | 1 +
arch/arm/boot/dts/imx6q-mccmon6.dts | 1 +
arch/arm/boot/dts/imx6q.dtsi | 3 +
arch/arm/boot/dts/imx6qdl-kontron-samx6i.dtsi | 6 +-
arch/arm/boot/dts/imx6qdl-nit6xlite.dtsi | 1 +
arch/arm/boot/dts/imx6qdl-nitrogen6_max.dtsi | 1 +
arch/arm/boot/dts/imx6qdl-nitrogen6_som2.dtsi | 1 +
arch/arm/boot/dts/imx6qdl-nitrogen6x.dtsi | 1 +
arch/arm/boot/dts/imx6qdl-sabreauto.dtsi | 1 +
arch/arm/boot/dts/imx6qdl-tqma6a.dtsi | 1 +
arch/arm/boot/dts/imx6qdl-ts7970.dtsi | 1 +
arch/arm/boot/dts/imx6qp.dtsi | 6 +
arch/arm/boot/dts/imx6sl.dtsi | 23 +-
arch/arm/boot/dts/imx6sll.dtsi | 3 +
arch/arm/boot/dts/imx6sx-udoo-neo.dtsi | 14 +-
arch/arm/boot/dts/imx6sx.dtsi | 6 +
arch/arm/boot/dts/imx7d-sdb.dts | 7 +-
arch/arm/boot/dts/kirkwood-lsxl.dtsi | 16 +-
arch/arm/boot/dts/uniphier-pinctrl.dtsi | 10 +
arch/arm/include/asm/stacktrace.h | 6 +
arch/arm/kernel/return_address.c | 1 +
arch/arm/kernel/stacktrace.c | 84 +++--
arch/arm/lib/call_with_stack.S | 2 +
arch/arm/mm/dma-mapping.c | 12 +-
arch/arm/mm/dump.c | 2 +-
arch/arm/mm/kasan_init.c | 9 +-
arch/arm/mm/mmu.c | 4 +
arch/arm/plat-orion/Makefile | 2 +-
arch/arm64/Kconfig | 17 +
.../boot/dts/exynos/exynos5433-tm2-common.dtsi | 2 +-
.../boot/dts/freescale/imx8mm-kontron-n801x-s.dts | 3 +
.../dts/freescale/imx8mm-kontron-n801x-som.dtsi | 2 -
arch/arm64/boot/dts/freescale/imx8mp.dtsi | 4 +-
arch/arm64/boot/dts/freescale/imx8mq-librem5.dtsi | 1 +
arch/arm64/boot/dts/marvell/ac5-98dx25xx.dtsi | 8 +-
arch/arm64/boot/dts/qcom/ipq8074.dtsi | 4 +-
arch/arm64/boot/dts/qcom/pm8350c.dtsi | 3 +-
arch/arm64/boot/dts/qcom/sa8295p-adp.dts | 11 -
.../boot/dts/qcom/sc7180-trogdor-coachz-r1.dts | 2 -
arch/arm64/boot/dts/qcom/sc7180-trogdor-lazor.dtsi | 2 -
arch/arm64/boot/dts/qcom/sc7280-idp.dts | 2 +-
arch/arm64/boot/dts/qcom/sc7280-idp.dtsi | 2 +-
arch/arm64/boot/dts/qcom/sc7280.dtsi | 9 +-
arch/arm64/boot/dts/qcom/sc8280xp-crd.dts | 9 -
.../dts/qcom/sc8280xp-lenovo-thinkpad-x13s.dts | 10 -
arch/arm64/boot/dts/qcom/sc8280xp-pmics.dtsi | 3 +-
arch/arm64/boot/dts/qcom/sdm845-mtp.dts | 12 +-
arch/arm64/boot/dts/qcom/sdm845-xiaomi-polaris.dts | 2 +-
.../boot/dts/qcom/sm8350-sony-xperia-sagami.dtsi | 2 +-
arch/arm64/boot/dts/qcom/sm8450.dtsi | 2 +-
arch/arm64/boot/dts/renesas/r9a07g043.dtsi | 8 +-
arch/arm64/boot/dts/renesas/r9a07g044.dtsi | 8 +-
arch/arm64/boot/dts/renesas/r9a07g054.dtsi | 8 +-
arch/arm64/boot/dts/socionext/Makefile | 4 +-
.../dts/socionext/uniphier-pxs3-ref-gadget0.dts | 41 +++
.../dts/socionext/uniphier-pxs3-ref-gadget1.dts | 40 +++
.../boot/dts/ti/k3-j7200-common-proc-board.dts | 10 +-
arch/arm64/boot/dts/ti/k3-j7200-main.dtsi | 11 +-
arch/arm64/include/asm/mte.h | 5 +
arch/arm64/kernel/cpu_errata.c | 5 +
arch/arm64/kernel/cpufeature.c | 3 +-
arch/arm64/kernel/ftrace.c | 17 +-
arch/arm64/kernel/mte.c | 60 +++-
arch/arm64/kernel/suspend.c | 2 +
arch/arm64/kernel/topology.c | 40 ---
arch/arm64/mm/mteswap.c | 7 +-
arch/arm64/mm/proc.S | 46 +--
arch/ia64/mm/numa.c | 1 +
arch/m68k/kernel/setup_mm.c | 5 +-
arch/mips/bcm47xx/prom.c | 4 +-
arch/mips/boot/dts/ralink/mt7621-gnubee-gb-pc2.dts | 6 +-
arch/mips/sgi-ip27/ip27-xtalk.c | 70 +++--
arch/mips/sgi-ip30/ip30-xtalk.c | 70 +++--
arch/parisc/include/asm/pgtable.h | 7 +-
arch/parisc/kernel/entry.S | 8 +
arch/powerpc/Kconfig | 2 +-
arch/powerpc/Makefile | 2 +-
arch/powerpc/boot/Makefile | 1 +
arch/powerpc/boot/dts/fsl/e500v1_power_isa.dtsi | 51 +++
arch/powerpc/boot/dts/fsl/mpc8540ads.dts | 2 +-
arch/powerpc/boot/dts/fsl/mpc8541cds.dts | 2 +-
arch/powerpc/boot/dts/fsl/mpc8555cds.dts | 2 +-
arch/powerpc/boot/dts/fsl/mpc8560ads.dts | 2 +-
arch/powerpc/boot/dts/turris1x.dts | 14 +-
arch/powerpc/configs/pseries_defconfig | 1 +
arch/powerpc/include/asm/interrupt.h | 3 +-
arch/powerpc/include/asm/syscalls.h | 12 +
arch/powerpc/kernel/interrupt.c | 10 -
arch/powerpc/kernel/interrupt_64.S | 45 ++-
arch/powerpc/kernel/kprobes.c | 8 +-
arch/powerpc/kernel/pci_dn.c | 1 +
arch/powerpc/kernel/setup_64.c | 4 +-
arch/powerpc/kernel/sys_ppc32.c | 14 +-
arch/powerpc/kernel/syscalls.c | 4 +-
arch/powerpc/math-emu/math_efp.c | 1 +
arch/powerpc/platforms/powernv/opal.c | 1 +
arch/powerpc/platforms/pseries/vas.c | 2 +-
arch/powerpc/sysdev/fsl_msi.c | 2 +
arch/riscv/Kconfig | 2 +-
arch/riscv/Makefile | 2 +
arch/riscv/include/asm/io.h | 16 +-
arch/riscv/include/asm/mmu.h | 1 -
arch/riscv/kernel/setup.c | 4 +-
arch/riscv/kernel/smpboot.c | 3 +-
arch/riscv/kernel/sys_riscv.c | 3 -
arch/riscv/kernel/vdso.c | 13 +-
arch/riscv/mm/fault.c | 3 +-
arch/sh/include/asm/sections.h | 2 +-
arch/sh/kernel/machvec.c | 10 +-
arch/um/kernel/um_arch.c | 2 +-
arch/x86/Kconfig | 7 +-
arch/x86/include/asm/cpu.h | 2 +
arch/x86/include/asm/hyperv-tlfs.h | 4 +-
arch/x86/include/asm/microcode.h | 1 +
arch/x86/include/asm/msr-index.h | 13 +
arch/x86/include/asm/paravirt_types.h | 11 +-
arch/x86/kernel/apic/apic.c | 44 ++-
arch/x86/kernel/cpu/feat_ctl.c | 2 +-
arch/x86/kernel/cpu/mce/apei.c | 13 +-
arch/x86/kernel/cpu/microcode/amd.c | 3 +-
arch/x86/kernel/cpu/resctrl/pseudo_lock.c | 12 +-
arch/x86/kvm/emulate.c | 2 +-
arch/x86/kvm/vmx/nested.c | 37 ++-
arch/x86/kvm/vmx/vmx.c | 12 +-
arch/x86/kvm/x86.c | 27 +-
arch/x86/net/bpf_jit_comp.c | 16 +-
arch/x86/xen/enlighten_pv.c | 3 +-
block/bio.c | 2 -
block/blk-mq.c | 6 +-
block/blk-throttle.c | 28 +-
block/blk-throttle.h | 2 +-
block/blk-wbt.c | 10 +-
block/blk.h | 3 +-
block/elevator.c | 4 +-
crypto/akcipher.c | 8 +
drivers/acpi/acpi_fpdt.c | 22 ++
drivers/acpi/acpi_pcc.c | 28 +-
drivers/acpi/acpi_video.c | 16 +
drivers/acpi/apei/ghes.c | 2 +-
drivers/acpi/x86/utils.c | 19 +-
drivers/ata/libahci_platform.c | 14 +-
drivers/base/arch_topology.c | 19 ++
drivers/block/nbd.c | 6 +-
drivers/bluetooth/btintel.c | 17 +-
drivers/bluetooth/btusb.c | 14 +
drivers/bluetooth/hci_ldisc.c | 7 +-
drivers/bluetooth/hci_serdev.c | 10 +-
drivers/char/hw_random/arm_smccc_trng.c | 4 +-
drivers/char/hw_random/core.c | 19 +-
drivers/char/hw_random/imx-rngc.c | 37 +--
drivers/char/random.c | 4 +-
drivers/clk/baikal-t1/ccu-div.c | 65 ++++
drivers/clk/baikal-t1/ccu-div.h | 10 +
drivers/clk/baikal-t1/clk-ccu-div.c | 26 +-
drivers/clk/bcm/clk-bcm2835.c | 43 ++-
drivers/clk/berlin/bg2.c | 5 +-
drivers/clk/berlin/bg2q.c | 6 +-
drivers/clk/clk-ast2600.c | 2 +-
drivers/clk/clk-oxnas.c | 6 +-
drivers/clk/clk-qoriq.c | 10 +-
drivers/clk/clk-versaclock5.c | 2 +-
drivers/clk/imx/clk-imx8mp.c | 2 +-
drivers/clk/imx/clk-scu.c | 6 +-
drivers/clk/mediatek/clk-mt8183-mfgcfg.c | 6 +-
drivers/clk/mediatek/clk-mt8195-infra_ao.c | 13 +-
drivers/clk/mediatek/clk-mt8195-mfg.c | 6 +-
drivers/clk/mediatek/clk-mt8195-vdo0.c | 7 +-
drivers/clk/mediatek/clk-mt8195-vdo1.c | 6 +-
drivers/clk/mediatek/clk-mtk.c | 12 +-
drivers/clk/meson/meson-aoclk.c | 5 +-
drivers/clk/meson/meson-eeclk.c | 5 +-
drivers/clk/meson/meson8b.c | 5 +-
drivers/clk/qcom/Kconfig | 1 +
drivers/clk/qcom/apss-ipq6018.c | 2 +-
drivers/clk/qcom/gcc-sdm660.c | 2 +-
drivers/clk/qcom/gcc-sm6115.c | 46 ++-
drivers/clk/samsung/clk-exynosautov9.c | 20 +-
drivers/clk/sprd/common.c | 9 +-
drivers/clk/st/clkgen-fsyn.c | 5 +-
drivers/clk/st/clkgen-mux.c | 5 +-
drivers/clk/tegra/clk-tegra114.c | 1 +
drivers/clk/tegra/clk-tegra20.c | 1 +
drivers/clk/tegra/clk-tegra210.c | 1 +
drivers/clk/ti/clk-dra7-atl.c | 9 +-
drivers/clk/ti/clk.c | 5 +-
drivers/clk/zynqmp/clkc.c | 7 +
drivers/clk/zynqmp/pll.c | 31 +-
drivers/clocksource/arm_arch_timer.c | 6 +-
drivers/clocksource/timer-gxp.c | 7 +-
drivers/cpufreq/amd-pstate.c | 16 +-
drivers/cpufreq/intel_pstate.c | 1 +
drivers/cpufreq/qcom-cpufreq-hw.c | 10 +-
drivers/cpuidle/cpuidle-riscv-sbi.c | 7 +-
drivers/crypto/cavium/cpt/cptpf_main.c | 6 +-
drivers/crypto/ccp/ccp-dmaengine.c | 6 +-
drivers/crypto/ccp/sev-dev.c | 26 +-
drivers/crypto/hisilicon/qm.c | 6 +-
drivers/crypto/hisilicon/zip/zip_crypto.c | 4 +-
drivers/crypto/inside-secure/safexcel_hash.c | 8 +-
drivers/crypto/marvell/octeontx/otx_cptpf_ucode.c | 18 +-
drivers/crypto/qat/qat_common/adf_gen4_hw_data.h | 2 +-
drivers/crypto/qat/qat_common/qat_algs.c | 18 +-
drivers/crypto/sahara.c | 18 +-
drivers/dma-buf/udmabuf.c | 9 +-
drivers/dma/dw-edma/dw-edma-core.c | 12 -
drivers/dma/hisi_dma.c | 28 +-
drivers/dma/idxd/irq.c | 2 -
drivers/dma/ioat/dma.c | 6 +-
drivers/dma/mxs-dma.c | 11 +-
drivers/dma/qcom/qcom_adm.c | 22 +-
drivers/dma/ti/k3-udma.c | 25 +-
drivers/firmware/efi/libstub/fdt.c | 8 -
drivers/firmware/google/gsmi.c | 9 +
drivers/fpga/dfl-pci.c | 18 ++
drivers/fpga/dfl.c | 2 +-
drivers/fsi/fsi-core.c | 3 +
drivers/fsi/fsi-master-ast-cf.c | 2 +
drivers/fsi/fsi-occ.c | 18 +-
drivers/gpio/gpio-rockchip.c | 7 +
drivers/gpu/drm/Kconfig | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_connectors.c | 7 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 14 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_drv.c | 5 +-
drivers/gpu/drm/amd/amdgpu/amdgpu_vm_sdma.c | 9 +-
drivers/gpu/drm/amd/amdgpu/mmhub_v3_0.c | 10 +-
drivers/gpu/drm/amd/amdgpu/sdma_v6_0.c | 3 +-
drivers/gpu/drm/amd/amdgpu/soc21.c | 5 +
.../gpu/drm/amd/amdkfd/kfd_device_queue_manager.c | 45 ++-
drivers/gpu/drm/amd/amdkfd/kfd_mqd_manager_v11.c | 3 +-
drivers/gpu/drm/amd/display/amdgpu_dm/amdgpu_dm.c | 83 ++---
.../gpu/drm/amd/display/amdgpu_dm/amdgpu_dm_psr.c | 8 +-
.../drm/amd/display/dc/clk_mgr/dcn314/dcn314_smu.c | 11 +-
drivers/gpu/drm/amd/display/dc/core/dc.c | 16 +-
drivers/gpu/drm/amd/display/dc/dc_dmub_srv.c | 6 +-
drivers/gpu/drm/amd/display/dc/dc_stream.h | 6 +-
.../drm/amd/display/dc/dcn10/dcn10_hw_sequencer.c | 35 +--
.../drm/amd/display/dc/dcn10/dcn10_hw_sequencer.h | 3 +-
.../display/dc/dcn31/dcn31_hpo_dp_stream_encoder.c | 6 +-
.../drm/amd/display/dc/dcn314/dcn314_resource.c | 4 +-
drivers/gpu/drm/amd/display/dc/dcn32/dcn32_hubp.c | 1 +
drivers/gpu/drm/amd/display/dc/dcn32/dcn32_hwseq.c | 4 +
.../gpu/drm/amd/display/dc/dml/calcs/bw_fixed.c | 6 +-
.../gpu/drm/amd/display/dc/dml/dcn32/dcn32_fpu.c | 1 +
.../amd/display/dc/dml/dcn32/display_mode_vba_32.c | 2 +
.../gpu/drm/amd/display/dc/dml/dcn321/dcn321_fpu.c | 1 +
drivers/gpu/drm/amd/display/dc/inc/hw_sequencer.h | 8 +-
drivers/gpu/drm/arm/display/komeda/komeda_crtc.c | 4 +-
drivers/gpu/drm/arm/display/komeda/komeda_kms.c | 21 +-
drivers/gpu/drm/arm/display/komeda/komeda_kms.h | 2 +
drivers/gpu/drm/bridge/adv7511/adv7511.h | 5 +-
drivers/gpu/drm/bridge/adv7511/adv7511_cec.c | 4 +-
drivers/gpu/drm/bridge/adv7511/adv7511_drv.c | 5 +-
drivers/gpu/drm/bridge/analogix/anx7625.c | 1 +
drivers/gpu/drm/bridge/ite-it6505.c | 5 +-
drivers/gpu/drm/bridge/lontium-lt9611.c | 3 +-
.../drm/bridge/megachips-stdpxxxx-ge-b850v3-fw.c | 4 +-
drivers/gpu/drm/bridge/parade-ps8640.c | 4 +-
drivers/gpu/drm/bridge/synopsys/dw-hdmi.c | 13 +-
drivers/gpu/drm/bridge/tc358767.c | 5 +-
drivers/gpu/drm/display/drm_dp_helper.c | 9 -
drivers/gpu/drm/display/drm_dp_mst_topology.c | 6 +-
drivers/gpu/drm/drm_bridge.c | 4 +-
drivers/gpu/drm/drm_ioctl.c | 8 +-
drivers/gpu/drm/drm_mipi_dsi.c | 1 +
drivers/gpu/drm/drm_panel_orientation_quirks.c | 18 ++
drivers/gpu/drm/i915/display/intel_cdclk.c | 4 +-
drivers/gpu/drm/i915/gem/i915_gem_context.c | 8 +-
drivers/gpu/drm/i915/gt/gen6_ppgtt.c | 16 +-
drivers/gpu/drm/i915/gt/gen8_ppgtt.c | 58 ++--
drivers/gpu/drm/i915/gt/intel_context.c | 5 +-
drivers/gpu/drm/i915/gt/intel_context.h | 3 +-
drivers/gpu/drm/i915/gt/intel_ggtt.c | 8 +-
drivers/gpu/drm/i915/gt/intel_gtt.c | 3 +
drivers/gpu/drm/i915/gt/uc/intel_guc_submission.c | 26 +-
drivers/gpu/drm/i915/intel_pm.c | 16 +-
drivers/gpu/drm/meson/meson_drv.c | 14 +-
drivers/gpu/drm/meson/meson_drv.h | 7 +
drivers/gpu/drm/meson/meson_encoder_cvbs.c | 13 +
drivers/gpu/drm/meson/meson_encoder_cvbs.h | 1 +
drivers/gpu/drm/meson/meson_encoder_hdmi.c | 13 +
drivers/gpu/drm/meson/meson_encoder_hdmi.h | 1 +
drivers/gpu/drm/msm/disp/dpu1/dpu_kms.c | 19 +-
drivers/gpu/drm/msm/disp/dpu1/dpu_vbif.c | 29 +-
drivers/gpu/drm/msm/disp/mdp5/mdp5_kms.c | 9 +-
drivers/gpu/drm/msm/dp/dp_catalog.c | 2 +-
drivers/gpu/drm/msm/msm_drv.c | 13 +-
drivers/gpu/drm/msm/msm_drv.h | 2 +
drivers/gpu/drm/msm/msm_io_utils.c | 22 ++
drivers/gpu/drm/nouveau/nouveau_bo.c | 4 +-
drivers/gpu/drm/nouveau/nouveau_connector.c | 3 +-
drivers/gpu/drm/nouveau/nouveau_prime.c | 1 -
drivers/gpu/drm/omapdrm/dss/dss.c | 3 +
drivers/gpu/drm/panel/Kconfig | 4 +-
drivers/gpu/drm/pl111/pl111_versatile.c | 1 +
drivers/gpu/drm/tests/drm_format_helper_test.c | 23 +-
drivers/gpu/drm/tiny/bochs.c | 2 +
drivers/gpu/drm/udl/udl_modeset.c | 3 -
drivers/gpu/drm/vc4/vc4_drv.c | 14 +-
drivers/gpu/drm/vc4/vc4_drv.h | 1 +
drivers/gpu/drm/vc4/vc4_vec.c | 4 +-
drivers/gpu/drm/virtio/virtgpu_display.c | 2 +
drivers/gpu/drm/virtio/virtgpu_gem.c | 4 +-
drivers/gpu/drm/virtio/virtgpu_ioctl.c | 4 +-
drivers/gpu/drm/virtio/virtgpu_object.c | 3 +
drivers/gpu/drm/virtio/virtgpu_plane.c | 6 +-
drivers/gpu/drm/virtio/virtgpu_vq.c | 2 +-
drivers/gpu/drm/vmwgfx/vmwgfx_msg.c | 1 +
drivers/hid/Kconfig | 6 +
drivers/hid/Makefile | 1 +
drivers/hid/amd-sfh-hid/sfh1_1/amd_sfh_init.c | 2 +
drivers/hid/hid-ids.h | 3 +
drivers/hid/hid-multitouch.c | 8 +-
drivers/hid/hid-nintendo.c | 55 ++--
drivers/hid/hid-roccat.c | 4 +
drivers/hid/hid-topre.c | 49 +++
drivers/hid/hid-uclogic-core.c | 1 +
drivers/hid/hid-uclogic-rdesc.c | 2 +-
drivers/hsi/clients/ssi_protocol.c | 1 +
drivers/hsi/controllers/omap_ssi_core.c | 1 +
drivers/hsi/controllers/omap_ssi_port.c | 8 +-
drivers/hwmon/gsc-hwmon.c | 1 +
drivers/hwmon/occ/p9_sbe.c | 17 +-
drivers/hwmon/pmbus/mp2888.c | 13 +-
drivers/hwmon/sht4x.c | 2 +-
drivers/i2c/busses/i2c-designware-core.h | 7 +-
drivers/i2c/busses/i2c-designware-master.c | 13 +
drivers/i2c/busses/i2c-designware-pcidrv.c | 30 +-
drivers/i2c/busses/i2c-mlxbf.c | 44 ++-
drivers/iio/adc/ad7923.c | 4 +-
drivers/iio/adc/at91-sama5d2_adc.c | 28 +-
drivers/iio/adc/ltc2497.c | 13 +
drivers/iio/dac/ad5593r.c | 46 +--
drivers/iio/industrialio-core.c | 5 +
drivers/iio/inkern.c | 8 +-
drivers/iio/magnetometer/yamaha-yas530.c | 2 +-
drivers/iio/pressure/dps310.c | 262 ++++++++++------
drivers/infiniband/core/cm.c | 14 +-
drivers/infiniband/core/uverbs_cmd.c | 5 +-
drivers/infiniband/core/verbs.c | 2 +
drivers/infiniband/hw/hns/hns_roce_mr.c | 1 -
drivers/infiniband/hw/irdma/defs.h | 1 +
drivers/infiniband/hw/irdma/hw.c | 51 +--
drivers/infiniband/hw/irdma/type.h | 1 +
drivers/infiniband/hw/irdma/user.h | 1 +
drivers/infiniband/hw/irdma/utils.c | 3 +
drivers/infiniband/hw/irdma/verbs.c | 69 ++++-
drivers/infiniband/hw/mlx4/mr.c | 1 -
drivers/infiniband/hw/mlx5/main.c | 3 +
drivers/infiniband/hw/mlx5/odp.c | 3 +-
drivers/infiniband/sw/rxe/rxe_loc.h | 6 +-
drivers/infiniband/sw/rxe/rxe_mr.c | 11 +-
drivers/infiniband/sw/rxe/rxe_qp.c | 10 +-
drivers/infiniband/sw/rxe/rxe_queue.c | 12 +-
drivers/infiniband/sw/rxe/rxe_resp.c | 10 +-
drivers/infiniband/sw/rxe/rxe_verbs.c | 12 +-
drivers/infiniband/sw/siw/siw.h | 1 +
drivers/infiniband/sw/siw/siw_qp.c | 2 +-
drivers/infiniband/sw/siw/siw_qp_rx.c | 27 +-
drivers/infiniband/sw/siw/siw_verbs.c | 3 +
drivers/infiniband/ulp/srp/ib_srp.c | 4 +-
drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 21 ++
drivers/iommu/omap-iommu-debug.c | 6 +-
drivers/isdn/mISDN/l1oip.h | 1 +
drivers/isdn/mISDN/l1oip_core.c | 13 +-
drivers/leds/flash/leds-lm3601x.c | 2 -
drivers/mailbox/bcm-flexrm-mailbox.c | 8 +-
drivers/mailbox/imx-mailbox.c | 10 +-
drivers/mailbox/mailbox-mpfs.c | 25 +-
drivers/md/bcache/writeback.c | 73 +++--
drivers/md/dm-verity-loadpin.c | 8 +
drivers/md/dm-verity-target.c | 16 +
drivers/md/dm-verity.h | 1 +
drivers/md/md.c | 1 -
drivers/md/raid0.c | 2 +-
drivers/md/raid5.c | 15 +-
drivers/media/pci/cx88/cx88-vbi.c | 9 +-
drivers/media/pci/cx88/cx88-video.c | 43 +--
drivers/media/platform/amlogic/meson-ge2d/ge2d.c | 1 -
drivers/media/platform/amphion/vdec.c | 16 +-
drivers/media/platform/amphion/venc.c | 2 +-
drivers/media/platform/amphion/vpu.h | 1 -
drivers/media/platform/amphion/vpu_core.c | 84 ++---
drivers/media/platform/amphion/vpu_core.h | 1 +
drivers/media/platform/amphion/vpu_dbg.c | 9 +-
drivers/media/platform/amphion/vpu_malone.c | 2 +-
.../media/platform/mediatek/jpeg/mtk_jpeg_core.c | 1 -
.../platform/mediatek/vcodec/mtk_vcodec_enc.c | 3 +-
.../media/platform/samsung/exynos4-is/fimc-is.c | 1 +
drivers/media/platform/samsung/s5p-mfc/s5p_mfc.c | 3 +-
drivers/media/platform/xilinx/xilinx-vipp.c | 9 +-
drivers/media/usb/airspy/airspy.c | 4 +
drivers/media/usb/uvc/uvc_ctrl.c | 83 ++---
drivers/media/usb/uvc/uvc_driver.c | 8 +-
drivers/memory/of_memory.c | 2 +
drivers/memory/pl353-smc.c | 1 +
drivers/mfd/da9062-core.c | 1 +
drivers/mfd/fsl-imx25-tsadc.c | 34 +-
drivers/mfd/intel_soc_pmic_core.c | 1 +
drivers/mfd/lp8788-irq.c | 3 +
drivers/mfd/lp8788.c | 12 +-
drivers/mfd/sm501.c | 7 +-
drivers/misc/ocxl/file.c | 2 +
drivers/mmc/core/block.c | 6 +-
drivers/mmc/core/card.h | 6 +
drivers/mmc/core/quirks.h | 6 +
drivers/mmc/host/au1xmmc.c | 3 +-
drivers/mmc/host/renesas_sdhi_core.c | 21 +-
drivers/mmc/host/sdhci-msm.c | 1 +
drivers/mmc/host/sdhci-sprd.c | 2 +-
drivers/mmc/host/sdhci-tegra.c | 2 +-
drivers/mmc/host/wmt-sdmmc.c | 5 +-
drivers/mtd/devices/docg3.c | 7 +-
drivers/mtd/nand/raw/atmel/nand-controller.c | 1 +
drivers/mtd/nand/raw/fsl_elbc_nand.c | 28 +-
drivers/mtd/nand/raw/intel-nand-controller.c | 12 +-
drivers/mtd/nand/raw/meson_nand.c | 4 +-
drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 2 +
drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 3 +-
drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 2 +-
drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 79 +++++
drivers/net/ethernet/atheros/alx/main.c | 5 +
drivers/net/ethernet/broadcom/bnx2x/bnx2x_cmn.c | 1 +
drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c | 10 +-
drivers/net/ethernet/engleder/tsnep_hw.h | 3 +-
drivers/net/ethernet/faraday/ftmac100.h | 12 +-
drivers/net/ethernet/freescale/fs_enet/mac-fec.c | 2 +-
drivers/net/ethernet/intel/iavf/iavf_main.c | 177 ++++++++---
drivers/net/ethernet/intel/ice/ice_ethtool.c | 1 +
drivers/net/ethernet/marvell/mvpp2/mvpp2.h | 1 +
drivers/net/ethernet/marvell/mvpp2/mvpp2_debugfs.c | 10 +-
drivers/net/ethernet/marvell/mvpp2/mvpp2_main.c | 13 +-
.../net/ethernet/marvell/prestera/prestera_acl.c | 8 +-
.../net/ethernet/marvell/prestera/prestera_acl.h | 4 +-
.../ethernet/marvell/prestera/prestera_flower.c | 6 +-
.../net/ethernet/marvell/prestera/prestera_main.c | 36 +--
drivers/net/ethernet/micrel/ks8851_spi.c | 5 +-
drivers/net/ethernet/microchip/lan743x_ptp.c | 7 +
drivers/net/ethernet/sunplus/spl2sw_driver.c | 2 +-
drivers/net/ethernet/ti/Kconfig | 1 +
drivers/net/ethernet/ti/davinci_mdio.c | 242 ++++++++++++++-
drivers/net/ethernet/xilinx/xilinx_axienet.h | 12 +
drivers/net/ethernet/xilinx/xilinx_axienet_main.c | 37 ++-
drivers/net/hyperv/hyperv_net.h | 3 +-
drivers/net/hyperv/netvsc.c | 4 +
drivers/net/hyperv/netvsc_drv.c | 19 ++
drivers/net/thunderbolt.c | 28 +-
drivers/net/usb/r8152.c | 4 +-
drivers/net/wireless/ath/ath10k/core.c | 16 +
drivers/net/wireless/ath/ath10k/htc.c | 11 +-
drivers/net/wireless/ath/ath10k/hw.h | 2 +
drivers/net/wireless/ath/ath10k/mac.c | 54 ++--
drivers/net/wireless/ath/ath11k/ahb.c | 58 +++-
drivers/net/wireless/ath/ath11k/core.c | 2 +
drivers/net/wireless/ath/ath11k/dp_rx.c | 3 +-
drivers/net/wireless/ath/ath11k/mac.c | 25 +-
drivers/net/wireless/ath/ath11k/mhi.c | 17 +-
drivers/net/wireless/ath/ath11k/peer.c | 30 +-
drivers/net/wireless/ath/ath11k/qmi.c | 38 ++-
drivers/net/wireless/ath/ath11k/qmi.h | 10 +-
drivers/net/wireless/ath/ath11k/wmi.c | 9 +-
drivers/net/wireless/ath/ath11k/wmi.h | 2 +-
drivers/net/wireless/ath/ath9k/htc_hst.c | 43 ++-
drivers/net/wireless/ath/ath9k/rng.c | 3 +-
.../wireless/broadcom/brcm80211/brcmfmac/core.c | 3 +-
.../net/wireless/broadcom/brcm80211/brcmfmac/pno.c | 12 +-
drivers/net/wireless/mac80211_hwsim.c | 7 +-
drivers/net/wireless/marvell/mwifiex/init.c | 9 +-
drivers/net/wireless/marvell/mwifiex/main.h | 3 +-
drivers/net/wireless/marvell/mwifiex/sta_event.c | 6 +-
drivers/net/wireless/mediatek/mt76/mt7615/main.c | 4 +
.../net/wireless/mediatek/mt76/mt76_connac_mcu.c | 10 +-
.../net/wireless/mediatek/mt76/mt7915/debugfs.c | 6 +-
drivers/net/wireless/mediatek/mt76/mt7915/mac.c | 12 +-
drivers/net/wireless/mediatek/mt76/mt7915/mcu.c | 10 +-
.../net/wireless/mediatek/mt76/mt7921/acpi_sar.c | 5 +-
drivers/net/wireless/mediatek/mt76/mt7921/mac.c | 7 +-
drivers/net/wireless/mediatek/mt76/mt7921/main.c | 26 +-
drivers/net/wireless/mediatek/mt76/mt7921/pci.c | 15 +-
drivers/net/wireless/mediatek/mt76/mt7921/sdio.c | 13 +-
drivers/net/wireless/mediatek/mt76/mt7921/usb.c | 28 +-
drivers/net/wireless/mediatek/mt76/sdio.c | 8 +-
drivers/net/wireless/ralink/rt2x00/rt2800lib.c | 34 +-
drivers/net/wireless/realtek/rtl8xxxu/rtl8xxxu.h | 6 +-
.../net/wireless/realtek/rtl8xxxu/rtl8xxxu_core.c | 96 ++++--
.../net/wireless/realtek/rtlwifi/rtl8192de/phy.c | 9 +-
drivers/net/wireless/realtek/rtw88/main.c | 8 +-
drivers/net/wireless/realtek/rtw88/phy.c | 21 +-
drivers/net/wireless/realtek/rtw89/core.c | 1 +
drivers/net/wireless/realtek/rtw89/fw.c | 12 +-
drivers/net/wireless/realtek/rtw89/pci.c | 5 +-
drivers/net/wireless/realtek/rtw89/ser.c | 3 +
drivers/net/wireless/silabs/wfx/main.c | 2 +-
drivers/net/wireless/st/cw1200/queue.c | 18 +-
drivers/net/wwan/iosm/iosm_ipc_wwan.c | 5 +-
drivers/nvme/host/core.c | 20 +-
drivers/nvme/host/ioctl.c | 9 +-
drivers/nvme/host/multipath.c | 1 +
drivers/nvme/host/nvme.h | 4 +-
drivers/nvme/target/core.c | 1 +
drivers/nvme/target/fabrics-cmd-auth.c | 13 +-
drivers/nvme/target/fabrics-cmd.c | 6 +-
drivers/nvme/target/nvmet.h | 7 +-
drivers/nvme/target/passthru.c | 7 +-
drivers/nvme/target/tcp.c | 11 +-
drivers/nvmem/core.c | 15 +-
drivers/pci/setup-res.c | 11 +
drivers/perf/riscv_pmu_sbi.c | 7 +-
.../phy/amlogic/phy-meson-axg-mipi-pcie-analog.c | 6 +-
drivers/phy/mediatek/phy-mtk-tphy.c | 7 +-
drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 32 +-
drivers/phy/qualcomm/phy-qcom-qmp-pcie-msm8996.c | 23 +-
drivers/phy/qualcomm/phy-qcom-qmp-pcie.c | 39 ++-
drivers/phy/qualcomm/phy-qcom-qmp-ufs.c | 30 +-
drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 64 ++--
drivers/phy/qualcomm/phy-qcom-usb-hsic.c | 6 +-
drivers/phy/rockchip/phy-rockchip-inno-usb2.c | 10 +-
drivers/pinctrl/pinctrl-rockchip.c | 13 +
drivers/platform/chrome/chromeos_laptop.c | 24 +-
drivers/platform/chrome/cros_ec.c | 8 +-
drivers/platform/chrome/cros_ec_chardev.c | 3 +
drivers/platform/chrome/cros_ec_proto.c | 32 ++
drivers/platform/chrome/cros_ec_typec.c | 5 +-
drivers/platform/x86/hp-wmi.c | 11 +-
drivers/platform/x86/msi-laptop.c | 14 +-
drivers/platform/x86/pmc_atom.c | 2 +-
drivers/power/supply/adp5061.c | 6 +-
drivers/powercap/intel_rapl_common.c | 4 +-
drivers/regulator/core.c | 2 +-
drivers/regulator/qcom_rpm-regulator.c | 24 +-
drivers/remoteproc/remoteproc_core.c | 5 +-
drivers/rpmsg/rpmsg_char.c | 4 +-
drivers/scsi/3w-9xxx.c | 2 +-
drivers/scsi/iscsi_tcp.c | 73 +++--
drivers/scsi/iscsi_tcp.h | 3 +
drivers/scsi/libsas/sas_expander.c | 2 +-
drivers/scsi/lpfc/lpfc.h | 14 +-
drivers/scsi/lpfc/lpfc_crtn.h | 8 +
drivers/scsi/lpfc/lpfc_ct.c | 7 +-
drivers/scsi/lpfc/lpfc_debugfs.c | 61 +---
drivers/scsi/lpfc/lpfc_debugfs.h | 2 +-
drivers/scsi/lpfc/lpfc_hbadisc.c | 4 +-
drivers/scsi/lpfc/lpfc_init.c | 332 ++++++++++----------
drivers/scsi/lpfc/lpfc_mem.c | 9 +-
drivers/scsi/lpfc/lpfc_sli.c | 193 +++++++++++-
drivers/scsi/lpfc/lpfc_sli4.h | 4 +-
drivers/scsi/lpfc/lpfc_vmid.c | 4 +-
drivers/scsi/pm8001/pm8001_hwi.c | 4 +
drivers/scsi/qedf/qedf_main.c | 21 ++
drivers/slimbus/qcom-ngd-ctrl.c | 22 +-
drivers/soc/qcom/smem_state.c | 3 +-
drivers/soc/qcom/smsm.c | 20 +-
drivers/soc/tegra/Kconfig | 1 -
drivers/soc/tegra/fuse/fuse-tegra.c | 1 +
drivers/soundwire/cadence_master.c | 9 +-
drivers/soundwire/intel.c | 1 -
drivers/spi/spi-cadence-quadspi.c | 3 +-
drivers/spi/spi-dw-bt1.c | 4 +-
drivers/spi/spi-meson-spicc.c | 6 +-
drivers/spi/spi-mt7621.c | 8 +-
drivers/spi/spi-omap-100k.c | 1 +
drivers/spi/spi-qup.c | 21 +-
drivers/spi/spi-s3c64xx.c | 9 +
drivers/spi/spi.c | 2 +
drivers/spmi/spmi-pmic-arb.c | 13 +-
drivers/staging/greybus/audio_helper.c | 11 -
drivers/staging/media/meson/vdec/vdec_hevc.c | 6 +-
drivers/staging/media/sunxi/cedrus/cedrus.c | 4 +-
drivers/staging/media/sunxi/cedrus/cedrus_dec.c | 4 +-
drivers/staging/media/sunxi/cedrus/cedrus_h265.c | 5 +-
drivers/staging/rtl8723bs/core/rtw_cmd.c | 16 +-
drivers/staging/rtl8723bs/os_dep/os_intfs.c | 60 ++--
drivers/staging/vt6655/device_main.c | 8 +-
drivers/thermal/cpufreq_cooling.c | 10 +-
drivers/thermal/intel/intel_powerclamp.c | 6 +-
drivers/thermal/qcom/tsens-v0_1.c | 2 +-
drivers/thunderbolt/nhi.c | 49 ++-
drivers/thunderbolt/switch.c | 24 ++
drivers/thunderbolt/tb.h | 1 +
drivers/thunderbolt/tb_regs.h | 1 +
drivers/thunderbolt/usb4.c | 20 ++
drivers/tty/serial/8250/8250_core.c | 16 +-
drivers/tty/serial/8250/8250_omap.c | 3 +
drivers/tty/serial/8250/8250_pci.c | 14 +-
drivers/tty/serial/8250/8250_port.c | 30 +-
drivers/tty/serial/ar933x_uart.c | 7 +
drivers/tty/serial/cpm_uart/cpm_uart_core.c | 22 +-
drivers/tty/serial/fsl_lpuart.c | 12 +-
drivers/tty/serial/imx.c | 8 +-
drivers/tty/serial/jsm/jsm_driver.c | 3 +-
drivers/tty/serial/serial_core.c | 36 ++-
drivers/tty/serial/stm32-usart.c | 100 +++---
drivers/tty/serial/xilinx_uartps.c | 14 +-
drivers/usb/common/debug.c | 96 ++++--
drivers/usb/common/usb-conn-gpio.c | 6 +-
drivers/usb/core/quirks.c | 4 +
drivers/usb/dwc3/core.c | 83 +++--
drivers/usb/dwc3/core.h | 6 +
drivers/usb/gadget/function/f_fs.c | 4 +-
drivers/usb/gadget/function/f_printer.c | 12 +-
drivers/usb/gadget/function/f_uvc.c | 6 +-
drivers/usb/gadget/function/uvc.h | 1 +
drivers/usb/gadget/function/uvc_v4l2.c | 2 +-
drivers/usb/gadget/function/uvc_video.c | 9 +-
drivers/usb/host/xhci-dbgcap.c | 2 +-
drivers/usb/host/xhci-mem.c | 7 +-
drivers/usb/host/xhci-plat.c | 18 +-
drivers/usb/host/xhci.c | 3 +-
drivers/usb/host/xhci.h | 1 +
drivers/usb/misc/idmouse.c | 8 +-
drivers/usb/mtu3/mtu3_core.c | 2 -
drivers/usb/mtu3/mtu3_plat.c | 2 +
drivers/usb/musb/musb_gadget.c | 3 +
drivers/usb/storage/unusual_devs.h | 6 -
drivers/usb/typec/anx7411.c | 4 +-
drivers/usb/typec/ucsi/ucsi.c | 8 +-
drivers/vhost/vsock.c | 2 +-
drivers/video/aperture.c | 14 +
drivers/video/fbdev/core/fbmem.c | 12 -
drivers/video/fbdev/smscufx.c | 14 +-
drivers/video/fbdev/stifb.c | 2 +-
drivers/xen/gntdev-common.h | 3 +-
drivers/xen/gntdev.c | 80 ++---
fs/btrfs/block-group.c | 11 +-
fs/btrfs/extent-tree.c | 3 +
fs/btrfs/file.c | 59 +++-
fs/btrfs/free-space-cache.c | 59 ++--
fs/btrfs/qgroup.c | 15 +
fs/btrfs/scrub.c | 69 +++--
fs/btrfs/super.c | 20 +-
fs/cifs/cifsproto.h | 2 +-
fs/cifs/connect.c | 2 +-
fs/cifs/file.c | 9 +
fs/cifs/smb2ops.c | 23 +-
fs/cifs/smb2pdu.c | 7 +-
fs/cifs/smb2transport.c | 10 +-
fs/dlm/ast.c | 6 +-
fs/dlm/lock.c | 20 +-
fs/dlm/lowcomms.c | 4 +
fs/erofs/inode.c | 2 +-
fs/erofs/super.c | 2 +-
fs/eventfd.c | 10 +-
fs/ext2/super.c | 22 +-
fs/ext4/fast_commit.c | 40 ++-
fs/ext4/file.c | 6 +
fs/ext4/inode.c | 17 +-
fs/ext4/ioctl.c | 4 +
fs/ext4/namei.c | 17 +-
fs/ext4/resize.c | 2 +-
fs/ext4/super.c | 47 +--
fs/ext4/xattr.c | 1 +
fs/f2fs/checkpoint.c | 47 ++-
fs/f2fs/data.c | 4 +-
fs/f2fs/extent_cache.c | 3 +-
fs/f2fs/f2fs.h | 16 +-
fs/f2fs/gc.c | 22 +-
fs/f2fs/recovery.c | 23 +-
fs/f2fs/segment.c | 2 +-
fs/f2fs/super.c | 15 +-
fs/file_table.c | 7 +-
fs/fs-writeback.c | 37 ++-
fs/internal.h | 10 +
fs/iomap/buffered-io.c | 2 +-
fs/jbd2/commit.c | 2 +-
fs/jbd2/journal.c | 10 +-
fs/jbd2/recovery.c | 1 +
fs/jbd2/transaction.c | 6 +-
fs/ksmbd/server.c | 4 +-
fs/ksmbd/smb2pdu.c | 27 +-
fs/ksmbd/smb_common.c | 6 +-
fs/mbcache.c | 17 +-
fs/nfsd/nfs3proc.c | 11 +-
fs/nfsd/nfs4proc.c | 19 +-
fs/nfsd/nfs4recover.c | 4 +-
fs/nfsd/nfs4state.c | 5 +
fs/nfsd/nfs4xdr.c | 14 +-
fs/nfsd/nfsproc.c | 6 +-
fs/nfsd/xdr4.h | 3 +-
fs/ntfs3/inode.c | 2 -
fs/ntfs3/xattr.c | 102 +-----
fs/open.c | 11 +-
fs/posix_acl.c | 25 +-
fs/quota/quota_tree.c | 38 +++
fs/userfaultfd.c | 4 +-
fs/xfs/xfs_super.c | 10 +-
include/dt-bindings/clock/samsung,exynosautov9.h | 56 ++--
include/linux/ata.h | 39 +--
include/linux/bio.h | 2 +-
include/linux/blk-mq.h | 11 +-
include/linux/blk_types.h | 2 +-
include/linux/bpf.h | 3 +-
include/linux/bpf_verifier.h | 11 +
include/linux/dynamic_debug.h | 11 +-
include/linux/eventfd.h | 2 +-
include/linux/export-internal.h | 6 +-
include/linux/filter.h | 5 +
include/linux/fortify-string.h | 3 +-
include/linux/fs.h | 9 +-
include/linux/hugetlb.h | 8 +-
include/linux/hw_random.h | 3 +
include/linux/iio/iio-opaque.h | 2 +
include/linux/iova.h | 2 +-
include/linux/mmc/card.h | 1 +
include/linux/once.h | 28 ++
include/linux/ring_buffer.h | 2 +-
include/linux/sched.h | 2 +-
include/linux/serial_8250.h | 1 +
include/linux/serial_core.h | 4 +-
include/linux/skbuff.h | 2 +
include/linux/sunrpc/svc.h | 19 +-
include/linux/tcp.h | 2 +-
include/linux/trace.h | 36 ++-
include/linux/trace_events.h | 1 +
include/net/ieee802154_netdev.h | 12 +-
include/net/tcp.h | 5 +-
include/uapi/linux/bpf.h | 7 +-
include/uapi/rdma/mlx5-abi.h | 1 +
io_uring/fdinfo.c | 32 +-
io_uring/io_uring.c | 29 +-
io_uring/io_uring.h | 12 +-
io_uring/net.c | 107 ++++---
io_uring/net.h | 9 +-
io_uring/opdef.c | 17 +-
io_uring/opdef.h | 1 +
io_uring/rsrc.c | 1 +
io_uring/rw.c | 47 ++-
io_uring/rw.h | 1 +
ipc/mqueue.c | 1 +
kernel/auditsc.c | 4 +-
kernel/bpf/bpf_local_storage.c | 4 +-
kernel/bpf/bpf_lsm.c | 6 +
kernel/bpf/bpf_task_storage.c | 8 +-
kernel/bpf/btf.c | 2 +-
kernel/bpf/cgroup.c | 28 +-
kernel/bpf/core.c | 9 +-
kernel/bpf/dispatcher.c | 27 +-
kernel/bpf/hashtab.c | 30 +-
kernel/bpf/helpers.c | 2 +
kernel/bpf/syscall.c | 2 +
kernel/bpf/trampoline.c | 8 +-
kernel/bpf/verifier.c | 146 +++++----
kernel/cgroup/cgroup.c | 6 +-
kernel/cgroup/cpuset.c | 18 +-
kernel/livepatch/transition.c | 18 +-
kernel/module/tracking.c | 3 +
kernel/rcu/tasks.h | 5 +-
kernel/rcu/tree.c | 17 +-
kernel/rcu/tree_plugin.h | 3 +-
kernel/trace/bpf_trace.c | 20 +-
kernel/trace/ftrace.c | 34 +-
kernel/trace/kprobe_event_gen_test.c | 49 ++-
kernel/trace/ring_buffer.c | 87 +++++-
kernel/trace/trace.c | 76 ++++-
kernel/trace/trace_eprobe.c | 63 +---
kernel/trace/trace_events_synth.c | 23 +-
kernel/trace/trace_kprobe.c | 60 +---
kernel/trace/trace_osnoise.c | 3 +-
kernel/trace/trace_probe_kernel.h | 115 +++++++
lib/Kconfig.debug | 10 +-
lib/dynamic_debug.c | 45 +--
lib/once.c | 30 ++
lib/sbitmap.c | 69 +++--
mm/damon/vaddr.c | 10 +
mm/gup.c | 14 +-
mm/hugetlb.c | 68 ++--
mm/memory.c | 2 +
mm/mmap.c | 5 +-
mm/mprotect.c | 2 +
net/bluetooth/hci_core.c | 38 ++-
net/bluetooth/hci_event.c | 14 +
net/bluetooth/hci_sock.c | 3 -
net/bluetooth/hci_sync.c | 1 +
net/bluetooth/hci_sysfs.c | 3 +
net/bluetooth/l2cap_core.c | 17 +-
net/bluetooth/mgmt.c | 4 +-
net/bluetooth/rfcomm/sock.c | 3 +
net/can/bcm.c | 7 +-
net/core/flow_dissector.c | 4 +-
net/core/skmsg.c | 12 +-
net/core/stream.c | 3 +-
net/ieee802154/socket.c | 4 +
net/ipv4/datagram.c | 2 +
net/ipv4/esp4_offload.c | 5 +-
net/ipv4/inet_hashtables.c | 4 +-
net/ipv4/netfilter/nft_fib_ipv4.c | 3 +
net/ipv4/tcp.c | 16 +-
net/ipv4/tcp_output.c | 19 +-
net/ipv6/esp6_offload.c | 5 +-
net/ipv6/netfilter/nft_fib_ipv6.c | 6 +-
net/mac80211/cfg.c | 17 +-
net/mac80211/mlme.c | 20 +-
net/mac80211/sta_info.c | 4 +-
net/netfilter/nf_conntrack_core.c | 18 +-
net/openvswitch/datapath.c | 18 +-
net/rds/tcp.c | 2 +-
net/sched/cls_u32.c | 6 +-
net/sctp/auth.c | 18 +-
net/unix/af_unix.c | 13 +-
net/unix/garbage.c | 20 ++
net/vmw_vsock/virtio_transport_common.c | 2 +-
net/wireless/reg.c | 4 +
net/xdp/xsk.c | 22 +-
net/xdp/xsk_queue.h | 22 +-
net/xfrm/xfrm_input.c | 18 +-
net/xfrm/xfrm_ipcomp.c | 1 +
scripts/Kbuild.include | 23 +-
scripts/package/mkspec | 4 +-
scripts/selinux/install_policy.sh | 2 +-
security/integrity/ima/ima_appraise.c | 12 +-
security/loadpin/Kconfig | 2 +-
sound/core/pcm_dmaengine.c | 8 +-
sound/core/rawmidi.c | 2 -
sound/core/sound_oss.c | 13 +-
sound/hda/intel-dsp-config.c | 5 +
sound/pci/hda/hda_beep.c | 15 +-
sound/pci/hda/hda_beep.h | 1 +
sound/pci/hda/hda_codec.c | 41 ++-
sound/pci/hda/patch_hdmi.c | 36 +--
sound/pci/hda/patch_realtek.c | 11 +-
sound/pci/hda/patch_sigmatel.c | 25 +-
sound/soc/amd/acp/acp-pci.c | 1 +
sound/soc/amd/yc/acp6x-mach.c | 14 +
sound/soc/codecs/da7219.c | 5 +-
sound/soc/codecs/lpass-tx-macro.c | 13 +-
sound/soc/codecs/mt6359-accdet.c | 6 +-
sound/soc/codecs/mt6660.c | 8 +-
sound/soc/codecs/tas2764.c | 78 ++---
sound/soc/codecs/wcd-mbhc-v2.c | 10 +-
sound/soc/codecs/wcd9335.c | 2 +-
sound/soc/codecs/wcd934x.c | 2 +-
sound/soc/codecs/wm5102.c | 6 +-
sound/soc/codecs/wm5110.c | 6 +-
sound/soc/codecs/wm8997.c | 6 +-
sound/soc/codecs/wm_adsp.c | 4 +-
sound/soc/fsl/eukrea-tlv320.c | 8 +-
sound/soc/mediatek/mt8195/mt8195-mt6359.c | 6 +
sound/soc/rockchip/rockchip_i2s.c | 41 +--
sound/soc/sh/rcar/ctu.c | 6 +-
sound/soc/sh/rcar/dvc.c | 6 +-
sound/soc/sh/rcar/mix.c | 6 +-
sound/soc/sh/rcar/src.c | 5 +-
sound/soc/sh/rcar/ssi.c | 4 +-
sound/soc/soc-pcm.c | 2 +-
sound/soc/sof/intel/hda.c | 11 +
sound/soc/sof/ipc3-topology.c | 7 +
sound/soc/sof/ipc4-topology.c | 9 +-
sound/soc/sof/mediatek/mt8195/mt8195.c | 1 +
sound/soc/sof/sof-pci-dev.c | 2 +-
sound/soc/sof/sof-priv.h | 4 +
sound/soc/stm/stm32_adfsdm.c | 8 +-
sound/soc/stm/stm32_i2s.c | 4 +-
sound/soc/stm/stm32_spdifrx.c | 4 +-
sound/soc/sunxi/sun4i-codec.c | 3 +
sound/usb/card.c | 32 +-
sound/usb/endpoint.c | 17 +-
sound/usb/quirks-table.h | 76 +++++
sound/usb/quirks.c | 344 ++++++++++++++++++---
sound/usb/quirks.h | 2 -
sound/usb/usbaudio.h | 1 +
tools/bpf/bpftool/btf_dumper.c | 2 +-
tools/bpf/bpftool/cgroup.c | 54 +++-
tools/bpf/bpftool/main.c | 10 +
tools/include/uapi/linux/bpf.h | 7 +-
tools/lib/bpf/bpf_tracing.h | 14 +-
tools/lib/bpf/btf.h | 25 +-
tools/lib/bpf/btf_dump.c | 2 +-
tools/lib/bpf/libbpf.c | 21 +-
tools/lib/bpf/libbpf.h | 4 +-
tools/lib/bpf/libbpf_probes.c | 2 +-
tools/lib/bpf/nlattr.c | 2 +-
tools/lib/bpf/usdt.bpf.h | 4 +-
tools/objtool/elf.c | 7 +-
tools/perf/arch/x86/util/intel-pt.c | 2 +-
tools/perf/util/intel-pt.c | 9 +-
tools/perf/util/parse-events.c | 3 +
tools/perf/util/pmu.c | 17 +
tools/perf/util/pmu.h | 2 +
tools/perf/util/pmu.l | 2 -
tools/perf/util/pmu.y | 15 +-
tools/power/x86/turbostat/turbostat.c | 1 -
.../selftests/arm64/signal/testcases/testcases.c | 2 +-
.../selftests/bpf/map_tests/array_map_batch_ops.c | 2 +
.../selftests/bpf/map_tests/htab_map_batch_ops.c | 2 +
.../bpf/map_tests/lpm_trie_map_batch_ops.c | 2 +
.../testing/selftests/bpf/prog_tests/cgroup_link.c | 11 +-
tools/testing/selftests/bpf/progs/kprobe_multi.c | 4 +-
tools/testing/selftests/bpf/test_maps.c | 24 +-
tools/testing/selftests/bpf/xsk.c | 6 +-
tools/testing/selftests/bpf/xskxceiver.c | 4 +
tools/testing/selftests/cpu-hotplug/config | 1 -
.../selftests/cpu-hotplug/cpu-on-off-test.sh | 138 +++------
tools/testing/selftests/net/fcnal-test.sh | 30 ++
tools/testing/selftests/net/nettest.c | 16 +-
tools/testing/selftests/tpm2/tpm2.py | 4 +
908 files changed, 8789 insertions(+), 4121 deletions(-)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 001/862] ALSA: oss: Fix potential deadlock at unregistration
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 002/862] ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free() Greg Kroah-Hartman
` (875 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai
From: Takashi Iwai <tiwai@suse.de>
commit 97d917879d7f92df09c3f21fd54609a8bcd654b2 upstream.
We took sound_oss_mutex around the calls of unregister_sound_special()
at unregistering OSS devices. This may, however, lead to a deadlock,
because we manage the card release via the card's device object, and
the release may happen at unregister_sound_special() call -- which
will take sound_oss_mutex again in turn.
Although the deadlock might be fixed by relaxing the rawmidi mutex in
the previous commit, it's safer to move unregister_sound_special()
calls themselves out of the sound_oss_mutex, too. The call is
race-safe as the function has a spinlock protection by itself.
Link: https://lore.kernel.org/r/CAB7eexJP7w1B0mVgDF0dQ+gWor7UdkiwPczmL7pn91xx8xpzOA@mail.gmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221011070147.7611-2-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/sound_oss.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/sound/core/sound_oss.c
+++ b/sound/core/sound_oss.c
@@ -162,7 +162,6 @@ int snd_unregister_oss_device(int type,
mutex_unlock(&sound_oss_mutex);
return -ENOENT;
}
- unregister_sound_special(minor);
switch (SNDRV_MINOR_OSS_DEVICE(minor)) {
case SNDRV_MINOR_OSS_PCM:
track2 = SNDRV_MINOR_OSS(cidx, SNDRV_MINOR_OSS_AUDIO);
@@ -174,12 +173,18 @@ int snd_unregister_oss_device(int type,
track2 = SNDRV_MINOR_OSS(cidx, SNDRV_MINOR_OSS_DMMIDI1);
break;
}
- if (track2 >= 0) {
- unregister_sound_special(track2);
+ if (track2 >= 0)
snd_oss_minors[track2] = NULL;
- }
snd_oss_minors[minor] = NULL;
mutex_unlock(&sound_oss_mutex);
+
+ /* call unregister_sound_special() outside sound_oss_mutex;
+ * otherwise may deadlock, as it can trigger the release of a card
+ */
+ unregister_sound_special(minor);
+ if (track2 >= 0)
+ unregister_sound_special(track2);
+
kfree(mptr);
return 0;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 002/862] ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 001/862] ALSA: oss: Fix potential deadlock at unregistration Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 003/862] ALSA: usb-audio: Fix potential memory leaks Greg Kroah-Hartman
` (874 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai
From: Takashi Iwai <tiwai@suse.de>
commit a70aef7982b012e86dfd39fbb235e76a21ae778a upstream.
The register_mutex taken around the dev_unregister callback call in
snd_rawmidi_free() may potentially lead to a mutex deadlock, when OSS
emulation and a hot unplug are involved.
Since the mutex doesn't protect the actual race (as the registration
itself is already protected by another means), let's drop it.
Link: https://lore.kernel.org/r/CAB7eexJP7w1B0mVgDF0dQ+gWor7UdkiwPczmL7pn91xx8xpzOA@mail.gmail.com
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221011070147.7611-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/core/rawmidi.c | 2 --
1 file changed, 2 deletions(-)
--- a/sound/core/rawmidi.c
+++ b/sound/core/rawmidi.c
@@ -1899,10 +1899,8 @@ static int snd_rawmidi_free(struct snd_r
snd_info_free_entry(rmidi->proc_entry);
rmidi->proc_entry = NULL;
- mutex_lock(®ister_mutex);
if (rmidi->ops && rmidi->ops->dev_unregister)
rmidi->ops->dev_unregister(rmidi);
- mutex_unlock(®ister_mutex);
snd_rawmidi_free_substreams(&rmidi->streams[SNDRV_RAWMIDI_STREAM_INPUT]);
snd_rawmidi_free_substreams(&rmidi->streams[SNDRV_RAWMIDI_STREAM_OUTPUT]);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 003/862] ALSA: usb-audio: Fix potential memory leaks
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 001/862] ALSA: oss: Fix potential deadlock at unregistration Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 002/862] ALSA: rawmidi: Drop register_mutex in snd_rawmidi_free() Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 004/862] ALSA: usb-audio: Fix NULL dererence at error path Greg Kroah-Hartman
` (873 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Takashi Iwai
From: Takashi Iwai <tiwai@suse.de>
commit 6382da0828995af87aa8b8bef28cc61aceb4aff3 upstream.
When the driver hits -ENOMEM at allocating a URB or a buffer, it
aborts and goes to the error path that releases the all previously
allocated resources. However, when -ENOMEM hits at the middle of the
sync EP URB allocation loop, the partially allocated URBs might be
left without released, because ep->nurbs is still zero at that point.
Fix it by setting ep->nurbs at first, so that the error handler loops
over the full URB list.
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220930100151.19461-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/endpoint.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -1261,6 +1261,7 @@ static int sync_ep_set_params(struct snd
if (!ep->syncbuf)
return -ENOMEM;
+ ep->nurbs = SYNC_URBS;
for (i = 0; i < SYNC_URBS; i++) {
struct snd_urb_ctx *u = &ep->urb[i];
u->index = i;
@@ -1280,8 +1281,6 @@ static int sync_ep_set_params(struct snd
u->urb->complete = snd_complete_urb;
}
- ep->nurbs = SYNC_URBS;
-
return 0;
out_of_memory:
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 004/862] ALSA: usb-audio: Fix NULL dererence at error path
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 003/862] ALSA: usb-audio: Fix potential memory leaks Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 005/862] ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530 Greg Kroah-Hartman
` (872 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Sabri N. Ferreiro, Takashi Iwai
From: Takashi Iwai <tiwai@suse.de>
commit 568be8aaf8a535f79c4db76cabe17b035aa2584d upstream.
At an error path to release URB buffers and contexts, the driver might
hit a NULL dererence for u->urb pointer, when u->buffer_size has been
already set but the actual URB allocation failed.
Fix it by adding the NULL check of urb. Also, make sure that
buffer_size is cleared after the error path or the close.
Cc: <stable@vger.kernel.org>
Reported-by: Sabri N. Ferreiro <snferreiro1@gmail.com>
Link: https://lore.kernel.org/r/CAKG+3NRjTey+fFfUEGwuxL-pi_=T4cUskYG9OzpzHytF+tzYng@mail.gmail.com
Link: https://lore.kernel.org/r/20220930100129.19445-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/usb/endpoint.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/sound/usb/endpoint.c
+++ b/sound/usb/endpoint.c
@@ -93,12 +93,13 @@ static inline unsigned get_usb_high_spee
*/
static void release_urb_ctx(struct snd_urb_ctx *u)
{
- if (u->buffer_size)
+ if (u->urb && u->buffer_size)
usb_free_coherent(u->ep->chip->dev, u->buffer_size,
u->urb->transfer_buffer,
u->urb->transfer_dma);
usb_free_urb(u->urb);
u->urb = NULL;
+ u->buffer_size = 0;
}
static const char *usb_error_string(int err)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 005/862] ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 004/862] ALSA: usb-audio: Fix NULL dererence at error path Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 006/862] ALSA: hda/realtek: Correct pin configs for ASUS G533Z Greg Kroah-Hartman
` (871 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Callum Osmotherly, Takashi Iwai
From: Callum Osmotherly <callum.osmotherly@gmail.com>
commit 417b9c51f59734d852e47252476fadc293ad994a upstream.
After some feedback from users with Dell Precision 5530 machines, this
patch reverts the previous change to add ALC289_FIXUP_DUAL_SPK.
While it improved the speaker output quality, it caused the headphone
jack to have an audible "pop" sound when power saving was toggled.
Fixes: 1885ff13d4c4 ("ALSA: hda/realtek: Enable 4-speaker output Dell Precision 5530 laptop")
Signed-off-by: Callum Osmotherly <callum.osmotherly@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/Yz0uyN1zwZhnyRD6@piranha
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 -
1 file changed, 1 deletion(-)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9186,7 +9186,6 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1028, 0x0871, "Dell Precision 3630", ALC255_FIXUP_DELL_HEADSET_MIC),
SND_PCI_QUIRK(0x1028, 0x0872, "Dell Precision 3630", ALC255_FIXUP_DELL_HEADSET_MIC),
SND_PCI_QUIRK(0x1028, 0x0873, "Dell Precision 3930", ALC255_FIXUP_DUMMY_LINEOUT_VERB),
- SND_PCI_QUIRK(0x1028, 0x087d, "Dell Precision 5530", ALC289_FIXUP_DUAL_SPK),
SND_PCI_QUIRK(0x1028, 0x08ad, "Dell WYSE AIO", ALC225_FIXUP_DELL_WYSE_AIO_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1028, 0x08ae, "Dell WYSE NB", ALC225_FIXUP_DELL1_MIC_NO_PRESENCE),
SND_PCI_QUIRK(0x1028, 0x0935, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB),
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 006/862] ALSA: hda/realtek: Correct pin configs for ASUS G533Z
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 005/862] ALSA: hda/realtek: remove ALC289_FIXUP_DUAL_SPK for Dell 5530 Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 007/862] ALSA: hda/realtek: Add quirk for ASUS GV601R laptop Greg Kroah-Hartman
` (870 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Luke D. Jones, Takashi Iwai
From: Luke D. Jones <luke@ljones.dev>
commit 66ba7c88507344dee68ad1acbdb630473ab36114 upstream.
The initial fix for ASUS G533Z was based on faulty information. This
fixes the pincfg to values that have been verified with no existing
module options or other hacks enabled.
Enables headphone jack, and 5.1 surround.
[ corrected the indent level by tiwai ]
Fixes: bc2c23549ccd ("ALSA: hda/realtek: Add pincfg for ASUS G533Z HP jack")
Signed-off-by: Luke D. Jones <luke@ljones.dev>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221010065702.35190-1-luke@ljones.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8427,11 +8427,13 @@ static const struct hda_fixup alc269_fix
[ALC285_FIXUP_ASUS_G533Z_PINS] = {
.type = HDA_FIXUP_PINS,
.v.pins = (const struct hda_pintbl[]) {
- { 0x14, 0x90170120 },
+ { 0x14, 0x90170152 }, /* Speaker Surround Playback Switch */
+ { 0x19, 0x03a19020 }, /* Mic Boost Volume */
+ { 0x1a, 0x03a11c30 }, /* Mic Boost Volume */
+ { 0x1e, 0x90170151 }, /* Rear jack, IN OUT EAPD Detect */
+ { 0x21, 0x03211420 },
{ }
},
- .chained = true,
- .chain_id = ALC294_FIXUP_ASUS_G513_PINS,
},
[ALC294_FIXUP_ASUS_COEF_1B] = {
.type = HDA_FIXUP_VERBS,
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 007/862] ALSA: hda/realtek: Add quirk for ASUS GV601R laptop
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 006/862] ALSA: hda/realtek: Correct pin configs for ASUS G533Z Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 008/862] ALSA: hda/realtek: Add Intel Reference SSID to support headset keys Greg Kroah-Hartman
` (869 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Luke D. Jones, Takashi Iwai
From: Luke D. Jones <luke@ljones.dev>
commit 2ea8e1297801f7b0220ebf6ae61a5b74ca83981e upstream.
The ASUS ROG X16 (GV601R) series laptop has the same node-to-DAC pairs
as early models and the G14, this includes bass speakers which are by
default mapped incorrectly to the 0x06 node.
Add a quirk to use the same DAC pairs as the G14.
Signed-off-by: Luke D. Jones <luke@ljones.dev>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221010070347.36883-1-luke@ljones.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9411,6 +9411,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1043, 0x1e8e, "ASUS Zephyrus G15", ALC289_FIXUP_ASUS_GA401),
SND_PCI_QUIRK(0x1043, 0x1c52, "ASUS Zephyrus G15 2022", ALC289_FIXUP_ASUS_GA401),
SND_PCI_QUIRK(0x1043, 0x1f11, "ASUS Zephyrus G14", ALC289_FIXUP_ASUS_GA401),
+ SND_PCI_QUIRK(0x1043, 0x1f92, "ASUS ROG Flow X16", ALC289_FIXUP_ASUS_GA401),
SND_PCI_QUIRK(0x1043, 0x3030, "ASUS ZN270IE", ALC256_FIXUP_ASUS_AIO_GPIO2),
SND_PCI_QUIRK(0x1043, 0x831a, "ASUS P901", ALC269_FIXUP_STEREO_DMIC),
SND_PCI_QUIRK(0x1043, 0x834a, "ASUS S101", ALC269_FIXUP_STEREO_DMIC),
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 008/862] ALSA: hda/realtek: Add Intel Reference SSID to support headset keys
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 007/862] ALSA: hda/realtek: Add quirk for ASUS GV601R laptop Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 009/862] mtd: rawnand: atmel: Unmap streaming DMA mappings Greg Kroah-Hartman
` (868 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Saranya Gopal, Ninad Naik, Takashi Iwai
From: Saranya Gopal <saranya.gopal@intel.com>
commit 4f2e56a59b9947b3e698d3cabcb858765c12b1e8 upstream.
This patch fixes the issue with 3.5mm headset keys
on RPL-P platform.
[ Rearranged the entry in SSID order by tiwai ]
Signed-off-by: Saranya Gopal <saranya.gopal@intel.com>
Signed-off-by: Ninad Naik <ninad.naik@intel.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20221011044916.2278867-1-saranya.gopal@intel.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9433,6 +9433,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x10ec, 0x10f2, "Intel Reference board", ALC700_FIXUP_INTEL_REFERENCE),
SND_PCI_QUIRK(0x10ec, 0x118c, "Medion EE4254 MD62100", ALC256_FIXUP_MEDION_HEADSET_NO_PRESENCE),
SND_PCI_QUIRK(0x10ec, 0x1230, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
+ SND_PCI_QUIRK(0x10ec, 0x124c, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
SND_PCI_QUIRK(0x10ec, 0x1252, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
SND_PCI_QUIRK(0x10ec, 0x1254, "Intel Reference board", ALC295_FIXUP_CHROME_BOOK),
SND_PCI_QUIRK(0x10f7, 0x8338, "Panasonic CF-SZ6", ALC269_FIXUP_HEADSET_MODE),
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 009/862] mtd: rawnand: atmel: Unmap streaming DMA mappings
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 008/862] ALSA: hda/realtek: Add Intel Reference SSID to support headset keys Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 010/862] io_uring: add custom opcode hooks on fail Greg Kroah-Hartman
` (867 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Tudor Ambarus, Alexander Dahl,
Peter Rosin, Boris Brezillon, Miquel Raynal
From: Tudor Ambarus <tudor.ambarus@microchip.com>
commit 1161703c9bd664da5e3b2eb1a3bb40c210e026ea upstream.
Every dma_map_single() call should have its dma_unmap_single() counterpart,
because the DMA address space is a shared resource and one could render the
machine unusable by consuming all DMA addresses.
Link: https://lore.kernel.org/lkml/13c6c9a2-6db5-c3bf-349b-4c127ad3496a@axentia.se/
Cc: stable@vger.kernel.org
Fixes: f88fc122cc34 ("mtd: nand: Cleanup/rework the atmel_nand driver")
Signed-off-by: Tudor Ambarus <tudor.ambarus@microchip.com>
Acked-by: Alexander Dahl <ada@thorsis.com>
Reported-by: Peter Rosin <peda@axentia.se>
Tested-by: Alexander Dahl <ada@thorsis.com>
Reviewed-by: Boris Brezillon <boris.brezillon@collabora.com>
Tested-by: Peter Rosin <peda@axentia.se>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20220728074014.145406-1-tudor.ambarus@microchip.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/atmel/nand-controller.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/mtd/nand/raw/atmel/nand-controller.c
+++ b/drivers/mtd/nand/raw/atmel/nand-controller.c
@@ -405,6 +405,7 @@ static int atmel_nand_dma_transfer(struc
dma_async_issue_pending(nc->dmac);
wait_for_completion(&finished);
+ dma_unmap_single(nc->dev, buf_dma, len, dir);
return 0;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 010/862] io_uring: add custom opcode hooks on fail
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 009/862] mtd: rawnand: atmel: Unmap streaming DMA mappings Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 011/862] io_uring/rw: dont lose partial IO result " Greg Kroah-Hartman
` (866 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pavel Begunkov, Jens Axboe
From: Pavel Begunkov <asml.silence@gmail.com>
commit a47b255e90395bdb481975ab3d9e96fcf8b3165f upstream.
Sometimes we have to do a little bit of a fixup on a request failuer in
io_req_complete_failed(). Add a callback in opdef for that.
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/b734cff4e67cb30cca976b9face321023f37549a.1663668091.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io_uring.c | 4 ++++
io_uring/opdef.h | 1 +
2 files changed, 5 insertions(+)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -823,8 +823,12 @@ inline void __io_req_complete(struct io_
void io_req_complete_failed(struct io_kiocb *req, s32 res)
{
+ const struct io_op_def *def = &io_op_defs[req->opcode];
+
req_set_fail(req);
io_req_set_res(req, res, io_put_kbuf(req, IO_URING_F_UNLOCKED));
+ if (def->fail)
+ def->fail(req);
io_req_complete_post(req);
}
--- a/io_uring/opdef.h
+++ b/io_uring/opdef.h
@@ -36,6 +36,7 @@ struct io_op_def {
int (*issue)(struct io_kiocb *, unsigned int);
int (*prep_async)(struct io_kiocb *);
void (*cleanup)(struct io_kiocb *);
+ void (*fail)(struct io_kiocb *);
};
extern const struct io_op_def io_op_defs[];
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 011/862] io_uring/rw: dont lose partial IO result on fail
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 010/862] io_uring: add custom opcode hooks on fail Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 012/862] io_uring/net: dont lose partial send/recv " Greg Kroah-Hartman
` (865 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pavel Begunkov, Jens Axboe
From: Pavel Begunkov <asml.silence@gmail.com>
commit 47b4c68660752facfa6247b1fc9ca9d722b8b601 upstream.
A partially done read/write may end up in io_req_complete_failed() and
loose the result, make sure we return the number of bytes processed.
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/05e0879c226bcd53b441bf92868eadd4bf04e2fc.1663668091.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/opdef.c | 6 ++++++
io_uring/rw.c | 8 ++++++++
io_uring/rw.h | 1 +
3 files changed, 15 insertions(+)
--- a/io_uring/opdef.c
+++ b/io_uring/opdef.c
@@ -69,6 +69,7 @@ const struct io_op_def io_op_defs[] = {
.issue = io_read,
.prep_async = io_readv_prep_async,
.cleanup = io_readv_writev_cleanup,
+ .fail = io_rw_fail,
},
[IORING_OP_WRITEV] = {
.needs_file = 1,
@@ -85,6 +86,7 @@ const struct io_op_def io_op_defs[] = {
.issue = io_write,
.prep_async = io_writev_prep_async,
.cleanup = io_readv_writev_cleanup,
+ .fail = io_rw_fail,
},
[IORING_OP_FSYNC] = {
.needs_file = 1,
@@ -105,6 +107,7 @@ const struct io_op_def io_op_defs[] = {
.name = "READ_FIXED",
.prep = io_prep_rw,
.issue = io_read,
+ .fail = io_rw_fail,
},
[IORING_OP_WRITE_FIXED] = {
.needs_file = 1,
@@ -119,6 +122,7 @@ const struct io_op_def io_op_defs[] = {
.name = "WRITE_FIXED",
.prep = io_prep_rw,
.issue = io_write,
+ .fail = io_rw_fail,
},
[IORING_OP_POLL_ADD] = {
.needs_file = 1,
@@ -273,6 +277,7 @@ const struct io_op_def io_op_defs[] = {
.name = "READ",
.prep = io_prep_rw,
.issue = io_read,
+ .fail = io_rw_fail,
},
[IORING_OP_WRITE] = {
.needs_file = 1,
@@ -287,6 +292,7 @@ const struct io_op_def io_op_defs[] = {
.name = "WRITE",
.prep = io_prep_rw,
.issue = io_write,
+ .fail = io_rw_fail,
},
[IORING_OP_FADVISE] = {
.needs_file = 1,
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -984,6 +984,14 @@ static void io_cqring_ev_posted_iopoll(s
io_cqring_wake(ctx);
}
+void io_rw_fail(struct io_kiocb *req)
+{
+ int res;
+
+ res = io_fixup_rw_res(req, req->cqe.res);
+ io_req_set_res(req, res, req->cqe.flags);
+}
+
int io_do_iopoll(struct io_ring_ctx *ctx, bool force_nonspin)
{
struct io_wq_work_node *pos, *start, *prev;
--- a/io_uring/rw.h
+++ b/io_uring/rw.h
@@ -21,3 +21,4 @@ int io_readv_prep_async(struct io_kiocb
int io_write(struct io_kiocb *req, unsigned int issue_flags);
int io_writev_prep_async(struct io_kiocb *req);
void io_readv_writev_cleanup(struct io_kiocb *req);
+void io_rw_fail(struct io_kiocb *req);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 012/862] io_uring/net: dont lose partial send/recv on fail
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 011/862] io_uring/rw: dont lose partial IO result " Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 013/862] io_uring/rw: fix unexpected link breakage Greg Kroah-Hartman
` (864 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pavel Begunkov, Jens Axboe
From: Pavel Begunkov <asml.silence@gmail.com>
commit 7e6b638ed501cced4e472298d6b08dd16346f3a6 upstream.
Just as with rw, partial send/recv may end up in
io_req_complete_failed() and loose the result, make sure we return the
number of bytes processed.
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/a4ff95897b5419356fca9ea55db91ac15b2975f9.1663668091.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/net.c | 10 ++++++++++
io_uring/net.h | 2 ++
io_uring/opdef.c | 4 ++++
3 files changed, 16 insertions(+)
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -1087,6 +1087,16 @@ int io_sendzc(struct io_kiocb *req, unsi
return IOU_OK;
}
+void io_sendrecv_fail(struct io_kiocb *req)
+{
+ struct io_sr_msg *sr = io_kiocb_to_cmd(req, struct io_sr_msg);
+ int res = req->cqe.res;
+
+ if (req->flags & REQ_F_PARTIAL_IO)
+ res = sr->done_io;
+ io_req_set_res(req, res, req->cqe.flags);
+}
+
int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe)
{
struct io_accept *accept = io_kiocb_to_cmd(req, struct io_accept);
--- a/io_uring/net.h
+++ b/io_uring/net.h
@@ -43,6 +43,8 @@ int io_recvmsg_prep(struct io_kiocb *req
int io_recvmsg(struct io_kiocb *req, unsigned int issue_flags);
int io_recv(struct io_kiocb *req, unsigned int issue_flags);
+void io_sendrecv_fail(struct io_kiocb *req);
+
int io_accept_prep(struct io_kiocb *req, const struct io_uring_sqe *sqe);
int io_accept(struct io_kiocb *req, unsigned int issue_flags);
--- a/io_uring/opdef.c
+++ b/io_uring/opdef.c
@@ -157,6 +157,7 @@ const struct io_op_def io_op_defs[] = {
.issue = io_sendmsg,
.prep_async = io_sendmsg_prep_async,
.cleanup = io_sendmsg_recvmsg_cleanup,
+ .fail = io_sendrecv_fail,
#else
.prep = io_eopnotsupp_prep,
#endif
@@ -174,6 +175,7 @@ const struct io_op_def io_op_defs[] = {
.issue = io_recvmsg,
.prep_async = io_recvmsg_prep_async,
.cleanup = io_sendmsg_recvmsg_cleanup,
+ .fail = io_sendrecv_fail,
#else
.prep = io_eopnotsupp_prep,
#endif
@@ -316,6 +318,7 @@ const struct io_op_def io_op_defs[] = {
#if defined(CONFIG_NET)
.prep = io_sendmsg_prep,
.issue = io_send,
+ .fail = io_sendrecv_fail,
#else
.prep = io_eopnotsupp_prep,
#endif
@@ -331,6 +334,7 @@ const struct io_op_def io_op_defs[] = {
#if defined(CONFIG_NET)
.prep = io_recvmsg_prep,
.issue = io_recv,
+ .fail = io_sendrecv_fail,
#else
.prep = io_eopnotsupp_prep,
#endif
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 013/862] io_uring/rw: fix unexpected link breakage
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 012/862] io_uring/net: dont lose partial send/recv " Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 014/862] io_uring/rw: dont lose short results on io_setup_async_rw() Greg Kroah-Hartman
` (863 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pavel Begunkov, Jens Axboe, Beld Zhang
From: Pavel Begunkov <asml.silence@gmail.com>
commit bf68b5b34311ee57ed40749a1257a30b46127556 upstream.
req->cqe.res is set in io_read() to the amount of bytes left to be done,
which is used to figure out whether to fail a read or not. However,
io_read() may do another without returning, and we stash the previous
value into ->bytes_done but forget to update cqe.res. Then we ask a read
to do strictly less than cqe.res but expect the return to be exactly
cqe.res.
Fix the bug by updating cqe.res for retries.
Cc: stable@vger.kernel.org
Reported-and-Tested-by: Beld Zhang <beldzhang@gmail.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/3a1088440c7be98e5800267af922a67da0ef9f13.1664235732.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/rw.c | 1 +
1 file changed, 1 insertion(+)
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -823,6 +823,7 @@ int io_read(struct io_kiocb *req, unsign
return -EAGAIN;
}
+ req->cqe.res = iov_iter_count(&s->iter);
/*
* Now retry read with the IOCB_WAITQ parts set in the iocb. If
* we get -EIOCBQUEUED, then we'll get a notification when the
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 014/862] io_uring/rw: dont lose short results on io_setup_async_rw()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 013/862] io_uring/rw: fix unexpected link breakage Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 015/862] io_uring/net: fix fast_iov assignment in io_setup_async_msg() Greg Kroah-Hartman
` (862 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pavel Begunkov, Jens Axboe
From: Pavel Begunkov <asml.silence@gmail.com>
commit c278d9f8ac0db5590909e6d9e85b5ca2b786704f upstream.
If a retry io_setup_async_rw() fails we lose result from the first
io_iter_do_read(), which is a problem mostly for streams/sockets.
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/0e8d20cebe5fc9c96ed268463c394237daabc384.1664235732.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/rw.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/io_uring/rw.c
+++ b/io_uring/rw.c
@@ -794,10 +794,12 @@ int io_read(struct io_kiocb *req, unsign
iov_iter_restore(&s->iter, &s->iter_state);
ret2 = io_setup_async_rw(req, iovec, s, true);
- if (ret2)
- return ret2;
-
iovec = NULL;
+ if (ret2) {
+ ret = ret > 0 ? ret : ret2;
+ goto done;
+ }
+
io = req->async_data;
s = &io->s;
/*
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 015/862] io_uring/net: fix fast_iov assignment in io_setup_async_msg()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 014/862] io_uring/rw: dont lose short results on io_setup_async_rw() Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 016/862] io_uring/net: dont update msg_name if not provided Greg Kroah-Hartman
` (861 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stefan Metzmacher, Pavel Begunkov,
Jens Axboe
From: Stefan Metzmacher <metze@samba.org>
commit 3e4cb6ebbb2bad201c1186bc0b7e8cf41dd7f7e6 upstream.
I hit a very bad problem during my tests of SENDMSG_ZC.
BUG(); in first_iovec_segment() triggered very easily.
The problem was io_setup_async_msg() in the partial retry case,
which seems to happen more often with _ZC.
iov_iter_iovec_advance() may change i->iov in order to have i->iov_offset
being only relative to the first element.
Which means kmsg->msg.msg_iter.iov is no longer the
same as kmsg->fast_iov.
But this would rewind the copy to be the start of
async_msg->fast_iov, which means the internal
state of sync_msg->msg.msg_iter is inconsitent.
I tested with 5 vectors with length like this 4, 0, 64, 20, 8388608
and got a short writes with:
- ret=2675244 min_ret=8388692 => remaining 5713448 sr->done_io=2675244
- ret=-EAGAIN => io_uring_poll_arm
- ret=4911225 min_ret=5713448 => remaining 802223 sr->done_io=7586469
- ret=-EAGAIN => io_uring_poll_arm
- ret=802223 min_ret=802223 => res=8388692
While this was easily triggered with SENDMSG_ZC (queued for 6.1),
it was a potential problem starting with 7ba89d2af17aa879dda30f5d5d3f152e587fc551
in 5.18 for IORING_OP_RECVMSG.
And also with 4c3c09439c08b03d9503df0ca4c7619c5842892e in 5.19
for IORING_OP_SENDMSG.
However 257e84a5377fbbc336ff563833a8712619acce56 introduced the critical
code into io_setup_async_msg() in 5.11.
Fixes: 7ba89d2af17aa ("io_uring: ensure recv and recvmsg handle MSG_WAITALL correctly")
Fixes: 257e84a5377fb ("io_uring: refactor sendmsg/recvmsg iov managing")
Cc: stable@vger.kernel.org
Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/b2e7be246e2fb173520862b0c7098e55767567a2.1664436949.git.metze@samba.org
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/net.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -165,8 +165,10 @@ static int io_setup_async_msg(struct io_
memcpy(async_msg, kmsg, sizeof(*kmsg));
async_msg->msg.msg_name = &async_msg->addr;
/* if were using fast_iov, set it to the new one */
- if (!async_msg->free_iov)
- async_msg->msg.msg_iter.iov = async_msg->fast_iov;
+ if (!kmsg->free_iov) {
+ size_t fast_idx = kmsg->msg.msg_iter.iov - kmsg->fast_iov;
+ async_msg->msg.msg_iter.iov = &async_msg->fast_iov[fast_idx];
+ }
return -EAGAIN;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 016/862] io_uring/net: dont update msg_name if not provided
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 015/862] io_uring/net: fix fast_iov assignment in io_setup_async_msg() Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 017/862] io_uring: limit registration w/ SINGLE_ISSUER Greg Kroah-Hartman
` (860 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pavel Begunkov, Jens Axboe
From: Pavel Begunkov <asml.silence@gmail.com>
commit 6f10ae8a155446248055c7ddd480ef40139af788 upstream.
io_sendmsg_copy_hdr() may clear msg->msg_name if the userspace didn't
provide it, we should retain NULL in this case.
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/97d49f61b5ec76d0900df658cfde3aa59ff22121.1664486545.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/net.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -163,7 +163,8 @@ static int io_setup_async_msg(struct io_
}
req->flags |= REQ_F_NEED_CLEANUP;
memcpy(async_msg, kmsg, sizeof(*kmsg));
- async_msg->msg.msg_name = &async_msg->addr;
+ if (async_msg->msg.msg_name)
+ async_msg->msg.msg_name = &async_msg->addr;
/* if were using fast_iov, set it to the new one */
if (!kmsg->free_iov) {
size_t fast_idx = kmsg->msg.msg_iter.iov - kmsg->fast_iov;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 017/862] io_uring: limit registration w/ SINGLE_ISSUER
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 016/862] io_uring/net: dont update msg_name if not provided Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 018/862] io_uring/net: handle -EINPROGRESS correct for IORING_OP_CONNECT Greg Kroah-Hartman
` (859 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Pavel Begunkov, Jens Axboe
From: Pavel Begunkov <asml.silence@gmail.com>
commit d7cce96c449e35bbfd41e830b341b95973891eed upstream.
IORING_SETUP_SINGLE_ISSUER restricts what tasks can submit requests.
Extend it to registration as well, so non-owning task can't do
registrations. It's not necessary at the moment but might be useful in
the future.
Cc: <stable@vger.kernel.org> # 6.0
Fixes: 97bbdc06a444 ("io_uring: add IORING_SETUP_SINGLE_ISSUER")
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/f52a6a9c8a8990d4a831f73c0571e7406aac2bba.1664237592.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io_uring.c | 3 +++
1 file changed, 3 insertions(+)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -3710,6 +3710,9 @@ static int __io_uring_register(struct io
if (WARN_ON_ONCE(percpu_ref_is_dying(&ctx->refs)))
return -ENXIO;
+ if (ctx->submitter_task && ctx->submitter_task != current)
+ return -EEXIST;
+
if (ctx->restricted) {
if (opcode >= IORING_REGISTER_LAST)
return -EINVAL;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 018/862] io_uring/net: handle -EINPROGRESS correct for IORING_OP_CONNECT
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 017/862] io_uring: limit registration w/ SINGLE_ISSUER Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 019/862] io_uring/af_unix: defer registered files gc to io_uring release Greg Kroah-Hartman
` (858 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Aidan Sun, Jens Axboe
From: Jens Axboe <axboe@kernel.dk>
commit 3fb1bd68817288729179444caf1fd5c5c4d2d65d upstream.
We treat EINPROGRESS like EAGAIN, but if we're retrying post getting
EINPROGRESS, then we just need to check the socket for errors and
terminate the request.
This was exposed on a bluetooth connection request which ends up
taking a while and hitting EINPROGRESS, and yields a CQE result of
-EBADFD because we're retrying a connect on a socket that is now
connected.
Cc: stable@vger.kernel.org
Fixes: 87f80d623c6c ("io_uring: handle connect -EINPROGRESS like -EAGAIN")
Link: https://github.com/axboe/liburing/issues/671
Reported-by: Aidan Sun <aidansun05@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/net.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
--- a/io_uring/net.c
+++ b/io_uring/net.c
@@ -46,6 +46,7 @@ struct io_connect {
struct file *file;
struct sockaddr __user *addr;
int addr_len;
+ bool in_progress;
};
struct io_sr_msg {
@@ -1263,6 +1264,7 @@ int io_connect_prep(struct io_kiocb *req
conn->addr = u64_to_user_ptr(READ_ONCE(sqe->addr));
conn->addr_len = READ_ONCE(sqe->addr2);
+ conn->in_progress = false;
return 0;
}
@@ -1274,6 +1276,16 @@ int io_connect(struct io_kiocb *req, uns
int ret;
bool force_nonblock = issue_flags & IO_URING_F_NONBLOCK;
+ if (connect->in_progress) {
+ struct socket *socket;
+
+ ret = -ENOTSOCK;
+ socket = sock_from_file(req->file);
+ if (socket)
+ ret = sock_error(socket->sk);
+ goto out;
+ }
+
if (req_has_async_data(req)) {
io = req->async_data;
} else {
@@ -1290,13 +1302,17 @@ int io_connect(struct io_kiocb *req, uns
ret = __sys_connect_file(req->file, &io->address,
connect->addr_len, file_flags);
if ((ret == -EAGAIN || ret == -EINPROGRESS) && force_nonblock) {
- if (req_has_async_data(req))
- return -EAGAIN;
- if (io_alloc_async_data(req)) {
- ret = -ENOMEM;
- goto out;
+ if (ret == -EINPROGRESS) {
+ connect->in_progress = true;
+ } else {
+ if (req_has_async_data(req))
+ return -EAGAIN;
+ if (io_alloc_async_data(req)) {
+ ret = -ENOMEM;
+ goto out;
+ }
+ memcpy(req->async_data, &__io, sizeof(__io));
}
- memcpy(req->async_data, &__io, sizeof(__io));
return -EAGAIN;
}
if (ret == -ERESTARTSYS)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 019/862] io_uring/af_unix: defer registered files gc to io_uring release
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 018/862] io_uring/net: handle -EINPROGRESS correct for IORING_OP_CONNECT Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 020/862] io_uring: correct pinned_vm accounting Greg Kroah-Hartman
` (857 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pavel Begunkov,
Thadeu Lima de Souza Cascardo, Jens Axboe, David Bouman
From: Pavel Begunkov <asml.silence@gmail.com>
commit 0091bfc81741b8d3aeb3b7ab8636f911b2de6e80 upstream.
Instead of putting io_uring's registered files in unix_gc() we want it
to be done by io_uring itself. The trick here is to consider io_uring
registered files for cycle detection but not actually putting them down.
Because io_uring can't register other ring instances, this will remove
all refs to the ring file triggering the ->release path and clean up
with io_ring_ctx_free().
Cc: stable@vger.kernel.org
Fixes: 6b06314c47e1 ("io_uring: add file set registration")
Reported-and-tested-by: David Bouman <dbouman03@gmail.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
[axboe: add kerneldoc comment to skb, fold in skb leak fix]
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/skbuff.h | 2 ++
io_uring/rsrc.c | 1 +
net/unix/garbage.c | 20 ++++++++++++++++++++
3 files changed, 23 insertions(+)
--- a/include/linux/skbuff.h
+++ b/include/linux/skbuff.h
@@ -796,6 +796,7 @@ typedef unsigned char *sk_buff_data_t;
* @csum_level: indicates the number of consecutive checksums found in
* the packet minus one that have been verified as
* CHECKSUM_UNNECESSARY (max 3)
+ * @scm_io_uring: SKB holds io_uring registered files
* @dst_pending_confirm: need to confirm neighbour
* @decrypted: Decrypted SKB
* @slow_gro: state present at GRO time, slower prepare step required
@@ -975,6 +976,7 @@ struct sk_buff {
#endif
__u8 slow_gro:1;
__u8 csum_not_inet:1;
+ __u8 scm_io_uring:1;
#ifdef CONFIG_NET_SCHED
__u16 tc_index; /* traffic control index */
--- a/io_uring/rsrc.c
+++ b/io_uring/rsrc.c
@@ -855,6 +855,7 @@ int __io_scm_file_account(struct io_ring
UNIXCB(skb).fp = fpl;
skb->sk = sk;
+ skb->scm_io_uring = 1;
skb->destructor = unix_destruct_scm;
refcount_add(skb->truesize, &sk->sk_wmem_alloc);
}
--- a/net/unix/garbage.c
+++ b/net/unix/garbage.c
@@ -204,6 +204,7 @@ void wait_for_unix_gc(void)
/* The external entry point: unix_gc() */
void unix_gc(void)
{
+ struct sk_buff *next_skb, *skb;
struct unix_sock *u;
struct unix_sock *next;
struct sk_buff_head hitlist;
@@ -297,11 +298,30 @@ void unix_gc(void)
spin_unlock(&unix_gc_lock);
+ /* We need io_uring to clean its registered files, ignore all io_uring
+ * originated skbs. It's fine as io_uring doesn't keep references to
+ * other io_uring instances and so killing all other files in the cycle
+ * will put all io_uring references forcing it to go through normal
+ * release.path eventually putting registered files.
+ */
+ skb_queue_walk_safe(&hitlist, skb, next_skb) {
+ if (skb->scm_io_uring) {
+ __skb_unlink(skb, &hitlist);
+ skb_queue_tail(&skb->sk->sk_receive_queue, skb);
+ }
+ }
+
/* Here we are. Hitlist is filled. Die. */
__skb_queue_purge(&hitlist);
spin_lock(&unix_gc_lock);
+ /* There could be io_uring registered files, just push them back to
+ * the inflight list
+ */
+ list_for_each_entry_safe(u, next, &gc_candidates, link)
+ list_move_tail(&u->link, &gc_inflight_list);
+
/* All candidates should have been detached by now. */
BUG_ON(!list_empty(&gc_candidates));
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 020/862] io_uring: correct pinned_vm accounting
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 019/862] io_uring/af_unix: defer registered files gc to io_uring release Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 021/862] hv_netvsc: Fix race between VF offering and VF association message from host Greg Kroah-Hartman
` (856 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Stable, Pavel Begunkov, Jens Axboe
From: Pavel Begunkov <asml.silence@gmail.com>
commit 42b6419d0aba47c5d8644cdc0b68502254671de5 upstream.
->mm_account should be released only after we free all registered
buffers, otherwise __io_sqe_buffers_unregister() will see a NULL
->mm_account and skip locked_vm accounting.
Cc: <Stable@vger.kernel.org>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/6d798f65ed4ab8db3664c4d3397d4af16ca98846.1664849932.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io_uring.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2422,12 +2422,6 @@ static void io_req_caches_free(struct io
static __cold void io_ring_ctx_free(struct io_ring_ctx *ctx)
{
io_sq_thread_finish(ctx);
-
- if (ctx->mm_account) {
- mmdrop(ctx->mm_account);
- ctx->mm_account = NULL;
- }
-
io_rsrc_refs_drop(ctx);
/* __io_rsrc_put_work() may need uring_lock to progress, wait w/o it */
io_wait_rsrc_data(ctx->buf_data);
@@ -2470,6 +2464,10 @@ static __cold void io_ring_ctx_free(stru
WARN_ON_ONCE(!list_empty(&ctx->ltimeout_list));
WARN_ON_ONCE(ctx->notif_slots || ctx->nr_notif_slots);
+ if (ctx->mm_account) {
+ mmdrop(ctx->mm_account);
+ ctx->mm_account = NULL;
+ }
io_mem_free(ctx->rings);
io_mem_free(ctx->sq_sqes);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 021/862] hv_netvsc: Fix race between VF offering and VF association message from host
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 020/862] io_uring: correct pinned_vm accounting Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 022/862] cifs: destage dirty pages before re-reading them for cache=none Greg Kroah-Hartman
` (855 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Haiyang Zhang, Gaurav Kohli, David S. Miller
From: Gaurav Kohli <gauravkohli@linux.microsoft.com>
commit 365e1ececb2905f94cc10a5817c5b644a32a3ae2 upstream.
During vm boot, there might be possibility that vf registration
call comes before the vf association from host to vm.
And this might break netvsc vf path, To prevent the same block
vf registration until vf bind message comes from host.
Cc: stable@vger.kernel.org
Fixes: 00d7ddba11436 ("hv_netvsc: pair VF based on serial number")
Reviewed-by: Haiyang Zhang <haiyangz@microsoft.com>
Signed-off-by: Gaurav Kohli <gauravkohli@linux.microsoft.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/hyperv/hyperv_net.h | 3 ++-
drivers/net/hyperv/netvsc.c | 4 ++++
drivers/net/hyperv/netvsc_drv.c | 19 +++++++++++++++++++
3 files changed, 25 insertions(+), 1 deletion(-)
--- a/drivers/net/hyperv/hyperv_net.h
+++ b/drivers/net/hyperv/hyperv_net.h
@@ -1051,7 +1051,8 @@ struct net_device_context {
u32 vf_alloc;
/* Serial number of the VF to team with */
u32 vf_serial;
-
+ /* completion variable to confirm vf association */
+ struct completion vf_add;
/* Is the current data path through the VF NIC? */
bool data_path_is_vf;
--- a/drivers/net/hyperv/netvsc.c
+++ b/drivers/net/hyperv/netvsc.c
@@ -1580,6 +1580,10 @@ static void netvsc_send_vf(struct net_de
net_device_ctx->vf_alloc = nvmsg->msg.v4_msg.vf_assoc.allocated;
net_device_ctx->vf_serial = nvmsg->msg.v4_msg.vf_assoc.serial;
+
+ if (net_device_ctx->vf_alloc)
+ complete(&net_device_ctx->vf_add);
+
netdev_info(ndev, "VF slot %u %s\n",
net_device_ctx->vf_serial,
net_device_ctx->vf_alloc ? "added" : "removed");
--- a/drivers/net/hyperv/netvsc_drv.c
+++ b/drivers/net/hyperv/netvsc_drv.c
@@ -2313,6 +2313,18 @@ static struct net_device *get_netvsc_bys
}
+ /* Fallback path to check synthetic vf with
+ * help of mac addr
+ */
+ list_for_each_entry(ndev_ctx, &netvsc_dev_list, list) {
+ ndev = hv_get_drvdata(ndev_ctx->device_ctx);
+ if (ether_addr_equal(vf_netdev->perm_addr, ndev->perm_addr)) {
+ netdev_notice(vf_netdev,
+ "falling back to mac addr based matching\n");
+ return ndev;
+ }
+ }
+
netdev_notice(vf_netdev,
"no netdev found for vf serial:%u\n", serial);
return NULL;
@@ -2409,6 +2421,11 @@ static int netvsc_vf_changed(struct net_
if (net_device_ctx->data_path_is_vf == vf_is_up)
return NOTIFY_OK;
+ if (vf_is_up && !net_device_ctx->vf_alloc) {
+ netdev_info(ndev, "Waiting for the VF association from host\n");
+ wait_for_completion(&net_device_ctx->vf_add);
+ }
+
ret = netvsc_switch_datapath(ndev, vf_is_up);
if (ret) {
@@ -2440,6 +2457,7 @@ static int netvsc_unregister_vf(struct n
netvsc_vf_setxdp(vf_netdev, NULL);
+ reinit_completion(&net_device_ctx->vf_add);
netdev_rx_handler_unregister(vf_netdev);
netdev_upper_dev_unlink(vf_netdev, ndev);
RCU_INIT_POINTER(net_device_ctx->vf_netdev, NULL);
@@ -2479,6 +2497,7 @@ static int netvsc_probe(struct hv_device
INIT_DELAYED_WORK(&net_device_ctx->dwork, netvsc_link_change);
+ init_completion(&net_device_ctx->vf_add);
spin_lock_init(&net_device_ctx->lock);
INIT_LIST_HEAD(&net_device_ctx->reconfig_events);
INIT_DELAYED_WORK(&net_device_ctx->vf_takeover, netvsc_vf_setup);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 022/862] cifs: destage dirty pages before re-reading them for cache=none
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 021/862] hv_netvsc: Fix race between VF offering and VF association message from host Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 023/862] cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message Greg Kroah-Hartman
` (854 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Paulo Alcantara (SUSE),
Enzo Matsumiya, Ronnie Sahlberg, Steve French
From: Ronnie Sahlberg <lsahlber@redhat.com>
commit bb44c31cdcac107344dd2fcc3bd0504a53575c51 upstream.
This is the opposite case of kernel bugzilla 216301.
If we mmap a file using cache=none and then proceed to update the mmapped
area these updates are not reflected in a later pread() of that part of the
file.
To fix this we must first destage any dirty pages in the range before
we allow the pread() to proceed.
Cc: stable@vger.kernel.org
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Enzo Matsumiya <ematsumiya@suse.de>
Signed-off-by: Ronnie Sahlberg <lsahlber@redhat.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/file.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/fs/cifs/file.c
+++ b/fs/cifs/file.c
@@ -4271,6 +4271,15 @@ static ssize_t __cifs_readv(
len = ctx->len;
}
+ if (direct) {
+ rc = filemap_write_and_wait_range(file->f_inode->i_mapping,
+ offset, offset + len - 1);
+ if (rc) {
+ kref_put(&ctx->refcount, cifs_aio_ctx_release);
+ return -EAGAIN;
+ }
+ }
+
/* grab a lock here due to read response handlers can access ctx */
mutex_lock(&ctx->aio_mutex);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 023/862] cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 022/862] cifs: destage dirty pages before re-reading them for cache=none Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 024/862] iio: dac: ad5593r: Fix i2c read protocol requirements Greg Kroah-Hartman
` (853 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zhang Xiaoxu, Paulo Alcantara (SUSE),
Tom Talpey, Steve French
From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
commit e98ecc6e94f4e6d21c06660b0f336df02836694f upstream.
Commit d5c7076b772a ("smb3: add smb3.1.1 to default dialect list")
extend the dialects from 3 to 4, but forget to decrease the extended
length when specific the dialect, then the message length is larger
than expected.
This maybe leak some info through network because not initialize the
message body.
After apply this patch, the VALIDATE_NEGOTIATE_INFO message length is
reduced from 28 bytes to 26 bytes.
Fixes: d5c7076b772a ("smb3: add smb3.1.1 to default dialect list")
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Cc: <stable@vger.kernel.org>
Acked-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Reviewed-by: Tom Talpey <tom@talpey.com>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/smb2pdu.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/cifs/smb2pdu.c
+++ b/fs/cifs/smb2pdu.c
@@ -1169,9 +1169,9 @@ int smb3_validate_negotiate(const unsign
pneg_inbuf->Dialects[0] =
cpu_to_le16(server->vals->protocol_id);
pneg_inbuf->DialectCount = cpu_to_le16(1);
- /* structure is big enough for 3 dialects, sending only 1 */
+ /* structure is big enough for 4 dialects, sending only 1 */
inbuflen = sizeof(*pneg_inbuf) -
- sizeof(pneg_inbuf->Dialects[0]) * 2;
+ sizeof(pneg_inbuf->Dialects[0]) * 3;
}
rc = SMB2_ioctl(xid, tcon, NO_FILE_ID, NO_FILE_ID,
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 024/862] iio: dac: ad5593r: Fix i2c read protocol requirements
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 023/862] cifs: Fix the error length of VALIDATE_NEGOTIATE_INFO message Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 025/862] iio: ltc2497: Fix reading conversion results Greg Kroah-Hartman
` (852 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Michael Hennerich, Nuno Sá,
Stable, Jonathan Cameron
From: Michael Hennerich <michael.hennerich@analog.com>
commit 558a25f903b4af6361b7fbeea08a6446a0745653 upstream.
For reliable operation across the full range of supported
interface rates, the AD5593R needs a STOP condition between
address write, and data read (like show in the datasheet Figure 40)
so in turn i2c_smbus_read_word_swapped cannot be used.
While at it, a simple helper was added to make the code simpler.
Fixes: 56ca9db862bf ("iio: dac: Add support for the AD5592R/AD5593R ADCs/DACs")
Signed-off-by: Michael Hennerich <michael.hennerich@analog.com>
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Cc: <Stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220913073413.140475-2-nuno.sa@analog.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/dac/ad5593r.c | 46 +++++++++++++++++++++++++++-------------------
1 file changed, 27 insertions(+), 19 deletions(-)
--- a/drivers/iio/dac/ad5593r.c
+++ b/drivers/iio/dac/ad5593r.c
@@ -13,6 +13,8 @@
#include <linux/module.h>
#include <linux/mod_devicetable.h>
+#include <asm/unaligned.h>
+
#define AD5593R_MODE_CONF (0 << 4)
#define AD5593R_MODE_DAC_WRITE (1 << 4)
#define AD5593R_MODE_ADC_READBACK (4 << 4)
@@ -20,6 +22,24 @@
#define AD5593R_MODE_GPIO_READBACK (6 << 4)
#define AD5593R_MODE_REG_READBACK (7 << 4)
+static int ad5593r_read_word(struct i2c_client *i2c, u8 reg, u16 *value)
+{
+ int ret;
+ u8 buf[2];
+
+ ret = i2c_smbus_write_byte(i2c, reg);
+ if (ret < 0)
+ return ret;
+
+ ret = i2c_master_recv(i2c, buf, sizeof(buf));
+ if (ret < 0)
+ return ret;
+
+ *value = get_unaligned_be16(buf);
+
+ return 0;
+}
+
static int ad5593r_write_dac(struct ad5592r_state *st, unsigned chan, u16 value)
{
struct i2c_client *i2c = to_i2c_client(st->dev);
@@ -38,13 +58,7 @@ static int ad5593r_read_adc(struct ad559
if (val < 0)
return (int) val;
- val = i2c_smbus_read_word_swapped(i2c, AD5593R_MODE_ADC_READBACK);
- if (val < 0)
- return (int) val;
-
- *value = (u16) val;
-
- return 0;
+ return ad5593r_read_word(i2c, AD5593R_MODE_ADC_READBACK, value);
}
static int ad5593r_reg_write(struct ad5592r_state *st, u8 reg, u16 value)
@@ -58,25 +72,19 @@ static int ad5593r_reg_write(struct ad55
static int ad5593r_reg_read(struct ad5592r_state *st, u8 reg, u16 *value)
{
struct i2c_client *i2c = to_i2c_client(st->dev);
- s32 val;
-
- val = i2c_smbus_read_word_swapped(i2c, AD5593R_MODE_REG_READBACK | reg);
- if (val < 0)
- return (int) val;
- *value = (u16) val;
-
- return 0;
+ return ad5593r_read_word(i2c, AD5593R_MODE_REG_READBACK | reg, value);
}
static int ad5593r_gpio_read(struct ad5592r_state *st, u8 *value)
{
struct i2c_client *i2c = to_i2c_client(st->dev);
- s32 val;
+ u16 val;
+ int ret;
- val = i2c_smbus_read_word_swapped(i2c, AD5593R_MODE_GPIO_READBACK);
- if (val < 0)
- return (int) val;
+ ret = ad5593r_read_word(i2c, AD5593R_MODE_GPIO_READBACK, &val);
+ if (ret)
+ return ret;
*value = (u8) val;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 025/862] iio: ltc2497: Fix reading conversion results
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 024/862] iio: dac: ad5593r: Fix i2c read protocol requirements Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 026/862] iio: adc: ad7923: fix channel readings for some variants Greg Kroah-Hartman
` (851 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Meng Li, Uwe Kleine-König,
Denys Zagorui, Stable, Jonathan Cameron
From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
commit 7f4f1096d5921f5d90547596f9ce80e0b924f887 upstream.
After the result of the previous conversion is read the chip
automatically starts a new conversion and doesn't accept new i2c
transfers until this conversion is completed which makes the function
return failure.
So add an early return iff the programming of the new address isn't
needed. Note this will not fix the problem in general, but all cases
that are currently used. Once this changes we get the failure back, but
this can be addressed when the need arises.
Fixes: 69548b7c2c4f ("iio: adc: ltc2497: split protocol independent part in a separate module ")
Reported-by: Meng Li <Meng.Li@windriver.com>
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Tested-by: Denys Zagorui <dzagorui@cisco.com>
Cc: <Stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220815091647.1523532-1-dzagorui@cisco.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ltc2497.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/iio/adc/ltc2497.c
+++ b/drivers/iio/adc/ltc2497.c
@@ -41,6 +41,19 @@ static int ltc2497_result_and_measure(st
}
*val = (be32_to_cpu(st->buf) >> 14) - (1 << 17);
+
+ /*
+ * The part started a new conversion at the end of the above i2c
+ * transfer, so if the address didn't change since the last call
+ * everything is fine and we can return early.
+ * If not (which should only happen when some sort of bulk
+ * conversion is implemented) we have to program the new
+ * address. Note that this probably fails as the conversion that
+ * was triggered above is like not complete yet and the two
+ * operations have to be done in a single transfer.
+ */
+ if (ddata->addr_prev == address)
+ return 0;
}
ret = i2c_smbus_write_byte(st->client,
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 026/862] iio: adc: ad7923: fix channel readings for some variants
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 025/862] iio: ltc2497: Fix reading conversion results Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 027/862] iio: pressure: dps310: Refactor startup procedure Greg Kroah-Hartman
` (850 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nuno Sá, Stable, Jonathan Cameron
From: Nuno Sá <nuno.sa@analog.com>
commit f4f43f01cff2f29779343ade755191afd2581c77 upstream.
Some of the supported devices have 4 or 2 LSB trailing bits that should
not be taken into account. Hence we need to shift these bits out which
fits perfectly on the scan type shift property. This change fixes both
raw and buffered reads.
Fixes: f2f7a449707e ("iio:adc:ad7923: Add support for the ad7904/ad7914/ad7924")
Fixes: 851644a60d20 ("iio: adc: ad7923: Add support for the ad7908/ad7918/ad7928")
Signed-off-by: Nuno Sá <nuno.sa@analog.com>
Link: https://lore.kernel.org/r/20220912081223.173584-2-nuno.sa@analog.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/adc/ad7923.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/iio/adc/ad7923.c
+++ b/drivers/iio/adc/ad7923.c
@@ -93,6 +93,7 @@ enum ad7923_id {
.sign = 'u', \
.realbits = (bits), \
.storagebits = 16, \
+ .shift = 12 - (bits), \
.endianness = IIO_BE, \
}, \
}
@@ -268,7 +269,8 @@ static int ad7923_read_raw(struct iio_de
return ret;
if (chan->address == EXTRACT(ret, 12, 4))
- *val = EXTRACT(ret, 0, 12);
+ *val = EXTRACT(ret, chan->scan_type.shift,
+ chan->scan_type.realbits);
else
return -EIO;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 027/862] iio: pressure: dps310: Refactor startup procedure
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 026/862] iio: adc: ad7923: fix channel readings for some variants Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 028/862] iio: pressure: dps310: Reset chip after timeout Greg Kroah-Hartman
` (849 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Eddie James, Joel Stanley,
Andy Shevchenko, Jonathan Cameron
From: Eddie James <eajames@linux.ibm.com>
commit c2329717bdd3fa62f8a2f3d8d85ad0bee4556bd7 upstream.
Move the startup procedure into a function, and correct a missing
check on the return code for writing the PRS_CFG register.
Cc: <stable@vger.kernel.org>
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Reviewed-by: Joel Stanley <joel@jms.id.au>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20220915195719.136812-2-eajames@linux.ibm.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/pressure/dps310.c | 188 ++++++++++++++++++++++--------------------
1 file changed, 99 insertions(+), 89 deletions(-)
--- a/drivers/iio/pressure/dps310.c
+++ b/drivers/iio/pressure/dps310.c
@@ -159,6 +159,102 @@ static int dps310_get_coefs(struct dps31
return 0;
}
+/*
+ * Some versions of the chip will read temperatures in the ~60C range when
+ * it's actually ~20C. This is the manufacturer recommended workaround
+ * to correct the issue. The registers used below are undocumented.
+ */
+static int dps310_temp_workaround(struct dps310_data *data)
+{
+ int rc;
+ int reg;
+
+ rc = regmap_read(data->regmap, 0x32, ®);
+ if (rc)
+ return rc;
+
+ /*
+ * If bit 1 is set then the device is okay, and the workaround does not
+ * need to be applied
+ */
+ if (reg & BIT(1))
+ return 0;
+
+ rc = regmap_write(data->regmap, 0x0e, 0xA5);
+ if (rc)
+ return rc;
+
+ rc = regmap_write(data->regmap, 0x0f, 0x96);
+ if (rc)
+ return rc;
+
+ rc = regmap_write(data->regmap, 0x62, 0x02);
+ if (rc)
+ return rc;
+
+ rc = regmap_write(data->regmap, 0x0e, 0x00);
+ if (rc)
+ return rc;
+
+ return regmap_write(data->regmap, 0x0f, 0x00);
+}
+
+static int dps310_startup(struct dps310_data *data)
+{
+ int rc;
+ int ready;
+
+ /*
+ * Set up pressure sensor in single sample, one measurement per second
+ * mode
+ */
+ rc = regmap_write(data->regmap, DPS310_PRS_CFG, 0);
+ if (rc)
+ return rc;
+
+ /*
+ * Set up external (MEMS) temperature sensor in single sample, one
+ * measurement per second mode
+ */
+ rc = regmap_write(data->regmap, DPS310_TMP_CFG, DPS310_TMP_EXT);
+ if (rc)
+ return rc;
+
+ /* Temp and pressure shifts are disabled when PRC <= 8 */
+ rc = regmap_write_bits(data->regmap, DPS310_CFG_REG,
+ DPS310_PRS_SHIFT_EN | DPS310_TMP_SHIFT_EN, 0);
+ if (rc)
+ return rc;
+
+ /* MEAS_CFG doesn't update correctly unless first written with 0 */
+ rc = regmap_write_bits(data->regmap, DPS310_MEAS_CFG,
+ DPS310_MEAS_CTRL_BITS, 0);
+ if (rc)
+ return rc;
+
+ /* Turn on temperature and pressure measurement in the background */
+ rc = regmap_write_bits(data->regmap, DPS310_MEAS_CFG,
+ DPS310_MEAS_CTRL_BITS, DPS310_PRS_EN |
+ DPS310_TEMP_EN | DPS310_BACKGROUND);
+ if (rc)
+ return rc;
+
+ /*
+ * Calibration coefficients required for reporting temperature.
+ * They are available 40ms after the device has started
+ */
+ rc = regmap_read_poll_timeout(data->regmap, DPS310_MEAS_CFG, ready,
+ ready & DPS310_COEF_RDY, 10000, 40000);
+ if (rc)
+ return rc;
+
+ rc = dps310_get_coefs(data);
+ if (rc)
+ return rc;
+
+ return dps310_temp_workaround(data);
+}
+
static int dps310_get_pres_precision(struct dps310_data *data)
{
int rc;
@@ -677,52 +773,12 @@ static const struct iio_info dps310_info
.write_raw = dps310_write_raw,
};
-/*
- * Some verions of chip will read temperatures in the ~60C range when
- * its actually ~20C. This is the manufacturer recommended workaround
- * to correct the issue. The registers used below are undocumented.
- */
-static int dps310_temp_workaround(struct dps310_data *data)
-{
- int rc;
- int reg;
-
- rc = regmap_read(data->regmap, 0x32, ®);
- if (rc < 0)
- return rc;
-
- /*
- * If bit 1 is set then the device is okay, and the workaround does not
- * need to be applied
- */
- if (reg & BIT(1))
- return 0;
-
- rc = regmap_write(data->regmap, 0x0e, 0xA5);
- if (rc < 0)
- return rc;
-
- rc = regmap_write(data->regmap, 0x0f, 0x96);
- if (rc < 0)
- return rc;
-
- rc = regmap_write(data->regmap, 0x62, 0x02);
- if (rc < 0)
- return rc;
-
- rc = regmap_write(data->regmap, 0x0e, 0x00);
- if (rc < 0)
- return rc;
-
- return regmap_write(data->regmap, 0x0f, 0x00);
-}
-
static int dps310_probe(struct i2c_client *client,
const struct i2c_device_id *id)
{
struct dps310_data *data;
struct iio_dev *iio;
- int rc, ready;
+ int rc;
iio = devm_iio_device_alloc(&client->dev, sizeof(*data));
if (!iio)
@@ -747,54 +803,8 @@ static int dps310_probe(struct i2c_clien
if (rc)
return rc;
- /*
- * Set up pressure sensor in single sample, one measurement per second
- * mode
- */
- rc = regmap_write(data->regmap, DPS310_PRS_CFG, 0);
-
- /*
- * Set up external (MEMS) temperature sensor in single sample, one
- * measurement per second mode
- */
- rc = regmap_write(data->regmap, DPS310_TMP_CFG, DPS310_TMP_EXT);
- if (rc < 0)
- return rc;
-
- /* Temp and pressure shifts are disabled when PRC <= 8 */
- rc = regmap_write_bits(data->regmap, DPS310_CFG_REG,
- DPS310_PRS_SHIFT_EN | DPS310_TMP_SHIFT_EN, 0);
- if (rc < 0)
- return rc;
-
- /* MEAS_CFG doesn't update correctly unless first written with 0 */
- rc = regmap_write_bits(data->regmap, DPS310_MEAS_CFG,
- DPS310_MEAS_CTRL_BITS, 0);
- if (rc < 0)
- return rc;
-
- /* Turn on temperature and pressure measurement in the background */
- rc = regmap_write_bits(data->regmap, DPS310_MEAS_CFG,
- DPS310_MEAS_CTRL_BITS, DPS310_PRS_EN |
- DPS310_TEMP_EN | DPS310_BACKGROUND);
- if (rc < 0)
- return rc;
-
- /*
- * Calibration coefficients required for reporting temperature.
- * They are available 40ms after the device has started
- */
- rc = regmap_read_poll_timeout(data->regmap, DPS310_MEAS_CFG, ready,
- ready & DPS310_COEF_RDY, 10000, 40000);
- if (rc < 0)
- return rc;
-
- rc = dps310_get_coefs(data);
- if (rc < 0)
- return rc;
-
- rc = dps310_temp_workaround(data);
- if (rc < 0)
+ rc = dps310_startup(data);
+ if (rc)
return rc;
rc = devm_iio_device_register(&client->dev, iio);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 028/862] iio: pressure: dps310: Reset chip after timeout
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 027/862] iio: pressure: dps310: Refactor startup procedure Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 029/862] xhci: dbc: Fix memory leak in xhci_alloc_dbc() Greg Kroah-Hartman
` (848 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Eddie James, Andy Shevchenko,
Jonathan Cameron
From: Eddie James <eajames@linux.ibm.com>
commit 7b4ab4abcea4c0c10b25187bf2569e5a07e9a20c upstream.
The DPS310 chip has been observed to get "stuck" such that pressure
and temperature measurements are never indicated as "ready" in the
MEAS_CFG register. The only solution is to reset the device and try
again. In order to avoid continual failures, use a boolean flag to
only try the reset after timeout once if errors persist.
Fixes: ba6ec48e76bc ("iio: Add driver for Infineon DPS310")
Cc: <stable@vger.kernel.org>
Signed-off-by: Eddie James <eajames@linux.ibm.com>
Reviewed-by: Andy Shevchenko <andy.shevchenko@gmail.com>
Link: https://lore.kernel.org/r/20220915195719.136812-3-eajames@linux.ibm.com
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/iio/pressure/dps310.c | 74 ++++++++++++++++++++++++++++++++++++------
1 file changed, 64 insertions(+), 10 deletions(-)
--- a/drivers/iio/pressure/dps310.c
+++ b/drivers/iio/pressure/dps310.c
@@ -89,6 +89,7 @@ struct dps310_data {
s32 c00, c10, c20, c30, c01, c11, c21;
s32 pressure_raw;
s32 temp_raw;
+ bool timeout_recovery_failed;
};
static const struct iio_chan_spec dps310_channels[] = {
@@ -393,11 +394,69 @@ static int dps310_get_temp_k(struct dps3
return scale_factors[ilog2(rc)];
}
+static int dps310_reset_wait(struct dps310_data *data)
+{
+ int rc;
+
+ rc = regmap_write(data->regmap, DPS310_RESET, DPS310_RESET_MAGIC);
+ if (rc)
+ return rc;
+
+ /* Wait for device chip access: 2.5ms in specification */
+ usleep_range(2500, 12000);
+ return 0;
+}
+
+static int dps310_reset_reinit(struct dps310_data *data)
+{
+ int rc;
+
+ rc = dps310_reset_wait(data);
+ if (rc)
+ return rc;
+
+ return dps310_startup(data);
+}
+
+static int dps310_ready_status(struct dps310_data *data, int ready_bit, int timeout)
+{
+ int sleep = DPS310_POLL_SLEEP_US(timeout);
+ int ready;
+
+ return regmap_read_poll_timeout(data->regmap, DPS310_MEAS_CFG, ready, ready & ready_bit,
+ sleep, timeout);
+}
+
+static int dps310_ready(struct dps310_data *data, int ready_bit, int timeout)
+{
+ int rc;
+
+ rc = dps310_ready_status(data, ready_bit, timeout);
+ if (rc) {
+ if (rc == -ETIMEDOUT && !data->timeout_recovery_failed) {
+ /* Reset and reinitialize the chip. */
+ if (dps310_reset_reinit(data)) {
+ data->timeout_recovery_failed = true;
+ } else {
+ /* Try again to get sensor ready status. */
+ if (dps310_ready_status(data, ready_bit, timeout))
+ data->timeout_recovery_failed = true;
+ else
+ return 0;
+ }
+ }
+
+ return rc;
+ }
+
+ data->timeout_recovery_failed = false;
+ return 0;
+}
+
static int dps310_read_pres_raw(struct dps310_data *data)
{
int rc;
int rate;
- int ready;
int timeout;
s32 raw;
u8 val[3];
@@ -409,9 +468,7 @@ static int dps310_read_pres_raw(struct d
timeout = DPS310_POLL_TIMEOUT_US(rate);
/* Poll for sensor readiness; base the timeout upon the sample rate. */
- rc = regmap_read_poll_timeout(data->regmap, DPS310_MEAS_CFG, ready,
- ready & DPS310_PRS_RDY,
- DPS310_POLL_SLEEP_US(timeout), timeout);
+ rc = dps310_ready(data, DPS310_PRS_RDY, timeout);
if (rc)
goto done;
@@ -448,7 +505,6 @@ static int dps310_read_temp_raw(struct d
{
int rc;
int rate;
- int ready;
int timeout;
if (mutex_lock_interruptible(&data->lock))
@@ -458,10 +514,8 @@ static int dps310_read_temp_raw(struct d
timeout = DPS310_POLL_TIMEOUT_US(rate);
/* Poll for sensor readiness; base the timeout upon the sample rate. */
- rc = regmap_read_poll_timeout(data->regmap, DPS310_MEAS_CFG, ready,
- ready & DPS310_TMP_RDY,
- DPS310_POLL_SLEEP_US(timeout), timeout);
- if (rc < 0)
+ rc = dps310_ready(data, DPS310_TMP_RDY, timeout);
+ if (rc)
goto done;
rc = dps310_read_temp_ready(data);
@@ -756,7 +810,7 @@ static void dps310_reset(void *action_da
{
struct dps310_data *data = action_data;
- regmap_write(data->regmap, DPS310_RESET, DPS310_RESET_MAGIC);
+ dps310_reset_wait(data);
}
static const struct regmap_config dps310_regmap_config = {
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 029/862] xhci: dbc: Fix memory leak in xhci_alloc_dbc()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 028/862] iio: pressure: dps310: Reset chip after timeout Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 030/862] usb: gadget: uvc: Fix argument to sizeof() in uvc_register_video() Greg Kroah-Hartman
` (847 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Rafael Mendonca, Mathias Nyman
From: Rafael Mendonca <rafaelmendsr@gmail.com>
commit d591b32e519603524a35b172156db71df9116902 upstream.
If DbC is already in use, then the allocated memory for the xhci_dbc struct
doesn't get freed before returning NULL, which leads to a memleak.
Fixes: 534675942e90 ("xhci: dbc: refactor xhci_dbc_init()")
Cc: stable@vger.kernel.org
Signed-off-by: Rafael Mendonca <rafaelmendsr@gmail.com>
Signed-off-by: Mathias Nyman <mathias.nyman@linux.intel.com>
Link: https://lore.kernel.org/r/20220921123450.671459-3-mathias.nyman@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/host/xhci-dbgcap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/host/xhci-dbgcap.c
+++ b/drivers/usb/host/xhci-dbgcap.c
@@ -988,7 +988,7 @@ xhci_alloc_dbc(struct device *dev, void
dbc->driver = driver;
if (readl(&dbc->regs->control) & DBC_CTRL_DBC_ENABLE)
- return NULL;
+ goto err;
INIT_DELAYED_WORK(&dbc->event_work, xhci_dbc_handle_events);
spin_lock_init(&dbc->lock);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 030/862] usb: gadget: uvc: Fix argument to sizeof() in uvc_register_video()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 029/862] xhci: dbc: Fix memory leak in xhci_alloc_dbc() Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 031/862] usb: add quirks for Lenovo OneLink+ Dock Greg Kroah-Hartman
` (846 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nathan Chancellor, Laurent Pinchart,
Kees Cook
From: Nathan Chancellor <nathan@kernel.org>
commit a15e17acce5aaae54243f55a7349c2225450b9bc upstream.
When building s390 allmodconfig after commit 9b91a6523078 ("usb: gadget:
uvc: increase worker prio to WQ_HIGHPRI"), the following error occurs:
In file included from ../include/linux/string.h:253,
from ../include/linux/bitmap.h:11,
from ../include/linux/cpumask.h:12,
from ../include/linux/smp.h:13,
from ../include/linux/lockdep.h:14,
from ../include/linux/rcupdate.h:29,
from ../include/linux/rculist.h:11,
from ../include/linux/pid.h:5,
from ../include/linux/sched.h:14,
from ../include/linux/ratelimit.h:6,
from ../include/linux/dev_printk.h:16,
from ../include/linux/device.h:15,
from ../drivers/usb/gadget/function/f_uvc.c:9:
In function ‘fortify_memset_chk’,
inlined from ‘uvc_register_video’ at ../drivers/usb/gadget/function/f_uvc.c:424:2:
../include/linux/fortify-string.h:301:25: error: call to ‘__write_overflow_field’ declared with attribute warning: detected write beyond size of field (1st parameter); maybe use struct_group()? [-Werror=attribute-warning]
301 | __write_overflow_field(p_size_field, size);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
This points to the memset() in uvc_register_video(). It is clear that
the argument to sizeof() is incorrect, as uvc->vdev (a 'struct
video_device') is being zeroed out but the size of uvc->video (a 'struct
uvc_video') is being used as the third arugment to memset().
pahole shows that prior to commit 9b91a6523078 ("usb: gadget: uvc:
increase worker prio to WQ_HIGHPRI"), 'struct video_device' and
'struct ucv_video' had the same size, meaning that the argument to
sizeof() is incorrect semantically but there is no visible issue:
$ pahole -s build/drivers/usb/gadget/function/f_uvc.o | grep -E "(uvc_video|video_device)\s+"
video_device 1400 4
uvc_video 1400 3
After that change, uvc_video becomes slightly larger, meaning that the
memset() will overwrite by 8 bytes:
$ pahole -s build/drivers/usb/gadget/function/f_uvc.o | grep -E "(uvc_video|video_device)\s+"
video_device 1400 4
uvc_video 1408 3
Fix the arugment to sizeof() so that there is no overwrite.
Cc: stable@vger.kernel.org
Fixes: e4ce9ed835bc ("usb: gadget: uvc: ensure the vdev is unset")
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Laurent Pinchart <laurent.pinchart@ideasonboard.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220928201921.3152163-1-nathan@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/gadget/function/f_uvc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/usb/gadget/function/f_uvc.c
+++ b/drivers/usb/gadget/function/f_uvc.c
@@ -421,7 +421,7 @@ uvc_register_video(struct uvc_device *uv
int ret;
/* TODO reference counting. */
- memset(&uvc->vdev, 0, sizeof(uvc->video));
+ memset(&uvc->vdev, 0, sizeof(uvc->vdev));
uvc->vdev.v4l2_dev = &uvc->v4l2_dev;
uvc->vdev.v4l2_dev->dev = &cdev->gadget->dev;
uvc->vdev.fops = &uvc_v4l2_fops;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 031/862] usb: add quirks for Lenovo OneLink+ Dock
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 030/862] usb: gadget: uvc: Fix argument to sizeof() in uvc_register_video() Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:21 ` [PATCH 6.0 032/862] mmc: core: Add SD card quirk for broken discard Greg Kroah-Hartman
` (845 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jean-Francois Le Fillatre, stable
From: Jean-Francois Le Fillatre <jflf_kernel@gmx.com>
commit 37d49519b41405b08748392c6a7f193d9f77ecd2 upstream.
The Lenovo OneLink+ Dock contains two VL812 USB3.0 controllers:
17ef:1018 upstream
17ef:1019 downstream
These hubs suffer from two separate problems:
1) After the host system was suspended and woken up, the hubs appear to
be in a random state. Some downstream ports (both internal to the
built-in audio and network controllers, and external to USB sockets)
may no longer be functional. The exact list of disabled ports (if
any) changes from wakeup to wakeup. Ports remain in that state until
the dock is power-cycled, or until the laptop is rebooted.
Wakeup sources connected to the hubs (keyboard, WoL on the integrated
gigabit controller) will wake the system up from suspend, but they
may no longer work after wakeup (and in that case will no longer work
as wakeup source in a subsequent suspend-wakeup cycle).
This issue appears in the logs with messages such as:
usb 1-6.1-port4: cannot disable (err = -71)
usb 1-6-port2: cannot disable (err = -71)
usb 1-6.1: clear tt 1 (80c0) error -71
usb 1-6-port4: cannot disable (err = -71)
usb 1-6.4: PM: dpm_run_callback(): usb_dev_resume+0x0/0x10 [usbcore] returns -71
usb 1-6.4: PM: failed to resume async: error -71
usb 1-7: reset full-speed USB device number 5 using xhci_hcd
usb 1-6.1-port1: cannot reset (err = -71)
usb 1-6.1-port1: cannot reset (err = -71)
usb 1-6.1-port1: cannot reset (err = -71)
usb 1-6.1-port1: cannot reset (err = -71)
usb 1-6.1-port1: cannot reset (err = -71)
usb 1-6.1-port1: Cannot enable. Maybe the USB cable is bad?
usb 1-6.1-port1: cannot disable (err = -71)
usb 1-6.1-port1: cannot reset (err = -71)
usb 1-6.1-port1: cannot reset (err = -71)
usb 1-6.1-port1: cannot reset (err = -71)
usb 1-6.1-port1: cannot reset (err = -71)
usb 1-6.1-port1: cannot reset (err = -71)
usb 1-6.1-port1: Cannot enable. Maybe the USB cable is bad?
usb 1-6.1-port1: cannot disable (err = -71)
2) Some USB devices cannot be enumerated properly. So far I have only
seen the issue with USB 3.0 devices. The same devices work without
problem directly connected to the host system, to other systems or to
other hubs (even when those hubs are connected to the OneLink+ dock).
One very reliable reproducer is this USB 3.0 HDD enclosure:
152d:9561 JMicron Technology Corp. / JMicron USA Technology Corp. Mobius
I have seen it happen sporadically with other USB 3.0 enclosures,
with controllers from different manufacturers, all self-powered.
Typical messages in the logs:
xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
usb 2-1.4: device not accepting address 6, error -62
xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
usb 2-1.4: device not accepting address 7, error -62
usb 2-1-port4: attempt power cycle
xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
usb 2-1.4: device not accepting address 8, error -62
xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
xhci_hcd 0000:00:14.0: Timeout while waiting for setup device command
usb 2-1.4: device not accepting address 9, error -62
usb 2-1-port4: unable to enumerate USB device
Through trial and error, I found that the USB_QUIRK_RESET_RESUME solved
the second issue. Further testing then uncovered the first issue. Test
results are summarized in this table:
=======================================================================================
Settings USB2 hotplug USB3 hotplug State after waking up
---------------------------------------------------------------------------------------
power/control=auto works fails broken
usbcore.autosuspend=-1 works works broken
OR power/control=on
power/control=auto works (1) works (1) works
and USB_QUIRK_RESET_RESUME
power/control=on works works works
and USB_QUIRK_RESET_RESUME
HUB_QUIRK_DISABLE_AUTOSUSPEND works works works
and USB_QUIRK_RESET_RESUME
=======================================================================================
In those results, the power/control settings are applied to both hubs,
both on the USB2 and USB3 side, before each test.
>From those results, USB_QUIRK_RESET_RESUME is required to reset the hubs
properly after a suspend-wakeup cycle, and the hubs must not autosuspend
to work around the USB3 issue.
A secondary effect of USB_QUIRK_RESET_RESUME is to prevent the hubs'
upstream links from suspending (the downstream ports can still suspend).
This secondary effect is used in results (1). It is enough to solve the
USB3 problem.
Setting USB_QUIRK_RESET_RESUME on those hubs is the smallest patch that
solves both issues.
Prior to creating this patch, I have used the USB_QUIRK_RESET_RESUME via
the kernel command line for over a year without noticing any side
effect.
Thanks to Oliver Neukum @Suse for explanations of the operations of
USB_QUIRK_RESET_RESUME, and requesting more testing.
Signed-off-by: Jean-Francois Le Fillatre <jflf_kernel@gmx.com>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20220927073407.5672-1-jflf_kernel@gmx.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/core/quirks.c | 4 ++++
1 file changed, 4 insertions(+)
--- a/drivers/usb/core/quirks.c
+++ b/drivers/usb/core/quirks.c
@@ -437,6 +437,10 @@ static const struct usb_device_id usb_qu
{ USB_DEVICE(0x1532, 0x0116), .driver_info =
USB_QUIRK_LINEAR_UFRAME_INTR_BINTERVAL },
+ /* Lenovo ThinkPad OneLink+ Dock twin hub controllers (VIA Labs VL812) */
+ { USB_DEVICE(0x17ef, 0x1018), .driver_info = USB_QUIRK_RESET_RESUME },
+ { USB_DEVICE(0x17ef, 0x1019), .driver_info = USB_QUIRK_RESET_RESUME },
+
/* Lenovo USB-C to Ethernet Adapter RTL8153-04 */
{ USB_DEVICE(0x17ef, 0x720c), .driver_info = USB_QUIRK_NO_LPM },
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 032/862] mmc: core: Add SD card quirk for broken discard
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 031/862] usb: add quirks for Lenovo OneLink+ Dock Greg Kroah-Hartman
@ 2022-10-19 8:21 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 033/862] can: kvaser_usb: Fix use of uninitialized completion Greg Kroah-Hartman
` (844 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:21 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Avri Altman, Ulf Hansson
From: Avri Altman <avri.altman@wdc.com>
commit 07d2872bf4c864eb83d034263c155746a2fb7a3b upstream.
Some SD-cards from Sandisk that are SDA-6.0 compliant reports they supports
discard, while they actually don't. This might cause mk2fs to fail while
trying to format the card and revert it to a read-only mode.
To fix this problem, let's add a card quirk (MMC_QUIRK_BROKEN_SD_DISCARD)
to indicate that we shall fall-back to use the legacy erase command
instead.
Signed-off-by: Avri Altman <avri.altman@wdc.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220928095744.16455-1-avri.altman@wdc.com
[Ulf: Updated the commit message]
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/core/block.c | 6 +++++-
drivers/mmc/core/card.h | 6 ++++++
drivers/mmc/core/quirks.h | 6 ++++++
include/linux/mmc/card.h | 1 +
4 files changed, 18 insertions(+), 1 deletion(-)
--- a/drivers/mmc/core/block.c
+++ b/drivers/mmc/core/block.c
@@ -1140,8 +1140,12 @@ static void mmc_blk_issue_discard_rq(str
{
struct mmc_blk_data *md = mq->blkdata;
struct mmc_card *card = md->queue.card;
+ unsigned int arg = card->erase_arg;
- mmc_blk_issue_erase_rq(mq, req, MMC_BLK_DISCARD, card->erase_arg);
+ if (mmc_card_broken_sd_discard(card))
+ arg = SD_ERASE_ARG;
+
+ mmc_blk_issue_erase_rq(mq, req, MMC_BLK_DISCARD, arg);
}
static void mmc_blk_issue_secdiscard_rq(struct mmc_queue *mq,
--- a/drivers/mmc/core/card.h
+++ b/drivers/mmc/core/card.h
@@ -73,6 +73,7 @@ struct mmc_fixup {
#define EXT_CSD_REV_ANY (-1u)
#define CID_MANFID_SANDISK 0x2
+#define CID_MANFID_SANDISK_SD 0x3
#define CID_MANFID_ATP 0x9
#define CID_MANFID_TOSHIBA 0x11
#define CID_MANFID_MICRON 0x13
@@ -258,4 +259,9 @@ static inline int mmc_card_broken_hpi(co
return c->quirks & MMC_QUIRK_BROKEN_HPI;
}
+static inline int mmc_card_broken_sd_discard(const struct mmc_card *c)
+{
+ return c->quirks & MMC_QUIRK_BROKEN_SD_DISCARD;
+}
+
#endif
--- a/drivers/mmc/core/quirks.h
+++ b/drivers/mmc/core/quirks.h
@@ -100,6 +100,12 @@ static const struct mmc_fixup __maybe_un
MMC_FIXUP("V10016", CID_MANFID_KINGSTON, CID_OEMID_ANY, add_quirk_mmc,
MMC_QUIRK_TRIM_BROKEN),
+ /*
+ * Some SD cards reports discard support while they don't
+ */
+ MMC_FIXUP(CID_NAME_ANY, CID_MANFID_SANDISK_SD, 0x5344, add_quirk_sd,
+ MMC_QUIRK_BROKEN_SD_DISCARD),
+
END_FIXUP
};
--- a/include/linux/mmc/card.h
+++ b/include/linux/mmc/card.h
@@ -293,6 +293,7 @@ struct mmc_card {
#define MMC_QUIRK_BROKEN_IRQ_POLLING (1<<11) /* Polling SDIO_CCCR_INTx could create a fake interrupt */
#define MMC_QUIRK_TRIM_BROKEN (1<<12) /* Skip trim */
#define MMC_QUIRK_BROKEN_HPI (1<<13) /* Disable broken HPI support */
+#define MMC_QUIRK_BROKEN_SD_DISCARD (1<<14) /* Disable broken SD discard support */
bool reenable_cmdq; /* Re-enable Command Queue */
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 033/862] can: kvaser_usb: Fix use of uninitialized completion
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2022-10-19 8:21 ` [PATCH 6.0 032/862] mmc: core: Add SD card quirk for broken discard Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 034/862] can: kvaser_usb_leaf: Fix overread with an invalid command Greg Kroah-Hartman
` (843 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Anssi Hannula,
Marc Kleine-Budde
From: Anssi Hannula <anssi.hannula@bitwise.fi>
commit cd7f30e174d09a02ca2afa5ef093fb0f0352e0d8 upstream.
flush_comp is initialized when CMD_FLUSH_QUEUE is sent to the device and
completed when the device sends CMD_FLUSH_QUEUE_RESP.
This causes completion of uninitialized completion if the device sends
CMD_FLUSH_QUEUE_RESP before CMD_FLUSH_QUEUE is ever sent (e.g. as a
response to a flush by a previously bound driver, or a misbehaving
device).
Fix that by initializing flush_comp in kvaser_usb_init_one() like the
other completions.
This issue is only triggerable after RX URBs have been set up, i.e. the
interface has been opened at least once.
Cc: stable@vger.kernel.org
Fixes: aec5fb2268b7 ("can: kvaser_usb: Add support for Kvaser USB hydra family")
Tested-by: Jimmy Assarsson <extja@kvaser.com>
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010150829.199676-3-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 1 +
drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c | 2 +-
2 files changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
@@ -729,6 +729,7 @@ static int kvaser_usb_init_one(struct kv
init_usb_anchor(&priv->tx_submitted);
init_completion(&priv->start_comp);
init_completion(&priv->stop_comp);
+ init_completion(&priv->flush_comp);
priv->can.ctrlmode_supported = 0;
priv->dev = dev;
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_hydra.c
@@ -1916,7 +1916,7 @@ static int kvaser_usb_hydra_flush_queue(
{
int err;
- init_completion(&priv->flush_comp);
+ reinit_completion(&priv->flush_comp);
err = kvaser_usb_hydra_send_simple_cmd(priv->dev, CMD_FLUSH_QUEUE,
priv->channel);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 034/862] can: kvaser_usb_leaf: Fix overread with an invalid command
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 033/862] can: kvaser_usb: Fix use of uninitialized completion Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 035/862] can: kvaser_usb_leaf: Fix TX queue out of sync after restart Greg Kroah-Hartman
` (842 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Anssi Hannula,
Marc Kleine-Budde
From: Anssi Hannula <anssi.hannula@bitwise.fi>
commit 1499ecaea9d2ba68d5e18d80573b4561a8dc4ee7 upstream.
For command events read from the device,
kvaser_usb_leaf_read_bulk_callback() verifies that cmd->len does not
exceed the size of the received data, but the actual kvaser_cmd handlers
will happily read any kvaser_cmd fields without checking for cmd->len.
This can cause an overread if the last cmd in the buffer is shorter than
expected for the command type (with cmd->len showing the actual short
size).
Maximum overread seems to be 22 bytes (CMD_LEAF_LOG_MESSAGE), some of
which are delivered to userspace as-is.
Fix that by verifying the length of command before handling it.
This issue can only occur after RX URBs have been set up, i.e. the
interface has been opened at least once.
Cc: stable@vger.kernel.org
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Tested-by: Jimmy Assarsson <extja@kvaser.com>
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010150829.199676-2-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 75 +++++++++++++++++++++++
1 file changed, 75 insertions(+)
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -310,6 +310,38 @@ struct kvaser_cmd {
} u;
} __packed;
+#define CMD_SIZE_ANY 0xff
+#define kvaser_fsize(field) sizeof_field(struct kvaser_cmd, field)
+
+static const u8 kvaser_usb_leaf_cmd_sizes_leaf[] = {
+ [CMD_START_CHIP_REPLY] = kvaser_fsize(u.simple),
+ [CMD_STOP_CHIP_REPLY] = kvaser_fsize(u.simple),
+ [CMD_GET_CARD_INFO_REPLY] = kvaser_fsize(u.cardinfo),
+ [CMD_TX_ACKNOWLEDGE] = kvaser_fsize(u.tx_acknowledge_header),
+ [CMD_GET_SOFTWARE_INFO_REPLY] = kvaser_fsize(u.leaf.softinfo),
+ [CMD_RX_STD_MESSAGE] = kvaser_fsize(u.leaf.rx_can),
+ [CMD_RX_EXT_MESSAGE] = kvaser_fsize(u.leaf.rx_can),
+ [CMD_LEAF_LOG_MESSAGE] = kvaser_fsize(u.leaf.log_message),
+ [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.leaf.chip_state_event),
+ [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.leaf.error_event),
+ /* ignored events: */
+ [CMD_FLUSH_QUEUE_REPLY] = CMD_SIZE_ANY,
+};
+
+static const u8 kvaser_usb_leaf_cmd_sizes_usbcan[] = {
+ [CMD_START_CHIP_REPLY] = kvaser_fsize(u.simple),
+ [CMD_STOP_CHIP_REPLY] = kvaser_fsize(u.simple),
+ [CMD_GET_CARD_INFO_REPLY] = kvaser_fsize(u.cardinfo),
+ [CMD_TX_ACKNOWLEDGE] = kvaser_fsize(u.tx_acknowledge_header),
+ [CMD_GET_SOFTWARE_INFO_REPLY] = kvaser_fsize(u.usbcan.softinfo),
+ [CMD_RX_STD_MESSAGE] = kvaser_fsize(u.usbcan.rx_can),
+ [CMD_RX_EXT_MESSAGE] = kvaser_fsize(u.usbcan.rx_can),
+ [CMD_CHIP_STATE_EVENT] = kvaser_fsize(u.usbcan.chip_state_event),
+ [CMD_CAN_ERROR_EVENT] = kvaser_fsize(u.usbcan.error_event),
+ /* ignored events: */
+ [CMD_USBCAN_CLOCK_OVERFLOW_EVENT] = CMD_SIZE_ANY,
+};
+
/* Summary of a kvaser error event, for a unified Leaf/Usbcan error
* handling. Some discrepancies between the two families exist:
*
@@ -397,6 +429,43 @@ static const struct kvaser_usb_dev_cfg k
.bittiming_const = &kvaser_usb_flexc_bittiming_const,
};
+static int kvaser_usb_leaf_verify_size(const struct kvaser_usb *dev,
+ const struct kvaser_cmd *cmd)
+{
+ /* buffer size >= cmd->len ensured by caller */
+ u8 min_size = 0;
+
+ switch (dev->driver_info->family) {
+ case KVASER_LEAF:
+ if (cmd->id < ARRAY_SIZE(kvaser_usb_leaf_cmd_sizes_leaf))
+ min_size = kvaser_usb_leaf_cmd_sizes_leaf[cmd->id];
+ break;
+ case KVASER_USBCAN:
+ if (cmd->id < ARRAY_SIZE(kvaser_usb_leaf_cmd_sizes_usbcan))
+ min_size = kvaser_usb_leaf_cmd_sizes_usbcan[cmd->id];
+ break;
+ }
+
+ if (min_size == CMD_SIZE_ANY)
+ return 0;
+
+ if (min_size) {
+ min_size += CMD_HEADER_LEN;
+ if (cmd->len >= min_size)
+ return 0;
+
+ dev_err_ratelimited(&dev->intf->dev,
+ "Received command %u too short (size %u, needed %u)",
+ cmd->id, cmd->len, min_size);
+ return -EIO;
+ }
+
+ dev_warn_ratelimited(&dev->intf->dev,
+ "Unhandled command (%d, size %d)\n",
+ cmd->id, cmd->len);
+ return -EINVAL;
+}
+
static void *
kvaser_usb_leaf_frame_to_cmd(const struct kvaser_usb_net_priv *priv,
const struct sk_buff *skb, int *cmd_len,
@@ -502,6 +571,9 @@ static int kvaser_usb_leaf_wait_cmd(cons
end:
kfree(buf);
+ if (err == 0)
+ err = kvaser_usb_leaf_verify_size(dev, cmd);
+
return err;
}
@@ -1133,6 +1205,9 @@ static void kvaser_usb_leaf_stop_chip_re
static void kvaser_usb_leaf_handle_command(const struct kvaser_usb *dev,
const struct kvaser_cmd *cmd)
{
+ if (kvaser_usb_leaf_verify_size(dev, cmd) < 0)
+ return;
+
switch (cmd->id) {
case CMD_START_CHIP_REPLY:
kvaser_usb_leaf_start_chip_reply(dev, cmd);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 035/862] can: kvaser_usb_leaf: Fix TX queue out of sync after restart
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 034/862] can: kvaser_usb_leaf: Fix overread with an invalid command Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 036/862] can: kvaser_usb_leaf: Fix CAN state " Greg Kroah-Hartman
` (841 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Anssi Hannula,
Marc Kleine-Budde
From: Anssi Hannula <anssi.hannula@bitwise.fi>
commit 455561fb618fde40558776b5b8435f9420f335db upstream.
The TX queue seems to be implicitly flushed by the hardware during
bus-off or bus-off recovery, but the driver does not reset the TX
bookkeeping.
Despite not resetting TX bookkeeping the driver still re-enables TX
queue unconditionally, leading to "cannot find free context" /
NETDEV_TX_BUSY errors if the TX queue was full at bus-off time.
Fix that by resetting TX bookkeeping on CAN restart.
Tested with 0bfd:0124 Kvaser Mini PCI Express 2xHS FW 4.18.778.
Cc: stable@vger.kernel.org
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Tested-by: Jimmy Assarsson <extja@kvaser.com>
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010150829.199676-4-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb.h | 2 ++
drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c | 2 +-
drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 2 ++
3 files changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb.h
@@ -178,6 +178,8 @@ struct kvaser_usb_dev_cfg {
extern const struct kvaser_usb_dev_ops kvaser_usb_hydra_dev_ops;
extern const struct kvaser_usb_dev_ops kvaser_usb_leaf_dev_ops;
+void kvaser_usb_unlink_tx_urbs(struct kvaser_usb_net_priv *priv);
+
int kvaser_usb_recv_cmd(const struct kvaser_usb *dev, void *cmd, int len,
int *actual_len);
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_core.c
@@ -477,7 +477,7 @@ static void kvaser_usb_reset_tx_urb_cont
/* This method might sleep. Do not call it in the atomic context
* of URB completions.
*/
-static void kvaser_usb_unlink_tx_urbs(struct kvaser_usb_net_priv *priv)
+void kvaser_usb_unlink_tx_urbs(struct kvaser_usb_net_priv *priv)
{
usb_kill_anchored_urbs(&priv->tx_submitted);
kvaser_usb_reset_tx_urb_contexts(priv);
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -1426,6 +1426,8 @@ static int kvaser_usb_leaf_set_mode(stru
switch (mode) {
case CAN_MODE_START:
+ kvaser_usb_unlink_tx_urbs(priv);
+
err = kvaser_usb_leaf_simple_cmd_async(priv, CMD_START_CHIP);
if (err)
return err;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 036/862] can: kvaser_usb_leaf: Fix CAN state after restart
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 035/862] can: kvaser_usb_leaf: Fix TX queue out of sync after restart Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 037/862] mmc: renesas_sdhi: Fix rounding errors Greg Kroah-Hartman
` (840 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jimmy Assarsson, Anssi Hannula,
Marc Kleine-Budde
From: Anssi Hannula <anssi.hannula@bitwise.fi>
commit 0be1a655fe68c8e6dcadbcbddb69cf2fb29881f5 upstream.
can_restart() expects CMD_START_CHIP to set the error state to
ERROR_ACTIVE as it calls netif_carrier_on() immediately afterwards.
Otherwise the user may immediately trigger restart again and hit a
BUG_ON() in can_restart().
Fix kvaser_usb_leaf set_mode(CMD_START_CHIP) to set the expected state.
Cc: stable@vger.kernel.org
Fixes: 080f40a6fa28 ("can: kvaser_usb: Add support for Kvaser CAN/USB devices")
Tested-by: Jimmy Assarsson <extja@kvaser.com>
Signed-off-by: Anssi Hannula <anssi.hannula@bitwise.fi>
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/all/20221010150829.199676-5-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
+++ b/drivers/net/can/usb/kvaser_usb/kvaser_usb_leaf.c
@@ -1431,6 +1431,8 @@ static int kvaser_usb_leaf_set_mode(stru
err = kvaser_usb_leaf_simple_cmd_async(priv, CMD_START_CHIP);
if (err)
return err;
+
+ priv->can.state = CAN_STATE_ERROR_ACTIVE;
break;
default:
return -EOPNOTSUPP;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 037/862] mmc: renesas_sdhi: Fix rounding errors
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 036/862] can: kvaser_usb_leaf: Fix CAN state " Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 038/862] mmc: sdhci-tegra: Use actual clock rate for SW tuning correction Greg Kroah-Hartman
` (839 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Biju Das, Geert Uytterhoeven,
Wolfram Sang, Ulf Hansson
From: Biju Das <biju.das.jz@bp.renesas.com>
commit f0c00454bf78975925eccc9737faaa4d4951edbf upstream.
Due to clk rounding errors on RZ/G2L platforms, it selects a clock source
with a lower clock rate compared to a higher one.
For eg: The rounding error (533333333 Hz / 4 * 4 = 533333332 Hz < 5333333
33 Hz) selects a clk source of 400 MHz instead of 533.333333 MHz.
This patch fixes this issue by adding a margin of (1/1024) higher to
the clock rate.
Signed-off-by: Biju Das <biju.das.jz@bp.renesas.com>
Reviewed-by: Geert Uytterhoeven <geert+renesas@glider.be>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Tested-by: Wolfram Sang <wsa+renesas@sang-engineering.com>
Fixes: bb6d3fa98a41 ("clk: renesas: rcar-gen3: Switch to new SD clock handling")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220928110755.849275-1-biju.das.jz@bp.renesas.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/renesas_sdhi_core.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
--- a/drivers/mmc/host/renesas_sdhi_core.c
+++ b/drivers/mmc/host/renesas_sdhi_core.c
@@ -128,6 +128,7 @@ static unsigned int renesas_sdhi_clk_upd
struct clk *ref_clk = priv->clk;
unsigned int freq, diff, best_freq = 0, diff_min = ~0;
unsigned int new_clock, clkh_shift = 0;
+ unsigned int new_upper_limit;
int i;
/*
@@ -153,13 +154,20 @@ static unsigned int renesas_sdhi_clk_upd
* greater than, new_clock. As we can divide by 1 << i for
* any i in [0, 9] we want the input clock to be as close as
* possible, but no greater than, new_clock << i.
+ *
+ * Add an upper limit of 1/1024 rate higher to the clock rate to fix
+ * clk rate jumping to lower rate due to rounding error (eg: RZ/G2L has
+ * 3 clk sources 533.333333 MHz, 400 MHz and 266.666666 MHz. The request
+ * for 533.333333 MHz will selects a slower 400 MHz due to rounding
+ * error (533333333 Hz / 4 * 4 = 533333332 Hz < 533333333 Hz)).
*/
for (i = min(9, ilog2(UINT_MAX / new_clock)); i >= 0; i--) {
freq = clk_round_rate(ref_clk, new_clock << i);
- if (freq > (new_clock << i)) {
+ new_upper_limit = (new_clock << i) + ((new_clock << i) >> 10);
+ if (freq > new_upper_limit) {
/* Too fast; look for a slightly slower option */
freq = clk_round_rate(ref_clk, (new_clock << i) / 4 * 3);
- if (freq > (new_clock << i))
+ if (freq > new_upper_limit)
continue;
}
@@ -181,6 +189,7 @@ static unsigned int renesas_sdhi_clk_upd
static void renesas_sdhi_set_clock(struct tmio_mmc_host *host,
unsigned int new_clock)
{
+ unsigned int clk_margin;
u32 clk = 0, clock;
sd_ctrl_write16(host, CTL_SD_CARD_CLK_CTL, ~CLK_CTL_SCLKEN &
@@ -194,7 +203,13 @@ static void renesas_sdhi_set_clock(struc
host->mmc->actual_clock = renesas_sdhi_clk_update(host, new_clock);
clock = host->mmc->actual_clock / 512;
- for (clk = 0x80000080; new_clock >= (clock << 1); clk >>= 1)
+ /*
+ * Add a margin of 1/1024 rate higher to the clock rate in order
+ * to avoid clk variable setting a value of 0 due to the margin
+ * provided for actual_clock in renesas_sdhi_clk_update().
+ */
+ clk_margin = new_clock >> 10;
+ for (clk = 0x80000080; new_clock + clk_margin >= (clock << 1); clk >>= 1)
clock <<= 1;
/* 1/1 clock is option */
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 038/862] mmc: sdhci-tegra: Use actual clock rate for SW tuning correction
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 037/862] mmc: renesas_sdhi: Fix rounding errors Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 039/862] mmc: sdhci-sprd: Fix minimum clock limit Greg Kroah-Hartman
` (838 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Aniruddha TVS Rao, Prathamesh Shete,
Adrian Hunter, Thierry Reding, Ulf Hansson
From: Prathamesh Shete <pshete@nvidia.com>
commit b78870e7f41534cc719c295d1f8809aca93aeeab upstream.
Ensure tegra_host member "curr_clk_rate" holds the actual clock rate
instead of requested clock rate for proper use during tuning correction
algorithm. Actual clk rate may not be the same as the requested clk
frequency depending on the parent clock source set. Tuning correction
algorithm depends on certain parameters which are sensitive to current
clk rate. If the host clk is selected instead of the actual clock rate,
tuning correction algorithm may end up applying invalid correction,
which could result in errors
Fixes: ea8fc5953e8b ("mmc: tegra: update hw tuning process")
Signed-off-by: Aniruddha TVS Rao <anrao@nvidia.com>
Signed-off-by: Prathamesh Shete <pshete@nvidia.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Acked-by: Thierry Reding <treding@nvidia.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20221006130622.22900-4-pshete@nvidia.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-tegra.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mmc/host/sdhci-tegra.c
+++ b/drivers/mmc/host/sdhci-tegra.c
@@ -773,7 +773,7 @@ static void tegra_sdhci_set_clock(struct
dev_err(dev, "failed to set clk rate to %luHz: %d\n",
host_clk, err);
- tegra_host->curr_clk_rate = host_clk;
+ tegra_host->curr_clk_rate = clk_get_rate(pltfm_host->clk);
if (tegra_host->ddr_signaling)
host->max_clk = host_clk;
else
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 039/862] mmc: sdhci-sprd: Fix minimum clock limit
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 038/862] mmc: sdhci-tegra: Use actual clock rate for SW tuning correction Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 040/862] i2c: designware: Fix handling of real but unexpected device interrupts Greg Kroah-Hartman
` (837 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Wenchao Chen, Adrian Hunter, Ulf Hansson
From: Wenchao Chen <wenchao.chen@unisoc.com>
commit 6e141772e6465f937458b35ddcfd0a981b6f5280 upstream.
The Spreadtrum controller supports 100KHz minimal clock rate, which means
that the current value 400KHz is wrong.
Unfortunately this has also lead to fail to initialize some cards, which
are allowed to require 100KHz to work. So, let's fix the problem by
changing the minimal supported clock rate to 100KHz.
Signed-off-by: Wenchao Chen <wenchao.chen@unisoc.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Fixes: fb8bd90f83c4 ("mmc: sdhci-sprd: Add Spreadtrum's initial host controller")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20221011104935.10980-1-wenchao.chen666@gmail.com
[Ulf: Clarified to commit-message]
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-sprd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mmc/host/sdhci-sprd.c
+++ b/drivers/mmc/host/sdhci-sprd.c
@@ -309,7 +309,7 @@ static unsigned int sdhci_sprd_get_max_c
static unsigned int sdhci_sprd_get_min_clock(struct sdhci_host *host)
{
- return 400000;
+ return 100000;
}
static void sdhci_sprd_set_uhs_signaling(struct sdhci_host *host,
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 040/862] i2c: designware: Fix handling of real but unexpected device interrupts
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 039/862] mmc: sdhci-sprd: Fix minimum clock limit Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 041/862] fs: dlm: fix race between test_bit() and queue_work() Greg Kroah-Hartman
` (836 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Samuel Clark, Jarkko Nikula,
Andy Shevchenko, Wolfram Sang
From: Jarkko Nikula <jarkko.nikula@linux.intel.com>
commit 301c8f5c32c8fb79c67539bc23972dc3ef48024c upstream.
Commit c7b79a752871 ("mfd: intel-lpss: Add Intel Alder Lake PCH-S PCI
IDs") caused a regression on certain Gigabyte motherboards for Intel
Alder Lake-S where system crashes to NULL pointer dereference in
i2c_dw_xfer_msg() when system resumes from S3 sleep state ("deep").
I was able to debug the issue on Gigabyte Z690 AORUS ELITE and made
following notes:
- Issue happens when resuming from S3 but not when resuming from
"s2idle"
- PCI device 00:15.0 == i2c_designware.0 is already in D0 state when
system enters into pci_pm_resume_noirq() while all other i2c_designware
PCI devices are in D3. Devices were runtime suspended and in D3 prior
entering into suspend
- Interrupt comes after pci_pm_resume_noirq() when device interrupts are
re-enabled
- According to register dump the interrupt really comes from the
i2c_designware.0. Controller is enabled, I2C target address register
points to a one detectable I2C device address 0x60 and the
DW_IC_RAW_INTR_STAT register START_DET, STOP_DET, ACTIVITY and
TX_EMPTY bits are set indicating completed I2C transaction.
My guess is that the firmware uses this controller to communicate with
an on-board I2C device during resume but does not disable the controller
before giving control to an operating system.
I was told the UEFI update fixes this but never the less it revealed the
driver is not ready to handle TX_EMPTY (or RX_FULL) interrupt when device
is supposed to be idle and state variables are not set (especially the
dev->msgs pointer which may point to NULL or stale old data).
Introduce a new software status flag STATUS_ACTIVE indicating when the
controller is active in driver point of view. Now treat all interrupts
that occur when is not set as unexpected and mask all interrupts from
the controller.
Fixes: c7b79a752871 ("mfd: intel-lpss: Add Intel Alder Lake PCH-S PCI IDs")
Reported-by: Samuel Clark <slc2015@gmail.com>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=215907
Cc: stable@vger.kernel.org # v5.12+
Signed-off-by: Jarkko Nikula <jarkko.nikula@linux.intel.com>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/i2c/busses/i2c-designware-core.h | 7 +++++--
drivers/i2c/busses/i2c-designware-master.c | 13 +++++++++++++
2 files changed, 18 insertions(+), 2 deletions(-)
--- a/drivers/i2c/busses/i2c-designware-core.h
+++ b/drivers/i2c/busses/i2c-designware-core.h
@@ -126,8 +126,9 @@
* status codes
*/
#define STATUS_IDLE 0x0
-#define STATUS_WRITE_IN_PROGRESS 0x1
-#define STATUS_READ_IN_PROGRESS 0x2
+#define STATUS_ACTIVE 0x1
+#define STATUS_WRITE_IN_PROGRESS 0x2
+#define STATUS_READ_IN_PROGRESS 0x4
/*
* operation modes
@@ -334,12 +335,14 @@ void i2c_dw_disable_int(struct dw_i2c_de
static inline void __i2c_dw_enable(struct dw_i2c_dev *dev)
{
+ dev->status |= STATUS_ACTIVE;
regmap_write(dev->map, DW_IC_ENABLE, 1);
}
static inline void __i2c_dw_disable_nowait(struct dw_i2c_dev *dev)
{
regmap_write(dev->map, DW_IC_ENABLE, 0);
+ dev->status &= ~STATUS_ACTIVE;
}
void __i2c_dw_disable(struct dw_i2c_dev *dev);
--- a/drivers/i2c/busses/i2c-designware-master.c
+++ b/drivers/i2c/busses/i2c-designware-master.c
@@ -716,6 +716,19 @@ static int i2c_dw_irq_handler_master(str
u32 stat;
stat = i2c_dw_read_clear_intrbits(dev);
+
+ if (!(dev->status & STATUS_ACTIVE)) {
+ /*
+ * Unexpected interrupt in driver point of view. State
+ * variables are either unset or stale so acknowledge and
+ * disable interrupts for suppressing further interrupts if
+ * interrupt really came from this HW (E.g. firmware has left
+ * the HW active).
+ */
+ regmap_write(dev->map, DW_IC_INTR_MASK, 0);
+ return 0;
+ }
+
if (stat & DW_IC_INTR_TX_ABRT) {
dev->cmd_err |= DW_IC_ERR_TX_ABRT;
dev->status = STATUS_IDLE;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 041/862] fs: dlm: fix race between test_bit() and queue_work()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 040/862] i2c: designware: Fix handling of real but unexpected device interrupts Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 042/862] fs: dlm: handle -EBUSY first in lock arg validation Greg Kroah-Hartman
` (835 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Aring, David Teigland
From: Alexander Aring <aahringo@redhat.com>
commit eef6ec9bf390e836a6c4029f3620fe49528aa1fe upstream.
This patch fixes a race by using ls_cb_mutex around the bit
operations and conditional code blocks for LSFL_CB_DELAY.
The function dlm_callback_stop() expects to stop all callbacks and
flush all currently queued onces. The set_bit() is not enough because
there can still be queue_work() after the workqueue was flushed.
To avoid queue_work() after set_bit(), surround both by ls_cb_mutex.
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/dlm/ast.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/dlm/ast.c
+++ b/fs/dlm/ast.c
@@ -200,13 +200,13 @@ void dlm_add_cb(struct dlm_lkb *lkb, uin
if (!prev_seq) {
kref_get(&lkb->lkb_ref);
+ mutex_lock(&ls->ls_cb_mutex);
if (test_bit(LSFL_CB_DELAY, &ls->ls_flags)) {
- mutex_lock(&ls->ls_cb_mutex);
list_add(&lkb->lkb_cb_list, &ls->ls_cb_delay);
- mutex_unlock(&ls->ls_cb_mutex);
} else {
queue_work(ls->ls_callback_wq, &lkb->lkb_cb_work);
}
+ mutex_unlock(&ls->ls_cb_mutex);
}
out:
mutex_unlock(&lkb->lkb_cb_mutex);
@@ -288,7 +288,9 @@ void dlm_callback_stop(struct dlm_ls *ls
void dlm_callback_suspend(struct dlm_ls *ls)
{
+ mutex_lock(&ls->ls_cb_mutex);
set_bit(LSFL_CB_DELAY, &ls->ls_flags);
+ mutex_unlock(&ls->ls_cb_mutex);
if (ls->ls_callback_wq)
flush_workqueue(ls->ls_callback_wq);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 042/862] fs: dlm: handle -EBUSY first in lock arg validation
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 041/862] fs: dlm: fix race between test_bit() and queue_work() Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 043/862] fs: dlm: fix invalid derefence of sb_lvbptr Greg Kroah-Hartman
` (834 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Aring, David Teigland
From: Alexander Aring <aahringo@redhat.com>
commit 44637ca41d551d409a481117b07fa209b330fca9 upstream.
During lock arg validation, first check for -EBUSY cases, then for
-EINVAL cases. The -EINVAL checks look at lkb state variables
which are not stable when an lkb is busy and would cause an
-EBUSY result, e.g. lkb->lkb_grmode.
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/dlm/lock.c | 18 +++++++++---------
1 file changed, 9 insertions(+), 9 deletions(-)
--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -2864,17 +2864,9 @@ static int set_unlock_args(uint32_t flag
static int validate_lock_args(struct dlm_ls *ls, struct dlm_lkb *lkb,
struct dlm_args *args)
{
- int rv = -EINVAL;
+ int rv = -EBUSY;
if (args->flags & DLM_LKF_CONVERT) {
- if (lkb->lkb_flags & DLM_IFL_MSTCPY)
- goto out;
-
- if (args->flags & DLM_LKF_QUECVT &&
- !__quecvt_compat_matrix[lkb->lkb_grmode+1][args->mode+1])
- goto out;
-
- rv = -EBUSY;
if (lkb->lkb_status != DLM_LKSTS_GRANTED)
goto out;
@@ -2884,6 +2876,14 @@ static int validate_lock_args(struct dlm
if (is_overlap(lkb))
goto out;
+
+ rv = -EINVAL;
+ if (lkb->lkb_flags & DLM_IFL_MSTCPY)
+ goto out;
+
+ if (args->flags & DLM_LKF_QUECVT &&
+ !__quecvt_compat_matrix[lkb->lkb_grmode+1][args->mode+1])
+ goto out;
}
lkb->lkb_exflags = args->flags;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 043/862] fs: dlm: fix invalid derefence of sb_lvbptr
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 042/862] fs: dlm: handle -EBUSY first in lock arg validation Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 044/862] btf: Export bpf_dynptr definition Greg Kroah-Hartman
` (833 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Aring, David Teigland
From: Alexander Aring <aahringo@redhat.com>
commit 7175e131ebba47afef47e6ac4d5bab474d1e6e49 upstream.
I experience issues when putting a lkbsb on the stack and have sb_lvbptr
field to a dangled pointer while not using DLM_LKF_VALBLK. It will crash
with the following kernel message, the dangled pointer is here
0xdeadbeef as example:
[ 102.749317] BUG: unable to handle page fault for address: 00000000deadbeef
[ 102.749320] #PF: supervisor read access in kernel mode
[ 102.749323] #PF: error_code(0x0000) - not-present page
[ 102.749325] PGD 0 P4D 0
[ 102.749332] Oops: 0000 [#1] PREEMPT SMP PTI
[ 102.749336] CPU: 0 PID: 1567 Comm: lock_torture_wr Tainted: G W 5.19.0-rc3+ #1565
[ 102.749343] Hardware name: Red Hat KVM/RHEL-AV, BIOS 1.16.0-2.module+el8.7.0+15506+033991b0 04/01/2014
[ 102.749344] RIP: 0010:memcpy_erms+0x6/0x10
[ 102.749353] Code: cc cc cc cc eb 1e 0f 1f 00 48 89 f8 48 89 d1 48 c1 e9 03 83 e2 07 f3 48 a5 89 d1 f3 a4 c3 66 0f 1f 44 00 00 48 89 f8 48 89 d1 <f3> a4 c3 0f 1f 80 00 00 00 00 48 89 f8 48 83 fa 20 72 7e 40 38 fe
[ 102.749355] RSP: 0018:ffff97a58145fd08 EFLAGS: 00010202
[ 102.749358] RAX: ffff901778b77070 RBX: 0000000000000000 RCX: 0000000000000040
[ 102.749360] RDX: 0000000000000040 RSI: 00000000deadbeef RDI: ffff901778b77070
[ 102.749362] RBP: ffff97a58145fd10 R08: ffff901760b67a70 R09: 0000000000000001
[ 102.749364] R10: ffff9017008e2cb8 R11: 0000000000000001 R12: ffff901760b67a70
[ 102.749366] R13: ffff901760b78f00 R14: 0000000000000003 R15: 0000000000000001
[ 102.749368] FS: 0000000000000000(0000) GS:ffff901876e00000(0000) knlGS:0000000000000000
[ 102.749372] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 102.749374] CR2: 00000000deadbeef CR3: 000000017c49a004 CR4: 0000000000770ef0
[ 102.749376] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 102.749378] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 102.749379] PKRU: 55555554
[ 102.749381] Call Trace:
[ 102.749382] <TASK>
[ 102.749383] ? send_args+0xb2/0xd0
[ 102.749389] send_common+0xb7/0xd0
[ 102.749395] _unlock_lock+0x2c/0x90
[ 102.749400] unlock_lock.isra.56+0x62/0xa0
[ 102.749405] dlm_unlock+0x21e/0x330
[ 102.749411] ? lock_torture_stats+0x80/0x80 [dlm_locktorture]
[ 102.749416] torture_unlock+0x5a/0x90 [dlm_locktorture]
[ 102.749419] ? preempt_count_sub+0xba/0x100
[ 102.749427] lock_torture_writer+0xbd/0x150 [dlm_locktorture]
[ 102.786186] kthread+0x10a/0x130
[ 102.786581] ? kthread_complete_and_exit+0x20/0x20
[ 102.787156] ret_from_fork+0x22/0x30
[ 102.787588] </TASK>
[ 102.787855] Modules linked in: dlm_locktorture torture rpcsec_gss_krb5 intel_rapl_msr intel_rapl_common kvm_intel iTCO_wdt iTCO_vendor_support kvm vmw_vsock_virtio_transport qxl irqbypass vmw_vsock_virtio_transport_common drm_ttm_helper crc32_pclmul joydev crc32c_intel ttm vsock virtio_scsi virtio_balloon snd_pcm drm_kms_helper virtio_console snd_timer snd drm soundcore syscopyarea i2c_i801 sysfillrect sysimgblt i2c_smbus pcspkr fb_sys_fops lpc_ich serio_raw
[ 102.792536] CR2: 00000000deadbeef
[ 102.792930] ---[ end trace 0000000000000000 ]---
This patch fixes the issue by checking also on DLM_LKF_VALBLK on exflags
is set when copying the lvbptr array instead of if it's just null which
fixes for me the issue.
I think this patch can fix other dlm users as well, depending how they
handle the init, freeing memory handling of sb_lvbptr and don't set
DLM_LKF_VALBLK for some dlm_lock() calls. It might a there could be a
hidden issue all the time. However with checking on DLM_LKF_VALBLK the
user always need to provide a sb_lvbptr non-null value. There might be
more intelligent handling between per ls lvblen, DLM_LKF_VALBLK and
non-null to report the user the way how DLM API is used is wrong but can
be added for later, this will only fix the current behaviour.
Cc: stable@vger.kernel.org
Signed-off-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: David Teigland <teigland@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/dlm/lock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/dlm/lock.c
+++ b/fs/dlm/lock.c
@@ -3623,7 +3623,7 @@ static void send_args(struct dlm_rsb *r,
case cpu_to_le32(DLM_MSG_REQUEST_REPLY):
case cpu_to_le32(DLM_MSG_CONVERT_REPLY):
case cpu_to_le32(DLM_MSG_GRANT):
- if (!lkb->lkb_lvbptr)
+ if (!lkb->lkb_lvbptr || !(lkb->lkb_exflags & DLM_LKF_VALBLK))
break;
memcpy(ms->m_extra, lkb->lkb_lvbptr, r->res_ls->ls_lvblen);
break;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 044/862] btf: Export bpf_dynptr definition
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 043/862] fs: dlm: fix invalid derefence of sb_lvbptr Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 045/862] mbcache: Avoid nesting of cache->c_list_lock under bit locks Greg Kroah-Hartman
` (832 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Joanne Koong, Roberto Sassu,
Yonghong Song, KP Singh, Alexei Starovoitov
From: Roberto Sassu <roberto.sassu@huawei.com>
commit 00f146413ccb6c84308e559281449755c83f54c5 upstream.
eBPF dynamic pointers is a new feature recently added to upstream. It binds
together a pointer to a memory area and its size. The internal kernel
structure bpf_dynptr_kern is not accessible by eBPF programs in user space.
They instead see bpf_dynptr, which is then translated to the internal
kernel structure by the eBPF verifier.
The problem is that it is not possible to include at the same time the uapi
include linux/bpf.h and the vmlinux BTF vmlinux.h, as they both contain the
definition of some structures/enums. The compiler complains saying that the
structures/enums are redefined.
As bpf_dynptr is defined in the uapi include linux/bpf.h, this makes it
impossible to include vmlinux.h. However, in some cases, e.g. when using
kfuncs, vmlinux.h has to be included. The only option until now was to
include vmlinux.h and add the definition of bpf_dynptr directly in the eBPF
program source code from linux/bpf.h.
Solve the problem by using the same approach as for bpf_timer (which also
follows the same scheme with the _kern suffix for the internal kernel
structure).
Add the following line in one of the dynamic pointer helpers,
bpf_dynptr_from_mem():
BTF_TYPE_EMIT(struct bpf_dynptr);
Cc: stable@vger.kernel.org
Cc: Joanne Koong <joannelkoong@gmail.com>
Fixes: 97e03f521050c ("bpf: Add verifier support for dynptrs")
Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Acked-by: Yonghong Song <yhs@fb.com>
Tested-by: KP Singh <kpsingh@kernel.org>
Link: https://lore.kernel.org/r/20220920075951.929132-3-roberto.sassu@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/bpf/helpers.c | 2 ++
1 file changed, 2 insertions(+)
--- a/kernel/bpf/helpers.c
+++ b/kernel/bpf/helpers.c
@@ -1468,6 +1468,8 @@ BPF_CALL_4(bpf_dynptr_from_mem, void *,
{
int err;
+ BTF_TYPE_EMIT(struct bpf_dynptr);
+
err = bpf_dynptr_check_size(size);
if (err)
goto error;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 045/862] mbcache: Avoid nesting of cache->c_list_lock under bit locks
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 044/862] btf: Export bpf_dynptr definition Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 046/862] HID: multitouch: Add memory barriers Greg Kroah-Hartman
` (831 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Mike Galbraith, Jan Kara,
Theodore Tso
From: Jan Kara <jack@suse.cz>
commit 5fc4cbd9fde5d4630494fd6ffc884148fb618087 upstream.
Commit 307af6c87937 ("mbcache: automatically delete entries from cache
on freeing") started nesting cache->c_list_lock under the bit locks
protecting hash buckets of the mbcache hash table in
mb_cache_entry_create(). This causes problems for real-time kernels
because there spinlocks are sleeping locks while bitlocks stay atomic.
Luckily the nesting is easy to avoid by holding entry reference until
the entry is added to the LRU list. This makes sure we cannot race with
entry deletion.
Cc: stable@kernel.org
Fixes: 307af6c87937 ("mbcache: automatically delete entries from cache on freeing")
Reported-by: Mike Galbraith <efault@gmx.de>
Signed-off-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220908091032.10513-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/mbcache.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
diff --git a/fs/mbcache.c b/fs/mbcache.c
index 47ccfcbe0a22..e272ad738faf 100644
--- a/fs/mbcache.c
+++ b/fs/mbcache.c
@@ -90,8 +90,14 @@ int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key,
return -ENOMEM;
INIT_LIST_HEAD(&entry->e_list);
- /* Initial hash reference */
- atomic_set(&entry->e_refcnt, 1);
+ /*
+ * We create entry with two references. One reference is kept by the
+ * hash table, the other reference is used to protect us from
+ * mb_cache_entry_delete_or_get() until the entry is fully setup. This
+ * avoids nesting of cache->c_list_lock into hash table bit locks which
+ * is problematic for RT.
+ */
+ atomic_set(&entry->e_refcnt, 2);
entry->e_key = key;
entry->e_value = value;
entry->e_reusable = reusable;
@@ -106,15 +112,12 @@ int mb_cache_entry_create(struct mb_cache *cache, gfp_t mask, u32 key,
}
}
hlist_bl_add_head(&entry->e_hash_list, head);
- /*
- * Add entry to LRU list before it can be found by
- * mb_cache_entry_delete() to avoid races
- */
+ hlist_bl_unlock(head);
spin_lock(&cache->c_list_lock);
list_add_tail(&entry->e_list, &cache->c_list);
cache->c_entry_count++;
spin_unlock(&cache->c_list_lock);
- hlist_bl_unlock(head);
+ mb_cache_entry_put(cache, entry);
return 0;
}
--
2.38.0
^ permalink raw reply related [flat|nested] 909+ messages in thread
* [PATCH 6.0 046/862] HID: multitouch: Add memory barriers
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 045/862] mbcache: Avoid nesting of cache->c_list_lock under bit locks Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 047/862] quota: Check next/prev free block number after reading from quota file Greg Kroah-Hartman
` (830 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Andri Yngvason, Benjamin Tissoires
From: Andri Yngvason <andri@yngvason.is>
commit be6e2b5734a425941fcdcdbd2a9337be498ce2cf upstream.
This fixes broken atomic checks which cause a race between the
release-timer and processing of hid input.
I noticed that contacts were sometimes sticking, even with the "sticky
fingers" quirk enabled. This fixes that problem.
Cc: stable@vger.kernel.org
Fixes: 9609827458c3 ("HID: multitouch: optimize the sticky fingers timer")
Signed-off-by: Andri Yngvason <andri@yngvason.is>
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Link: https://lore.kernel.org/r/20220907150159.2285460-1-andri@yngvason.is
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hid/hid-multitouch.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -1186,7 +1186,7 @@ static void mt_touch_report(struct hid_d
int contact_count = -1;
/* sticky fingers release in progress, abort */
- if (test_and_set_bit(MT_IO_FLAGS_RUNNING, &td->mt_io_flags))
+ if (test_and_set_bit_lock(MT_IO_FLAGS_RUNNING, &td->mt_io_flags))
return;
scantime = *app->scantime;
@@ -1267,7 +1267,7 @@ static void mt_touch_report(struct hid_d
del_timer(&td->release_timer);
}
- clear_bit(MT_IO_FLAGS_RUNNING, &td->mt_io_flags);
+ clear_bit_unlock(MT_IO_FLAGS_RUNNING, &td->mt_io_flags);
}
static int mt_touch_input_configured(struct hid_device *hdev,
@@ -1699,11 +1699,11 @@ static void mt_expired_timeout(struct ti
* An input report came in just before we release the sticky fingers,
* it will take care of the sticky fingers.
*/
- if (test_and_set_bit(MT_IO_FLAGS_RUNNING, &td->mt_io_flags))
+ if (test_and_set_bit_lock(MT_IO_FLAGS_RUNNING, &td->mt_io_flags))
return;
if (test_bit(MT_IO_FLAGS_PENDING_SLOTS, &td->mt_io_flags))
mt_release_contacts(hdev);
- clear_bit(MT_IO_FLAGS_RUNNING, &td->mt_io_flags);
+ clear_bit_unlock(MT_IO_FLAGS_RUNNING, &td->mt_io_flags);
}
static int mt_probe(struct hid_device *hdev, const struct hid_device_id *id)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 047/862] quota: Check next/prev free block number after reading from quota file
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 046/862] HID: multitouch: Add memory barriers Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 048/862] platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure Greg Kroah-Hartman
` (829 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Zhihao Cheng, Jan Kara
From: Zhihao Cheng <chengzhihao1@huawei.com>
commit 6c8ea8b8cd4722efd419f91ca46a2dc81b7d89a3 upstream.
Following process:
Init: v2_read_file_info: <3> dqi_free_blk 0 dqi_free_entry 5 dqi_blks 6
Step 1. chown bin f_a -> dquot_acquire -> v2_write_dquot:
qtree_write_dquot
do_insert_tree
find_free_dqentry
get_free_dqblk
write_blk(info->dqi_blocks) // info->dqi_blocks = 6, failure. The
content in physical block (corresponding to blk 6) is random.
Step 2. chown root f_a -> dquot_transfer -> dqput_all -> dqput ->
ext4_release_dquot -> v2_release_dquot -> qtree_delete_dquot:
dquot_release
remove_tree
free_dqentry
put_free_dqblk(6)
info->dqi_free_blk = blk // info->dqi_free_blk = 6
Step 3. drop cache (buffer head for block 6 is released)
Step 4. chown bin f_b -> dquot_acquire -> commit_dqblk -> v2_write_dquot:
qtree_write_dquot
do_insert_tree
find_free_dqentry
get_free_dqblk
dh = (struct qt_disk_dqdbheader *)buf
blk = info->dqi_free_blk // 6
ret = read_blk(info, blk, buf) // The content of buf is random
info->dqi_free_blk = le32_to_cpu(dh->dqdh_next_free) // random blk
Step 5. chown bin f_c -> notify_change -> ext4_setattr -> dquot_transfer:
dquot = dqget -> acquire_dquot -> ext4_acquire_dquot -> dquot_acquire ->
commit_dqblk -> v2_write_dquot -> dq_insert_tree:
do_insert_tree
find_free_dqentry
get_free_dqblk
blk = info->dqi_free_blk // If blk < 0 and blk is not an error
code, it will be returned as dquot
transfer_to[USRQUOTA] = dquot // A random negative value
__dquot_transfer(transfer_to)
dquot_add_inodes(transfer_to[cnt])
spin_lock(&dquot->dq_dqb_lock) // page fault
, which will lead to kernel page fault:
Quota error (device sda): qtree_write_dquot: Error -8000 occurred
while creating quota
BUG: unable to handle page fault for address: ffffffffffffe120
#PF: supervisor write access in kernel mode
#PF: error_code(0x0002) - not-present page
Oops: 0002 [#1] PREEMPT SMP
CPU: 0 PID: 5974 Comm: chown Not tainted 6.0.0-rc1-00004
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996)
RIP: 0010:_raw_spin_lock+0x3a/0x90
Call Trace:
dquot_add_inodes+0x28/0x270
__dquot_transfer+0x377/0x840
dquot_transfer+0xde/0x540
ext4_setattr+0x405/0x14d0
notify_change+0x68e/0x9f0
chown_common+0x300/0x430
__x64_sys_fchownat+0x29/0x40
In order to avoid accessing invalid quota memory address, this patch adds
block number checking of next/prev free block read from quota file.
Fetch a reproducer in [Link].
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216372
Fixes: 1da177e4c3f4152 ("Linux-2.6.12-rc2")
CC: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220923134555.2623931-2-chengzhihao1@huawei.com
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/quota/quota_tree.c | 38 ++++++++++++++++++++++++++++++++++++++
1 file changed, 38 insertions(+)
--- a/fs/quota/quota_tree.c
+++ b/fs/quota/quota_tree.c
@@ -71,6 +71,35 @@ static ssize_t write_blk(struct qtree_me
return ret;
}
+static inline int do_check_range(struct super_block *sb, const char *val_name,
+ uint val, uint min_val, uint max_val)
+{
+ if (val < min_val || val > max_val) {
+ quota_error(sb, "Getting %s %u out of range %u-%u",
+ val_name, val, min_val, max_val);
+ return -EUCLEAN;
+ }
+
+ return 0;
+}
+
+static int check_dquot_block_header(struct qtree_mem_dqinfo *info,
+ struct qt_disk_dqdbheader *dh)
+{
+ int err = 0;
+
+ err = do_check_range(info->dqi_sb, "dqdh_next_free",
+ le32_to_cpu(dh->dqdh_next_free), 0,
+ info->dqi_blocks - 1);
+ if (err)
+ return err;
+ err = do_check_range(info->dqi_sb, "dqdh_prev_free",
+ le32_to_cpu(dh->dqdh_prev_free), 0,
+ info->dqi_blocks - 1);
+
+ return err;
+}
+
/* Remove empty block from list and return it */
static int get_free_dqblk(struct qtree_mem_dqinfo *info)
{
@@ -85,6 +114,9 @@ static int get_free_dqblk(struct qtree_m
ret = read_blk(info, blk, buf);
if (ret < 0)
goto out_buf;
+ ret = check_dquot_block_header(info, dh);
+ if (ret)
+ goto out_buf;
info->dqi_free_blk = le32_to_cpu(dh->dqdh_next_free);
}
else {
@@ -232,6 +264,9 @@ static uint find_free_dqentry(struct qtr
*err = read_blk(info, blk, buf);
if (*err < 0)
goto out_buf;
+ *err = check_dquot_block_header(info, dh);
+ if (*err)
+ goto out_buf;
} else {
blk = get_free_dqblk(info);
if ((int)blk < 0) {
@@ -424,6 +459,9 @@ static int free_dqentry(struct qtree_mem
goto out_buf;
}
dh = (struct qt_disk_dqdbheader *)buf;
+ ret = check_dquot_block_header(info, dh);
+ if (ret)
+ goto out_buf;
le16_add_cpu(&dh->dqdh_entries, -1);
if (!le16_to_cpu(dh->dqdh_entries)) { /* Block got free? */
ret = remove_free_dqentry(info, buf, blk);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 048/862] platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 047/862] quota: Check next/prev free block number after reading from quota file Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 049/862] arm64: dts: qcom: sdm845-mtp: correct ADC settle time Greg Kroah-Hartman
` (828 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Guenter Roeck, Patryk Duda, Tzung-Bi Shih
From: Patryk Duda <pdk@semihalf.com>
commit f74c7557ed0d321947e8bb4e9d47c1013f8b2227 upstream.
Some EC based devices (e.g. Fingerpint MCU) can jump to RO part of the
firmware (intentionally or due to device reboot). The RO part doesn't
change during the device lifecycle, so it won't support newer version
of EC_CMD_GET_NEXT_EVENT command.
Function cros_ec_query_all() is responsible for finding maximum
supported MKBP event version. It's usually called when the device is
running RW part of the firmware, so the command version can be
potentially higher than version supported by the RO.
The problem was fixed by updating maximum supported version when the
device returns EC_RES_INVALID_VERSION (mapped to -ENOPROTOOPT). That way
the kernel will use highest common version supported by RO and RW.
Fixes: 3300fdd630d4 ("platform/chrome: cros_ec: handle MKBP more events flag")
Cc: <stable@vger.kernel.org> # 5.10+
Reviewed-by: Guenter Roeck <groeck@chromium.org>
Signed-off-by: Patryk Duda <pdk@semihalf.com>
Signed-off-by: Tzung-Bi Shih <tzungbi@kernel.org>
Link: https://lore.kernel.org/r/20220802154128.21175-1-pdk@semihalf.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/chrome/cros_ec_proto.c | 32 ++++++++++++++++++++++++++++++++
1 file changed, 32 insertions(+)
--- a/drivers/platform/chrome/cros_ec_proto.c
+++ b/drivers/platform/chrome/cros_ec_proto.c
@@ -773,6 +773,7 @@ int cros_ec_get_next_event(struct cros_e
u8 event_type;
u32 host_event;
int ret;
+ u32 ver_mask;
/*
* Default value for wake_event.
@@ -794,6 +795,37 @@ int cros_ec_get_next_event(struct cros_e
return get_keyboard_state_event(ec_dev);
ret = get_next_event(ec_dev);
+ /*
+ * -ENOPROTOOPT is returned when EC returns EC_RES_INVALID_VERSION.
+ * This can occur when EC based device (e.g. Fingerprint MCU) jumps to
+ * the RO image which doesn't support newer version of the command. In
+ * this case we will attempt to update maximum supported version of the
+ * EC_CMD_GET_NEXT_EVENT.
+ */
+ if (ret == -ENOPROTOOPT) {
+ dev_dbg(ec_dev->dev,
+ "GET_NEXT_EVENT returned invalid version error.\n");
+ ret = cros_ec_get_host_command_version_mask(ec_dev,
+ EC_CMD_GET_NEXT_EVENT,
+ &ver_mask);
+ if (ret < 0 || ver_mask == 0)
+ /*
+ * Do not change the MKBP supported version if we can't
+ * obtain supported version correctly. Please note that
+ * calling EC_CMD_GET_NEXT_EVENT returned
+ * EC_RES_INVALID_VERSION which means that the command
+ * is present.
+ */
+ return -ENOPROTOOPT;
+
+ ec_dev->mkbp_event_supported = fls(ver_mask);
+ dev_dbg(ec_dev->dev, "MKBP support version changed to %u\n",
+ ec_dev->mkbp_event_supported - 1);
+
+ /* Try to get next event with new MKBP support version set. */
+ ret = get_next_event(ec_dev);
+ }
+
if (ret <= 0)
return ret;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 049/862] arm64: dts: qcom: sdm845-mtp: correct ADC settle time
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 048/862] platform/chrome: cros_ec_proto: Update version on GET_NEXT_EVENT failure Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 050/862] ASoC: wcd9335: fix order of Slimbus unprepare/disable Greg Kroah-Hartman
` (827 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Stephen Boyd,
Vinod Koul, David Heidelberg, Bjorn Andersson
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 209a04885ab5f76722a1671d0fbf0a5b4bccacec upstream.
The PMIC's VADC property for settle time is qcom,hw-settle-time, not
qcom,hw-settle-time-us. The latter is used in PMIC's TM ADC.
qcom/sdm845-mtp.dtb: pmic@0: adc@3100:adc-chan@4c: 'qcom,hw-settle-time-us' does not match any of the regexes: 'pinctrl-[0-9]+'
Fixes: d5e12f3823ae ("arm64: dts: qcom: sdm845: mtp: Add vadc channels and thermal zones")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Stephen Boyd <sboyd@kernel.org>
Reviewed-by: Vinod Koul <vkoul@kernel.org>
Reviewed-by: David Heidelberg <david@ixit.cz>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20220828084341.112146-13-krzysztof.kozlowski@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/boot/dts/qcom/sdm845-mtp.dts | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- a/arch/arm64/boot/dts/qcom/sdm845-mtp.dts
+++ b/arch/arm64/boot/dts/qcom/sdm845-mtp.dts
@@ -536,42 +536,42 @@
reg = <ADC5_XO_THERM_100K_PU>;
label = "xo_therm";
qcom,ratiometric;
- qcom,hw-settle-time-us = <200>;
+ qcom,hw-settle-time = <200>;
};
adc-chan@4d {
reg = <ADC5_AMUX_THM1_100K_PU>;
label = "msm_therm";
qcom,ratiometric;
- qcom,hw-settle-time-us = <200>;
+ qcom,hw-settle-time = <200>;
};
adc-chan@4f {
reg = <ADC5_AMUX_THM3_100K_PU>;
label = "pa_therm1";
qcom,ratiometric;
- qcom,hw-settle-time-us = <200>;
+ qcom,hw-settle-time = <200>;
};
adc-chan@51 {
reg = <ADC5_AMUX_THM5_100K_PU>;
label = "quiet_therm";
qcom,ratiometric;
- qcom,hw-settle-time-us = <200>;
+ qcom,hw-settle-time = <200>;
};
adc-chan@83 {
reg = <ADC5_VPH_PWR>;
label = "vph_pwr";
qcom,ratiometric;
- qcom,hw-settle-time-us = <200>;
+ qcom,hw-settle-time = <200>;
};
adc-chan@85 {
reg = <ADC5_VCOIN>;
label = "vcoin";
qcom,ratiometric;
- qcom,hw-settle-time-us = <200>;
+ qcom,hw-settle-time = <200>;
};
};
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 050/862] ASoC: wcd9335: fix order of Slimbus unprepare/disable
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 049/862] arm64: dts: qcom: sdm845-mtp: correct ADC settle time Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 051/862] ASoC: wcd934x: " Greg Kroah-Hartman
` (826 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski,
Srinivas Kandagatla, Mark Brown
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit ea8ef003aa53ad23e7705c5cab1c4e664faa6c79 upstream.
Slimbus streams are first prepared and then enabled, so the cleanup path
should reverse it. The unprepare sets stream->num_ports to 0 and frees
the stream->ports. Calling disable after unprepare was not really
effective (channels was not deactivated) and could lead to further
issues due to making transfers on unprepared stream.
Fixes: 20aedafdf492 ("ASoC: wcd9335: add support to wcd9335 codec")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20220921145354.1683791-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd9335.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/codecs/wcd9335.c
+++ b/sound/soc/codecs/wcd9335.c
@@ -1974,8 +1974,8 @@ static int wcd9335_trigger(struct snd_pc
case SNDRV_PCM_TRIGGER_STOP:
case SNDRV_PCM_TRIGGER_SUSPEND:
case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
- slim_stream_unprepare(dai_data->sruntime);
slim_stream_disable(dai_data->sruntime);
+ slim_stream_unprepare(dai_data->sruntime);
break;
default:
break;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 051/862] ASoC: wcd934x: fix order of Slimbus unprepare/disable
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 050/862] ASoC: wcd9335: fix order of Slimbus unprepare/disable Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 052/862] hwmon: (gsc-hwmon) Call of_node_get() before of_find_xxx API Greg Kroah-Hartman
` (825 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski,
Srinivas Kandagatla, Mark Brown
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit e96bca7eaa5747633ec638b065630ff83728982a upstream.
Slimbus streams are first prepared and then enabled, so the cleanup path
should reverse it. The unprepare sets stream->num_ports to 0 and frees
the stream->ports. Calling disable after unprepare was not really
effective (channels was not deactivated) and could lead to further
issues due to making transfers on unprepared stream.
Fixes: a61f3b4f476e ("ASoC: wcd934x: add support to wcd9340/wcd9341 codec")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20220921145354.1683791-2-krzysztof.kozlowski@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd934x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/codecs/wcd934x.c
+++ b/sound/soc/codecs/wcd934x.c
@@ -1913,8 +1913,8 @@ static int wcd934x_trigger(struct snd_pc
case SNDRV_PCM_TRIGGER_STOP:
case SNDRV_PCM_TRIGGER_SUSPEND:
case SNDRV_PCM_TRIGGER_PAUSE_PUSH:
- slim_stream_unprepare(dai_data->sruntime);
slim_stream_disable(dai_data->sruntime);
+ slim_stream_unprepare(dai_data->sruntime);
break;
default:
break;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 052/862] hwmon: (gsc-hwmon) Call of_node_get() before of_find_xxx API
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 051/862] ASoC: wcd934x: " Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 053/862] net: thunderbolt: Enable DMA paths only after rings are enabled Greg Kroah-Hartman
` (824 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Liang He, Mengda Chen, Guenter Roeck
From: Liang He <windhl@126.com>
commit 7f62cf781e6567d59c8935dc8c6068ce2bb904b7 upstream.
In gsc_hwmon_get_devtree_pdata(), we should call of_node_get() before
the of_find_compatible_node() which will automatically call
of_node_put() for the 'from' argument.
Fixes: 3bce5377ef66 ("hwmon: Add Gateworks System Controller support")
Signed-off-by: Liang He <windhl@126.com>
Co-developed-by: Mengda Chen <chenmengda2009@163.com>
Signed-off-by: Mengda Chen <chenmengda2009@163.com>
Link: https://lore.kernel.org/r/20220916154708.3084515-1-chenmengda2009@163.com
Cc: stable@vger.kernel.org
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/hwmon/gsc-hwmon.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/hwmon/gsc-hwmon.c
+++ b/drivers/hwmon/gsc-hwmon.c
@@ -267,6 +267,7 @@ gsc_hwmon_get_devtree_pdata(struct devic
pdata->nchannels = nchannels;
/* fan controller base address */
+ of_node_get(dev->parent->of_node);
fan = of_find_compatible_node(dev->parent->of_node, NULL, "gw,gsc-fan");
if (fan && of_property_read_u32(fan, "reg", &pdata->fan_base)) {
of_node_put(fan);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 053/862] net: thunderbolt: Enable DMA paths only after rings are enabled
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 052/862] hwmon: (gsc-hwmon) Call of_node_get() before of_find_xxx API Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 054/862] regulator: qcom_rpm: Fix circular deferral regression Greg Kroah-Hartman
` (823 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Mika Westerberg, David S. Miller
From: Mika Westerberg <mika.westerberg@linux.intel.com>
commit ff7cd07f306406493f7b78890475e85b6d0811ed upstream.
If the other host starts sending packets early on it is possible that we
are still in the middle of populating the initial Rx ring packets to the
ring. This causes the tbnet_poll() to mess over the queue and causes
list corruption. This happens specifically when connected with macOS as
it seems start sending various IP discovery packets as soon as its side
of the paths are configured.
To prevent this we move the DMA path enabling to happen after we have
primed the Rx ring. This makes sure no incoming packets can arrive
before we are ready to handle them.
Fixes: e69b6c02b4c3 ("net: Add support for networking over Thunderbolt cable")
Cc: stable@vger.kernel.org
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/thunderbolt.c | 28 +++++++++++++++++-----------
1 file changed, 17 insertions(+), 11 deletions(-)
--- a/drivers/net/thunderbolt.c
+++ b/drivers/net/thunderbolt.c
@@ -612,18 +612,13 @@ static void tbnet_connected_work(struct
return;
}
- /* Both logins successful so enable the high-speed DMA paths and
- * start the network device queue.
+ /* Both logins successful so enable the rings, high-speed DMA
+ * paths and start the network device queue.
+ *
+ * Note we enable the DMA paths last to make sure we have primed
+ * the Rx ring before any incoming packets are allowed to
+ * arrive.
*/
- ret = tb_xdomain_enable_paths(net->xd, net->local_transmit_path,
- net->rx_ring.ring->hop,
- net->remote_transmit_path,
- net->tx_ring.ring->hop);
- if (ret) {
- netdev_err(net->dev, "failed to enable DMA paths\n");
- return;
- }
-
tb_ring_start(net->tx_ring.ring);
tb_ring_start(net->rx_ring.ring);
@@ -635,10 +630,21 @@ static void tbnet_connected_work(struct
if (ret)
goto err_free_rx_buffers;
+ ret = tb_xdomain_enable_paths(net->xd, net->local_transmit_path,
+ net->rx_ring.ring->hop,
+ net->remote_transmit_path,
+ net->tx_ring.ring->hop);
+ if (ret) {
+ netdev_err(net->dev, "failed to enable DMA paths\n");
+ goto err_free_tx_buffers;
+ }
+
netif_carrier_on(net->dev);
netif_start_queue(net->dev);
return;
+err_free_tx_buffers:
+ tbnet_free_buffers(&net->tx_ring);
err_free_rx_buffers:
tbnet_free_buffers(&net->rx_ring);
err_stop_rings:
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 054/862] regulator: qcom_rpm: Fix circular deferral regression
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 053/862] net: thunderbolt: Enable DMA paths only after rings are enabled Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 055/862] arm64: topology: move store_cpu_topology() to shared code Greg Kroah-Hartman
` (822 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Andy Gross, Bjorn Andersson,
Konrad Dybcio, linux-arm-msm, Linus Walleij, Mark Brown
From: Linus Walleij <linus.walleij@linaro.org>
commit 8478ed5844588703a1a4c96a004b1525fbdbdd5e upstream.
On recent kernels, the PM8058 L16 (or any other PM8058 LDO-regulator)
does not come up if they are supplied by an SMPS-regulator. This
is not very strange since the regulators are registered in a long
array and the L-regulators are registered before the S-regulators,
and if an L-regulator defers, it will never get around to registering
the S-regulator that it needs.
See arch/arm/boot/dts/qcom-apq8060-dragonboard.dts:
pm8058-regulators {
(...)
vdd_l13_l16-supply = <&pm8058_s4>;
(...)
Ooops.
Fix this by moving the PM8058 S-regulators first in the array.
Do the same for the PM8901 S-regulators (though this is currently
not causing any problems with out device trees) so that the pattern
of registration order is the same on all PMnnnn chips.
Fixes: 087a1b5cdd55 ("regulator: qcom: Rework to single platform device")
Cc: stable@vger.kernel.org
Cc: Andy Gross <agross@kernel.org>
Cc: Bjorn Andersson <andersson@kernel.org>
Cc: Konrad Dybcio <konrad.dybcio@somainline.org>
Cc: linux-arm-msm@vger.kernel.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Link: https://lore.kernel.org/r/20220909112529.239143-1-linus.walleij@linaro.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/regulator/qcom_rpm-regulator.c | 24 ++++++++++++------------
1 file changed, 12 insertions(+), 12 deletions(-)
--- a/drivers/regulator/qcom_rpm-regulator.c
+++ b/drivers/regulator/qcom_rpm-regulator.c
@@ -802,6 +802,12 @@ static const struct rpm_regulator_data r
};
static const struct rpm_regulator_data rpm_pm8058_regulators[] = {
+ { "s0", QCOM_RPM_PM8058_SMPS0, &pm8058_smps, "vdd_s0" },
+ { "s1", QCOM_RPM_PM8058_SMPS1, &pm8058_smps, "vdd_s1" },
+ { "s2", QCOM_RPM_PM8058_SMPS2, &pm8058_smps, "vdd_s2" },
+ { "s3", QCOM_RPM_PM8058_SMPS3, &pm8058_smps, "vdd_s3" },
+ { "s4", QCOM_RPM_PM8058_SMPS4, &pm8058_smps, "vdd_s4" },
+
{ "l0", QCOM_RPM_PM8058_LDO0, &pm8058_nldo, "vdd_l0_l1_lvs" },
{ "l1", QCOM_RPM_PM8058_LDO1, &pm8058_nldo, "vdd_l0_l1_lvs" },
{ "l2", QCOM_RPM_PM8058_LDO2, &pm8058_pldo, "vdd_l2_l11_l12" },
@@ -829,12 +835,6 @@ static const struct rpm_regulator_data r
{ "l24", QCOM_RPM_PM8058_LDO24, &pm8058_nldo, "vdd_l23_l24_l25" },
{ "l25", QCOM_RPM_PM8058_LDO25, &pm8058_nldo, "vdd_l23_l24_l25" },
- { "s0", QCOM_RPM_PM8058_SMPS0, &pm8058_smps, "vdd_s0" },
- { "s1", QCOM_RPM_PM8058_SMPS1, &pm8058_smps, "vdd_s1" },
- { "s2", QCOM_RPM_PM8058_SMPS2, &pm8058_smps, "vdd_s2" },
- { "s3", QCOM_RPM_PM8058_SMPS3, &pm8058_smps, "vdd_s3" },
- { "s4", QCOM_RPM_PM8058_SMPS4, &pm8058_smps, "vdd_s4" },
-
{ "lvs0", QCOM_RPM_PM8058_LVS0, &pm8058_switch, "vdd_l0_l1_lvs" },
{ "lvs1", QCOM_RPM_PM8058_LVS1, &pm8058_switch, "vdd_l0_l1_lvs" },
@@ -843,6 +843,12 @@ static const struct rpm_regulator_data r
};
static const struct rpm_regulator_data rpm_pm8901_regulators[] = {
+ { "s0", QCOM_RPM_PM8901_SMPS0, &pm8901_ftsmps, "vdd_s0" },
+ { "s1", QCOM_RPM_PM8901_SMPS1, &pm8901_ftsmps, "vdd_s1" },
+ { "s2", QCOM_RPM_PM8901_SMPS2, &pm8901_ftsmps, "vdd_s2" },
+ { "s3", QCOM_RPM_PM8901_SMPS3, &pm8901_ftsmps, "vdd_s3" },
+ { "s4", QCOM_RPM_PM8901_SMPS4, &pm8901_ftsmps, "vdd_s4" },
+
{ "l0", QCOM_RPM_PM8901_LDO0, &pm8901_nldo, "vdd_l0" },
{ "l1", QCOM_RPM_PM8901_LDO1, &pm8901_pldo, "vdd_l1" },
{ "l2", QCOM_RPM_PM8901_LDO2, &pm8901_pldo, "vdd_l2" },
@@ -851,12 +857,6 @@ static const struct rpm_regulator_data r
{ "l5", QCOM_RPM_PM8901_LDO5, &pm8901_pldo, "vdd_l5" },
{ "l6", QCOM_RPM_PM8901_LDO6, &pm8901_pldo, "vdd_l6" },
- { "s0", QCOM_RPM_PM8901_SMPS0, &pm8901_ftsmps, "vdd_s0" },
- { "s1", QCOM_RPM_PM8901_SMPS1, &pm8901_ftsmps, "vdd_s1" },
- { "s2", QCOM_RPM_PM8901_SMPS2, &pm8901_ftsmps, "vdd_s2" },
- { "s3", QCOM_RPM_PM8901_SMPS3, &pm8901_ftsmps, "vdd_s3" },
- { "s4", QCOM_RPM_PM8901_SMPS4, &pm8901_ftsmps, "vdd_s4" },
-
{ "lvs0", QCOM_RPM_PM8901_LVS0, &pm8901_switch, "lvs0_in" },
{ "lvs1", QCOM_RPM_PM8901_LVS1, &pm8901_switch, "lvs1_in" },
{ "lvs2", QCOM_RPM_PM8901_LVS2, &pm8901_switch, "lvs2_in" },
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 055/862] arm64: topology: move store_cpu_topology() to shared code
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 054/862] regulator: qcom_rpm: Fix circular deferral regression Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 056/862] riscv: topology: fix default topology reporting Greg Kroah-Hartman
` (821 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sudeep Holla, Catalin Marinas,
Atish Patra, Conor Dooley
From: Conor Dooley <conor.dooley@microchip.com>
commit 456797da792fa7cbf6698febf275fe9b36691f78 upstream.
arm64's method of defining a default cpu topology requires only minimal
changes to apply to RISC-V also. The current arm64 implementation exits
early in a uniprocessor configuration by reading MPIDR & claiming that
uniprocessor can rely on the default values.
This is appears to be a hangover from prior to '3102bc0e6ac7 ("arm64:
topology: Stop using MPIDR for topology information")', because the
current code just assigns default values for multiprocessor systems.
With the MPIDR references removed, store_cpu_topolgy() can be moved to
the common arch_topology code.
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Acked-by: Catalin Marinas <catalin.marinas@arm.com>
Reviewed-by: Atish Patra <atishp@rivosinc.com>
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/topology.c | 40 ----------------------------------------
drivers/base/arch_topology.c | 19 +++++++++++++++++++
2 files changed, 19 insertions(+), 40 deletions(-)
--- a/arch/arm64/kernel/topology.c
+++ b/arch/arm64/kernel/topology.c
@@ -22,46 +22,6 @@
#include <asm/cputype.h>
#include <asm/topology.h>
-void store_cpu_topology(unsigned int cpuid)
-{
- struct cpu_topology *cpuid_topo = &cpu_topology[cpuid];
- u64 mpidr;
-
- if (cpuid_topo->package_id != -1)
- goto topology_populated;
-
- mpidr = read_cpuid_mpidr();
-
- /* Uniprocessor systems can rely on default topology values */
- if (mpidr & MPIDR_UP_BITMASK)
- return;
-
- /*
- * This would be the place to create cpu topology based on MPIDR.
- *
- * However, it cannot be trusted to depict the actual topology; some
- * pieces of the architecture enforce an artificial cap on Aff0 values
- * (e.g. GICv3's ICC_SGI1R_EL1 limits it to 15), leading to an
- * artificial cycling of Aff1, Aff2 and Aff3 values. IOW, these end up
- * having absolutely no relationship to the actual underlying system
- * topology, and cannot be reasonably used as core / package ID.
- *
- * If the MT bit is set, Aff0 *could* be used to define a thread ID, but
- * we still wouldn't be able to obtain a sane core ID. This means we
- * need to entirely ignore MPIDR for any topology deduction.
- */
- cpuid_topo->thread_id = -1;
- cpuid_topo->core_id = cpuid;
- cpuid_topo->package_id = cpu_to_node(cpuid);
-
- pr_debug("CPU%u: cluster %d core %d thread %d mpidr %#016llx\n",
- cpuid, cpuid_topo->package_id, cpuid_topo->core_id,
- cpuid_topo->thread_id, mpidr);
-
-topology_populated:
- update_siblings_masks(cpuid);
-}
-
#ifdef CONFIG_ACPI
static bool __init acpi_cpu_is_threaded(int cpu)
{
--- a/drivers/base/arch_topology.c
+++ b/drivers/base/arch_topology.c
@@ -841,4 +841,23 @@ void __init init_cpu_topology(void)
return;
}
}
+
+void store_cpu_topology(unsigned int cpuid)
+{
+ struct cpu_topology *cpuid_topo = &cpu_topology[cpuid];
+
+ if (cpuid_topo->package_id != -1)
+ goto topology_populated;
+
+ cpuid_topo->thread_id = -1;
+ cpuid_topo->core_id = cpuid;
+ cpuid_topo->package_id = cpu_to_node(cpuid);
+
+ pr_debug("CPU%u: package %d core %d thread %d\n",
+ cpuid, cpuid_topo->package_id, cpuid_topo->core_id,
+ cpuid_topo->thread_id);
+
+topology_populated:
+ update_siblings_masks(cpuid);
+}
#endif
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 056/862] riscv: topology: fix default topology reporting
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 055/862] arm64: topology: move store_cpu_topology() to shared code Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 057/862] RISC-V: Re-enable counter access from userspace Greg Kroah-Hartman
` (820 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Brice Goglin, Sudeep Holla,
Atish Patra, Conor Dooley
From: Conor Dooley <conor.dooley@microchip.com>
commit fbd92809997a391f28075f1c8b5ee314c225557c upstream.
RISC-V has no sane defaults to fall back on where there is no cpu-map
in the devicetree.
Without sane defaults, the package, core and thread IDs are all set to
-1. This causes user-visible inaccuracies for tools like hwloc/lstopo
which rely on the sysfs cpu topology files to detect a system's
topology.
On a PolarFire SoC, which should have 4 harts with a thread each,
lstopo currently reports:
Machine (793MB total)
Package L#0
NUMANode L#0 (P#0 793MB)
Core L#0
L1d L#0 (32KB) + L1i L#0 (32KB) + PU L#0 (P#0)
L1d L#1 (32KB) + L1i L#1 (32KB) + PU L#1 (P#1)
L1d L#2 (32KB) + L1i L#2 (32KB) + PU L#2 (P#2)
L1d L#3 (32KB) + L1i L#3 (32KB) + PU L#3 (P#3)
Adding calls to store_cpu_topology() in {boot,smp} hart bringup code
results in the correct topolgy being reported:
Machine (793MB total)
Package L#0
NUMANode L#0 (P#0 793MB)
L1d L#0 (32KB) + L1i L#0 (32KB) + Core L#0 + PU L#0 (P#0)
L1d L#1 (32KB) + L1i L#1 (32KB) + Core L#1 + PU L#1 (P#1)
L1d L#2 (32KB) + L1i L#2 (32KB) + Core L#2 + PU L#2 (P#2)
L1d L#3 (32KB) + L1i L#3 (32KB) + Core L#3 + PU L#3 (P#3)
CC: stable@vger.kernel.org # 456797da792f: arm64: topology: move store_cpu_topology() to shared code
Fixes: 03f11f03dbfe ("RISC-V: Parse cpu topology during boot.")
Reported-by: Brice Goglin <Brice.Goglin@inria.fr>
Link: https://github.com/open-mpi/hwloc/issues/536
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Reviewed-by: Atish Patra <atishp@rivosinc.com>
Signed-off-by: Conor Dooley <conor.dooley@microchip.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/Kconfig | 2 +-
arch/riscv/kernel/smpboot.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
--- a/arch/riscv/Kconfig
+++ b/arch/riscv/Kconfig
@@ -52,7 +52,7 @@ config RISCV
select COMMON_CLK
select CPU_PM if CPU_IDLE
select EDAC_SUPPORT
- select GENERIC_ARCH_TOPOLOGY if SMP
+ select GENERIC_ARCH_TOPOLOGY
select GENERIC_ATOMIC64 if !64BIT
select GENERIC_CLOCKEVENTS_BROADCAST if SMP
select GENERIC_EARLY_IOREMAP
--- a/arch/riscv/kernel/smpboot.c
+++ b/arch/riscv/kernel/smpboot.c
@@ -49,6 +49,7 @@ void __init smp_prepare_cpus(unsigned in
unsigned int curr_cpuid;
curr_cpuid = smp_processor_id();
+ store_cpu_topology(curr_cpuid);
numa_store_cpu_info(curr_cpuid);
numa_add_cpu(curr_cpuid);
@@ -162,9 +163,9 @@ asmlinkage __visible void smp_callin(voi
mmgrab(mm);
current->active_mm = mm;
+ store_cpu_topology(curr_cpuid);
notify_cpu_starting(curr_cpuid);
numa_add_cpu(curr_cpuid);
- update_siblings_masks(curr_cpuid);
set_cpu_online(curr_cpuid, 1);
/*
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 057/862] RISC-V: Re-enable counter access from userspace
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 056/862] riscv: topology: fix default topology reporting Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 058/862] RISC-V: Make port I/O string accessors actually work Greg Kroah-Hartman
` (819 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Conor Dooley, Palmer Dabbelt
From: Palmer Dabbelt <palmer@rivosinc.com>
commit 5a5294fbe0200d1327f0e089135dad77b45aa2ee upstream.
These counters were part of the ISA when we froze the uABI, removing
them breaks userspace.
Link: https://lore.kernel.org/all/YxEhC%2FmDW1lFt36J@aurel32.net/
Fixes: e9991434596f ("RISC-V: Add perf platform driver based on SBI PMU extension")
Tested-by: Conor Dooley <conor.dooley@microchip.com>
Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/20220928131807.30386-1-palmer@rivosinc.com
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/perf/riscv_pmu_sbi.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/perf/riscv_pmu_sbi.c
+++ b/drivers/perf/riscv_pmu_sbi.c
@@ -645,8 +645,11 @@ static int pmu_sbi_starting_cpu(unsigned
struct riscv_pmu *pmu = hlist_entry_safe(node, struct riscv_pmu, node);
struct cpu_hw_events *cpu_hw_evt = this_cpu_ptr(pmu->hw_events);
- /* Enable the access for TIME csr only from the user mode now */
- csr_write(CSR_SCOUNTEREN, 0x2);
+ /*
+ * Enable the access for CYCLE, TIME, and INSTRET CSRs from userspace,
+ * as is necessary to maintain uABI compatibility.
+ */
+ csr_write(CSR_SCOUNTEREN, 0x7);
/* Stop all the counters so that they can be enabled from perf */
pmu_sbi_stop_all(pmu);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 058/862] RISC-V: Make port I/O string accessors actually work
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 057/862] RISC-V: Re-enable counter access from userspace Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 059/862] parisc: fbdev/stifb: Align graphics memory size to 4MB Greg Kroah-Hartman
` (818 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Maciej W. Rozycki, Arnd Bergmann,
Palmer Dabbelt
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit 9cc205e3c17d5716da7ebb7fa0c985555e95d009 upstream.
Fix port I/O string accessors such as `insb', `outsb', etc. which use
the physical PCI port I/O address rather than the corresponding memory
mapping to get at the requested location, which in turn breaks at least
accesses made by our parport driver to a PCIe parallel port such as:
PCI parallel port detected: 1415:c118, I/O at 0x1000(0x1008), IRQ 20
parport0: PC-style at 0x1000 (0x1008), irq 20, using FIFO [PCSPP,TRISTATE,COMPAT,EPP,ECP]
causing a memory access fault:
Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000001008
Oops [#1]
Modules linked in:
CPU: 1 PID: 350 Comm: cat Not tainted 6.0.0-rc2-00283-g10d4879f9ef0-dirty #23
Hardware name: SiFive HiFive Unmatched A00 (DT)
epc : parport_pc_fifo_write_block_pio+0x266/0x416
ra : parport_pc_fifo_write_block_pio+0xb4/0x416
epc : ffffffff80542c3e ra : ffffffff80542a8c sp : ffffffd88899fc60
gp : ffffffff80fa2700 tp : ffffffd882b1e900 t0 : ffffffd883d0b000
t1 : ffffffffff000002 t2 : 4646393043330a38 s0 : ffffffd88899fcf0
s1 : 0000000000001000 a0 : 0000000000000010 a1 : 0000000000000000
a2 : ffffffd883d0a010 a3 : 0000000000000023 a4 : 00000000ffff8fbb
a5 : ffffffd883d0a001 a6 : 0000000100000000 a7 : ffffffc800000000
s2 : ffffffffff000002 s3 : ffffffff80d28880 s4 : ffffffff80fa1f50
s5 : 0000000000001008 s6 : 0000000000000008 s7 : ffffffd883d0a000
s8 : 0004000000000000 s9 : ffffffff80dc1d80 s10: ffffffd8807e4000
s11: 0000000000000000 t3 : 00000000000000ff t4 : 393044410a303930
t5 : 0000000000001000 t6 : 0000000000040000
status: 0000000200000120 badaddr: 0000000000001008 cause: 000000000000000f
[<ffffffff80543212>] parport_pc_compat_write_block_pio+0xfe/0x200
[<ffffffff8053bbc0>] parport_write+0x46/0xf8
[<ffffffff8050530e>] lp_write+0x158/0x2d2
[<ffffffff80185716>] vfs_write+0x8e/0x2c2
[<ffffffff80185a74>] ksys_write+0x52/0xc2
[<ffffffff80185af2>] sys_write+0xe/0x16
[<ffffffff80003770>] ret_from_syscall+0x0/0x2
---[ end trace 0000000000000000 ]---
For simplicity address the problem by adding PCI_IOBASE to the physical
address requested in the respective wrapper macros only, observing that
the raw accessors such as `__insb', `__outsb', etc. are not supposed to
be used other than by said macros. Remove the cast to `long' that is no
longer needed on `addr' now that it is used as an offset from PCI_IOBASE
and add parentheses around `addr' needed for predictable evaluation in
macro expansion. No need to make said adjustments in separate changes
given that current code is gravely broken and does not ever work.
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Fixes: fab957c11efe2 ("RISC-V: Atomic and Locking Code")
Cc: stable@vger.kernel.org # v4.15+
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/alpine.DEB.2.21.2209220223080.29493@angie.orcam.me.uk
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/include/asm/io.h | 16 ++++++++--------
1 file changed, 8 insertions(+), 8 deletions(-)
--- a/arch/riscv/include/asm/io.h
+++ b/arch/riscv/include/asm/io.h
@@ -101,9 +101,9 @@ __io_reads_ins(reads, u32, l, __io_br(),
__io_reads_ins(ins, u8, b, __io_pbr(), __io_par(addr))
__io_reads_ins(ins, u16, w, __io_pbr(), __io_par(addr))
__io_reads_ins(ins, u32, l, __io_pbr(), __io_par(addr))
-#define insb(addr, buffer, count) __insb((void __iomem *)(long)addr, buffer, count)
-#define insw(addr, buffer, count) __insw((void __iomem *)(long)addr, buffer, count)
-#define insl(addr, buffer, count) __insl((void __iomem *)(long)addr, buffer, count)
+#define insb(addr, buffer, count) __insb(PCI_IOBASE + (addr), buffer, count)
+#define insw(addr, buffer, count) __insw(PCI_IOBASE + (addr), buffer, count)
+#define insl(addr, buffer, count) __insl(PCI_IOBASE + (addr), buffer, count)
__io_writes_outs(writes, u8, b, __io_bw(), __io_aw())
__io_writes_outs(writes, u16, w, __io_bw(), __io_aw())
@@ -115,22 +115,22 @@ __io_writes_outs(writes, u32, l, __io_bw
__io_writes_outs(outs, u8, b, __io_pbw(), __io_paw())
__io_writes_outs(outs, u16, w, __io_pbw(), __io_paw())
__io_writes_outs(outs, u32, l, __io_pbw(), __io_paw())
-#define outsb(addr, buffer, count) __outsb((void __iomem *)(long)addr, buffer, count)
-#define outsw(addr, buffer, count) __outsw((void __iomem *)(long)addr, buffer, count)
-#define outsl(addr, buffer, count) __outsl((void __iomem *)(long)addr, buffer, count)
+#define outsb(addr, buffer, count) __outsb(PCI_IOBASE + (addr), buffer, count)
+#define outsw(addr, buffer, count) __outsw(PCI_IOBASE + (addr), buffer, count)
+#define outsl(addr, buffer, count) __outsl(PCI_IOBASE + (addr), buffer, count)
#ifdef CONFIG_64BIT
__io_reads_ins(reads, u64, q, __io_br(), __io_ar(addr))
#define readsq(addr, buffer, count) __readsq(addr, buffer, count)
__io_reads_ins(ins, u64, q, __io_pbr(), __io_par(addr))
-#define insq(addr, buffer, count) __insq((void __iomem *)addr, buffer, count)
+#define insq(addr, buffer, count) __insq(PCI_IOBASE + (addr), buffer, count)
__io_writes_outs(writes, u64, q, __io_bw(), __io_aw())
#define writesq(addr, buffer, count) __writesq(addr, buffer, count)
__io_writes_outs(outs, u64, q, __io_pbr(), __io_paw())
-#define outsq(addr, buffer, count) __outsq((void __iomem *)addr, buffer, count)
+#define outsq(addr, buffer, count) __outsq(PCI_IOBASE + (addr), buffer, count)
#endif
#include <asm-generic/io.h>
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 059/862] parisc: fbdev/stifb: Align graphics memory size to 4MB
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 058/862] RISC-V: Make port I/O string accessors actually work Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 060/862] parisc: Fix userspace graphics card breakage due to pgtable special bit Greg Kroah-Hartman
` (817 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Helge Deller
From: Helge Deller <deller@gmx.de>
commit aca7c13d3bee81a968337a5515411409ae9d095d upstream.
Independend of the current graphics resolution, adjust the reported
graphics card memory size to the next 4MB boundary.
This fixes the fbtest program which expects a naturally aligned size.
Signed-off-by: Helge Deller <deller@gmx.de>
Cc: <stable@vger.kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/stifb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/video/fbdev/stifb.c
+++ b/drivers/video/fbdev/stifb.c
@@ -1298,7 +1298,7 @@ static int __init stifb_init_fb(struct s
/* limit fbsize to max visible screen size */
if (fix->smem_len > yres*fix->line_length)
- fix->smem_len = yres*fix->line_length;
+ fix->smem_len = ALIGN(yres*fix->line_length, 4*1024*1024);
fix->accel = FB_ACCEL_NONE;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 060/862] parisc: Fix userspace graphics card breakage due to pgtable special bit
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 059/862] parisc: fbdev/stifb: Align graphics memory size to 4MB Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 061/862] riscv: vdso: fix NULL deference in vdso_join_timens() when vfork Greg Kroah-Hartman
` (816 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Helge Deller
From: Helge Deller <deller@gmx.de>
commit 70be49f2f6223ddd2fcddb0089a40864c37e1494 upstream.
Commit df24e1783e6e ("parisc: Add vDSO support") introduced the vDSO
support, for which a _PAGE_SPECIAL page table flag was needed. Since we
wanted to keep every page table entry in 32-bits, this patch re-used the
existing - but yet unused - _PAGE_DMB flag (which triggers a hardware break
if a page is accessed) to store the special bit.
But when graphics card memory is mmapped into userspace, the kernel uses
vm_iomap_memory() which sets the the special flag. So, with the DMB bit
set, every access to the graphics memory now triggered a hardware
exception and segfaulted the userspace program.
Fix this breakage by dropping the DMB bit when writing the page
protection bits to the CPU TLB.
In addition this patch adds a small optimization: if huge pages aren't
configured (which is at least the case for 32-bit kernels), then the
special bit is stored in the hpage (HUGE PAGE) bit instead. That way we
can skip to reset the DMB bit.
Fixes: df24e1783e6e ("parisc: Add vDSO support")
Cc: <stable@vger.kernel.org> # 5.18+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/parisc/include/asm/pgtable.h | 7 ++++++-
arch/parisc/kernel/entry.S | 8 ++++++++
2 files changed, 14 insertions(+), 1 deletion(-)
--- a/arch/parisc/include/asm/pgtable.h
+++ b/arch/parisc/include/asm/pgtable.h
@@ -192,6 +192,11 @@ extern void __update_cache(pte_t pte);
#define _PAGE_PRESENT_BIT 22 /* (0x200) Software: translation valid */
#define _PAGE_HPAGE_BIT 21 /* (0x400) Software: Huge Page */
#define _PAGE_USER_BIT 20 /* (0x800) Software: User accessible page */
+#ifdef CONFIG_HUGETLB_PAGE
+#define _PAGE_SPECIAL_BIT _PAGE_DMB_BIT /* DMB feature is currently unused */
+#else
+#define _PAGE_SPECIAL_BIT _PAGE_HPAGE_BIT /* use unused HUGE PAGE bit */
+#endif
/* N.B. The bits are defined in terms of a 32 bit word above, so the */
/* following macro is ok for both 32 and 64 bit. */
@@ -219,7 +224,7 @@ extern void __update_cache(pte_t pte);
#define _PAGE_PRESENT (1 << xlate_pabit(_PAGE_PRESENT_BIT))
#define _PAGE_HUGE (1 << xlate_pabit(_PAGE_HPAGE_BIT))
#define _PAGE_USER (1 << xlate_pabit(_PAGE_USER_BIT))
-#define _PAGE_SPECIAL (_PAGE_DMB)
+#define _PAGE_SPECIAL (1 << xlate_pabit(_PAGE_SPECIAL_BIT))
#define _PAGE_TABLE (_PAGE_PRESENT | _PAGE_READ | _PAGE_WRITE | _PAGE_DIRTY | _PAGE_ACCESSED)
#define _PAGE_CHG_MASK (PAGE_MASK | _PAGE_ACCESSED | _PAGE_DIRTY | _PAGE_SPECIAL)
--- a/arch/parisc/kernel/entry.S
+++ b/arch/parisc/kernel/entry.S
@@ -499,6 +499,10 @@
* Finally, _PAGE_READ goes in the top bit of PL1 (so we
* trigger an access rights trap in user space if the user
* tries to read an unreadable page */
+#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT
+ /* need to drop DMB bit, as it's used as SPECIAL flag */
+ depi 0,_PAGE_SPECIAL_BIT,1,\pte
+#endif
depd \pte,8,7,\prot
/* PAGE_USER indicates the page can be read with user privileges,
@@ -529,6 +533,10 @@
* makes the tlb entry for the differently formatted pa11
* insertion instructions */
.macro make_insert_tlb_11 spc,pte,prot
+#if _PAGE_SPECIAL_BIT == _PAGE_DMB_BIT
+ /* need to drop DMB bit, as it's used as SPECIAL flag */
+ depi 0,_PAGE_SPECIAL_BIT,1,\pte
+#endif
zdep \spc,30,15,\prot
dep \pte,8,7,\prot
extru,= \pte,_PAGE_NO_CACHE_BIT,1,%r0
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 061/862] riscv: vdso: fix NULL deference in vdso_join_timens() when vfork
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 060/862] parisc: Fix userspace graphics card breakage due to pgtable special bit Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 062/862] riscv: Allow PROT_WRITE-only mmap() Greg Kroah-Hartman
` (815 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Jisheng Zhang, Palmer Dabbelt
From: Jisheng Zhang <jszhang@kernel.org>
commit a8616d2dc193b6becc36b5f3cfeaa9ac7a5762f9 upstream.
Testing tools/testing/selftests/timens/vfork_exec.c got below
kernel log:
[ 6.838454] Unable to handle kernel access to user memory without uaccess routines at virtual address 0000000000000020
[ 6.842255] Oops [#1]
[ 6.842871] Modules linked in:
[ 6.844249] CPU: 1 PID: 64 Comm: vfork_exec Not tainted 6.0.0-rc3-rt15+ #8
[ 6.845861] Hardware name: riscv-virtio,qemu (DT)
[ 6.848009] epc : vdso_join_timens+0xd2/0x110
[ 6.850097] ra : vdso_join_timens+0xd2/0x110
[ 6.851164] epc : ffffffff8000635c ra : ffffffff8000635c sp : ff6000000181fbf0
[ 6.852562] gp : ffffffff80cff648 tp : ff60000000fdb700 t0 : 3030303030303030
[ 6.853852] t1 : 0000000000000030 t2 : 3030303030303030 s0 : ff6000000181fc40
[ 6.854984] s1 : ff60000001e6c000 a0 : 0000000000000010 a1 : ffffffff8005654c
[ 6.856221] a2 : 00000000ffffefff a3 : 0000000000000000 a4 : 0000000000000000
[ 6.858114] a5 : 0000000000000000 a6 : 0000000000000008 a7 : 0000000000000038
[ 6.859484] s2 : ff60000001e6c068 s3 : ff6000000108abb0 s4 : 0000000000000000
[ 6.860751] s5 : 0000000000001000 s6 : ffffffff8089dc40 s7 : ffffffff8089dc38
[ 6.862029] s8 : ffffffff8089dc30 s9 : ff60000000fdbe38 s10: 000000000000005e
[ 6.863304] s11: ffffffff80cc3510 t3 : ffffffff80d1112f t4 : ffffffff80d1112f
[ 6.864565] t5 : ffffffff80d11130 t6 : ff6000000181fa00
[ 6.865561] status: 0000000000000120 badaddr: 0000000000000020 cause: 000000000000000d
[ 6.868046] [<ffffffff8008dc94>] timens_commit+0x38/0x11a
[ 6.869089] [<ffffffff8008dde8>] timens_on_fork+0x72/0xb4
[ 6.870055] [<ffffffff80190096>] begin_new_exec+0x3c6/0x9f0
[ 6.871231] [<ffffffff801d826c>] load_elf_binary+0x628/0x1214
[ 6.872304] [<ffffffff8018ee7a>] bprm_execve+0x1f2/0x4e4
[ 6.873243] [<ffffffff8018f90c>] do_execveat_common+0x16e/0x1ee
[ 6.874258] [<ffffffff8018f9c8>] sys_execve+0x3c/0x48
[ 6.875162] [<ffffffff80003556>] ret_from_syscall+0x0/0x2
[ 6.877484] ---[ end trace 0000000000000000 ]---
This is because the mm->context.vdso_info is NULL in vfork case. From
another side, mm->context.vdso_info either points to vdso info
for RV64 or vdso info for compat, there's no need to bloat riscv's
mm_context_t, we can handle the difference when setup the additional
page for vdso.
Signed-off-by: Jisheng Zhang <jszhang@kernel.org>
Suggested-by: Palmer Dabbelt <palmer@rivosinc.com>
Fixes: 3092eb456375 ("riscv: compat: vdso: Add setup additional pages implementation")
Link: https://lore.kernel.org/r/20220924070737.3048-1-jszhang@kernel.org
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/include/asm/mmu.h | 1 -
arch/riscv/kernel/vdso.c | 13 ++++++++++---
2 files changed, 10 insertions(+), 4 deletions(-)
--- a/arch/riscv/include/asm/mmu.h
+++ b/arch/riscv/include/asm/mmu.h
@@ -16,7 +16,6 @@ typedef struct {
atomic_long_t id;
#endif
void *vdso;
- void *vdso_info;
#ifdef CONFIG_SMP
/* A local icache flush is needed before user execution can resume. */
cpumask_t icache_stale_mask;
--- a/arch/riscv/kernel/vdso.c
+++ b/arch/riscv/kernel/vdso.c
@@ -60,6 +60,11 @@ struct __vdso_info {
struct vm_special_mapping *cm;
};
+static struct __vdso_info vdso_info;
+#ifdef CONFIG_COMPAT
+static struct __vdso_info compat_vdso_info;
+#endif
+
static int vdso_mremap(const struct vm_special_mapping *sm,
struct vm_area_struct *new_vma)
{
@@ -114,15 +119,18 @@ int vdso_join_timens(struct task_struct
{
struct mm_struct *mm = task->mm;
struct vm_area_struct *vma;
- struct __vdso_info *vdso_info = mm->context.vdso_info;
mmap_read_lock(mm);
for (vma = mm->mmap; vma; vma = vma->vm_next) {
unsigned long size = vma->vm_end - vma->vm_start;
- if (vma_is_special_mapping(vma, vdso_info->dm))
+ if (vma_is_special_mapping(vma, vdso_info.dm))
zap_page_range(vma, vma->vm_start, size);
+#ifdef CONFIG_COMPAT
+ if (vma_is_special_mapping(vma, compat_vdso_info.dm))
+ zap_page_range(vma, vma->vm_start, size);
+#endif
}
mmap_read_unlock(mm);
@@ -264,7 +272,6 @@ static int __setup_additional_pages(stru
vdso_base += VVAR_SIZE;
mm->context.vdso = (void *)vdso_base;
- mm->context.vdso_info = (void *)vdso_info;
ret =
_install_special_mapping(mm, vdso_base, vdso_text_len,
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 062/862] riscv: Allow PROT_WRITE-only mmap()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 061/862] riscv: vdso: fix NULL deference in vdso_join_timens() when vfork Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 063/862] riscv: Make VM_WRITE imply VM_READ Greg Kroah-Hartman
` (814 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Atish Patra, Andrew Bresticker,
Palmer Dabbelt
From: Andrew Bresticker <abrestic@rivosinc.com>
commit 9e2e6042a7ec6504fe8e366717afa2f40cf16488 upstream.
Commit 2139619bcad7 ("riscv: mmap with PROT_WRITE but no PROT_READ is
invalid") made mmap() return EINVAL if PROT_WRITE was set wihtout
PROT_READ with the justification that a write-only PTE is considered a
reserved PTE permission bit pattern in the privileged spec. This check
is unnecessary since we let VM_WRITE imply VM_READ on RISC-V, and it is
inconsistent with other architectures that don't support write-only PTEs,
creating a potential software portability issue. Just remove the check
altogether and let PROT_WRITE imply PROT_READ as is the case on other
architectures.
Note that this also allows PROT_WRITE|PROT_EXEC mappings which were
disallowed prior to the aforementioned commit; PROT_READ is implied in
such mappings as well.
Fixes: 2139619bcad7 ("riscv: mmap with PROT_WRITE but no PROT_READ is invalid")
Reviewed-by: Atish Patra <atishp@rivosinc.com>
Signed-off-by: Andrew Bresticker <abrestic@rivosinc.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220915193702.2201018-3-abrestic@rivosinc.com/
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/kernel/sys_riscv.c | 3 ---
1 file changed, 3 deletions(-)
--- a/arch/riscv/kernel/sys_riscv.c
+++ b/arch/riscv/kernel/sys_riscv.c
@@ -18,9 +18,6 @@ static long riscv_sys_mmap(unsigned long
if (unlikely(offset & (~PAGE_MASK >> page_shift_offset)))
return -EINVAL;
- if (unlikely((prot & PROT_WRITE) && !(prot & PROT_READ)))
- return -EINVAL;
-
return ksys_mmap_pgoff(addr, len, prot, flags, fd,
offset >> (PAGE_SHIFT - page_shift_offset));
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 063/862] riscv: Make VM_WRITE imply VM_READ
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 062/862] riscv: Allow PROT_WRITE-only mmap() Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 064/862] riscv: always honor the CONFIG_CMDLINE_FORCE when parsing dtb Greg Kroah-Hartman
` (813 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Atish Patra, Andrew Bresticker,
Palmer Dabbelt
From: Andrew Bresticker <abrestic@rivosinc.com>
commit 7ab72c597356be1e7f0f3d856e54ce78527f43c8 upstream.
RISC-V does not presently have write-only mappings as that PTE bit pattern
is considered reserved in the privileged spec, so allow handling of read
faults in VMAs that have VM_WRITE without VM_READ in order to be consistent
with other architectures that have similar limitations.
Fixes: 2139619bcad7 ("riscv: mmap with PROT_WRITE but no PROT_READ is invalid")
Reviewed-by: Atish Patra <atishp@rivosinc.com>
Signed-off-by: Andrew Bresticker <abrestic@rivosinc.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20220915193702.2201018-2-abrestic@rivosinc.com/
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/mm/fault.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/arch/riscv/mm/fault.c
+++ b/arch/riscv/mm/fault.c
@@ -184,7 +184,8 @@ static inline bool access_error(unsigned
}
break;
case EXC_LOAD_PAGE_FAULT:
- if (!(vma->vm_flags & VM_READ)) {
+ /* Write implies read */
+ if (!(vma->vm_flags & (VM_READ | VM_WRITE))) {
return true;
}
break;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 064/862] riscv: always honor the CONFIG_CMDLINE_FORCE when parsing dtb
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 063/862] riscv: Make VM_WRITE imply VM_READ Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 065/862] riscv: Pass -mno-relax only on lld < 15.0.0 Greg Kroah-Hartman
` (812 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Wenting Zhang, Björn Töpel,
Conor Dooley, Palmer Dabbelt
From: Wenting Zhang <zephray@outlook.com>
commit 10f6913c548b32ecb73801a16b120e761c6957ea upstream.
When CONFIG_CMDLINE_FORCE is enabled, cmdline provided by
CONFIG_CMDLINE are always used. This allows CONFIG_CMDLINE to be
used regardless of the result of device tree scanning.
This especially fixes the case where a device tree without the
chosen node is supplied to the kernel. In such cases,
early_init_dt_scan would return true. But inside
early_init_dt_scan_chosen, the cmdline won't be updated as there
is no chosen node in the device tree. As a result, CONFIG_CMDLINE
is not copied into boot_command_line even if CONFIG_CMDLINE_FORCE
is enabled. This commit allows properly update boot_command_line
in this situation.
Fixes: 8fd6e05c7463 ("arch: riscv: support kernel command line forcing when no DTB passed")
Signed-off-by: Wenting Zhang <zephray@outlook.com>
Reviewed-by: Björn Töpel <bjorn@kernel.org>
Reviewed-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/PSBPR04MB399135DFC54928AB958D0638B1829@PSBPR04MB3991.apcprd04.prod.outlook.com
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/kernel/setup.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/arch/riscv/kernel/setup.c
+++ b/arch/riscv/kernel/setup.c
@@ -252,10 +252,10 @@ static void __init parse_dtb(void)
pr_info("Machine model: %s\n", name);
dump_stack_set_arch_desc("%s (DT)", name);
}
- return;
+ } else {
+ pr_err("No DTB passed to the kernel\n");
}
- pr_err("No DTB passed to the kernel\n");
#ifdef CONFIG_CMDLINE_FORCE
strscpy(boot_command_line, CONFIG_CMDLINE, COMMAND_LINE_SIZE);
pr_info("Forcing kernel command line to: %s\n", boot_command_line);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 065/862] riscv: Pass -mno-relax only on lld < 15.0.0
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 064/862] riscv: always honor the CONFIG_CMDLINE_FORCE when parsing dtb Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 066/862] UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK Greg Kroah-Hartman
` (811 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Fangrui Song, Nick Desaulniers,
Nathan Chancellor, Conor Dooley, Palmer Dabbelt
From: Fangrui Song <maskray@google.com>
commit 3cebf80e9a0d3adcb174053be32c88a640b3344b upstream.
lld since llvm:6611d58f5bbc ("[ELF] Relax R_RISCV_ALIGN"), which will be
included in the 15.0.0 release, has implemented some RISC-V linker
relaxation. -mno-relax is no longer needed in
KBUILD_CFLAGS/KBUILD_AFLAGS to suppress R_RISCV_ALIGN which older lld
can not handle:
ld.lld: error: capability.c:(.fixup+0x0): relocation R_RISCV_ALIGN
requires unimplemented linker relaxation; recompile with -mno-relax
but the .o is already compiled with -mno-relax
Signed-off-by: Fangrui Song <maskray@google.com>
Link: https://lore.kernel.org/r/20220710071117.446112-1-maskray@google.com/
Link: https://lore.kernel.org/r/20220918092933.19943-1-palmer@rivosinc.com
Reviewed-by: Nick Desaulniers <ndesaulniers@google.com>
Tested-by: Nick Desaulniers <ndesaulniers@google.com>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Tested-by: Conor Dooley <conor.dooley@microchip.com>
Cc: stable@vger.kernel.org
Signed-off-by: Palmer Dabbelt <palmer@rivosinc.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/riscv/Makefile | 2 ++
1 file changed, 2 insertions(+)
--- a/arch/riscv/Makefile
+++ b/arch/riscv/Makefile
@@ -37,6 +37,7 @@ else
endif
ifeq ($(CONFIG_LD_IS_LLD),y)
+ifeq ($(shell test $(CONFIG_LLD_VERSION) -lt 150000; echo $$?),0)
KBUILD_CFLAGS += -mno-relax
KBUILD_AFLAGS += -mno-relax
ifndef CONFIG_AS_IS_LLVM
@@ -44,6 +45,7 @@ ifndef CONFIG_AS_IS_LLVM
KBUILD_AFLAGS += -Wa,-mno-relax
endif
endif
+endif
# ISA string setting
riscv-march-$(CONFIG_ARCH_RV32I) := rv32ima
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 066/862] UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 065/862] riscv: Pass -mno-relax only on lld < 15.0.0 Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 067/862] nvmem: core: Fix memleak in nvmem_register() Greg Kroah-Hartman
` (810 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Huacai Chen, Richard Weinberger
From: Huacai Chen <chenhuacai@loongson.cn>
commit 16c546e148fa6d14a019431436a6f7b4087dbccd upstream.
When CONFIG_CPUMASK_OFFSTACK and CONFIG_DEBUG_PER_CPU_MAPS is selected,
cpu_max_bits_warn() generates a runtime warning similar as below while
we show /proc/cpuinfo. Fix this by using nr_cpu_ids (the runtime limit)
instead of NR_CPUS to iterate CPUs.
[ 3.052463] ------------[ cut here ]------------
[ 3.059679] WARNING: CPU: 3 PID: 1 at include/linux/cpumask.h:108 show_cpuinfo+0x5e8/0x5f0
[ 3.070072] Modules linked in: efivarfs autofs4
[ 3.076257] CPU: 0 PID: 1 Comm: systemd Not tainted 5.19-rc5+ #1052
[ 3.099465] Stack : 9000000100157b08 9000000000f18530 9000000000cf846c 9000000100154000
[ 3.109127] 9000000100157a50 0000000000000000 9000000100157a58 9000000000ef7430
[ 3.118774] 90000001001578e8 0000000000000040 0000000000000020 ffffffffffffffff
[ 3.128412] 0000000000aaaaaa 1ab25f00eec96a37 900000010021de80 900000000101c890
[ 3.138056] 0000000000000000 0000000000000000 0000000000000000 0000000000aaaaaa
[ 3.147711] ffff8000339dc220 0000000000000001 0000000006ab4000 0000000000000000
[ 3.157364] 900000000101c998 0000000000000004 9000000000ef7430 0000000000000000
[ 3.167012] 0000000000000009 000000000000006c 0000000000000000 0000000000000000
[ 3.176641] 9000000000d3de08 9000000001639390 90000000002086d8 00007ffff0080286
[ 3.186260] 00000000000000b0 0000000000000004 0000000000000000 0000000000071c1c
[ 3.195868] ...
[ 3.199917] Call Trace:
[ 3.203941] [<90000000002086d8>] show_stack+0x38/0x14c
[ 3.210666] [<9000000000cf846c>] dump_stack_lvl+0x60/0x88
[ 3.217625] [<900000000023d268>] __warn+0xd0/0x100
[ 3.223958] [<9000000000cf3c90>] warn_slowpath_fmt+0x7c/0xcc
[ 3.231150] [<9000000000210220>] show_cpuinfo+0x5e8/0x5f0
[ 3.238080] [<90000000004f578c>] seq_read_iter+0x354/0x4b4
[ 3.245098] [<90000000004c2e90>] new_sync_read+0x17c/0x1c4
[ 3.252114] [<90000000004c5174>] vfs_read+0x138/0x1d0
[ 3.258694] [<90000000004c55f8>] ksys_read+0x70/0x100
[ 3.265265] [<9000000000cfde9c>] do_syscall+0x7c/0x94
[ 3.271820] [<9000000000202fe4>] handle_syscall+0xc4/0x160
[ 3.281824] ---[ end trace 8b484262b4b8c24c ]---
Cc: stable@vger.kernel.org
Signed-off-by: Huacai Chen <chenhuacai@loongson.cn>
Signed-off-by: Richard Weinberger <richard@nod.at>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/um/kernel/um_arch.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/um/kernel/um_arch.c
+++ b/arch/um/kernel/um_arch.c
@@ -96,7 +96,7 @@ static int show_cpuinfo(struct seq_file
static void *c_start(struct seq_file *m, loff_t *pos)
{
- return *pos < NR_CPUS ? cpu_data + *pos : NULL;
+ return *pos < nr_cpu_ids ? cpu_data + *pos : NULL;
}
static void *c_next(struct seq_file *m, void *v, loff_t *pos)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 067/862] nvmem: core: Fix memleak in nvmem_register()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 066/862] UM: cpuinfo: Fix a warning for CONFIG_CPUMASK_OFFSTACK Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 068/862] nvme-multipath: fix possible hang in live ns resize with ANA access Greg Kroah-Hartman
` (809 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Gaosheng Cui, Srinivas Kandagatla
From: Gaosheng Cui <cuigaosheng1@huawei.com>
commit bd1244561fa2a4531ded40dbf09c9599084f8b29 upstream.
dev_set_name will alloc memory for nvmem->dev.kobj.name in
nvmem_register, when nvmem_validate_keepouts failed, nvmem's
memory will be freed and return, but nobody will free memory
for nvmem->dev.kobj.name, there will be memleak, so moving
nvmem_validate_keepouts() after device_register() and let
the device core deal with cleaning name in error cases.
Fixes: de0534df9347 ("nvmem: core: fix error handling while validating keepout regions")
Cc: stable@vger.kernel.org
Signed-off-by: Gaosheng Cui <cuigaosheng1@huawei.com>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20220916120402.38753-1-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvmem/core.c | 15 ++++++---------
1 file changed, 6 insertions(+), 9 deletions(-)
--- a/drivers/nvmem/core.c
+++ b/drivers/nvmem/core.c
@@ -829,21 +829,18 @@ struct nvmem_device *nvmem_register(cons
nvmem->dev.groups = nvmem_dev_groups;
#endif
- if (nvmem->nkeepout) {
- rval = nvmem_validate_keepouts(nvmem);
- if (rval) {
- ida_free(&nvmem_ida, nvmem->id);
- kfree(nvmem);
- return ERR_PTR(rval);
- }
- }
-
dev_dbg(&nvmem->dev, "Registering nvmem device %s\n", config->name);
rval = device_register(&nvmem->dev);
if (rval)
goto err_put_device;
+ if (nvmem->nkeepout) {
+ rval = nvmem_validate_keepouts(nvmem);
+ if (rval)
+ goto err_device_del;
+ }
+
if (config->compat) {
rval = nvmem_sysfs_setup_compat(nvmem, config);
if (rval)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 068/862] nvme-multipath: fix possible hang in live ns resize with ANA access
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 067/862] nvmem: core: Fix memleak in nvmem_register() Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 069/862] Revert "drm/amdgpu: use dirty framebuffer helper" Greg Kroah-Hartman
` (808 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Yogev Cohen, Sagi Grimberg,
Christoph Hellwig
From: Sagi Grimberg <sagi@grimberg.me>
commit 72e3b8883a36e80ebfa41015c7b6926ce31ace05 upstream.
When we revalidate paths as part of ns size change (as of commit
e7d65803e2bb), it is possible that during the path revalidation, the
only paths that is IO capable (i.e. optimized/non-optimized) are the
ones that ns resize was not yet informed to the host, which will cause
inflight requests to be requeued (as we have available paths but none
are IO capable). These requests on the requeue list are waiting for
someone to resubmit them at some point.
The IO capable paths will eventually notify the ns resize change to the
host, but there is nothing that will kick the requeue list to resubmit
the queued requests.
Fix this by always kicking the requeue list, and if no IO capable path
exists, these requests will be queued again.
A typical log that indicates that IOs are requeued:
--
nvme nvme1: creating 4 I/O queues.
nvme nvme1: new ctrl: "testnqn1"
nvme nvme2: creating 4 I/O queues.
nvme nvme2: mapped 4/0/0 default/read/poll queues.
nvme nvme2: new ctrl: NQN "testnqn1", addr 127.0.0.1:8009
nvme nvme1: rescanning namespaces.
nvme1n1: detected capacity change from 2097152 to 4194304
block nvme1n1: no usable path - requeuing I/O
block nvme1n1: no usable path - requeuing I/O
block nvme1n1: no usable path - requeuing I/O
block nvme1n1: no usable path - requeuing I/O
block nvme1n1: no usable path - requeuing I/O
block nvme1n1: no usable path - requeuing I/O
block nvme1n1: no usable path - requeuing I/O
block nvme1n1: no usable path - requeuing I/O
block nvme1n1: no usable path - requeuing I/O
block nvme1n1: no usable path - requeuing I/O
nvme nvme2: rescanning namespaces.
--
Reported-by: Yogev Cohen <yogev@lightbitslabs.com>
Fixes: e7d65803e2bb ("nvme-multipath: revalidate paths during rescan")
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Cc: <stable@vger.kernel.org> # v5.15+
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/multipath.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/nvme/host/multipath.c
+++ b/drivers/nvme/host/multipath.c
@@ -182,6 +182,7 @@ void nvme_mpath_revalidate_paths(struct
for_each_node(node)
rcu_assign_pointer(head->current_path[node], NULL);
+ kblockd_schedule_work(&head->requeue_work);
}
static bool nvme_path_is_disabled(struct nvme_ns *ns)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 069/862] Revert "drm/amdgpu: use dirty framebuffer helper"
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 068/862] nvme-multipath: fix possible hang in live ns resize with ANA access Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 070/862] dm: verity-loadpin: Only trust verity targets with enforcement Greg Kroah-Hartman
` (807 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hamza Mahfooz, Alex Deucher
From: Hamza Mahfooz <hamza.mahfooz@amd.com>
commit 17d819e2828cacca2e4c909044eb9798ed379cd2 upstream.
This reverts commit 66f99628eb24409cb8feb5061f78283c8b65f820.
Unfortunately, that commit causes performance regressions on non-PSR
setups. So, just revert it until FB_DAMAGE_CLIPS support can be added.
Cc: stable@vger.kernel.org
Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2189
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216554
Fixes: 66f99628eb2440 ("drm/amdgpu: use dirty framebuffer helper")
Fixes: abbc7a3dafb91b ("drm/amdgpu: don't register a dirty callback for non-atomic")
Signed-off-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
Acked-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_display.c | 14 ++------------
1 file changed, 2 insertions(+), 12 deletions(-)
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_display.c
@@ -38,8 +38,6 @@
#include <linux/pci.h>
#include <linux/pm_runtime.h>
#include <drm/drm_crtc_helper.h>
-#include <drm/drm_damage_helper.h>
-#include <drm/drm_drv.h>
#include <drm/drm_edid.h>
#include <drm/drm_gem_framebuffer_helper.h>
#include <drm/drm_fb_helper.h>
@@ -500,12 +498,6 @@ static const struct drm_framebuffer_func
.create_handle = drm_gem_fb_create_handle,
};
-static const struct drm_framebuffer_funcs amdgpu_fb_funcs_atomic = {
- .destroy = drm_gem_fb_destroy,
- .create_handle = drm_gem_fb_create_handle,
- .dirty = drm_atomic_helper_dirtyfb,
-};
-
uint32_t amdgpu_display_supported_domains(struct amdgpu_device *adev,
uint64_t bo_flags)
{
@@ -1108,10 +1100,8 @@ static int amdgpu_display_gem_fb_verify_
if (ret)
goto err;
- if (drm_drv_uses_atomic_modeset(dev))
- ret = drm_framebuffer_init(dev, &rfb->base, &amdgpu_fb_funcs_atomic);
- else
- ret = drm_framebuffer_init(dev, &rfb->base, &amdgpu_fb_funcs);
+ ret = drm_framebuffer_init(dev, &rfb->base, &amdgpu_fb_funcs);
+
if (ret)
goto err;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 070/862] dm: verity-loadpin: Only trust verity targets with enforcement
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 069/862] Revert "drm/amdgpu: use dirty framebuffer helper" Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 071/862] dmaengine: mxs: use platform_driver_register Greg Kroah-Hartman
` (806 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sarthak Kukreti, Matthias Kaehlcke,
Kees Cook
From: Matthias Kaehlcke <mka@chromium.org>
commit 916ef6232cc4b84db7082b4c3d3cf1753d9462ba upstream.
Verity targets can be configured to ignore corrupted data blocks.
LoadPin must only trust verity targets that are configured to
perform some kind of enforcement when data corruption is detected,
like returning an error, restarting the system or triggering a
panic.
Fixes: b6c1c5745ccc ("dm: Add verity helpers for LoadPin")
Reported-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Reviewed-by: Sarthak Kukreti <sarthakkukreti@chromium.org>
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220907133055.1.Ic8a1dafe960dc0f8302e189642bc88ebb785d274@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-verity-loadpin.c | 8 ++++++++
drivers/md/dm-verity-target.c | 16 ++++++++++++++++
drivers/md/dm-verity.h | 1 +
3 files changed, 25 insertions(+)
diff --git a/drivers/md/dm-verity-loadpin.c b/drivers/md/dm-verity-loadpin.c
index 387ec43aef72..4f78cc55c251 100644
--- a/drivers/md/dm-verity-loadpin.c
+++ b/drivers/md/dm-verity-loadpin.c
@@ -14,6 +14,7 @@ LIST_HEAD(dm_verity_loadpin_trusted_root_digests);
static bool is_trusted_verity_target(struct dm_target *ti)
{
+ int verity_mode;
u8 *root_digest;
unsigned int digest_size;
struct dm_verity_loadpin_trusted_root_digest *trd;
@@ -22,6 +23,13 @@ static bool is_trusted_verity_target(struct dm_target *ti)
if (!dm_is_verity_target(ti))
return false;
+ verity_mode = dm_verity_get_mode(ti);
+
+ if ((verity_mode != DM_VERITY_MODE_EIO) &&
+ (verity_mode != DM_VERITY_MODE_RESTART) &&
+ (verity_mode != DM_VERITY_MODE_PANIC))
+ return false;
+
if (dm_verity_get_root_digest(ti, &root_digest, &digest_size))
return false;
diff --git a/drivers/md/dm-verity-target.c b/drivers/md/dm-verity-target.c
index 94b6cb599db4..8a00cc42e498 100644
--- a/drivers/md/dm-verity-target.c
+++ b/drivers/md/dm-verity-target.c
@@ -1446,6 +1446,22 @@ bool dm_is_verity_target(struct dm_target *ti)
return ti->type->module == THIS_MODULE;
}
+/*
+ * Get the verity mode (error behavior) of a verity target.
+ *
+ * Returns the verity mode of the target, or -EINVAL if 'ti' is not a verity
+ * target.
+ */
+int dm_verity_get_mode(struct dm_target *ti)
+{
+ struct dm_verity *v = ti->private;
+
+ if (!dm_is_verity_target(ti))
+ return -EINVAL;
+
+ return v->mode;
+}
+
/*
* Get the root digest of a verity target.
*
diff --git a/drivers/md/dm-verity.h b/drivers/md/dm-verity.h
index 45455de1b4bc..98f306ec6a33 100644
--- a/drivers/md/dm-verity.h
+++ b/drivers/md/dm-verity.h
@@ -134,6 +134,7 @@ extern int verity_hash_for_block(struct dm_verity *v, struct dm_verity_io *io,
sector_t block, u8 *digest, bool *is_zero);
extern bool dm_is_verity_target(struct dm_target *ti);
+extern int dm_verity_get_mode(struct dm_target *ti);
extern int dm_verity_get_root_digest(struct dm_target *ti, u8 **root_digest,
unsigned int *digest_size);
--
2.38.0
^ permalink raw reply related [flat|nested] 909+ messages in thread
* [PATCH 6.0 071/862] dmaengine: mxs: use platform_driver_register
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 070/862] dm: verity-loadpin: Only trust verity targets with enforcement Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 072/862] dmaengine: qcom-adm: fix wrong sizeof config in slave_config Greg Kroah-Hartman
` (805 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Michael Trimarchi, Dario Binacchi,
Sascha Hauer, Vinod Koul
From: Dario Binacchi <dario.binacchi@amarulasolutions.com>
commit 26696d4657167112a1079f86cba1739765c1360e upstream.
Driver registration fails on SOC imx8mn as its supplier, the clock
control module, is probed later than subsys initcall level. This driver
uses platform_driver_probe which is not compatible with deferred probing
and won't be probed again later if probe function fails due to clock not
being available at that time.
This patch replaces the use of platform_driver_probe with
platform_driver_register which will allow probing the driver later again
when the clock control module will be available.
The __init annotation has been dropped because it is not compatible with
deferred probing. The code is not executed once and its memory cannot be
freed.
Fixes: a580b8c5429a ("dmaengine: mxs-dma: add dma support for i.MX23/28")
Co-developed-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com>
Signed-off-by: Dario Binacchi <dario.binacchi@amarulasolutions.com>
Acked-by: Sascha Hauer <s.hauer@pengutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Link: https://lore.kernel.org/r/20220921170556.1055962-1-dario.binacchi@amarulasolutions.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
---
drivers/dma/mxs-dma.c | 11 ++++-------
1 file changed, 4 insertions(+), 7 deletions(-)
--- a/drivers/dma/mxs-dma.c
+++ b/drivers/dma/mxs-dma.c
@@ -670,7 +670,7 @@ static enum dma_status mxs_dma_tx_status
return mxs_chan->status;
}
-static int __init mxs_dma_init(struct mxs_dma_engine *mxs_dma)
+static int mxs_dma_init(struct mxs_dma_engine *mxs_dma)
{
int ret;
@@ -741,7 +741,7 @@ static struct dma_chan *mxs_dma_xlate(st
ofdma->of_node);
}
-static int __init mxs_dma_probe(struct platform_device *pdev)
+static int mxs_dma_probe(struct platform_device *pdev)
{
struct device_node *np = pdev->dev.of_node;
const struct mxs_dma_type *dma_type;
@@ -839,10 +839,7 @@ static struct platform_driver mxs_dma_dr
.name = "mxs-dma",
.of_match_table = mxs_dma_dt_ids,
},
+ .probe = mxs_dma_probe,
};
-static int __init mxs_dma_module_init(void)
-{
- return platform_driver_probe(&mxs_dma_driver, mxs_dma_probe);
-}
-subsys_initcall(mxs_dma_module_init);
+builtin_platform_driver(mxs_dma_driver);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 072/862] dmaengine: qcom-adm: fix wrong sizeof config in slave_config
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 071/862] dmaengine: mxs: use platform_driver_register Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 073/862] dmaengine: qcom-adm: fix wrong calling convention for prep_slave_sg Greg Kroah-Hartman
` (804 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christian Marangi, Arnd Bergmann,
Dmitry Baryshkov, Vinod Koul
From: Christian Marangi <ansuelsmth@gmail.com>
commit 7c8765308371be30f50c1b5b97618b731514b207 upstream.
Fix broken slave_config function that uncorrectly compare the
peripheral_size with the size of the config pointer instead of the size
of the config struct. This cause the crci value to be ignored and cause
a kernel panic on any slave that use adm driver.
To fix this, compare to the size of the struct and NOT the size of the
pointer.
Fixes: 03de6b273805 ("dmaengine: qcom-adm: stop abusing slave_id config")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Cc: stable@vger.kernel.org # v5.17+
Reviewed-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20220915204844.3838-1-ansuelsmth@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/qcom/qcom_adm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/dma/qcom/qcom_adm.c
+++ b/drivers/dma/qcom/qcom_adm.c
@@ -494,7 +494,7 @@ static int adm_slave_config(struct dma_c
spin_lock_irqsave(&achan->vc.lock, flag);
memcpy(&achan->slave, cfg, sizeof(struct dma_slave_config));
- if (cfg->peripheral_size == sizeof(config))
+ if (cfg->peripheral_size == sizeof(*config))
achan->crci = config->crci;
spin_unlock_irqrestore(&achan->vc.lock, flag);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 073/862] dmaengine: qcom-adm: fix wrong calling convention for prep_slave_sg
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 072/862] dmaengine: qcom-adm: fix wrong sizeof config in slave_config Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 074/862] drm/virtio: Check whether transferred 2D BO is shmem Greg Kroah-Hartman
` (803 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christian Marangi, Vinod Koul
From: Christian Marangi <ansuelsmth@gmail.com>
commit b9d2140c3badf4107973ad77c5a0ec3075705c85 upstream.
The calling convention for pre_slave_sg is to return NULL on error and
provide an error log to the system. Qcom-adm instead provide error
pointer when an error occur. This indirectly cause kernel panic for
example for the nandc driver that checks only if the pointer returned by
device_prep_slave_sg is not NULL. Returning an error pointer makes nandc
think the device_prep_slave_sg function correctly completed and makes
the kernel panics later in the code.
While nandc is the one that makes the kernel crash, it was pointed out
that the real problem is qcom-adm not following calling convention for
that function.
To fix this, drop returning error pointer and return NULL with an error
log.
Fixes: 03de6b273805 ("dmaengine: qcom-adm: stop abusing slave_id config")
Fixes: 5c9f8c2dbdbe ("dmaengine: qcom: Add ADM driver")
Signed-off-by: Christian Marangi <ansuelsmth@gmail.com>
Cc: stable@vger.kernel.org # v5.11+
Link: https://lore.kernel.org/r/20220916041256.7104-1-ansuelsmth@gmail.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/dma/qcom/qcom_adm.c | 20 +++++++++++++-------
1 file changed, 13 insertions(+), 7 deletions(-)
--- a/drivers/dma/qcom/qcom_adm.c
+++ b/drivers/dma/qcom/qcom_adm.c
@@ -379,13 +379,13 @@ static struct dma_async_tx_descriptor *a
if (blk_size < 0) {
dev_err(adev->dev, "invalid burst value: %d\n",
burst);
- return ERR_PTR(-EINVAL);
+ return NULL;
}
crci = achan->crci & 0xf;
if (!crci || achan->crci > 0x1f) {
dev_err(adev->dev, "invalid crci value\n");
- return ERR_PTR(-EINVAL);
+ return NULL;
}
}
@@ -403,8 +403,10 @@ static struct dma_async_tx_descriptor *a
}
async_desc = kzalloc(sizeof(*async_desc), GFP_NOWAIT);
- if (!async_desc)
- return ERR_PTR(-ENOMEM);
+ if (!async_desc) {
+ dev_err(adev->dev, "not enough memory for async_desc struct\n");
+ return NULL;
+ }
async_desc->mux = achan->mux ? ADM_CRCI_CTL_MUX_SEL : 0;
async_desc->crci = crci;
@@ -414,8 +416,10 @@ static struct dma_async_tx_descriptor *a
sizeof(*cple) + 2 * ADM_DESC_ALIGN;
async_desc->cpl = kzalloc(async_desc->dma_len, GFP_NOWAIT);
- if (!async_desc->cpl)
+ if (!async_desc->cpl) {
+ dev_err(adev->dev, "not enough memory for cpl struct\n");
goto free;
+ }
async_desc->adev = adev;
@@ -437,8 +441,10 @@ static struct dma_async_tx_descriptor *a
async_desc->dma_addr = dma_map_single(adev->dev, async_desc->cpl,
async_desc->dma_len,
DMA_TO_DEVICE);
- if (dma_mapping_error(adev->dev, async_desc->dma_addr))
+ if (dma_mapping_error(adev->dev, async_desc->dma_addr)) {
+ dev_err(adev->dev, "dma mapping error for cpl\n");
goto free;
+ }
cple_addr = async_desc->dma_addr + ((void *)cple - async_desc->cpl);
@@ -454,7 +460,7 @@ static struct dma_async_tx_descriptor *a
free:
kfree(async_desc);
- return ERR_PTR(-ENOMEM);
+ return NULL;
}
/**
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 074/862] drm/virtio: Check whether transferred 2D BO is shmem
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 073/862] dmaengine: qcom-adm: fix wrong calling convention for prep_slave_sg Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 075/862] drm/virtio: Unlock reservations on virtio_gpu_object_shmem_init() error Greg Kroah-Hartman
` (802 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Emil Velikov, Dmitry Osipenko, Gerd Hoffmann
From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
commit e473216b42aa1fd9fc6b94b608b42c210c655908 upstream.
Transferred 2D BO always must be a shmem BO. Add check for that to prevent
NULL dereference if userspace passes a VRAM BO.
Cc: stable@vger.kernel.org
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-3-dmitry.osipenko@collabora.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/virtio/virtgpu_vq.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/gpu/drm/virtio/virtgpu_vq.c
+++ b/drivers/gpu/drm/virtio/virtgpu_vq.c
@@ -597,7 +597,7 @@ void virtio_gpu_cmd_transfer_to_host_2d(
bool use_dma_api = !virtio_has_dma_quirk(vgdev->vdev);
struct virtio_gpu_object_shmem *shmem = to_virtio_gpu_shmem(bo);
- if (use_dma_api)
+ if (virtio_gpu_is_shmem(bo) && use_dma_api)
dma_sync_sgtable_for_device(vgdev->vdev->dev.parent,
shmem->pages, DMA_TO_DEVICE);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 075/862] drm/virtio: Unlock reservations on virtio_gpu_object_shmem_init() error
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 074/862] drm/virtio: Check whether transferred 2D BO is shmem Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 076/862] drm/virtio: Unlock reservations on dma_resv_reserve_fences() error Greg Kroah-Hartman
` (801 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Emil Velikov, Dmitry Osipenko, Gerd Hoffmann
From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
commit fdf0ff4d12cbcd76b53f27c96ce51ddca400884a upstream.
Unlock reservations in the error code path of virtio_gpu_object_create()
to silence debug warning splat produced by ww_mutex_destroy(&obj->lock)
when GEM is released with the held lock.
Cc: stable@vger.kernel.org
Fixes: 30172efbfb84 ("drm/virtio: blob prep: refactor getting pages and attaching backing")
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-4-dmitry.osipenko@collabora.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/virtio/virtgpu_object.c | 2 ++
1 file changed, 2 insertions(+)
--- a/drivers/gpu/drm/virtio/virtgpu_object.c
+++ b/drivers/gpu/drm/virtio/virtgpu_object.c
@@ -248,6 +248,8 @@ int virtio_gpu_object_create(struct virt
ret = virtio_gpu_object_shmem_init(vgdev, bo, &ents, &nents);
if (ret != 0) {
+ if (fence)
+ virtio_gpu_array_unlock_resv(objs);
virtio_gpu_array_put_free(objs);
virtio_gpu_free_object(&shmem_obj->base);
return ret;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 076/862] drm/virtio: Unlock reservations on dma_resv_reserve_fences() error
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 075/862] drm/virtio: Unlock reservations on virtio_gpu_object_shmem_init() error Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 077/862] drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb() Greg Kroah-Hartman
` (800 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Thomas Hellström,
Dmitry Osipenko, Gerd Hoffmann
From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
commit 0f877398d30e1df657a31a62f7c7de1869b072b5 upstream.
Unlock reservations on dma_resv_reserve_fences() error to fix recursive
locking of the reservations when this error happens.
Cc: stable@vger.kernel.org
Fixes: c8d4c18bfbc4 ("dma-buf/drivers: make reserving a shared slot mandatory v4")
Reviewed-by: Thomas Hellström <thomas.hellstrom@linux.intel.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-5-dmitry.osipenko@collabora.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/virtio/virtgpu_gem.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/virtio/virtgpu_gem.c
+++ b/drivers/gpu/drm/virtio/virtgpu_gem.c
@@ -228,8 +228,10 @@ int virtio_gpu_array_lock_resv(struct vi
for (i = 0; i < objs->nents; ++i) {
ret = dma_resv_reserve_fences(objs->objs[i]->resv, 1);
- if (ret)
+ if (ret) {
+ virtio_gpu_array_unlock_resv(objs);
return ret;
+ }
}
return ret;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 077/862] drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 076/862] drm/virtio: Unlock reservations on dma_resv_reserve_fences() error Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 078/862] drm/udl: Restore display mode on resume Greg Kroah-Hartman
` (799 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Gerd Hoffmann
From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
commit 4656b3a26a9e9fe5f04bfd2ab55b066266ba7f4d upstream.
Make virtio_gpu_plane_cleanup_fb() to clean the state which DRM core
wants to clean up and not the current plane's state. Normally the older
atomic state is cleaned up, but the newer state could also be cleaned up
in case of aborted commits.
Cc: stable@vger.kernel.org
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Link: http://patchwork.freedesktop.org/patch/msgid/20220630200726.1884320-6-dmitry.osipenko@collabora.com
Signed-off-by: Gerd Hoffmann <kraxel@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/virtio/virtgpu_plane.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/gpu/drm/virtio/virtgpu_plane.c
+++ b/drivers/gpu/drm/virtio/virtgpu_plane.c
@@ -266,14 +266,14 @@ static int virtio_gpu_plane_prepare_fb(s
}
static void virtio_gpu_plane_cleanup_fb(struct drm_plane *plane,
- struct drm_plane_state *old_state)
+ struct drm_plane_state *state)
{
struct virtio_gpu_framebuffer *vgfb;
- if (!plane->state->fb)
+ if (!state->fb)
return;
- vgfb = to_virtio_gpu_framebuffer(plane->state->fb);
+ vgfb = to_virtio_gpu_framebuffer(state->fb);
if (vgfb->fence) {
dma_fence_put(&vgfb->fence->f);
vgfb->fence = NULL;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 078/862] drm/udl: Restore display mode on resume
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 077/862] drm/virtio: Use appropriate atomic state in virtio_gpu_plane_cleanup_fb() Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 079/862] arm64: mte: move register initialization to C Greg Kroah-Hartman
` (798 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Daniel Vetter, Takashi Iwai,
Thomas Zimmermann
From: Takashi Iwai <tiwai@suse.de>
commit 6d6e732835db92e66c28dbcf258a7e3d3c71420d upstream.
Restore the display mode whne resuming from suspend. Currently, the
display remains dark.
On resume, the CRTC's mode does not change, but the 'active' flag
changes to 'true'. Taking this into account when considering a mode
switch restores the display mode.
The bug is reproducable by using Gnome with udl and observing the
adapter's suspend/resume behavior.
Actually, the whole check added in udl_simple_display_pipe_enable()
about the crtc_state->mode_changed was bogus. We should drop the
whole check and always apply the mode change in this function.
[ tiwai -- Drop the mode_changed check entirely instead, per Daniel's
suggestion ]
Fixes: 997d33c35618 ("drm/udl: Inline DPMS code into CRTC enable and disable functions")
Cc: <stable@vger.kernel.org>
Suggested-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Reviewed-by: Daniel Vetter <daniel.vetter@ffwll.ch>
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Thomas Zimmermann <tzimmermann@suse.de>
Link: https://patchwork.freedesktop.org/patch/msgid/20220908095115.23396-2-tiwai@suse.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/udl/udl_modeset.c | 3 ---
1 file changed, 3 deletions(-)
--- a/drivers/gpu/drm/udl/udl_modeset.c
+++ b/drivers/gpu/drm/udl/udl_modeset.c
@@ -382,9 +382,6 @@ udl_simple_display_pipe_enable(struct dr
udl_handle_damage(fb, &shadow_plane_state->data[0], 0, 0, fb->width, fb->height);
- if (!crtc_state->mode_changed)
- return;
-
/* enable display */
udl_crtc_write_mode_to_hw(crtc);
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 079/862] arm64: mte: move register initialization to C
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 078/862] drm/udl: Restore display mode on resume Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 080/862] arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored Greg Kroah-Hartman
` (797 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Peter Collingbourne,
Evgenii Stepanov, Catalin Marinas, kernel test robot
From: Peter Collingbourne <pcc@google.com>
commit 973b9e37330656dec719ede508e4dc40e5c2d80c upstream.
If FEAT_MTE2 is disabled via the arm64.nomte command line argument on a
CPU that claims to support FEAT_MTE2, the kernel will use Tagged Normal
in the MAIR. If we interpret arm64.nomte to mean that the CPU does not
in fact implement FEAT_MTE2, setting the system register like this may
lead to UNSPECIFIED behavior. Fix it by arranging for MAIR to be set
in the C function cpu_enable_mte which is called based on the sanitized
version of the system register.
There is no need for the rest of the MTE-related system register
initialization to happen from assembly, with the exception of TCR_EL1,
which must be set to include at least TBI1 because the secondary CPUs
access KASan-allocated data structures early. Therefore, make the TCR_EL1
initialization unconditional and move the rest of the initialization to
cpu_enable_mte so that we no longer have a dependency on the unsanitized
ID register value.
Co-developed-by: Evgenii Stepanov <eugenis@google.com>
Signed-off-by: Peter Collingbourne <pcc@google.com>
Signed-off-by: Evgenii Stepanov <eugenis@google.com>
Suggested-by: Catalin Marinas <catalin.marinas@arm.com>
Reported-by: kernel test robot <lkp@intel.com>
Fixes: 3b714d24ef17 ("arm64: mte: CPU feature detection and initial sysreg configuration")
Cc: <stable@vger.kernel.org> # 5.10.x
Link: https://lore.kernel.org/r/20220915222053.3484231-1-eugenis@google.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/include/asm/mte.h | 5 ++++
arch/arm64/kernel/cpufeature.c | 3 +-
arch/arm64/kernel/mte.c | 51 +++++++++++++++++++++++++++++++++++++++++
arch/arm64/kernel/suspend.c | 2 +
arch/arm64/mm/proc.S | 46 ++++--------------------------------
5 files changed, 65 insertions(+), 42 deletions(-)
--- a/arch/arm64/include/asm/mte.h
+++ b/arch/arm64/include/asm/mte.h
@@ -42,7 +42,9 @@ void mte_sync_tags(pte_t old_pte, pte_t
void mte_copy_page_tags(void *kto, const void *kfrom);
void mte_thread_init_user(void);
void mte_thread_switch(struct task_struct *next);
+void mte_cpu_setup(void);
void mte_suspend_enter(void);
+void mte_suspend_exit(void);
long set_mte_ctrl(struct task_struct *task, unsigned long arg);
long get_mte_ctrl(struct task_struct *task);
int mte_ptrace_copy_tags(struct task_struct *child, long request,
@@ -72,6 +74,9 @@ static inline void mte_thread_switch(str
static inline void mte_suspend_enter(void)
{
}
+static inline void mte_suspend_exit(void)
+{
+}
static inline long set_mte_ctrl(struct task_struct *task, unsigned long arg)
{
return 0;
--- a/arch/arm64/kernel/cpufeature.c
+++ b/arch/arm64/kernel/cpufeature.c
@@ -2034,7 +2034,8 @@ static void bti_enable(const struct arm6
static void cpu_enable_mte(struct arm64_cpu_capabilities const *cap)
{
sysreg_clear_set(sctlr_el1, 0, SCTLR_ELx_ATA | SCTLR_EL1_ATA0);
- isb();
+
+ mte_cpu_setup();
/*
* Clear the tags in the zero page. This needs to be done via the
--- a/arch/arm64/kernel/mte.c
+++ b/arch/arm64/kernel/mte.c
@@ -285,6 +285,49 @@ void mte_thread_switch(struct task_struc
mte_check_tfsr_el1();
}
+void mte_cpu_setup(void)
+{
+ u64 rgsr;
+
+ /*
+ * CnP must be enabled only after the MAIR_EL1 register has been set
+ * up. Inconsistent MAIR_EL1 between CPUs sharing the same TLB may
+ * lead to the wrong memory type being used for a brief window during
+ * CPU power-up.
+ *
+ * CnP is not a boot feature so MTE gets enabled before CnP, but let's
+ * make sure that is the case.
+ */
+ BUG_ON(read_sysreg(ttbr0_el1) & TTBR_CNP_BIT);
+ BUG_ON(read_sysreg(ttbr1_el1) & TTBR_CNP_BIT);
+
+ /* Normal Tagged memory type at the corresponding MAIR index */
+ sysreg_clear_set(mair_el1,
+ MAIR_ATTRIDX(MAIR_ATTR_MASK, MT_NORMAL_TAGGED),
+ MAIR_ATTRIDX(MAIR_ATTR_NORMAL_TAGGED,
+ MT_NORMAL_TAGGED));
+
+ write_sysreg_s(KERNEL_GCR_EL1, SYS_GCR_EL1);
+
+ /*
+ * If GCR_EL1.RRND=1 is implemented the same way as RRND=0, then
+ * RGSR_EL1.SEED must be non-zero for IRG to produce
+ * pseudorandom numbers. As RGSR_EL1 is UNKNOWN out of reset, we
+ * must initialize it.
+ */
+ rgsr = (read_sysreg(CNTVCT_EL0) & SYS_RGSR_EL1_SEED_MASK) <<
+ SYS_RGSR_EL1_SEED_SHIFT;
+ if (rgsr == 0)
+ rgsr = 1 << SYS_RGSR_EL1_SEED_SHIFT;
+ write_sysreg_s(rgsr, SYS_RGSR_EL1);
+
+ /* clear any pending tag check faults in TFSR*_EL1 */
+ write_sysreg_s(0, SYS_TFSR_EL1);
+ write_sysreg_s(0, SYS_TFSRE0_EL1);
+
+ local_flush_tlb_all();
+}
+
void mte_suspend_enter(void)
{
if (!system_supports_mte())
@@ -301,6 +344,14 @@ void mte_suspend_enter(void)
mte_check_tfsr_el1();
}
+void mte_suspend_exit(void)
+{
+ if (!system_supports_mte())
+ return;
+
+ mte_cpu_setup();
+}
+
long set_mte_ctrl(struct task_struct *task, unsigned long arg)
{
u64 mte_ctrl = (~((arg & PR_MTE_TAG_MASK) >> PR_MTE_TAG_SHIFT) &
--- a/arch/arm64/kernel/suspend.c
+++ b/arch/arm64/kernel/suspend.c
@@ -43,6 +43,8 @@ void notrace __cpu_suspend_exit(void)
{
unsigned int cpu = smp_processor_id();
+ mte_suspend_exit();
+
/*
* We are resuming from reset with the idmap active in TTBR0_EL1.
* We must uninstall the idmap and restore the expected MMU
--- a/arch/arm64/mm/proc.S
+++ b/arch/arm64/mm/proc.S
@@ -48,17 +48,19 @@
#ifdef CONFIG_KASAN_HW_TAGS
#define TCR_MTE_FLAGS TCR_TCMA1 | TCR_TBI1 | TCR_TBID1
-#else
+#elif defined(CONFIG_ARM64_MTE)
/*
* The mte_zero_clear_page_tags() implementation uses DC GZVA, which relies on
* TBI being enabled at EL1.
*/
#define TCR_MTE_FLAGS TCR_TBI1 | TCR_TBID1
+#else
+#define TCR_MTE_FLAGS 0
#endif
/*
* Default MAIR_EL1. MT_NORMAL_TAGGED is initially mapped as Normal memory and
- * changed during __cpu_setup to Normal Tagged if the system supports MTE.
+ * changed during mte_cpu_setup to Normal Tagged if the system supports MTE.
*/
#define MAIR_EL1_SET \
(MAIR_ATTRIDX(MAIR_ATTR_DEVICE_nGnRnE, MT_DEVICE_nGnRnE) | \
@@ -426,46 +428,8 @@ SYM_FUNC_START(__cpu_setup)
mov_q mair, MAIR_EL1_SET
mov_q tcr, TCR_TxSZ(VA_BITS) | TCR_CACHE_FLAGS | TCR_SMP_FLAGS | \
TCR_TG_FLAGS | TCR_KASLR_FLAGS | TCR_ASID16 | \
- TCR_TBI0 | TCR_A1 | TCR_KASAN_SW_FLAGS
-
-#ifdef CONFIG_ARM64_MTE
- /*
- * Update MAIR_EL1, GCR_EL1 and TFSR*_EL1 if MTE is supported
- * (ID_AA64PFR1_EL1[11:8] > 1).
- */
- mrs x10, ID_AA64PFR1_EL1
- ubfx x10, x10, #ID_AA64PFR1_MTE_SHIFT, #4
- cmp x10, #ID_AA64PFR1_MTE
- b.lt 1f
-
- /* Normal Tagged memory type at the corresponding MAIR index */
- mov x10, #MAIR_ATTR_NORMAL_TAGGED
- bfi mair, x10, #(8 * MT_NORMAL_TAGGED), #8
+ TCR_TBI0 | TCR_A1 | TCR_KASAN_SW_FLAGS | TCR_MTE_FLAGS
- mov x10, #KERNEL_GCR_EL1
- msr_s SYS_GCR_EL1, x10
-
- /*
- * If GCR_EL1.RRND=1 is implemented the same way as RRND=0, then
- * RGSR_EL1.SEED must be non-zero for IRG to produce
- * pseudorandom numbers. As RGSR_EL1 is UNKNOWN out of reset, we
- * must initialize it.
- */
- mrs x10, CNTVCT_EL0
- ands x10, x10, #SYS_RGSR_EL1_SEED_MASK
- csinc x10, x10, xzr, ne
- lsl x10, x10, #SYS_RGSR_EL1_SEED_SHIFT
- msr_s SYS_RGSR_EL1, x10
-
- /* clear any pending tag check faults in TFSR*_EL1 */
- msr_s SYS_TFSR_EL1, xzr
- msr_s SYS_TFSRE0_EL1, xzr
-
- /* set the TCR_EL1 bits */
- mov_q x10, TCR_MTE_FLAGS
- orr tcr, tcr, x10
-1:
-#endif
tcr_clear_errata_bits tcr, x9, x5
#ifdef CONFIG_ARM64_VA_BITS_52
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 080/862] arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 079/862] arm64: mte: move register initialization to C Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 081/862] arm64: errata: Add Cortex-A55 to the repeat tlbi list Greg Kroah-Hartman
` (796 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Catalin Marinas,
syzbot+c2c79c6d6eddc5262b77, Steven Price, Andrey Konovalov,
Vincenzo Frascino, Will Deacon
From: Catalin Marinas <catalin.marinas@arm.com>
commit a8e5e5146ad08d794c58252bab00b261045ef16d upstream.
Prior to commit 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE
is untagged"), mte_sync_tags() was only called for pte_tagged() entries
(those mapped with PROT_MTE). Therefore mte_sync_tags() could safely use
test_and_set_bit(PG_mte_tagged, &page->flags) without inadvertently
setting PG_mte_tagged on an untagged page.
The above commit was required as guests may enable MTE without any
control at the stage 2 mapping, nor a PROT_MTE mapping in the VMM.
However, the side-effect was that any page with a PTE that looked like
swap (or migration) was getting PG_mte_tagged set automatically. A
subsequent page copy (e.g. migration) copied the tags to the destination
page even if the tags were owned by KASAN.
This issue was masked by the page_kasan_tag_reset() call introduced in
commit e5b8d9218951 ("arm64: mte: reset the page tag in page->flags").
When this commit was reverted (20794545c146), KASAN started reporting
access faults because the overriding tags in a page did not match the
original page->flags (with CONFIG_KASAN_HW_TAGS=y):
BUG: KASAN: invalid-access in copy_page+0x10/0xd0 arch/arm64/lib/copy_page.S:26
Read at addr f5ff000017f2e000 by task syz-executor.1/2218
Pointer tag: [f5], memory tag: [f2]
Move the PG_mte_tagged bit setting from mte_sync_tags() to the actual
place where tags are cleared (mte_sync_page_tags()) or restored
(mte_restore_tags()).
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Reported-by: syzbot+c2c79c6d6eddc5262b77@syzkaller.appspotmail.com
Fixes: 69e3b846d8a7 ("arm64: mte: Sync tags for pages where PTE is untagged")
Cc: <stable@vger.kernel.org> # 5.14.x
Cc: Steven Price <steven.price@arm.com>
Cc: Andrey Konovalov <andreyknvl@gmail.com>
Cc: Vincenzo Frascino <vincenzo.frascino@arm.com>
Cc: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/0000000000004387dc05e5888ae5@google.com/
Reviewed-by: Steven Price <steven.price@arm.com>
Link: https://lore.kernel.org/r/20221006163354.3194102-1-catalin.marinas@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/arm64/kernel/mte.c | 9 +++++++--
arch/arm64/mm/mteswap.c | 7 ++++++-
2 files changed, 13 insertions(+), 3 deletions(-)
--- a/arch/arm64/kernel/mte.c
+++ b/arch/arm64/kernel/mte.c
@@ -48,7 +48,12 @@ static void mte_sync_page_tags(struct pa
if (!pte_is_tagged)
return;
- mte_clear_page_tags(page_address(page));
+ /*
+ * Test PG_mte_tagged again in case it was racing with another
+ * set_pte_at().
+ */
+ if (!test_and_set_bit(PG_mte_tagged, &page->flags))
+ mte_clear_page_tags(page_address(page));
}
void mte_sync_tags(pte_t old_pte, pte_t pte)
@@ -64,7 +69,7 @@ void mte_sync_tags(pte_t old_pte, pte_t
/* if PG_mte_tagged is set, tags have already been initialised */
for (i = 0; i < nr_pages; i++, page++) {
- if (!test_and_set_bit(PG_mte_tagged, &page->flags))
+ if (!test_bit(PG_mte_tagged, &page->flags))
mte_sync_page_tags(page, old_pte, check_swap,
pte_is_tagged);
}
--- a/arch/arm64/mm/mteswap.c
+++ b/arch/arm64/mm/mteswap.c
@@ -53,7 +53,12 @@ bool mte_restore_tags(swp_entry_t entry,
if (!tags)
return false;
- mte_restore_page_tags(page_address(page), tags);
+ /*
+ * Test PG_mte_tagged again in case it was racing with another
+ * set_pte_at().
+ */
+ if (!test_and_set_bit(PG_mte_tagged, &page->flags))
+ mte_restore_page_tags(page_address(page), tags);
return true;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 081/862] arm64: errata: Add Cortex-A55 to the repeat tlbi list
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 080/862] arm64: mte: Avoid setting PG_mte_tagged if no tags cleared or restored Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 082/862] clocksource/drivers/arm_arch_timer: Fix CNTPCT_LO and CNTVCT_LO value Greg Kroah-Hartman
` (795 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, James Morse, Catalin Marinas
From: James Morse <james.morse@arm.com>
commit 171df58028bf4649460fb146a56a58dcb0c8f75a upstream.
Cortex-A55 is affected by an erratum where in rare circumstances the
CPUs may not handle a race between a break-before-make sequence on one
CPU, and another CPU accessing the same page. This could allow a store
to a page that has been unmapped.
Work around this by adding the affected CPUs to the list that needs
TLB sequences to be done twice.
Signed-off-by: James Morse <james.morse@arm.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20220930131959.3082594-1-james.morse@arm.com
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/arm64/silicon-errata.rst | 2 ++
arch/arm64/Kconfig | 17 +++++++++++++++++
arch/arm64/kernel/cpu_errata.c | 5 +++++
3 files changed, 24 insertions(+)
--- a/Documentation/arm64/silicon-errata.rst
+++ b/Documentation/arm64/silicon-errata.rst
@@ -76,6 +76,8 @@ stable kernels.
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A55 | #1530923 | ARM64_ERRATUM_1530923 |
+----------------+-----------------+-----------------+-----------------------------+
+| ARM | Cortex-A55 | #2441007 | ARM64_ERRATUM_2441007 |
++----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A57 | #832075 | ARM64_ERRATUM_832075 |
+----------------+-----------------+-----------------+-----------------------------+
| ARM | Cortex-A57 | #852523 | N/A |
--- a/arch/arm64/Kconfig
+++ b/arch/arm64/Kconfig
@@ -632,6 +632,23 @@ config ARM64_ERRATUM_1530923
config ARM64_WORKAROUND_REPEAT_TLBI
bool
+config ARM64_ERRATUM_2441007
+ bool "Cortex-A55: Completion of affected memory accesses might not be guaranteed by completion of a TLBI"
+ default y
+ select ARM64_WORKAROUND_REPEAT_TLBI
+ help
+ This option adds a workaround for ARM Cortex-A55 erratum #2441007.
+
+ Under very rare circumstances, affected Cortex-A55 CPUs
+ may not handle a race between a break-before-make sequence on one
+ CPU, and another CPU accessing the same page. This could allow a
+ store to a page that has been unmapped.
+
+ Work around this by adding the affected CPUs to the list that needs
+ TLB sequences to be done twice.
+
+ If unsure, say Y.
+
config ARM64_ERRATUM_1286807
bool "Cortex-A76: Modification of the translation table for a virtual address might lead to read-after-read ordering violation"
default y
--- a/arch/arm64/kernel/cpu_errata.c
+++ b/arch/arm64/kernel/cpu_errata.c
@@ -214,6 +214,11 @@ static const struct arm64_cpu_capabiliti
ERRATA_MIDR_RANGE(MIDR_QCOM_KRYO_4XX_GOLD, 0xc, 0xe, 0xf, 0xe),
},
#endif
+#ifdef CONFIG_ARM64_ERRATUM_2441007
+ {
+ ERRATA_MIDR_ALL_VERSIONS(MIDR_CORTEX_A55),
+ },
+#endif
#ifdef CONFIG_ARM64_ERRATUM_2441009
{
/* Cortex-A510 r0p0 -> r1p1. Fixed in r1p2 */
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 082/862] clocksource/drivers/arm_arch_timer: Fix CNTPCT_LO and CNTVCT_LO value
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 081/862] arm64: errata: Add Cortex-A55 to the repeat tlbi list Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 083/862] mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page Greg Kroah-Hartman
` (794 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Daniel Lezcano, Thomas Gleixner,
Marc Zyngier, Mark Rutland, Yang Guo, Shaokun Zhang
From: Yang Guo <guoyang2@huawei.com>
commit af246cc6d0ed11318223606128bb0b09866c4c08 upstream.
CNTPCT_LO and CNTVCT_LO are defined by mistake in commit '8b82c4f883a7',
so fix them according to the Arm ARM DDI 0487I.a, Table I2-4
"CNTBaseN memory map" as follows:
Offset Register Type Description
0x000 CNTPCT[31:0] RO Physical Count register.
0x004 CNTPCT[63:32] RO
0x008 CNTVCT[31:0] RO Virtual Count register.
0x00C CNTVCT[63:32] RO
Fixes: 8b82c4f883a7 ("clocksource/drivers/arm_arch_timer: Move MMIO timer programming over to CVAL")
Cc: stable@vger.kernel.org
Cc: Daniel Lezcano <daniel.lezcano@linaro.org>
Cc: Thomas Gleixner <tglx@linutronix.de>
Cc: Marc Zyngier <maz@kernel.org>
Cc: Mark Rutland <mark.rutland@arm.com>
Acked-by: Marc Zyngier <maz@kernel.org>
Signed-off-by: Yang Guo <guoyang2@huawei.com>
Signed-off-by: Shaokun Zhang <zhangshaokun@hisilicon.com>
Link: https://lore.kernel.org/r/20220927033221.49589-1-zhangshaokun@hisilicon.com
Signed-off-by: Daniel Lezcano <daniel.lezcano@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/clocksource/arm_arch_timer.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/clocksource/arm_arch_timer.c
+++ b/drivers/clocksource/arm_arch_timer.c
@@ -44,8 +44,8 @@
#define CNTACR_RWVT BIT(4)
#define CNTACR_RWPT BIT(5)
-#define CNTVCT_LO 0x00
-#define CNTPCT_LO 0x08
+#define CNTPCT_LO 0x00
+#define CNTVCT_LO 0x08
#define CNTFRQ 0x10
#define CNTP_CVAL_LO 0x20
#define CNTP_CTL 0x2c
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 083/862] mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 082/862] clocksource/drivers/arm_arch_timer: Fix CNTPCT_LO and CNTVCT_LO value Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 084/862] mm/damon: validate if the pmd entry is present before accessing Greg Kroah-Hartman
` (793 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Baolin Wang, Mike Kravetz,
David Hildenbrand, Muchun Song, Andrew Morton
From: Baolin Wang <baolin.wang@linux.alibaba.com>
commit fac35ba763ed07ba93154c95ffc0c4a55023707f upstream.
On some architectures (like ARM64), it can support CONT-PTE/PMD size
hugetlb, which means it can support not only PMD/PUD size hugetlb (2M and
1G), but also CONT-PTE/PMD size(64K and 32M) if a 4K page size specified.
So when looking up a CONT-PTE size hugetlb page by follow_page(), it will
use pte_offset_map_lock() to get the pte entry lock for the CONT-PTE size
hugetlb in follow_page_pte(). However this pte entry lock is incorrect
for the CONT-PTE size hugetlb, since we should use huge_pte_lock() to get
the correct lock, which is mm->page_table_lock.
That means the pte entry of the CONT-PTE size hugetlb under current pte
lock is unstable in follow_page_pte(), we can continue to migrate or
poison the pte entry of the CONT-PTE size hugetlb, which can cause some
potential race issues, even though they are under the 'pte lock'.
For example, suppose thread A is trying to look up a CONT-PTE size hugetlb
page by move_pages() syscall under the lock, however antoher thread B can
migrate the CONT-PTE hugetlb page at the same time, which will cause
thread A to get an incorrect page, if thread A also wants to do page
migration, then data inconsistency error occurs.
Moreover we have the same issue for CONT-PMD size hugetlb in
follow_huge_pmd().
To fix above issues, rename the follow_huge_pmd() as follow_huge_pmd_pte()
to handle PMD and PTE level size hugetlb, which uses huge_pte_lock() to
get the correct pte entry lock to make the pte entry stable.
Mike said:
Support for CONT_PMD/_PTE was added with bb9dd3df8ee9 ("arm64: hugetlb:
refactor find_num_contig()"). Patch series "Support for contiguous pte
hugepages", v4. However, I do not believe these code paths were
executed until migration support was added with 5480280d3f2d ("arm64/mm:
enable HugeTLB migration for contiguous bit HugeTLB pages") I would go
with 5480280d3f2d for the Fixes: targe.
Link: https://lkml.kernel.org/r/635f43bdd85ac2615a58405da82b4d33c6e5eb05.1662017562.git.baolin.wang@linux.alibaba.com
Fixes: 5480280d3f2d ("arm64/mm: enable HugeTLB migration for contiguous bit HugeTLB pages")
Signed-off-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Suggested-by: Mike Kravetz <mike.kravetz@oracle.com>
Reviewed-by: Mike Kravetz <mike.kravetz@oracle.com>
Cc: David Hildenbrand <david@redhat.com>
Cc: Muchun Song <songmuchun@bytedance.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/hugetlb.h | 8 ++++----
mm/gup.c | 14 +++++++++++++-
mm/hugetlb.c | 27 +++++++++++++--------------
3 files changed, 30 insertions(+), 19 deletions(-)
--- a/include/linux/hugetlb.h
+++ b/include/linux/hugetlb.h
@@ -207,8 +207,8 @@ struct page *follow_huge_addr(struct mm_
struct page *follow_huge_pd(struct vm_area_struct *vma,
unsigned long address, hugepd_t hpd,
int flags, int pdshift);
-struct page *follow_huge_pmd(struct mm_struct *mm, unsigned long address,
- pmd_t *pmd, int flags);
+struct page *follow_huge_pmd_pte(struct vm_area_struct *vma, unsigned long address,
+ int flags);
struct page *follow_huge_pud(struct mm_struct *mm, unsigned long address,
pud_t *pud, int flags);
struct page *follow_huge_pgd(struct mm_struct *mm, unsigned long address,
@@ -312,8 +312,8 @@ static inline struct page *follow_huge_p
return NULL;
}
-static inline struct page *follow_huge_pmd(struct mm_struct *mm,
- unsigned long address, pmd_t *pmd, int flags)
+static inline struct page *follow_huge_pmd_pte(struct vm_area_struct *vma,
+ unsigned long address, int flags)
{
return NULL;
}
--- a/mm/gup.c
+++ b/mm/gup.c
@@ -530,6 +530,18 @@ static struct page *follow_page_pte(stru
if (WARN_ON_ONCE((flags & (FOLL_PIN | FOLL_GET)) ==
(FOLL_PIN | FOLL_GET)))
return ERR_PTR(-EINVAL);
+
+ /*
+ * Considering PTE level hugetlb, like continuous-PTE hugetlb on
+ * ARM64 architecture.
+ */
+ if (is_vm_hugetlb_page(vma)) {
+ page = follow_huge_pmd_pte(vma, address, flags);
+ if (page)
+ return page;
+ return no_page_table(vma, flags);
+ }
+
retry:
if (unlikely(pmd_bad(*pmd)))
return no_page_table(vma, flags);
@@ -662,7 +674,7 @@ static struct page *follow_pmd_mask(stru
if (pmd_none(pmdval))
return no_page_table(vma, flags);
if (pmd_huge(pmdval) && is_vm_hugetlb_page(vma)) {
- page = follow_huge_pmd(mm, address, pmd, flags);
+ page = follow_huge_pmd_pte(vma, address, flags);
if (page)
return page;
return no_page_table(vma, flags);
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -6946,12 +6946,13 @@ follow_huge_pd(struct vm_area_struct *vm
}
struct page * __weak
-follow_huge_pmd(struct mm_struct *mm, unsigned long address,
- pmd_t *pmd, int flags)
+follow_huge_pmd_pte(struct vm_area_struct *vma, unsigned long address, int flags)
{
+ struct hstate *h = hstate_vma(vma);
+ struct mm_struct *mm = vma->vm_mm;
struct page *page = NULL;
spinlock_t *ptl;
- pte_t pte;
+ pte_t *ptep, pte;
/*
* FOLL_PIN is not supported for follow_page(). Ordinary GUP goes via
@@ -6961,17 +6962,15 @@ follow_huge_pmd(struct mm_struct *mm, un
return NULL;
retry:
- ptl = pmd_lockptr(mm, pmd);
- spin_lock(ptl);
- /*
- * make sure that the address range covered by this pmd is not
- * unmapped from other threads.
- */
- if (!pmd_huge(*pmd))
- goto out;
- pte = huge_ptep_get((pte_t *)pmd);
+ ptep = huge_pte_offset(mm, address, huge_page_size(h));
+ if (!ptep)
+ return NULL;
+
+ ptl = huge_pte_lock(h, mm, ptep);
+ pte = huge_ptep_get(ptep);
if (pte_present(pte)) {
- page = pmd_page(*pmd) + ((address & ~PMD_MASK) >> PAGE_SHIFT);
+ page = pte_page(pte) +
+ ((address & ~huge_page_mask(h)) >> PAGE_SHIFT);
/*
* try_grab_page() should always succeed here, because: a) we
* hold the pmd (ptl) lock, and b) we've just checked that the
@@ -6987,7 +6986,7 @@ retry:
} else {
if (is_hugetlb_entry_migration(pte)) {
spin_unlock(ptl);
- __migration_entry_wait_huge((pte_t *)pmd, ptl);
+ __migration_entry_wait_huge(ptep, ptl);
goto retry;
}
/*
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 084/862] mm/damon: validate if the pmd entry is present before accessing
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 083/862] mm/hugetlb: fix races when looking up a CONT-PTE/PMD size hugetlb page Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 085/862] mm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in Greg Kroah-Hartman
` (792 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Baolin Wang, SeongJae Park,
Muchun Song, Mike Kravetz, Andrew Morton
From: Baolin Wang <baolin.wang@linux.alibaba.com>
commit c8b9aff419303e4d4219b5ff64b1c7e062dee48e upstream.
pmd_huge() is used to validate if the pmd entry is mapped by a huge page,
also including the case of non-present (migration or hwpoisoned) pmd entry
on arm64 or x86 architectures. This means that pmd_pfn() can not get the
correct pfn number for a non-present pmd entry, which will cause
damon_get_page() to get an incorrect page struct (also may be NULL by
pfn_to_online_page()), making the access statistics incorrect.
This means that the DAMON may make incorrect decision according to the
incorrect statistics, for example, DAMON may can not reclaim cold page
in time due to this cold page was regarded as accessed mistakenly if
DAMOS_PAGEOUT operation is specified.
Moreover it does not make sense that we still waste time to get the page
of the non-present entry. Just treat it as not-accessed and skip it,
which maintains consistency with non-present pte level entries.
So add pmd entry present validation to fix the above issues.
Link: https://lkml.kernel.org/r/58b1d1f5fbda7db49ca886d9ef6783e3dcbbbc98.1660805030.git.baolin.wang@linux.alibaba.com
Fixes: 3f49584b262c ("mm/damon: implement primitives for the virtual memory address spaces")
Signed-off-by: Baolin Wang <baolin.wang@linux.alibaba.com>
Reviewed-by: SeongJae Park <sj@kernel.org>
Reviewed-by: Muchun Song <songmuchun@bytedance.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/damon/vaddr.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/mm/damon/vaddr.c
+++ b/mm/damon/vaddr.c
@@ -304,6 +304,11 @@ static int damon_mkold_pmd_entry(pmd_t *
if (pmd_huge(*pmd)) {
ptl = pmd_lock(walk->mm, pmd);
+ if (!pmd_present(*pmd)) {
+ spin_unlock(ptl);
+ return 0;
+ }
+
if (pmd_huge(*pmd)) {
damon_pmdp_mkold(pmd, walk->mm, addr);
spin_unlock(ptl);
@@ -431,6 +436,11 @@ static int damon_young_pmd_entry(pmd_t *
#ifdef CONFIG_TRANSPARENT_HUGEPAGE
if (pmd_huge(*pmd)) {
ptl = pmd_lock(walk->mm, pmd);
+ if (!pmd_present(*pmd)) {
+ spin_unlock(ptl);
+ return 0;
+ }
+
if (!pmd_huge(*pmd)) {
spin_unlock(ptl);
goto regular_page;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 085/862] mm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 084/862] mm/damon: validate if the pmd entry is present before accessing Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 086/862] mm/mmap: undo ->mmap() when arch_validate_flags() fails Greg Kroah-Hartman
` (791 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Peter Xu,
syzbot+2b9b4f0895be09a6dec3, Axel Rasmussen, Brian Geffon,
Edward Liaw, Liu Shixin, Mike Kravetz, Andrew Morton
From: Peter Xu <peterx@redhat.com>
commit 515778e2d790652a38a24554fdb7f21420d91efc upstream.
When PTE_MARKER_UFFD_WP not configured, it's still possible to reach pte
marker code and trigger an warning. Add a few CONFIG_PTE_MARKER_UFFD_WP
ifdefs to make sure the code won't be reached when not compiled in.
Link: https://lkml.kernel.org/r/YzeR+R6b4bwBlBHh@x1n
Fixes: b1f9e876862d ("mm/uffd: enable write protection for shmem & hugetlbfs")
Signed-off-by: Peter Xu <peterx@redhat.com>
Reported-by: <syzbot+2b9b4f0895be09a6dec3@syzkaller.appspotmail.com>
Cc: Axel Rasmussen <axelrasmussen@google.com>
Cc: Brian Geffon <bgeffon@google.com>
Cc: Edward Liaw <edliaw@google.com>
Cc: Liu Shixin <liushixin2@huawei.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/hugetlb.c | 4 ++++
mm/memory.c | 2 ++
mm/mprotect.c | 2 ++
3 files changed, 8 insertions(+)
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -5059,6 +5059,7 @@ static void __unmap_hugepage_range(struc
* unmapped and its refcount is dropped, so just clear pte here.
*/
if (unlikely(!pte_present(pte))) {
+#ifdef CONFIG_PTE_MARKER_UFFD_WP
/*
* If the pte was wr-protected by uffd-wp in any of the
* swap forms, meanwhile the caller does not want to
@@ -5070,6 +5071,7 @@ static void __unmap_hugepage_range(struc
set_huge_pte_at(mm, address, ptep,
make_pte_marker(PTE_MARKER_UFFD_WP));
else
+#endif
huge_pte_clear(mm, address, ptep, sz);
spin_unlock(ptl);
continue;
@@ -5098,11 +5100,13 @@ static void __unmap_hugepage_range(struc
tlb_remove_huge_tlb_entry(h, tlb, ptep, address);
if (huge_pte_dirty(pte))
set_page_dirty(page);
+#ifdef CONFIG_PTE_MARKER_UFFD_WP
/* Leave a uffd-wp pte marker if needed */
if (huge_pte_uffd_wp(pte) &&
!(zap_flags & ZAP_FLAG_DROP_MARKER))
set_huge_pte_at(mm, address, ptep,
make_pte_marker(PTE_MARKER_UFFD_WP));
+#endif
hugetlb_count_sub(pages_per_huge_page(h), mm);
page_remove_rmap(page, vma, true);
--- a/mm/memory.c
+++ b/mm/memory.c
@@ -1393,10 +1393,12 @@ zap_install_uffd_wp_if_needed(struct vm_
unsigned long addr, pte_t *pte,
struct zap_details *details, pte_t pteval)
{
+#ifdef CONFIG_PTE_MARKER_UFFD_WP
if (zap_drop_file_uffd_wp(details))
return;
pte_install_uffd_wp_if_needed(vma, addr, pte, pteval);
+#endif
}
static unsigned long zap_pte_range(struct mmu_gather *tlb,
--- a/mm/mprotect.c
+++ b/mm/mprotect.c
@@ -260,6 +260,7 @@ static unsigned long change_pte_range(st
} else {
/* It must be an none page, or what else?.. */
WARN_ON_ONCE(!pte_none(oldpte));
+#ifdef CONFIG_PTE_MARKER_UFFD_WP
if (unlikely(uffd_wp && !vma_is_anonymous(vma))) {
/*
* For file-backed mem, we need to be able to
@@ -271,6 +272,7 @@ static unsigned long change_pte_range(st
make_pte_marker(PTE_MARKER_UFFD_WP));
pages++;
}
+#endif
}
} while (pte++, addr += PAGE_SIZE, addr != end);
arch_leave_lazy_mmu_mode();
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 086/862] mm/mmap: undo ->mmap() when arch_validate_flags() fails
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 085/862] mm/uffd: fix warning without PTE_MARKER_UFFD_WP compiled in Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 087/862] xen/gntdev: Prevent leaking grants Greg Kroah-Hartman
` (790 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Carlos Llamas, Catalin Marinas,
Andrii Nakryiko, Liam Howlett, Christian Brauner (Microsoft),
Michal Hocko, Suren Baghdasaryan, Andrew Morton
From: Carlos Llamas <cmllamas@google.com>
commit deb0f6562884b5b4beb883d73e66a7d3a1b96d99 upstream.
Commit c462ac288f2c ("mm: Introduce arch_validate_flags()") added a late
check in mmap_region() to let architectures validate vm_flags. The check
needs to happen after calling ->mmap() as the flags can potentially be
modified during this callback.
If arch_validate_flags() check fails we unmap and free the vma. However,
the error path fails to undo the ->mmap() call that previously succeeded
and depending on the specific ->mmap() implementation this translates to
reference increments, memory allocations and other operations what will
not be cleaned up.
There are several places (mainly device drivers) where this is an issue.
However, one specific example is bpf_map_mmap() which keeps count of the
mappings in map->writecnt. The count is incremented on ->mmap() and then
decremented on vm_ops->close(). When arch_validate_flags() fails this
count is off since bpf_map_mmap_close() is never called.
One can reproduce this issue in arm64 devices with MTE support. Here the
vm_flags are checked to only allow VM_MTE if VM_MTE_ALLOWED has been set
previously. From userspace then is enough to pass the PROT_MTE flag to
mmap() syscall to trigger the arch_validate_flags() failure.
The following program reproduces this issue:
#include <stdio.h>
#include <unistd.h>
#include <linux/unistd.h>
#include <linux/bpf.h>
#include <sys/mman.h>
int main(void)
{
union bpf_attr attr = {
.map_type = BPF_MAP_TYPE_ARRAY,
.key_size = sizeof(int),
.value_size = sizeof(long long),
.max_entries = 256,
.map_flags = BPF_F_MMAPABLE,
};
int fd;
fd = syscall(__NR_bpf, BPF_MAP_CREATE, &attr, sizeof(attr));
mmap(NULL, 4096, PROT_WRITE | PROT_MTE, MAP_SHARED, fd, 0);
return 0;
}
By manually adding some log statements to the vm_ops callbacks we can
confirm that when passing PROT_MTE to mmap() the map->writecnt is off upon
->release():
With PROT_MTE flag:
root@debian:~# ./bpf-test
[ 111.263874] bpf_map_write_active_inc: map=9 writecnt=1
[ 111.288763] bpf_map_release: map=9 writecnt=1
Without PROT_MTE flag:
root@debian:~# ./bpf-test
[ 157.816912] bpf_map_write_active_inc: map=10 writecnt=1
[ 157.830442] bpf_map_write_active_dec: map=10 writecnt=0
[ 157.832396] bpf_map_release: map=10 writecnt=0
This patch fixes the above issue by calling vm_ops->close() when the
arch_validate_flags() check fails, after this we can proceed to unmap and
free the vma on the error path.
Link: https://lkml.kernel.org/r/20220930003844.1210987-1-cmllamas@google.com
Fixes: c462ac288f2c ("mm: Introduce arch_validate_flags()")
Signed-off-by: Carlos Llamas <cmllamas@google.com>
Reviewed-by: Catalin Marinas <catalin.marinas@arm.com>
Acked-by: Andrii Nakryiko <andrii@kernel.org>
Reviewed-by: Liam Howlett <liam.howlett@oracle.com>
Cc: Christian Brauner (Microsoft) <brauner@kernel.org>
Cc: Michal Hocko <mhocko@suse.com>
Cc: Suren Baghdasaryan <surenb@google.com>
Cc: <stable@vger.kernel.org> [5.10+]
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/mmap.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/mm/mmap.c
+++ b/mm/mmap.c
@@ -1797,7 +1797,7 @@ unsigned long mmap_region(struct file *f
if (!arch_validate_flags(vma->vm_flags)) {
error = -EINVAL;
if (file)
- goto unmap_and_free_vma;
+ goto close_and_free_vma;
else
goto free_vma;
}
@@ -1844,6 +1844,9 @@ out:
return addr;
+close_and_free_vma:
+ if (vma->vm_ops && vma->vm_ops->close)
+ vma->vm_ops->close(vma);
unmap_and_free_vma:
fput(vma->vm_file);
vma->vm_file = NULL;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 087/862] xen/gntdev: Prevent leaking grants
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 086/862] mm/mmap: undo ->mmap() when arch_validate_flags() fails Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 088/862] xen/gntdev: Accommodate VMA splitting Greg Kroah-Hartman
` (789 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, M. Vefa Bicakci, Demi Marie Obenour,
Juergen Gross
From: M. Vefa Bicakci <m.v.b@runbox.com>
commit 0991028cd49567d7016d1b224fe0117c35059f86 upstream.
Prior to this commit, if a grant mapping operation failed partially,
some of the entries in the map_ops array would be invalid, whereas all
of the entries in the kmap_ops array would be valid. This in turn would
cause the following logic in gntdev_map_grant_pages to become invalid:
for (i = 0; i < map->count; i++) {
if (map->map_ops[i].status == GNTST_okay) {
map->unmap_ops[i].handle = map->map_ops[i].handle;
if (!use_ptemod)
alloced++;
}
if (use_ptemod) {
if (map->kmap_ops[i].status == GNTST_okay) {
if (map->map_ops[i].status == GNTST_okay)
alloced++;
map->kunmap_ops[i].handle = map->kmap_ops[i].handle;
}
}
}
...
atomic_add(alloced, &map->live_grants);
Assume that use_ptemod is true (i.e., the domain mapping the granted
pages is a paravirtualized domain). In the code excerpt above, note that
the "alloced" variable is only incremented when both kmap_ops[i].status
and map_ops[i].status are set to GNTST_okay (i.e., both mapping
operations are successful). However, as also noted above, there are
cases where a grant mapping operation fails partially, breaking the
assumption of the code excerpt above.
The aforementioned causes map->live_grants to be incorrectly set. In
some cases, all of the map_ops mappings fail, but all of the kmap_ops
mappings succeed, meaning that live_grants may remain zero. This in turn
makes it impossible to unmap the successfully grant-mapped pages pointed
to by kmap_ops, because unmap_grant_pages has the following snippet of
code at its beginning:
if (atomic_read(&map->live_grants) == 0)
return; /* Nothing to do */
In other cases where only some of the map_ops mappings fail but all
kmap_ops mappings succeed, live_grants is made positive, but when the
user requests unmapping the grant-mapped pages, __unmap_grant_pages_done
will then make map->live_grants negative, because the latter function
does not check if all of the pages that were requested to be unmapped
were actually unmapped, and the same function unconditionally subtracts
"data->count" (i.e., a value that can be greater than map->live_grants)
from map->live_grants. The side effects of a negative live_grants value
have not been studied.
The net effect of all of this is that grant references are leaked in one
of the above conditions. In Qubes OS v4.1 (which uses Xen's grant
mechanism extensively for X11 GUI isolation), this issue manifests
itself with warning messages like the following to be printed out by the
Linux kernel in the VM that had granted pages (that contain X11 GUI
window data) to dom0: "g.e. 0x1234 still pending", especially after the
user rapidly resizes GUI VM windows (causing some grant-mapping
operations to partially or completely fail, due to the fact that the VM
unshares some of the pages as part of the window resizing, making the
pages impossible to grant-map from dom0).
The fix for this issue involves counting all successful map_ops and
kmap_ops mappings separately, and then adding the sum to live_grants.
During unmapping, only the number of successfully unmapped grants is
subtracted from live_grants. The code is also modified to check for
negative live_grants values after the subtraction and warn the user.
Link: https://github.com/QubesOS/qubes-issues/issues/7631
Fixes: dbe97cff7dd9 ("xen/gntdev: Avoid blocking in unmap_grant_pages()")
Cc: stable@vger.kernel.org
Signed-off-by: M. Vefa Bicakci <m.v.b@runbox.com>
Acked-by: Demi Marie Obenour <demi@invisiblethingslab.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Link: https://lore.kernel.org/r/20221002222006.2077-2-m.v.b@runbox.com
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/gntdev.c | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -367,8 +367,7 @@ int gntdev_map_grant_pages(struct gntdev
for (i = 0; i < map->count; i++) {
if (map->map_ops[i].status == GNTST_okay) {
map->unmap_ops[i].handle = map->map_ops[i].handle;
- if (!use_ptemod)
- alloced++;
+ alloced++;
} else if (!err)
err = -EINVAL;
@@ -377,8 +376,7 @@ int gntdev_map_grant_pages(struct gntdev
if (use_ptemod) {
if (map->kmap_ops[i].status == GNTST_okay) {
- if (map->map_ops[i].status == GNTST_okay)
- alloced++;
+ alloced++;
map->kunmap_ops[i].handle = map->kmap_ops[i].handle;
} else if (!err)
err = -EINVAL;
@@ -394,8 +392,14 @@ static void __unmap_grant_pages_done(int
unsigned int i;
struct gntdev_grant_map *map = data->data;
unsigned int offset = data->unmap_ops - map->unmap_ops;
+ int successful_unmaps = 0;
+ int live_grants;
for (i = 0; i < data->count; i++) {
+ if (map->unmap_ops[offset + i].status == GNTST_okay &&
+ map->unmap_ops[offset + i].handle != INVALID_GRANT_HANDLE)
+ successful_unmaps++;
+
WARN_ON(map->unmap_ops[offset + i].status != GNTST_okay &&
map->unmap_ops[offset + i].handle != INVALID_GRANT_HANDLE);
pr_debug("unmap handle=%d st=%d\n",
@@ -403,6 +407,10 @@ static void __unmap_grant_pages_done(int
map->unmap_ops[offset+i].status);
map->unmap_ops[offset+i].handle = INVALID_GRANT_HANDLE;
if (use_ptemod) {
+ if (map->kunmap_ops[offset + i].status == GNTST_okay &&
+ map->kunmap_ops[offset + i].handle != INVALID_GRANT_HANDLE)
+ successful_unmaps++;
+
WARN_ON(map->kunmap_ops[offset + i].status != GNTST_okay &&
map->kunmap_ops[offset + i].handle != INVALID_GRANT_HANDLE);
pr_debug("kunmap handle=%u st=%d\n",
@@ -411,11 +419,15 @@ static void __unmap_grant_pages_done(int
map->kunmap_ops[offset+i].handle = INVALID_GRANT_HANDLE;
}
}
+
/*
* Decrease the live-grant counter. This must happen after the loop to
* prevent premature reuse of the grants by gnttab_mmap().
*/
- atomic_sub(data->count, &map->live_grants);
+ live_grants = atomic_sub_return(successful_unmaps, &map->live_grants);
+ if (WARN_ON(live_grants < 0))
+ pr_err("%s: live_grants became negative (%d) after unmapping %d pages!\n",
+ __func__, live_grants, successful_unmaps);
/* Release reference taken by __unmap_grant_pages */
gntdev_put_map(NULL, map);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 088/862] xen/gntdev: Accommodate VMA splitting
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 087/862] xen/gntdev: Prevent leaking grants Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 089/862] PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge Greg Kroah-Hartman
` (788 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, M. Vefa Bicakci, Juergen Gross
From: M. Vefa Bicakci <m.v.b@runbox.com>
commit 5c13a4a0291b30191eff9ead8d010e1ca43a4d0c upstream.
Prior to this commit, the gntdev driver code did not handle the
following scenario correctly with paravirtualized (PV) Xen domains:
* User process sets up a gntdev mapping composed of two grant mappings
(i.e., two pages shared by another Xen domain).
* User process munmap()s one of the pages.
* User process munmap()s the remaining page.
* User process exits.
In the scenario above, the user process would cause the kernel to log
the following messages in dmesg for the first munmap(), and the second
munmap() call would result in similar log messages:
BUG: Bad page map in process doublemap.test pte:... pmd:...
page:0000000057c97bff refcount:1 mapcount:-1 \
mapping:0000000000000000 index:0x0 pfn:...
...
page dumped because: bad pte
...
file:gntdev fault:0x0 mmap:gntdev_mmap [xen_gntdev] readpage:0x0
...
Call Trace:
<TASK>
dump_stack_lvl+0x46/0x5e
print_bad_pte.cold+0x66/0xb6
unmap_page_range+0x7e5/0xdc0
unmap_vmas+0x78/0xf0
unmap_region+0xa8/0x110
__do_munmap+0x1ea/0x4e0
__vm_munmap+0x75/0x120
__x64_sys_munmap+0x28/0x40
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x61/0xcb
...
For each munmap() call, the Xen hypervisor (if built with CONFIG_DEBUG)
would print out the following and trigger a general protection fault in
the affected Xen PV domain:
(XEN) d0v... Attempt to implicitly unmap d0's grant PTE ...
(XEN) d0v... Attempt to implicitly unmap d0's grant PTE ...
As of this writing, gntdev_grant_map structure's vma field (referred to
as map->vma below) is mainly used for checking the start and end
addresses of mappings. However, with split VMAs, these may change, and
there could be more than one VMA associated with a gntdev mapping.
Hence, remove the use of map->vma and rely on map->pages_vm_start for
the original start address and on (map->count << PAGE_SHIFT) for the
original mapping size. Let the invalidate() and find_special_page()
hooks use these.
Also, given that there can be multiple VMAs associated with a gntdev
mapping, move the "mmu_interval_notifier_remove(&map->notifier)" call to
the end of gntdev_put_map, so that the MMU notifier is only removed
after the closing of the last remaining VMA.
Finally, use an atomic to prevent inadvertent gntdev mapping re-use,
instead of using the map->live_grants atomic counter and/or the map->vma
pointer (the latter of which is now removed). This prevents the
userspace from mmap()'ing (with MAP_FIXED) a gntdev mapping over the
same address range as a previously set up gntdev mapping. This scenario
can be summarized with the following call-trace, which was valid prior
to this commit:
mmap
gntdev_mmap
mmap (repeat mmap with MAP_FIXED over the same address range)
gntdev_invalidate
unmap_grant_pages (sets 'being_removed' entries to true)
gnttab_unmap_refs_async
unmap_single_vma
gntdev_mmap (maps the shared pages again)
munmap
gntdev_invalidate
unmap_grant_pages
(no-op because 'being_removed' entries are true)
unmap_single_vma (For PV domains, Xen reports that a granted page
is being unmapped and triggers a general protection fault in the
affected domain, if Xen was built with CONFIG_DEBUG)
The fix for this last scenario could be worth its own commit, but we
opted for a single commit, because removing the gntdev_grant_map
structure's vma field requires guarding the entry to gntdev_mmap(), and
the live_grants atomic counter is not sufficient on its own to prevent
the mmap() over a pre-existing mapping.
Link: https://github.com/QubesOS/qubes-issues/issues/7631
Fixes: ab31523c2fca ("xen/gntdev: allow usermode to map granted pages")
Cc: stable@vger.kernel.org
Signed-off-by: M. Vefa Bicakci <m.v.b@runbox.com>
Reviewed-by: Juergen Gross <jgross@suse.com>
Link: https://lore.kernel.org/r/20221002222006.2077-3-m.v.b@runbox.com
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/xen/gntdev-common.h | 3 +-
drivers/xen/gntdev.c | 58 ++++++++++++++++++--------------------------
2 files changed, 27 insertions(+), 34 deletions(-)
--- a/drivers/xen/gntdev-common.h
+++ b/drivers/xen/gntdev-common.h
@@ -44,9 +44,10 @@ struct gntdev_unmap_notify {
};
struct gntdev_grant_map {
+ atomic_t in_use;
struct mmu_interval_notifier notifier;
+ bool notifier_init;
struct list_head next;
- struct vm_area_struct *vma;
int index;
int count;
int flags;
--- a/drivers/xen/gntdev.c
+++ b/drivers/xen/gntdev.c
@@ -286,6 +286,9 @@ void gntdev_put_map(struct gntdev_priv *
*/
}
+ if (use_ptemod && map->notifier_init)
+ mmu_interval_notifier_remove(&map->notifier);
+
if (map->notify.flags & UNMAP_NOTIFY_SEND_EVENT) {
notify_remote_via_evtchn(map->notify.event);
evtchn_put(map->notify.event);
@@ -298,7 +301,7 @@ void gntdev_put_map(struct gntdev_priv *
static int find_grant_ptes(pte_t *pte, unsigned long addr, void *data)
{
struct gntdev_grant_map *map = data;
- unsigned int pgnr = (addr - map->vma->vm_start) >> PAGE_SHIFT;
+ unsigned int pgnr = (addr - map->pages_vm_start) >> PAGE_SHIFT;
int flags = map->flags | GNTMAP_application_map | GNTMAP_contains_pte |
(1 << _GNTMAP_guest_avail0);
u64 pte_maddr;
@@ -508,11 +511,7 @@ static void gntdev_vma_close(struct vm_a
struct gntdev_priv *priv = file->private_data;
pr_debug("gntdev_vma_close %p\n", vma);
- if (use_ptemod) {
- WARN_ON(map->vma != vma);
- mmu_interval_notifier_remove(&map->notifier);
- map->vma = NULL;
- }
+
vma->vm_private_data = NULL;
gntdev_put_map(priv, map);
}
@@ -540,29 +539,30 @@ static bool gntdev_invalidate(struct mmu
struct gntdev_grant_map *map =
container_of(mn, struct gntdev_grant_map, notifier);
unsigned long mstart, mend;
+ unsigned long map_start, map_end;
if (!mmu_notifier_range_blockable(range))
return false;
+ map_start = map->pages_vm_start;
+ map_end = map->pages_vm_start + (map->count << PAGE_SHIFT);
+
/*
* If the VMA is split or otherwise changed the notifier is not
* updated, but we don't want to process VA's outside the modified
* VMA. FIXME: It would be much more understandable to just prevent
* modifying the VMA in the first place.
*/
- if (map->vma->vm_start >= range->end ||
- map->vma->vm_end <= range->start)
+ if (map_start >= range->end || map_end <= range->start)
return true;
- mstart = max(range->start, map->vma->vm_start);
- mend = min(range->end, map->vma->vm_end);
+ mstart = max(range->start, map_start);
+ mend = min(range->end, map_end);
pr_debug("map %d+%d (%lx %lx), range %lx %lx, mrange %lx %lx\n",
- map->index, map->count,
- map->vma->vm_start, map->vma->vm_end,
- range->start, range->end, mstart, mend);
- unmap_grant_pages(map,
- (mstart - map->vma->vm_start) >> PAGE_SHIFT,
- (mend - mstart) >> PAGE_SHIFT);
+ map->index, map->count, map_start, map_end,
+ range->start, range->end, mstart, mend);
+ unmap_grant_pages(map, (mstart - map_start) >> PAGE_SHIFT,
+ (mend - mstart) >> PAGE_SHIFT);
return true;
}
@@ -1042,18 +1042,15 @@ static int gntdev_mmap(struct file *flip
return -EINVAL;
pr_debug("map %d+%d at %lx (pgoff %lx)\n",
- index, count, vma->vm_start, vma->vm_pgoff);
+ index, count, vma->vm_start, vma->vm_pgoff);
mutex_lock(&priv->lock);
map = gntdev_find_map_index(priv, index, count);
if (!map)
goto unlock_out;
- if (use_ptemod && map->vma)
- goto unlock_out;
- if (atomic_read(&map->live_grants)) {
- err = -EAGAIN;
+ if (!atomic_add_unless(&map->in_use, 1, 1))
goto unlock_out;
- }
+
refcount_inc(&map->users);
vma->vm_ops = &gntdev_vmops;
@@ -1074,15 +1071,16 @@ static int gntdev_mmap(struct file *flip
map->flags |= GNTMAP_readonly;
}
+ map->pages_vm_start = vma->vm_start;
+
if (use_ptemod) {
- map->vma = vma;
err = mmu_interval_notifier_insert_locked(
&map->notifier, vma->vm_mm, vma->vm_start,
vma->vm_end - vma->vm_start, &gntdev_mmu_ops);
- if (err) {
- map->vma = NULL;
+ if (err)
goto out_unlock_put;
- }
+
+ map->notifier_init = true;
}
mutex_unlock(&priv->lock);
@@ -1099,7 +1097,6 @@ static int gntdev_mmap(struct file *flip
*/
mmu_interval_read_begin(&map->notifier);
- map->pages_vm_start = vma->vm_start;
err = apply_to_page_range(vma->vm_mm, vma->vm_start,
vma->vm_end - vma->vm_start,
find_grant_ptes, map);
@@ -1128,13 +1125,8 @@ unlock_out:
out_unlock_put:
mutex_unlock(&priv->lock);
out_put_map:
- if (use_ptemod) {
+ if (use_ptemod)
unmap_grant_pages(map, 0, map->count);
- if (map->vma) {
- mmu_interval_notifier_remove(&map->notifier);
- map->vma = NULL;
- }
- }
gntdev_put_map(priv, map);
return err;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 089/862] PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 088/862] xen/gntdev: Accommodate VMA splitting Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 090/862] serial: cpm_uart: Dont request IRQ too early for console port Greg Kroah-Hartman
` (787 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Maciej W. Rozycki, Bjorn Helgaas
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit 0e32818397426a688f598f35d3bc762eca6d7592 upstream.
When pci_assign_resource() is unable to assign resources to a BAR, it uses
pci_revert_fw_address() to fall back to a firmware assignment (if any).
Previously pci_revert_fw_address() assumed all addresses could reach the
device, but this is not true if the device is below a bridge that only
forwards addresses within its windows.
This problem was observed on a Tyan Tomcat IV S1564D system where the BIOS
did not assign valid addresses to several bridges and USB devices:
pci 0000:00:11.0: PCI-to-PCIe bridge to [bus 01-ff]
pci 0000:00:11.0: bridge window [io 0xe000-0xefff]
pci 0000:01:00.0: PCIe Upstream Port to [bus 02-ff]
pci 0000:01:00.0: bridge window [io 0x0000-0x0fff] # unreachable
pci 0000:02:02.0: PCIe Downstream Port to [bus 05-ff]
pci 0000:02:02.0: bridge window [io 0x0000-0x0fff] # unreachable
pci 0000:05:00.0: PCIe-to-PCI bridge to [bus 06-ff]
pci 0000:05:00.0: bridge window [io 0x0000-0x0fff] # unreachable
pci 0000:06:08.0: USB UHCI 1.1
pci 0000:06:08.0: BAR 4: [io 0xfce0-0xfcff] # unreachable
pci 0000:06:08.1: USB UHCI 1.1
pci 0000:06:08.1: BAR 4: [io 0xfce0-0xfcff] # unreachable
pci 0000:06:08.0: can't claim BAR 4 [io 0xfce0-0xfcff]: no compatible bridge window
pci 0000:06:08.1: can't claim BAR 4 [io 0xfce0-0xfcff]: no compatible bridge window
During the first pass of assigning unassigned resources, there was not
enough I/O space available, so we couldn't assign the 06:08.0 BAR and
reverted to the firmware assignment (still unreachable). Reverting the
06:08.1 assignment failed because it conflicted with 06:08.0:
pci 0000:00:11.0: bridge window [io 0xe000-0xefff]
pci 0000:01:00.0: no space for bridge window [io size 0x2000]
pci 0000:02:02.0: no space for bridge window [io size 0x1000]
pci 0000:05:00.0: no space for bridge window [io size 0x1000]
pci 0000:06:08.0: BAR 4: no space for [io size 0x0020]
pci 0000:06:08.0: BAR 4: trying firmware assignment [io 0xfce0-0xfcff]
pci 0000:06:08.1: BAR 4: no space for [io size 0x0020]
pci 0000:06:08.1: BAR 4: trying firmware assignment [io 0xfce0-0xfcff]
pci 0000:06:08.1: BAR 4: [io 0xfce0-0xfcff] conflicts with 0000:06:08.0 [io 0xfce0-0xfcff]
A subsequent pass assigned valid bridge windows and a valid 06:08.1 BAR,
but left the 06:08.0 BAR alone, so the UHCI device was still unusable:
pci 0000:00:11.0: bridge window [io 0xe000-0xefff] released
pci 0000:00:11.0: bridge window [io 0x1000-0x2fff] # reassigned
pci 0000:01:00.0: bridge window [io 0x1000-0x2fff] # reassigned
pci 0000:02:02.0: bridge window [io 0x2000-0x2fff] # reassigned
pci 0000:05:00.0: bridge window [io 0x2000-0x2fff] # reassigned
pci 0000:06:08.0: BAR 4: assigned [io 0xfce0-0xfcff] # left alone
pci 0000:06:08.1: BAR 4: assigned [io 0x2000-0x201f]
...
uhci_hcd 0000:06:08.0: host system error, PCI problems?
uhci_hcd 0000:06:08.0: host controller process error, something bad happened!
uhci_hcd 0000:06:08.0: host controller halted, very bad!
uhci_hcd 0000:06:08.0: HCRESET not completed yet!
uhci_hcd 0000:06:08.0: HC died; cleaning up
If the address assigned by firmware is not reachable because it's not
within upstream bridge windows, fail instead of assigning the unusable
address from firmware.
[bhelgaas: commit log, use pci_upstream_bridge()]
Link: https://bugzilla.kernel.org/show_bug.cgi?id=16263
Link: https://lore.kernel.org/r/alpine.DEB.2.21.2203012338460.46819@angie.orcam.me.uk
Link: https://lore.kernel.org/r/alpine.DEB.2.21.2209211921250.29493@angie.orcam.me.uk
Fixes: 58c84eda0756 ("PCI: fall back to original BIOS BAR addresses")
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Signed-off-by: Bjorn Helgaas <bhelgaas@google.com>
Cc: stable@vger.kernel.org # v2.6.35+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pci/setup-res.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/pci/setup-res.c
+++ b/drivers/pci/setup-res.c
@@ -214,6 +214,17 @@ static int pci_revert_fw_address(struct
root = pci_find_parent_resource(dev, res);
if (!root) {
+ /*
+ * If dev is behind a bridge, accesses will only reach it
+ * if res is inside the relevant bridge window.
+ */
+ if (pci_upstream_bridge(dev))
+ return -ENXIO;
+
+ /*
+ * On the root bus, assume the host bridge will forward
+ * everything.
+ */
if (res->flags & IORESOURCE_IO)
root = &ioport_resource;
else
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 090/862] serial: cpm_uart: Dont request IRQ too early for console port
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 089/862] PCI: Sanitise firmware BAR assignments behind a PCI-PCI bridge Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 091/862] serial: stm32: Deassert Transmit Enable on ->rs485_config() Greg Kroah-Hartman
` (786 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Christophe Leroy
From: Christophe Leroy <christophe.leroy@csgroup.eu>
commit 30963b2f75bfdbbcf1cc5d80bf88fec7aaba808d upstream.
The following message is seen during boot and the activation of
console port gets delayed until normal serial ports activation.
[ 0.001346] irq: no irq domain found for pic@930 !
The console port doesn't need irq, perform irq reservation later,
during cpm_uart probe.
While at it, don't use NO_IRQ but 0 which is the value returned
by irq_of_parse_and_map() in case of error. By chance powerpc's
NO_IRQ has value 0 but on some architectures it is -1.
Fixes: 14d893fc6846 ("powerpc/8xx: Convert CPM1 interrupt controller to platform_device")
Cc: stable@vger.kernel.org
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Link: https://lore.kernel.org/r/8bed0f30c2e9ef16ae64fb1243a16d54a48eb8da.1664526717.git.christophe.leroy@csgroup.eu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/cpm_uart/cpm_uart_core.c | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
--- a/drivers/tty/serial/cpm_uart/cpm_uart_core.c
+++ b/drivers/tty/serial/cpm_uart/cpm_uart_core.c
@@ -1214,12 +1214,6 @@ static int cpm_uart_init_port(struct dev
pinfo->port.fifosize = pinfo->tx_nrfifos * pinfo->tx_fifosize;
spin_lock_init(&pinfo->port.lock);
- pinfo->port.irq = irq_of_parse_and_map(np, 0);
- if (pinfo->port.irq == NO_IRQ) {
- ret = -EINVAL;
- goto out_pram;
- }
-
for (i = 0; i < NUM_GPIOS; i++) {
struct gpio_desc *gpiod;
@@ -1229,7 +1223,7 @@ static int cpm_uart_init_port(struct dev
if (IS_ERR(gpiod)) {
ret = PTR_ERR(gpiod);
- goto out_irq;
+ goto out_pram;
}
if (gpiod) {
@@ -1255,8 +1249,6 @@ static int cpm_uart_init_port(struct dev
return cpm_uart_request_port(&pinfo->port);
-out_irq:
- irq_dispose_mapping(pinfo->port.irq);
out_pram:
cpm_uart_unmap_pram(pinfo, pram);
out_mem:
@@ -1436,11 +1428,17 @@ static int cpm_uart_probe(struct platfor
/* initialize the device pointer for the port */
pinfo->port.dev = &ofdev->dev;
+ pinfo->port.irq = irq_of_parse_and_map(ofdev->dev.of_node, 0);
+ if (!pinfo->port.irq)
+ return -EINVAL;
+
ret = cpm_uart_init_port(ofdev->dev.of_node, pinfo);
- if (ret)
- return ret;
+ if (!ret)
+ return uart_add_one_port(&cpm_reg, &pinfo->port);
+
+ irq_dispose_mapping(pinfo->port.irq);
- return uart_add_one_port(&cpm_reg, &pinfo->port);
+ return ret;
}
static int cpm_uart_remove(struct platform_device *ofdev)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 091/862] serial: stm32: Deassert Transmit Enable on ->rs485_config()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 090/862] serial: cpm_uart: Dont request IRQ too early for console port Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:22 ` [PATCH 6.0 092/862] serial: Deassert Transmit Enable on probe in driver-specific way Greg Kroah-Hartman
` (785 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Marek Vasut, Ilpo Järvinen,
Lukas Wunner
From: Lukas Wunner <lukas@wunner.de>
commit adafbbf6895eb0ce41a313c6ee68870ab9aa93cd upstream.
The STM32 USART can control RS-485 Transmit Enable in hardware. Since
commit 7df5081cbf5e ("serial: stm32: Add RS485 RTS GPIO control"),
it can alternatively be controlled in software. That was done to allow
RS-485 even if the RTS pin is unavailable because it's pinmuxed to a
different function.
However the commit neglected to deassert Transmit Enable upon invocation
of the ->rs485_config() callback. Fix it.
Avoid forward declarations by moving stm32_usart_tx_empty(),
stm32_usart_rs485_rts_enable() and stm32_usart_rs485_rts_disable()
further up in the driver.
Fixes: 7df5081cbf5e ("serial: stm32: Add RS485 RTS GPIO control")
Cc: stable@vger.kernel.org # v5.9+
Cc: Marek Vasut <marex@denx.de>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Link: https://lore.kernel.org/r/6059eab35dba394468335ef640df8b0050fd9dbd.1662886616.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/stm32-usart.c | 100 ++++++++++++++++++++-------------------
1 file changed, 53 insertions(+), 47 deletions(-)
--- a/drivers/tty/serial/stm32-usart.c
+++ b/drivers/tty/serial/stm32-usart.c
@@ -131,6 +131,53 @@ static void stm32_usart_clr_bits(struct
writel_relaxed(val, port->membase + reg);
}
+static unsigned int stm32_usart_tx_empty(struct uart_port *port)
+{
+ struct stm32_port *stm32_port = to_stm32_port(port);
+ const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
+
+ if (readl_relaxed(port->membase + ofs->isr) & USART_SR_TC)
+ return TIOCSER_TEMT;
+
+ return 0;
+}
+
+static void stm32_usart_rs485_rts_enable(struct uart_port *port)
+{
+ struct stm32_port *stm32_port = to_stm32_port(port);
+ struct serial_rs485 *rs485conf = &port->rs485;
+
+ if (stm32_port->hw_flow_control ||
+ !(rs485conf->flags & SER_RS485_ENABLED))
+ return;
+
+ if (rs485conf->flags & SER_RS485_RTS_ON_SEND) {
+ mctrl_gpio_set(stm32_port->gpios,
+ stm32_port->port.mctrl | TIOCM_RTS);
+ } else {
+ mctrl_gpio_set(stm32_port->gpios,
+ stm32_port->port.mctrl & ~TIOCM_RTS);
+ }
+}
+
+static void stm32_usart_rs485_rts_disable(struct uart_port *port)
+{
+ struct stm32_port *stm32_port = to_stm32_port(port);
+ struct serial_rs485 *rs485conf = &port->rs485;
+
+ if (stm32_port->hw_flow_control ||
+ !(rs485conf->flags & SER_RS485_ENABLED))
+ return;
+
+ if (rs485conf->flags & SER_RS485_RTS_ON_SEND) {
+ mctrl_gpio_set(stm32_port->gpios,
+ stm32_port->port.mctrl & ~TIOCM_RTS);
+ } else {
+ mctrl_gpio_set(stm32_port->gpios,
+ stm32_port->port.mctrl | TIOCM_RTS);
+ }
+}
+
static void stm32_usart_config_reg_rs485(u32 *cr1, u32 *cr3, u32 delay_ADE,
u32 delay_DDE, u32 baud)
{
@@ -214,6 +261,12 @@ static int stm32_usart_config_rs485(stru
stm32_usart_set_bits(port, ofs->cr1, BIT(cfg->uart_enable_bit));
+ /* Adjust RTS polarity in case it's driven in software */
+ if (stm32_usart_tx_empty(port))
+ stm32_usart_rs485_rts_disable(port);
+ else
+ stm32_usart_rs485_rts_enable(port);
+
return 0;
}
@@ -529,42 +582,6 @@ static void stm32_usart_tc_interrupt_dis
stm32_usart_clr_bits(port, ofs->cr1, USART_CR1_TCIE);
}
-static void stm32_usart_rs485_rts_enable(struct uart_port *port)
-{
- struct stm32_port *stm32_port = to_stm32_port(port);
- struct serial_rs485 *rs485conf = &port->rs485;
-
- if (stm32_port->hw_flow_control ||
- !(rs485conf->flags & SER_RS485_ENABLED))
- return;
-
- if (rs485conf->flags & SER_RS485_RTS_ON_SEND) {
- mctrl_gpio_set(stm32_port->gpios,
- stm32_port->port.mctrl | TIOCM_RTS);
- } else {
- mctrl_gpio_set(stm32_port->gpios,
- stm32_port->port.mctrl & ~TIOCM_RTS);
- }
-}
-
-static void stm32_usart_rs485_rts_disable(struct uart_port *port)
-{
- struct stm32_port *stm32_port = to_stm32_port(port);
- struct serial_rs485 *rs485conf = &port->rs485;
-
- if (stm32_port->hw_flow_control ||
- !(rs485conf->flags & SER_RS485_ENABLED))
- return;
-
- if (rs485conf->flags & SER_RS485_RTS_ON_SEND) {
- mctrl_gpio_set(stm32_port->gpios,
- stm32_port->port.mctrl & ~TIOCM_RTS);
- } else {
- mctrl_gpio_set(stm32_port->gpios,
- stm32_port->port.mctrl | TIOCM_RTS);
- }
-}
-
static void stm32_usart_transmit_chars_pio(struct uart_port *port)
{
struct stm32_port *stm32_port = to_stm32_port(port);
@@ -807,17 +824,6 @@ static irqreturn_t stm32_usart_threaded_
return IRQ_HANDLED;
}
-static unsigned int stm32_usart_tx_empty(struct uart_port *port)
-{
- struct stm32_port *stm32_port = to_stm32_port(port);
- const struct stm32_usart_offsets *ofs = &stm32_port->info->ofs;
-
- if (readl_relaxed(port->membase + ofs->isr) & USART_SR_TC)
- return TIOCSER_TEMT;
-
- return 0;
-}
-
static void stm32_usart_set_mctrl(struct uart_port *port, unsigned int mctrl)
{
struct stm32_port *stm32_port = to_stm32_port(port);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 092/862] serial: Deassert Transmit Enable on probe in driver-specific way
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 091/862] serial: stm32: Deassert Transmit Enable on ->rs485_config() Greg Kroah-Hartman
@ 2022-10-19 8:22 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 093/862] serial: ar933x: Deassert Transmit Enable on ->rs485_config() Greg Kroah-Hartman
` (784 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:22 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Matthias Schiffer, Roosen Henri,
Ilpo Järvinen, Lukas Wunner
From: Lukas Wunner <lukas@wunner.de>
commit 7c7f9bc986e698873b489c371a08f206979d06b7 upstream.
When a UART port is newly registered, uart_configure_port() seeks to
deassert RS485 Transmit Enable by setting the RTS bit in port->mctrl.
However a number of UART drivers interpret a set RTS bit as *assertion*
instead of deassertion: Affected drivers include those using
serial8250_em485_config() (except 8250_bcm2835aux.c) and some using
mctrl_gpio (e.g. imx.c).
Since the interpretation of the RTS bit is driver-specific, it is not
suitable as a means to centrally deassert Transmit Enable in the serial
core. Instead, the serial core must call on drivers to deassert it in
their driver-specific way. One way to achieve that is to call
->rs485_config(). It implicitly deasserts Transmit Enable.
So amend uart_configure_port() and uart_resume_port() to invoke
uart_rs485_config(). That allows removing calls to uart_rs485_config()
from drivers' ->probe() hooks and declaring the function static.
Skip any invocation of ->set_mctrl() if RS485 is enabled. RS485 has no
hardware flow control, so the modem control lines are irrelevant and
need not be touched. When leaving RS485 mode, reset the modem control
lines to the state stored in port->mctrl. That way, UARTs which are
muxed between RS485 and RS232 transceivers drive the lines correctly
when switched to RS232. (serial8250_do_startup() historically raises
the OUT1 modem signal because otherwise interrupts are not signaled on
ancient PC UARTs, but I believe that no longer applies to modern,
RS485-capable UARTs and is thus safe to be skipped.)
imx.c modifies port->mctrl whenever Transmit Enable is asserted and
deasserted. Stop it from doing that so port->mctrl reflects the RS232
line state.
8250_omap.c deasserts Transmit Enable on ->runtime_resume() by calling
->set_mctrl(). Because that is now a no-op in RS485 mode, amend the
function to call serial8250_em485_stop_tx().
fsl_lpuart.c retrieves and applies the RS485 device tree properties
after registering the UART port. Because applying now happens on
registration in uart_configure_port(), move retrieval of the properties
ahead of uart_add_one_port().
Link: https://lore.kernel.org/all/20220329085050.311408-1-matthias.schiffer@ew.tq-group.com/
Link: https://lore.kernel.org/all/8f538a8903795f22f9acc94a9a31b03c9c4ccacb.camel@ginzinger.com/
Fixes: d3b3404df318 ("serial: Fix incorrect rs485 polarity on uart open")
Cc: stable@vger.kernel.org # v4.14+
Reported-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Reported-by: Roosen Henri <Henri.Roosen@ginzinger.com>
Tested-by: Matthias Schiffer <matthias.schiffer@ew.tq-group.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Link: https://lore.kernel.org/r/2de36eba3fbe11278d5002e4e501afe0ceaca039.1663863805.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_omap.c | 3 +++
drivers/tty/serial/8250/8250_pci.c | 9 +--------
drivers/tty/serial/8250/8250_port.c | 12 +++++++-----
drivers/tty/serial/fsl_lpuart.c | 10 ++++------
drivers/tty/serial/imx.c | 8 ++------
drivers/tty/serial/serial_core.c | 36 ++++++++++++++++++++----------------
include/linux/serial_core.h | 1 -
7 files changed, 37 insertions(+), 42 deletions(-)
--- a/drivers/tty/serial/8250/8250_omap.c
+++ b/drivers/tty/serial/8250/8250_omap.c
@@ -342,6 +342,9 @@ static void omap8250_restore_regs(struct
omap8250_update_mdr1(up, priv);
up->port.ops->set_mctrl(&up->port, up->port.mctrl);
+
+ if (up->port.rs485.flags & SER_RS485_ENABLED)
+ serial8250_em485_stop_tx(up);
}
/*
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -1627,7 +1627,6 @@ static int pci_fintek_init(struct pci_de
resource_size_t bar_data[3];
u8 config_base;
struct serial_private *priv = pci_get_drvdata(dev);
- struct uart_8250_port *port;
if (!(pci_resource_flags(dev, 5) & IORESOURCE_IO) ||
!(pci_resource_flags(dev, 4) & IORESOURCE_IO) ||
@@ -1674,13 +1673,7 @@ static int pci_fintek_init(struct pci_de
pci_write_config_byte(dev, config_base + 0x06, dev->irq);
- if (priv) {
- /* re-apply RS232/485 mode when
- * pciserial_resume_ports()
- */
- port = serial8250_get_port(priv->line[i]);
- uart_rs485_config(&port->port);
- } else {
+ if (!priv) {
/* First init without port data
* force init to RS232 Mode
*/
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -600,7 +600,7 @@ EXPORT_SYMBOL_GPL(serial8250_rpm_put);
static int serial8250_em485_init(struct uart_8250_port *p)
{
if (p->em485)
- return 0;
+ goto deassert_rts;
p->em485 = kmalloc(sizeof(struct uart_8250_em485), GFP_ATOMIC);
if (!p->em485)
@@ -616,7 +616,9 @@ static int serial8250_em485_init(struct
p->em485->active_timer = NULL;
p->em485->tx_stopped = true;
- p->rs485_stop_tx(p);
+deassert_rts:
+ if (p->em485->tx_stopped)
+ p->rs485_stop_tx(p);
return 0;
}
@@ -2042,6 +2044,9 @@ EXPORT_SYMBOL_GPL(serial8250_do_set_mctr
static void serial8250_set_mctrl(struct uart_port *port, unsigned int mctrl)
{
+ if (port->rs485.flags & SER_RS485_ENABLED)
+ return;
+
if (port->set_mctrl)
port->set_mctrl(port, mctrl);
else
@@ -3187,9 +3192,6 @@ static void serial8250_config_port(struc
if (flags & UART_CONFIG_TYPE)
autoconfig(up);
- if (port->rs485.flags & SER_RS485_ENABLED)
- uart_rs485_config(port);
-
/* if access method is AU, it is a 16550 with a quirk */
if (port->type == PORT_16550A && port->iotype == UPIO_AU)
up->bugs |= UART_BUG_NOMSR;
--- a/drivers/tty/serial/fsl_lpuart.c
+++ b/drivers/tty/serial/fsl_lpuart.c
@@ -2729,15 +2729,13 @@ static int lpuart_probe(struct platform_
if (ret)
goto failed_reset;
- ret = uart_add_one_port(&lpuart_reg, &sport->port);
- if (ret)
- goto failed_attach_port;
-
ret = uart_get_rs485_mode(&sport->port);
if (ret)
goto failed_get_rs485;
- uart_rs485_config(&sport->port);
+ ret = uart_add_one_port(&lpuart_reg, &sport->port);
+ if (ret)
+ goto failed_attach_port;
ret = devm_request_irq(&pdev->dev, sport->port.irq, handler, 0,
DRIVER_NAME, sport);
@@ -2747,9 +2745,9 @@ static int lpuart_probe(struct platform_
return 0;
failed_irq_request:
-failed_get_rs485:
uart_remove_one_port(&lpuart_reg, &sport->port);
failed_attach_port:
+failed_get_rs485:
failed_reset:
lpuart_disable_clks(sport);
return ret;
--- a/drivers/tty/serial/imx.c
+++ b/drivers/tty/serial/imx.c
@@ -380,8 +380,7 @@ static void imx_uart_rts_active(struct i
{
*ucr2 &= ~(UCR2_CTSC | UCR2_CTS);
- sport->port.mctrl |= TIOCM_RTS;
- mctrl_gpio_set(sport->gpios, sport->port.mctrl);
+ mctrl_gpio_set(sport->gpios, sport->port.mctrl | TIOCM_RTS);
}
/* called with port.lock taken and irqs caller dependent */
@@ -390,8 +389,7 @@ static void imx_uart_rts_inactive(struct
*ucr2 &= ~UCR2_CTSC;
*ucr2 |= UCR2_CTS;
- sport->port.mctrl &= ~TIOCM_RTS;
- mctrl_gpio_set(sport->gpios, sport->port.mctrl);
+ mctrl_gpio_set(sport->gpios, sport->port.mctrl & ~TIOCM_RTS);
}
static void start_hrtimer_ms(struct hrtimer *hrt, unsigned long msec)
@@ -2347,8 +2345,6 @@ static int imx_uart_probe(struct platfor
dev_err(&pdev->dev,
"low-active RTS not possible when receiver is off, enabling receiver\n");
- uart_rs485_config(&sport->port);
-
/* Disable interrupts before requesting them */
ucr1 = imx_uart_readl(sport, UCR1);
ucr1 &= ~(UCR1_ADEN | UCR1_TRDYEN | UCR1_IDEN | UCR1_RRDYEN | UCR1_RTSDEN);
--- a/drivers/tty/serial/serial_core.c
+++ b/drivers/tty/serial/serial_core.c
@@ -158,15 +158,10 @@ uart_update_mctrl(struct uart_port *port
unsigned long flags;
unsigned int old;
- if (port->rs485.flags & SER_RS485_ENABLED) {
- set &= ~TIOCM_RTS;
- clear &= ~TIOCM_RTS;
- }
-
spin_lock_irqsave(&port->lock, flags);
old = port->mctrl;
port->mctrl = (old & ~clear) | set;
- if (old != port->mctrl)
+ if (old != port->mctrl && !(port->rs485.flags & SER_RS485_ENABLED))
port->ops->set_mctrl(port, port->mctrl);
spin_unlock_irqrestore(&port->lock, flags);
}
@@ -1391,7 +1386,7 @@ static void uart_set_rs485_termination(s
!!(rs485->flags & SER_RS485_TERMINATE_BUS));
}
-int uart_rs485_config(struct uart_port *port)
+static int uart_rs485_config(struct uart_port *port)
{
struct serial_rs485 *rs485 = &port->rs485;
int ret;
@@ -1405,7 +1400,6 @@ int uart_rs485_config(struct uart_port *
return ret;
}
-EXPORT_SYMBOL_GPL(uart_rs485_config);
static int uart_get_rs485_config(struct uart_port *port,
struct serial_rs485 __user *rs485)
@@ -1444,8 +1438,13 @@ static int uart_set_rs485_config(struct
spin_lock_irqsave(&port->lock, flags);
ret = port->rs485_config(port, &tty->termios, &rs485);
- if (!ret)
+ if (!ret) {
port->rs485 = rs485;
+
+ /* Reset RTS and other mctrl lines when disabling RS485 */
+ if (!(rs485.flags & SER_RS485_ENABLED))
+ port->ops->set_mctrl(port, port->mctrl);
+ }
spin_unlock_irqrestore(&port->lock, flags);
if (ret)
return ret;
@@ -2352,7 +2351,8 @@ int uart_suspend_port(struct uart_driver
spin_lock_irq(&uport->lock);
ops->stop_tx(uport);
- ops->set_mctrl(uport, 0);
+ if (!(uport->rs485.flags & SER_RS485_ENABLED))
+ ops->set_mctrl(uport, 0);
/* save mctrl so it can be restored on resume */
mctrl = uport->mctrl;
uport->mctrl = 0;
@@ -2440,7 +2440,8 @@ int uart_resume_port(struct uart_driver
uart_change_pm(state, UART_PM_STATE_ON);
spin_lock_irq(&uport->lock);
- ops->set_mctrl(uport, 0);
+ if (!(uport->rs485.flags & SER_RS485_ENABLED))
+ ops->set_mctrl(uport, 0);
spin_unlock_irq(&uport->lock);
if (console_suspend_enabled || !uart_console(uport)) {
/* Protected by port mutex for now */
@@ -2451,7 +2452,10 @@ int uart_resume_port(struct uart_driver
if (tty)
uart_change_speed(tty, state, NULL);
spin_lock_irq(&uport->lock);
- ops->set_mctrl(uport, uport->mctrl);
+ if (!(uport->rs485.flags & SER_RS485_ENABLED))
+ ops->set_mctrl(uport, uport->mctrl);
+ else
+ uart_rs485_config(uport);
ops->start_tx(uport);
spin_unlock_irq(&uport->lock);
tty_port_set_initialized(port, 1);
@@ -2558,10 +2562,10 @@ uart_configure_port(struct uart_driver *
*/
spin_lock_irqsave(&port->lock, flags);
port->mctrl &= TIOCM_DTR;
- if (port->rs485.flags & SER_RS485_ENABLED &&
- !(port->rs485.flags & SER_RS485_RTS_AFTER_SEND))
- port->mctrl |= TIOCM_RTS;
- port->ops->set_mctrl(port, port->mctrl);
+ if (!(port->rs485.flags & SER_RS485_ENABLED))
+ port->ops->set_mctrl(port, port->mctrl);
+ else
+ uart_rs485_config(port);
spin_unlock_irqrestore(&port->lock, flags);
/*
--- a/include/linux/serial_core.h
+++ b/include/linux/serial_core.h
@@ -950,5 +950,4 @@ static inline int uart_handle_break(stru
!((cflag) & CLOCAL))
int uart_get_rs485_mode(struct uart_port *port);
-int uart_rs485_config(struct uart_port *port);
#endif /* LINUX_SERIAL_CORE_H */
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 093/862] serial: ar933x: Deassert Transmit Enable on ->rs485_config()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2022-10-19 8:22 ` [PATCH 6.0 092/862] serial: Deassert Transmit Enable on probe in driver-specific way Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 094/862] serial: 8250: Let drivers request full 16550A feature probing Greg Kroah-Hartman
` (783 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Daniel Golle, Ilpo Järvinen,
Lukas Wunner
From: Lukas Wunner <lukas@wunner.de>
commit 3a939433ddc1bab98be028903aaa286e5e7461d7 upstream.
The ar933x_uart driver neglects to deassert Transmit Enable when
->rs485_config() is invoked. Fix it.
Fixes: 9be1064fe524 ("serial: ar933x_uart: add RS485 support")
Cc: stable@vger.kernel.org # v5.7+
Cc: Daniel Golle <daniel@makrotopia.org>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Signed-off-by: Lukas Wunner <lukas@wunner.de>
Link: https://lore.kernel.org/r/5b36af26e57553f084334666e7d24c7fd131a01e.1662887231.git.lukas@wunner.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/ar933x_uart.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/tty/serial/ar933x_uart.c
+++ b/drivers/tty/serial/ar933x_uart.c
@@ -583,6 +583,13 @@ static const struct uart_ops ar933x_uart
static int ar933x_config_rs485(struct uart_port *port, struct ktermios *termios,
struct serial_rs485 *rs485conf)
{
+ struct ar933x_uart_port *up =
+ container_of(port, struct ar933x_uart_port, port);
+
+ if (port->rs485.flags & SER_RS485_ENABLED)
+ gpiod_set_value(up->rts_gpiod,
+ !!(rs485conf->flags & SER_RS485_RTS_AFTER_SEND));
+
return 0;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 094/862] serial: 8250: Let drivers request full 16550A feature probing
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 093/862] serial: ar933x: Deassert Transmit Enable on ->rs485_config() Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 095/862] serial: 8250: Request full 16550A feature probing for OxSemi PCIe devices Greg Kroah-Hartman
` (782 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Anders Blomdell, Maciej W. Rozycki
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit 9906890c89e4dbd900ed87ad3040080339a7f411 upstream.
A SERIAL_8250_16550A_VARIANTS configuration option has been recently
defined that lets one request the 8250 driver not to probe for 16550A
device features so as to reduce the driver's device startup time in
virtual machines.
Some actual hardware devices require these features to have been fully
determined however for their driver to work correctly, so define a flag
to let drivers request full 16550A feature probing on a device-by-device
basis if required regardless of the SERIAL_8250_16550A_VARIANTS option
setting chosen.
Fixes: dc56ecb81a0a ("serial: 8250: Support disabling mdelay-filled probes of 16550A variants")
Cc: stable@vger.kernel.org # v5.6+
Reported-by: Anders Blomdell <anders.blomdell@control.lth.se>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Link: https://lore.kernel.org/r/alpine.DEB.2.21.2209202357520.41633@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_port.c | 3 ++-
include/linux/serial_core.h | 3 ++-
2 files changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/tty/serial/8250/8250_port.c
+++ b/drivers/tty/serial/8250/8250_port.c
@@ -1023,7 +1023,8 @@ static void autoconfig_16550a(struct uar
up->port.type = PORT_16550A;
up->capabilities |= UART_CAP_FIFO;
- if (!IS_ENABLED(CONFIG_SERIAL_8250_16550A_VARIANTS))
+ if (!IS_ENABLED(CONFIG_SERIAL_8250_16550A_VARIANTS) &&
+ !(up->port.flags & UPF_FULL_PROBE))
return;
/*
--- a/include/linux/serial_core.h
+++ b/include/linux/serial_core.h
@@ -422,7 +422,7 @@ struct uart_icount {
__u32 buf_overrun;
};
-typedef unsigned int __bitwise upf_t;
+typedef u64 __bitwise upf_t;
typedef unsigned int __bitwise upstat_t;
struct uart_port {
@@ -530,6 +530,7 @@ struct uart_port {
#define UPF_FIXED_PORT ((__force upf_t) (1 << 29))
#define UPF_DEAD ((__force upf_t) (1 << 30))
#define UPF_IOREMAP ((__force upf_t) (1 << 31))
+#define UPF_FULL_PROBE ((__force upf_t) (1ULL << 32))
#define __UPF_CHANGE_MASK 0x17fff
#define UPF_CHANGE_MASK ((__force upf_t) __UPF_CHANGE_MASK)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 095/862] serial: 8250: Request full 16550A feature probing for OxSemi PCIe devices
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 094/862] serial: 8250: Let drivers request full 16550A feature probing Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 096/862] NFSD: Protect against send buffer overflow in NFSv3 READDIR Greg Kroah-Hartman
` (781 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Anders Blomdell, Maciej W. Rozycki
From: Maciej W. Rozycki <macro@orcam.me.uk>
commit 00b7a4d4ee42be1c515e56cb1e8ba0f25e271d8e upstream.
Oxford Semiconductor PCIe (Tornado) 950 serial port devices need to
operate in the enhanced mode via the EFR register for the Divide-by-M
N/8 baud rate generator prescaler to be used in their native UART mode.
Otherwise the prescaler is fixed at 1 causing grossly incorrect baud
rates to be programmed.
Accessing the EFR register requires 16550A features to have been probed
for, so request this to happen regardless of SERIAL_8250_16550A_VARIANTS
by setting UPF_FULL_PROBE in port flags.
Fixes: 366f6c955d4d ("serial: 8250: Add proper clock handling for OxSemi PCIe devices")
Cc: stable@vger.kernel.org # v5.19+
Reported-by: Anders Blomdell <anders.blomdell@control.lth.se>
Signed-off-by: Maciej W. Rozycki <macro@orcam.me.uk>
Link: https://lore.kernel.org/r/alpine.DEB.2.21.2209210005040.41633@angie.orcam.me.uk
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/tty/serial/8250/8250_pci.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -1232,6 +1232,10 @@ static void pci_oxsemi_tornado_set_mctrl
serial8250_do_set_mctrl(port, mctrl);
}
+/*
+ * We require EFR features for clock programming, so set UPF_FULL_PROBE
+ * for full probing regardless of CONFIG_SERIAL_8250_16550A_VARIANTS setting.
+ */
static int pci_oxsemi_tornado_setup(struct serial_private *priv,
const struct pciserial_board *board,
struct uart_8250_port *up, int idx)
@@ -1239,6 +1243,7 @@ static int pci_oxsemi_tornado_setup(stru
struct pci_dev *dev = priv->dev;
if (pci_oxsemi_tornado_p(dev)) {
+ up->port.flags |= UPF_FULL_PROBE;
up->port.get_divisor = pci_oxsemi_tornado_get_divisor;
up->port.set_divisor = pci_oxsemi_tornado_set_divisor;
up->port.set_mctrl = pci_oxsemi_tornado_set_mctrl;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 096/862] NFSD: Protect against send buffer overflow in NFSv3 READDIR
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 095/862] serial: 8250: Request full 16550A feature probing for OxSemi PCIe devices Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 097/862] NFSD: Protect against send buffer overflow in NFSv2 READ Greg Kroah-Hartman
` (780 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ben Ronallo, Chuck Lever, Jeff Layton
From: Chuck Lever <chuck.lever@oracle.com>
commit 640f87c190e0d1b2a0fcb2ecf6d2cd53b1c41991 upstream.
Since before the git era, NFSD has conserved the number of pages
held by each nfsd thread by combining the RPC receive and send
buffers into a single array of pages. This works because there are
no cases where an operation needs a large RPC Call message and a
large RPC Reply message at the same time.
Once an RPC Call has been received, svc_process() updates
svc_rqst::rq_res to describe the part of rq_pages that can be
used for constructing the Reply. This means that the send buffer
(rq_res) shrinks when the received RPC record containing the RPC
Call is large.
A client can force this shrinkage on TCP by sending a correctly-
formed RPC Call header contained in an RPC record that is
excessively large. The full maximum payload size cannot be
constructed in that case.
Thanks to Aleksi Illikainen and Kari Hulkko for uncovering this
issue.
Reported-by: Ben Ronallo <Benjamin.Ronallo@synopsys.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs3proc.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/fs/nfsd/nfs3proc.c
+++ b/fs/nfsd/nfs3proc.c
@@ -563,13 +563,14 @@ static void nfsd3_init_dirlist_pages(str
{
struct xdr_buf *buf = &resp->dirlist;
struct xdr_stream *xdr = &resp->xdr;
-
- count = clamp(count, (u32)(XDR_UNIT * 2), svc_max_payload(rqstp));
+ unsigned int sendbuf = min_t(unsigned int, rqstp->rq_res.buflen,
+ svc_max_payload(rqstp));
memset(buf, 0, sizeof(*buf));
/* Reserve room for the NULL ptr & eof flag (-2 words) */
- buf->buflen = count - XDR_UNIT * 2;
+ buf->buflen = clamp(count, (u32)(XDR_UNIT * 2), sendbuf);
+ buf->buflen -= XDR_UNIT * 2;
buf->pages = rqstp->rq_next_page;
rqstp->rq_next_page += (buf->buflen + PAGE_SIZE - 1) >> PAGE_SHIFT;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 097/862] NFSD: Protect against send buffer overflow in NFSv2 READ
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 096/862] NFSD: Protect against send buffer overflow in NFSv3 READDIR Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 098/862] NFSD: Protect against send buffer overflow in NFSv3 READ Greg Kroah-Hartman
` (779 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chuck Lever, Jeff Layton
From: Chuck Lever <chuck.lever@oracle.com>
commit 401bc1f90874280a80b93f23be33a0e7e2d1f912 upstream.
Since before the git era, NFSD has conserved the number of pages
held by each nfsd thread by combining the RPC receive and send
buffers into a single array of pages. This works because there are
no cases where an operation needs a large RPC Call message and a
large RPC Reply at the same time.
Once an RPC Call has been received, svc_process() updates
svc_rqst::rq_res to describe the part of rq_pages that can be
used for constructing the Reply. This means that the send buffer
(rq_res) shrinks when the received RPC record containing the RPC
Call is large.
A client can force this shrinkage on TCP by sending a correctly-
formed RPC Call header contained in an RPC record that is
excessively large. The full maximum payload size cannot be
constructed in that case.
Cc: <stable@vger.kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfsproc.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/nfsd/nfsproc.c
+++ b/fs/nfsd/nfsproc.c
@@ -185,6 +185,7 @@ nfsd_proc_read(struct svc_rqst *rqstp)
argp->count, argp->offset);
argp->count = min_t(u32, argp->count, NFSSVC_MAXBLKSIZE_V2);
+ argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen);
v = 0;
len = argp->count;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 098/862] NFSD: Protect against send buffer overflow in NFSv3 READ
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 097/862] NFSD: Protect against send buffer overflow in NFSv2 READ Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 099/862] cpufreq: qcom-cpufreq-hw: Fix uninitialized throttled_freq warning Greg Kroah-Hartman
` (778 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chuck Lever, Jeff Layton
From: Chuck Lever <chuck.lever@oracle.com>
commit fa6be9cc6e80ec79892ddf08a8c10cabab9baf38 upstream.
Since before the git era, NFSD has conserved the number of pages
held by each nfsd thread by combining the RPC receive and send
buffers into a single array of pages. This works because there are
no cases where an operation needs a large RPC Call message and a
large RPC Reply at the same time.
Once an RPC Call has been received, svc_process() updates
svc_rqst::rq_res to describe the part of rq_pages that can be
used for constructing the Reply. This means that the send buffer
(rq_res) shrinks when the received RPC record containing the RPC
Call is large.
A client can force this shrinkage on TCP by sending a correctly-
formed RPC Call header contained in an RPC record that is
excessively large. The full maximum payload size cannot be
constructed in that case.
Cc: <stable@vger.kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfsd/nfs3proc.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/nfsd/nfs3proc.c
+++ b/fs/nfsd/nfs3proc.c
@@ -150,7 +150,6 @@ nfsd3_proc_read(struct svc_rqst *rqstp)
{
struct nfsd3_readargs *argp = rqstp->rq_argp;
struct nfsd3_readres *resp = rqstp->rq_resp;
- u32 max_blocksize = svc_max_payload(rqstp);
unsigned int len;
int v;
@@ -159,7 +158,8 @@ nfsd3_proc_read(struct svc_rqst *rqstp)
(unsigned long) argp->count,
(unsigned long long) argp->offset);
- argp->count = min_t(u32, argp->count, max_blocksize);
+ argp->count = min_t(u32, argp->count, svc_max_payload(rqstp));
+ argp->count = min_t(u32, argp->count, rqstp->rq_res.buflen);
if (argp->offset > (u64)OFFSET_MAX)
argp->offset = (u64)OFFSET_MAX;
if (argp->offset + argp->count > (u64)OFFSET_MAX)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 099/862] cpufreq: qcom-cpufreq-hw: Fix uninitialized throttled_freq warning
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 098/862] NFSD: Protect against send buffer overflow in NFSv3 READ Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 100/862] LoadPin: Fix Kconfig doc about format of file with verity digests Greg Kroah-Hartman
` (777 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, kernel test robot, Dan Carpenter,
Neil Armstrong, Viresh Kumar
From: Viresh Kumar <viresh.kumar@linaro.org>
commit 91dc90fdb8b8199519a3aac9c46a433b02223c5b upstream.
Commit 6240aaad75e1 was supposed to drop the reference count to the OPP,
instead it avoided more stuff if the OPP isn't found. This isn't
entirely correct. We already have a frequency value available, we just
couldn't align it with an OPP in case of IS_ERR(opp).
Lets continue with updating thermal pressure, etc, even if we aren't
able to find an OPP here.
This fixes warning generated by the 'smatch' tool.
Fixes: 6240aaad75e1 ("cpufreq: qcom-hw: fix the opp entries refcounting")
Cc: v5.18+ <stable@vger.kernel.org> # v5.18+
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Signed-off-by: Viresh Kumar <viresh.kumar@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/cpufreq/qcom-cpufreq-hw.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/drivers/cpufreq/qcom-cpufreq-hw.c
+++ b/drivers/cpufreq/qcom-cpufreq-hw.c
@@ -316,14 +316,14 @@ static void qcom_lmh_dcvs_notify(struct
if (IS_ERR(opp)) {
dev_warn(dev, "Can't find the OPP for throttling: %pe!\n", opp);
} else {
- throttled_freq = freq_hz / HZ_PER_KHZ;
-
- /* Update thermal pressure (the boost frequencies are accepted) */
- arch_update_thermal_pressure(policy->related_cpus, throttled_freq);
-
dev_pm_opp_put(opp);
}
+ throttled_freq = freq_hz / HZ_PER_KHZ;
+
+ /* Update thermal pressure (the boost frequencies are accepted) */
+ arch_update_thermal_pressure(policy->related_cpus, throttled_freq);
+
/*
* In the unlikely case policy is unregistered do not enable
* polling or h/w interrupt
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 100/862] LoadPin: Fix Kconfig doc about format of file with verity digests
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 099/862] cpufreq: qcom-cpufreq-hw: Fix uninitialized throttled_freq warning Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 101/862] powercap: intel_rapl: Use standard Energy Unit for SPR Dram RAPL domain Greg Kroah-Hartman
` (776 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jae Hoon Kim, Matthias Kaehlcke, Kees Cook
From: Matthias Kaehlcke <mka@chromium.org>
commit aafc203bbad4bf6cf394a34ea698c2b0b8affae0 upstream.
The doc for CONFIG_SECURITY_LOADPIN_VERITY says that the file with verity
digests must contain a comma separated list of digests. That was the case
at some stage of the development, but was changed during the review
process to one digest per line. Update the Kconfig doc accordingly.
Reported-by: Jae Hoon Kim <kimjae@chromium.org>
Signed-off-by: Matthias Kaehlcke <mka@chromium.org>
Fixes: 3f805f8cc23b ("LoadPin: Enable loading from trusted dm-verity devices")
Cc: stable@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Link: https://lore.kernel.org/r/20220829174557.1.I5d202d1344212a3800d9828f936df6511eb2d0d1@changeid
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
security/loadpin/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/security/loadpin/Kconfig
+++ b/security/loadpin/Kconfig
@@ -33,4 +33,4 @@ config SECURITY_LOADPIN_VERITY
on the LoadPin securityfs entry 'dm-verity'. The ioctl
expects a file descriptor of a file with verity digests as
parameter. The file must be located on the pinned root and
- contain a comma separated list of digests.
+ contain one digest per line.
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 101/862] powercap: intel_rapl: Use standard Energy Unit for SPR Dram RAPL domain
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 100/862] LoadPin: Fix Kconfig doc about format of file with verity digests Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 102/862] powerpc/Kconfig: Fix non existing CONFIG_PPC_FSL_BOOKE Greg Kroah-Hartman
` (775 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zhang Rui, Wang Wendy, Rafael J. Wysocki
From: Zhang Rui <rui.zhang@intel.com>
commit 4c081324df5608b73428662ca54d5221ea03a6bd upstream.
Intel Xeon servers used to use a fixed energy resolution (15.3uj) for
Dram RAPL domain. But on SPR, Dram RAPL domain follows the standard
energy resolution as described in MSR_RAPL_POWER_UNIT.
Remove the SPR dram_domain_energy_unit quirk.
Fixes: 2d798d9f5967 ("powercap: intel_rapl: add support for Sapphire Rapids")
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Tested-by: Wang Wendy <wendy.wang@intel.com>
Cc: 5.9+ <stable@vger.kernel.org> # 5.9+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/powercap/intel_rapl_common.c | 1 -
1 file changed, 1 deletion(-)
--- a/drivers/powercap/intel_rapl_common.c
+++ b/drivers/powercap/intel_rapl_common.c
@@ -1035,7 +1035,6 @@ static const struct rapl_defaults rapl_d
.check_unit = rapl_check_unit_core,
.set_floor_freq = set_floor_freq_default,
.compute_time_window = rapl_compute_time_window_core,
- .dram_domain_energy_unit = 15300,
.psys_domain_energy_unit = 1000000000,
.spr_psys_bits = true,
};
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 102/862] powerpc/Kconfig: Fix non existing CONFIG_PPC_FSL_BOOKE
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 101/862] powercap: intel_rapl: Use standard Energy Unit for SPR Dram RAPL domain Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 103/862] powerpc/boot: Explicitly disable usage of SPE instructions Greg Kroah-Hartman
` (774 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Christophe Leroy, Michael Ellerman
From: Christophe Leroy <christophe.leroy@csgroup.eu>
commit d1203f32d86987a3ccd7de9ba2448ba12d86d125 upstream.
CONFIG_PPC_FSL_BOOKE doesn't exist. Should be CONFIG_FSL_BOOKE.
Fixes: 49e3d8ea6248 ("powerpc/fsl_booke: Enable STRICT_KERNEL_RWX")
Cc: stable@vger.kernel.org
Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/828f6a64eeb51ce9abfa1d4e84c521a02fecebb8.1663606875.git.christophe.leroy@csgroup.eu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -828,7 +828,7 @@ config DATA_SHIFT
default 24 if STRICT_KERNEL_RWX && PPC64
range 17 28 if (STRICT_KERNEL_RWX || DEBUG_PAGEALLOC || KFENCE) && PPC_BOOK3S_32
range 19 23 if (STRICT_KERNEL_RWX || DEBUG_PAGEALLOC || KFENCE) && PPC_8xx
- range 20 24 if (STRICT_KERNEL_RWX || DEBUG_PAGEALLOC || KFENCE) && PPC_FSL_BOOKE
+ range 20 24 if (STRICT_KERNEL_RWX || DEBUG_PAGEALLOC || KFENCE) && FSL_BOOKE
default 22 if STRICT_KERNEL_RWX && PPC_BOOK3S_32
default 18 if (DEBUG_PAGEALLOC || KFENCE) && PPC_BOOK3S_32
default 23 if STRICT_KERNEL_RWX && PPC_8xx
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 103/862] powerpc/boot: Explicitly disable usage of SPE instructions
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 102/862] powerpc/Kconfig: Fix non existing CONFIG_PPC_FSL_BOOKE Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 104/862] slimbus: qcom-ngd: use correct error in message of pdr_add_lookup() failure Greg Kroah-Hartman
` (773 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Pali Rohár, Michael Ellerman
From: Pali Rohár <pali@kernel.org>
commit 110a58b9f91c66f743c01a2c217243d94c899c23 upstream.
uImage boot wrapper should not use SPE instructions, like kernel itself.
Boot wrapper has already disabled Altivec and VSX instructions but not SPE.
Options -mno-spe and -mspe=no already set when compilation of kernel, but
not when compiling uImage wrapper yet. Fix it.
Cc: stable@vger.kernel.org
Signed-off-by: Pali Rohár <pali@kernel.org>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://lore.kernel.org/r/20220827134454.17365-1-pali@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/boot/Makefile | 1 +
1 file changed, 1 insertion(+)
--- a/arch/powerpc/boot/Makefile
+++ b/arch/powerpc/boot/Makefile
@@ -34,6 +34,7 @@ endif
BOOTCFLAGS := -Wall -Wundef -Wstrict-prototypes -Wno-trigraphs \
-fno-strict-aliasing -O2 -msoft-float -mno-altivec -mno-vsx \
+ $(call cc-option,-mno-spe) $(call cc-option,-mspe=no) \
-pipe -fomit-frame-pointer -fno-builtin -fPIC -nostdinc \
$(LINUXINCLUDE)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 104/862] slimbus: qcom-ngd: use correct error in message of pdr_add_lookup() failure
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 103/862] powerpc/boot: Explicitly disable usage of SPE instructions Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 105/862] slimbus: qcom-ngd: cleanup in probe error path Greg Kroah-Hartman
` (772 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Srinivas Kandagatla
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 5038d21dde818fe74ba1fcb6f2cee35b8c2ebbf2 upstream.
Use correct error code, instead of previous 'ret' value, when printing
error from pdr_add_lookup() failure.
Fixes: e1ae85e1830e ("slimbus: qcom-ngd-ctrl: add Protection Domain Restart Support")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20220916122910.170730-2-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/slimbus/qcom-ngd-ctrl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1581,8 +1581,9 @@ static int qcom_slim_ngd_ctrl_probe(stru
pds = pdr_add_lookup(ctrl->pdr, "avs/audio", "msm/adsp/audio_pd");
if (IS_ERR(pds) && PTR_ERR(pds) != -EALREADY) {
+ ret = PTR_ERR(pds);
dev_err(dev, "pdr add lookup failed: %d\n", ret);
- return PTR_ERR(pds);
+ return ret;
}
platform_driver_register(&qcom_slim_ngd_driver);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 105/862] slimbus: qcom-ngd: cleanup in probe error path
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 104/862] slimbus: qcom-ngd: use correct error in message of pdr_add_lookup() failure Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 106/862] scsi: lpfc: Rework MIB Rx Monitor debug info logic Greg Kroah-Hartman
` (771 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Krzysztof Kozlowski, Srinivas Kandagatla
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 16f14551d0df9e7cd283545d7d748829594d912f upstream.
Add proper error path in probe() to cleanup resources previously
acquired/allocated to fix warnings visible during probe deferral:
notifier callback qcom_slim_ngd_ssr_notify already registered
WARNING: CPU: 6 PID: 70 at kernel/notifier.c:28 notifier_chain_register+0x5c/0x90
Modules linked in:
CPU: 6 PID: 70 Comm: kworker/u16:1 Not tainted 6.0.0-rc3-next-20220830 #380
Call trace:
notifier_chain_register+0x5c/0x90
srcu_notifier_chain_register+0x44/0x90
qcom_register_ssr_notifier+0x38/0x4c
qcom_slim_ngd_ctrl_probe+0xd8/0x400
platform_probe+0x6c/0xe0
really_probe+0xbc/0x2d4
__driver_probe_device+0x78/0xe0
driver_probe_device+0x3c/0x12c
__device_attach_driver+0xb8/0x120
bus_for_each_drv+0x78/0xd0
__device_attach+0xa8/0x1c0
device_initial_probe+0x18/0x24
bus_probe_device+0xa0/0xac
deferred_probe_work_func+0x88/0xc0
process_one_work+0x1d4/0x320
worker_thread+0x2cc/0x44c
kthread+0x110/0x114
ret_from_fork+0x10/0x20
Fixes: e1ae85e1830e ("slimbus: qcom-ngd-ctrl: add Protection Domain Restart Support")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Link: https://lore.kernel.org/r/20220916122910.170730-3-srinivas.kandagatla@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/slimbus/qcom-ngd-ctrl.c | 13 +++++++++++--
1 file changed, 11 insertions(+), 2 deletions(-)
--- a/drivers/slimbus/qcom-ngd-ctrl.c
+++ b/drivers/slimbus/qcom-ngd-ctrl.c
@@ -1576,18 +1576,27 @@ static int qcom_slim_ngd_ctrl_probe(stru
ctrl->pdr = pdr_handle_alloc(slim_pd_status, ctrl);
if (IS_ERR(ctrl->pdr)) {
dev_err(dev, "Failed to init PDR handle\n");
- return PTR_ERR(ctrl->pdr);
+ ret = PTR_ERR(ctrl->pdr);
+ goto err_pdr_alloc;
}
pds = pdr_add_lookup(ctrl->pdr, "avs/audio", "msm/adsp/audio_pd");
if (IS_ERR(pds) && PTR_ERR(pds) != -EALREADY) {
ret = PTR_ERR(pds);
dev_err(dev, "pdr add lookup failed: %d\n", ret);
- return ret;
+ goto err_pdr_lookup;
}
platform_driver_register(&qcom_slim_ngd_driver);
return of_qcom_slim_ngd_register(dev, ctrl);
+
+err_pdr_alloc:
+ qcom_unregister_ssr_notifier(ctrl->notifier, &ctrl->nb);
+
+err_pdr_lookup:
+ pdr_handle_release(ctrl->pdr);
+
+ return ret;
}
static int qcom_slim_ngd_ctrl_remove(struct platform_device *pdev)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 106/862] scsi: lpfc: Rework MIB Rx Monitor debug info logic
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 105/862] slimbus: qcom-ngd: cleanup in probe error path Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 107/862] scsi: qedf: Populate sysfs attributes for vport Greg Kroah-Hartman
` (770 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Justin Tee, James Smart, Martin K. Petersen
From: James Smart <jsmart2021@gmail.com>
commit bd269188ea94e40ab002cad7b0df8f12b8f0de54 upstream.
The kernel test robot reported the following sparse warning:
arch/arm64/include/asm/cmpxchg.h:88:1: sparse: sparse: cast truncates
bits from constant value (369 becomes 69)
On arm64, atomic_xchg only works on 8-bit byte fields. Thus, the macro
usage of LPFC_RXMONITOR_TABLE_IN_USE can be unintentionally truncated
leading to all logic involving the LPFC_RXMONITOR_TABLE_IN_USE macro to not
work properly.
Replace the Rx Table atomic_t indexing logic with a new
lpfc_rx_info_monitor structure that holds a circular ring buffer. For
locking semantics, a spinlock_t is used.
Link: https://lore.kernel.org/r/20220819011736.14141-4-jsmart2021@gmail.com
Fixes: 17b27ac59224 ("scsi: lpfc: Add rx monitoring statistics")
Cc: <stable@vger.kernel.org> # v5.15+
Co-developed-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: James Smart <jsmart2021@gmail.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/lpfc/lpfc.h | 14 +-
drivers/scsi/lpfc/lpfc_crtn.h | 8 +
drivers/scsi/lpfc/lpfc_debugfs.c | 59 ++----------
drivers/scsi/lpfc/lpfc_debugfs.h | 2
drivers/scsi/lpfc/lpfc_init.c | 83 ++++-------------
drivers/scsi/lpfc/lpfc_mem.c | 9 +
drivers/scsi/lpfc/lpfc_sli.c | 190 +++++++++++++++++++++++++++++++++++++--
7 files changed, 240 insertions(+), 125 deletions(-)
--- a/drivers/scsi/lpfc/lpfc.h
+++ b/drivers/scsi/lpfc/lpfc.h
@@ -1570,10 +1570,7 @@ struct lpfc_hba {
u32 cgn_acqe_cnt;
/* RX monitor handling for CMF */
- struct rxtable_entry *rxtable; /* RX_monitor information */
- atomic_t rxtable_idx_head;
-#define LPFC_RXMONITOR_TABLE_IN_USE (LPFC_MAX_RXMONITOR_ENTRY + 73)
- atomic_t rxtable_idx_tail;
+ struct lpfc_rx_info_monitor *rx_monitor;
atomic_t rx_max_read_cnt; /* Maximum read bytes */
uint64_t rx_block_cnt;
@@ -1622,7 +1619,7 @@ struct lpfc_hba {
#define LPFC_MAX_RXMONITOR_ENTRY 800
#define LPFC_MAX_RXMONITOR_DUMP 32
-struct rxtable_entry {
+struct rx_info_entry {
uint64_t cmf_bytes; /* Total no of read bytes for CMF_SYNC_WQE */
uint64_t total_bytes; /* Total no of read bytes requested */
uint64_t rcv_bytes; /* Total no of read bytes completed */
@@ -1637,6 +1634,13 @@ struct rxtable_entry {
uint32_t timer_interval;
};
+struct lpfc_rx_info_monitor {
+ struct rx_info_entry *ring; /* info organized in a circular buffer */
+ u32 head_idx, tail_idx; /* index to head/tail of ring */
+ spinlock_t lock; /* spinlock for ring */
+ u32 entries; /* storing number entries/size of ring */
+};
+
static inline struct Scsi_Host *
lpfc_shost_from_vport(struct lpfc_vport *vport)
{
--- a/drivers/scsi/lpfc/lpfc_crtn.h
+++ b/drivers/scsi/lpfc/lpfc_crtn.h
@@ -92,6 +92,14 @@ void lpfc_cgn_dump_rxmonitor(struct lpfc
void lpfc_cgn_update_stat(struct lpfc_hba *phba, uint32_t dtag);
void lpfc_unblock_requests(struct lpfc_hba *phba);
void lpfc_block_requests(struct lpfc_hba *phba);
+int lpfc_rx_monitor_create_ring(struct lpfc_rx_info_monitor *rx_monitor,
+ u32 entries);
+void lpfc_rx_monitor_destroy_ring(struct lpfc_rx_info_monitor *rx_monitor);
+void lpfc_rx_monitor_record(struct lpfc_rx_info_monitor *rx_monitor,
+ struct rx_info_entry *entry);
+u32 lpfc_rx_monitor_report(struct lpfc_hba *phba,
+ struct lpfc_rx_info_monitor *rx_monitor, char *buf,
+ u32 buf_len, u32 max_read_entries);
void lpfc_mbx_cmpl_local_config_link(struct lpfc_hba *, LPFC_MBOXQ_t *);
void lpfc_mbx_cmpl_reg_login(struct lpfc_hba *, LPFC_MBOXQ_t *);
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -5531,7 +5531,7 @@ lpfc_rx_monitor_open(struct inode *inode
if (!debug)
goto out;
- debug->buffer = vmalloc(MAX_DEBUGFS_RX_TABLE_SIZE);
+ debug->buffer = vmalloc(MAX_DEBUGFS_RX_INFO_SIZE);
if (!debug->buffer) {
kfree(debug);
goto out;
@@ -5552,57 +5552,18 @@ lpfc_rx_monitor_read(struct file *file,
struct lpfc_rx_monitor_debug *debug = file->private_data;
struct lpfc_hba *phba = (struct lpfc_hba *)debug->i_private;
char *buffer = debug->buffer;
- struct rxtable_entry *entry;
- int i, len = 0, head, tail, last, start;
- head = atomic_read(&phba->rxtable_idx_head);
- while (head == LPFC_RXMONITOR_TABLE_IN_USE) {
- /* Table is getting updated */
- msleep(20);
- head = atomic_read(&phba->rxtable_idx_head);
+ if (!phba->rx_monitor) {
+ scnprintf(buffer, MAX_DEBUGFS_RX_INFO_SIZE,
+ "Rx Monitor Info is empty.\n");
+ } else {
+ lpfc_rx_monitor_report(phba, phba->rx_monitor, buffer,
+ MAX_DEBUGFS_RX_INFO_SIZE,
+ LPFC_MAX_RXMONITOR_ENTRY);
}
- tail = atomic_xchg(&phba->rxtable_idx_tail, head);
- if (!phba->rxtable || head == tail) {
- len += scnprintf(buffer + len, MAX_DEBUGFS_RX_TABLE_SIZE - len,
- "Rxtable is empty\n");
- goto out;
- }
- last = (head > tail) ? head : LPFC_MAX_RXMONITOR_ENTRY;
- start = tail;
-
- len += scnprintf(buffer + len, MAX_DEBUGFS_RX_TABLE_SIZE - len,
- " MaxBPI Tot_Data_CMF Tot_Data_Cmd "
- "Tot_Data_Cmpl Lat(us) Avg_IO Max_IO "
- "Bsy IO_cnt Info BWutil(ms)\n");
-get_table:
- for (i = start; i < last; i++) {
- entry = &phba->rxtable[i];
- len += scnprintf(buffer + len, MAX_DEBUGFS_RX_TABLE_SIZE - len,
- "%3d:%12lld %12lld %12lld %12lld "
- "%7lldus %8lld %7lld "
- "%2d %4d %2d %2d(%2d)\n",
- i, entry->max_bytes_per_interval,
- entry->cmf_bytes,
- entry->total_bytes,
- entry->rcv_bytes,
- entry->avg_io_latency,
- entry->avg_io_size,
- entry->max_read_cnt,
- entry->cmf_busy,
- entry->io_cnt,
- entry->cmf_info,
- entry->timer_utilization,
- entry->timer_interval);
- }
-
- if (head != last) {
- start = 0;
- last = head;
- goto get_table;
- }
-out:
- return simple_read_from_buffer(buf, nbytes, ppos, buffer, len);
+ return simple_read_from_buffer(buf, nbytes, ppos, buffer,
+ strlen(buffer));
}
static int
--- a/drivers/scsi/lpfc/lpfc_debugfs.h
+++ b/drivers/scsi/lpfc/lpfc_debugfs.h
@@ -282,7 +282,7 @@ struct lpfc_idiag {
void *ptr_private;
};
-#define MAX_DEBUGFS_RX_TABLE_SIZE (128 * LPFC_MAX_RXMONITOR_ENTRY)
+#define MAX_DEBUGFS_RX_INFO_SIZE (128 * LPFC_MAX_RXMONITOR_ENTRY)
struct lpfc_rx_monitor_debug {
char *i_private;
char *buffer;
--- a/drivers/scsi/lpfc/lpfc_init.c
+++ b/drivers/scsi/lpfc/lpfc_init.c
@@ -5569,38 +5569,12 @@ lpfc_async_link_speed_to_read_top(struct
void
lpfc_cgn_dump_rxmonitor(struct lpfc_hba *phba)
{
- struct rxtable_entry *entry;
- int cnt = 0, head, tail, last, start;
-
- head = atomic_read(&phba->rxtable_idx_head);
- tail = atomic_read(&phba->rxtable_idx_tail);
- if (!phba->rxtable || head == tail) {
- lpfc_printf_log(phba, KERN_ERR, LOG_CGN_MGMT,
- "4411 Rxtable is empty\n");
- return;
- }
- last = tail;
- start = head;
-
- /* Display the last LPFC_MAX_RXMONITOR_DUMP entries from the rxtable */
- while (start != last) {
- if (start)
- start--;
- else
- start = LPFC_MAX_RXMONITOR_ENTRY - 1;
- entry = &phba->rxtable[start];
+ if (!phba->rx_monitor) {
lpfc_printf_log(phba, KERN_INFO, LOG_CGN_MGMT,
- "4410 %02d: MBPI %lld Xmit %lld Cmpl %lld "
- "Lat %lld ASz %lld Info %02d BWUtil %d "
- "Int %d slot %d\n",
- cnt, entry->max_bytes_per_interval,
- entry->total_bytes, entry->rcv_bytes,
- entry->avg_io_latency, entry->avg_io_size,
- entry->cmf_info, entry->timer_utilization,
- entry->timer_interval, start);
- cnt++;
- if (cnt >= LPFC_MAX_RXMONITOR_DUMP)
- return;
+ "4411 Rx Monitor Info is empty.\n");
+ } else {
+ lpfc_rx_monitor_report(phba, phba->rx_monitor, NULL, 0,
+ LPFC_MAX_RXMONITOR_DUMP);
}
}
@@ -6007,9 +5981,8 @@ lpfc_cmf_timer(struct hrtimer *timer)
{
struct lpfc_hba *phba = container_of(timer, struct lpfc_hba,
cmf_timer);
- struct rxtable_entry *entry;
+ struct rx_info_entry entry;
uint32_t io_cnt;
- uint32_t head, tail;
uint32_t busy, max_read;
uint64_t total, rcv, lat, mbpi, extra, cnt;
int timer_interval = LPFC_CMF_INTERVAL;
@@ -6129,40 +6102,30 @@ lpfc_cmf_timer(struct hrtimer *timer)
}
/* Save rxmonitor information for debug */
- if (phba->rxtable) {
- head = atomic_xchg(&phba->rxtable_idx_head,
- LPFC_RXMONITOR_TABLE_IN_USE);
- entry = &phba->rxtable[head];
- entry->total_bytes = total;
- entry->cmf_bytes = total + extra;
- entry->rcv_bytes = rcv;
- entry->cmf_busy = busy;
- entry->cmf_info = phba->cmf_active_info;
+ if (phba->rx_monitor) {
+ entry.total_bytes = total;
+ entry.cmf_bytes = total + extra;
+ entry.rcv_bytes = rcv;
+ entry.cmf_busy = busy;
+ entry.cmf_info = phba->cmf_active_info;
if (io_cnt) {
- entry->avg_io_latency = div_u64(lat, io_cnt);
- entry->avg_io_size = div_u64(rcv, io_cnt);
+ entry.avg_io_latency = div_u64(lat, io_cnt);
+ entry.avg_io_size = div_u64(rcv, io_cnt);
} else {
- entry->avg_io_latency = 0;
- entry->avg_io_size = 0;
+ entry.avg_io_latency = 0;
+ entry.avg_io_size = 0;
}
- entry->max_read_cnt = max_read;
- entry->io_cnt = io_cnt;
- entry->max_bytes_per_interval = mbpi;
+ entry.max_read_cnt = max_read;
+ entry.io_cnt = io_cnt;
+ entry.max_bytes_per_interval = mbpi;
if (phba->cmf_active_mode == LPFC_CFG_MANAGED)
- entry->timer_utilization = phba->cmf_last_ts;
+ entry.timer_utilization = phba->cmf_last_ts;
else
- entry->timer_utilization = ms;
- entry->timer_interval = ms;
+ entry.timer_utilization = ms;
+ entry.timer_interval = ms;
phba->cmf_last_ts = 0;
- /* Increment rxtable index */
- head = (head + 1) % LPFC_MAX_RXMONITOR_ENTRY;
- tail = atomic_read(&phba->rxtable_idx_tail);
- if (head == tail) {
- tail = (tail + 1) % LPFC_MAX_RXMONITOR_ENTRY;
- atomic_set(&phba->rxtable_idx_tail, tail);
- }
- atomic_set(&phba->rxtable_idx_head, head);
+ lpfc_rx_monitor_record(phba->rx_monitor, &entry);
}
if (phba->cmf_active_mode == LPFC_CFG_MONITOR) {
--- a/drivers/scsi/lpfc/lpfc_mem.c
+++ b/drivers/scsi/lpfc/lpfc_mem.c
@@ -344,9 +344,12 @@ lpfc_mem_free_all(struct lpfc_hba *phba)
phba->cgn_i = NULL;
}
- /* Free RX table */
- kfree(phba->rxtable);
- phba->rxtable = NULL;
+ /* Free RX Monitor */
+ if (phba->rx_monitor) {
+ lpfc_rx_monitor_destroy_ring(phba->rx_monitor);
+ kfree(phba->rx_monitor);
+ phba->rx_monitor = NULL;
+ }
/* Free the iocb lookup array */
kfree(psli->iocbq_lookup);
--- a/drivers/scsi/lpfc/lpfc_sli.c
+++ b/drivers/scsi/lpfc/lpfc_sli.c
@@ -7960,6 +7960,172 @@ static void lpfc_sli4_dip(struct lpfc_hb
}
/**
+ * lpfc_rx_monitor_create_ring - Initialize ring buffer for rx_monitor
+ * @rx_monitor: Pointer to lpfc_rx_info_monitor object
+ * @entries: Number of rx_info_entry objects to allocate in ring
+ *
+ * Return:
+ * 0 - Success
+ * ENOMEM - Failure to kmalloc
+ **/
+int lpfc_rx_monitor_create_ring(struct lpfc_rx_info_monitor *rx_monitor,
+ u32 entries)
+{
+ rx_monitor->ring = kmalloc_array(entries, sizeof(struct rx_info_entry),
+ GFP_KERNEL);
+ if (!rx_monitor->ring)
+ return -ENOMEM;
+
+ rx_monitor->head_idx = 0;
+ rx_monitor->tail_idx = 0;
+ spin_lock_init(&rx_monitor->lock);
+ rx_monitor->entries = entries;
+
+ return 0;
+}
+
+/**
+ * lpfc_rx_monitor_destroy_ring - Free ring buffer for rx_monitor
+ * @rx_monitor: Pointer to lpfc_rx_info_monitor object
+ **/
+void lpfc_rx_monitor_destroy_ring(struct lpfc_rx_info_monitor *rx_monitor)
+{
+ spin_lock(&rx_monitor->lock);
+ kfree(rx_monitor->ring);
+ rx_monitor->ring = NULL;
+ rx_monitor->entries = 0;
+ rx_monitor->head_idx = 0;
+ rx_monitor->tail_idx = 0;
+ spin_unlock(&rx_monitor->lock);
+}
+
+/**
+ * lpfc_rx_monitor_record - Insert an entry into rx_monitor's ring
+ * @rx_monitor: Pointer to lpfc_rx_info_monitor object
+ * @entry: Pointer to rx_info_entry
+ *
+ * Used to insert an rx_info_entry into rx_monitor's ring. Note that this is a
+ * deep copy of rx_info_entry not a shallow copy of the rx_info_entry ptr.
+ *
+ * This is called from lpfc_cmf_timer, which is in timer/softirq context.
+ *
+ * In cases of old data overflow, we do a best effort of FIFO order.
+ **/
+void lpfc_rx_monitor_record(struct lpfc_rx_info_monitor *rx_monitor,
+ struct rx_info_entry *entry)
+{
+ struct rx_info_entry *ring = rx_monitor->ring;
+ u32 *head_idx = &rx_monitor->head_idx;
+ u32 *tail_idx = &rx_monitor->tail_idx;
+ spinlock_t *ring_lock = &rx_monitor->lock;
+ u32 ring_size = rx_monitor->entries;
+
+ spin_lock(ring_lock);
+ memcpy(&ring[*tail_idx], entry, sizeof(*entry));
+ *tail_idx = (*tail_idx + 1) % ring_size;
+
+ /* Best effort of FIFO saved data */
+ if (*tail_idx == *head_idx)
+ *head_idx = (*head_idx + 1) % ring_size;
+
+ spin_unlock(ring_lock);
+}
+
+/**
+ * lpfc_rx_monitor_report - Read out rx_monitor's ring
+ * @phba: Pointer to lpfc_hba object
+ * @rx_monitor: Pointer to lpfc_rx_info_monitor object
+ * @buf: Pointer to char buffer that will contain rx monitor info data
+ * @buf_len: Length buf including null char
+ * @max_read_entries: Maximum number of entries to read out of ring
+ *
+ * Used to dump/read what's in rx_monitor's ring buffer.
+ *
+ * If buf is NULL || buf_len == 0, then it is implied that we want to log the
+ * information to kmsg instead of filling out buf.
+ *
+ * Return:
+ * Number of entries read out of the ring
+ **/
+u32 lpfc_rx_monitor_report(struct lpfc_hba *phba,
+ struct lpfc_rx_info_monitor *rx_monitor, char *buf,
+ u32 buf_len, u32 max_read_entries)
+{
+ struct rx_info_entry *ring = rx_monitor->ring;
+ struct rx_info_entry *entry;
+ u32 *head_idx = &rx_monitor->head_idx;
+ u32 *tail_idx = &rx_monitor->tail_idx;
+ spinlock_t *ring_lock = &rx_monitor->lock;
+ u32 ring_size = rx_monitor->entries;
+ u32 cnt = 0;
+ char tmp[DBG_LOG_STR_SZ] = {0};
+ bool log_to_kmsg = (!buf || !buf_len) ? true : false;
+
+ if (!log_to_kmsg) {
+ /* clear the buffer to be sure */
+ memset(buf, 0, buf_len);
+
+ scnprintf(buf, buf_len, "\t%-16s%-16s%-16s%-16s%-8s%-8s%-8s"
+ "%-8s%-8s%-8s%-16s\n",
+ "MaxBPI", "Tot_Data_CMF",
+ "Tot_Data_Cmd", "Tot_Data_Cmpl",
+ "Lat(us)", "Avg_IO", "Max_IO", "Bsy",
+ "IO_cnt", "Info", "BWutil(ms)");
+ }
+
+ /* Needs to be _bh because record is called from timer interrupt
+ * context
+ */
+ spin_lock_bh(ring_lock);
+ while (*head_idx != *tail_idx) {
+ entry = &ring[*head_idx];
+
+ /* Read out this entry's data. */
+ if (!log_to_kmsg) {
+ /* If !log_to_kmsg, then store to buf. */
+ scnprintf(tmp, sizeof(tmp),
+ "%03d:\t%-16llu%-16llu%-16llu%-16llu%-8llu"
+ "%-8llu%-8llu%-8u%-8u%-8u%u(%u)\n",
+ *head_idx, entry->max_bytes_per_interval,
+ entry->cmf_bytes, entry->total_bytes,
+ entry->rcv_bytes, entry->avg_io_latency,
+ entry->avg_io_size, entry->max_read_cnt,
+ entry->cmf_busy, entry->io_cnt,
+ entry->cmf_info, entry->timer_utilization,
+ entry->timer_interval);
+
+ /* Check for buffer overflow */
+ if ((strlen(buf) + strlen(tmp)) >= buf_len)
+ break;
+
+ /* Append entry's data to buffer */
+ strlcat(buf, tmp, buf_len);
+ } else {
+ lpfc_printf_log(phba, KERN_INFO, LOG_CGN_MGMT,
+ "4410 %02u: MBPI %llu Xmit %llu "
+ "Cmpl %llu Lat %llu ASz %llu Info %02u "
+ "BWUtil %u Int %u slot %u\n",
+ cnt, entry->max_bytes_per_interval,
+ entry->total_bytes, entry->rcv_bytes,
+ entry->avg_io_latency,
+ entry->avg_io_size, entry->cmf_info,
+ entry->timer_utilization,
+ entry->timer_interval, *head_idx);
+ }
+
+ *head_idx = (*head_idx + 1) % ring_size;
+
+ /* Don't feed more than max_read_entries */
+ cnt++;
+ if (cnt >= max_read_entries)
+ break;
+ }
+ spin_unlock_bh(ring_lock);
+
+ return cnt;
+}
+
+/**
* lpfc_cmf_setup - Initialize idle_stat tracking
* @phba: Pointer to HBA context object.
*
@@ -8133,19 +8299,29 @@ no_cmf:
phba->cmf_interval_rate = LPFC_CMF_INTERVAL;
/* Allocate RX Monitor Buffer */
- if (!phba->rxtable) {
- phba->rxtable = kmalloc_array(LPFC_MAX_RXMONITOR_ENTRY,
- sizeof(struct rxtable_entry),
- GFP_KERNEL);
- if (!phba->rxtable) {
+ if (!phba->rx_monitor) {
+ phba->rx_monitor = kzalloc(sizeof(*phba->rx_monitor),
+ GFP_KERNEL);
+
+ if (!phba->rx_monitor) {
lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
"2644 Failed to alloc memory "
"for RX Monitor Buffer\n");
return -ENOMEM;
}
+
+ /* Instruct the rx_monitor object to instantiate its ring */
+ if (lpfc_rx_monitor_create_ring(phba->rx_monitor,
+ LPFC_MAX_RXMONITOR_ENTRY)) {
+ kfree(phba->rx_monitor);
+ phba->rx_monitor = NULL;
+ lpfc_printf_log(phba, KERN_ERR, LOG_INIT,
+ "2645 Failed to alloc memory "
+ "for RX Monitor's Ring\n");
+ return -ENOMEM;
+ }
}
- atomic_set(&phba->rxtable_idx_head, 0);
- atomic_set(&phba->rxtable_idx_tail, 0);
+
return 0;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 107/862] scsi: qedf: Populate sysfs attributes for vport
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 106/862] scsi: lpfc: Rework MIB Rx Monitor debug info logic Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 108/862] gpio: rockchip: request GPIO mux to pinctrl when setting direction Greg Kroah-Hartman
` (769 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Guangwu Zhang, John Meneghini,
Saurav Kashyap, Nilesh Javali, Martin K. Petersen
From: Saurav Kashyap <skashyap@marvell.com>
commit 592642e6b11e620e4b43189f8072752429fc8dc3 upstream.
Few vport parameters were displayed by systool as 'Unknown' or 'NULL'.
Copy speed, supported_speed, frame_size and update port_type for NPIV port.
Link: https://lore.kernel.org/r/20220919134434.3513-1-njavali@marvell.com
Cc: stable@vger.kernel.org
Tested-by: Guangwu Zhang <guazhang@redhat.com>
Reviewed-by: John Meneghini <jmeneghi@redhat.com>
Signed-off-by: Saurav Kashyap <skashyap@marvell.com>
Signed-off-by: Nilesh Javali <njavali@marvell.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/scsi/qedf/qedf_main.c | 21 +++++++++++++++++++++
1 file changed, 21 insertions(+)
--- a/drivers/scsi/qedf/qedf_main.c
+++ b/drivers/scsi/qedf/qedf_main.c
@@ -1921,6 +1921,27 @@ static int qedf_vport_create(struct fc_v
fc_vport_setlink(vn_port);
}
+ /* Set symbolic node name */
+ if (base_qedf->pdev->device == QL45xxx)
+ snprintf(fc_host_symbolic_name(vn_port->host), 256,
+ "Marvell FastLinQ 45xxx FCoE v%s", QEDF_VERSION);
+
+ if (base_qedf->pdev->device == QL41xxx)
+ snprintf(fc_host_symbolic_name(vn_port->host), 256,
+ "Marvell FastLinQ 41xxx FCoE v%s", QEDF_VERSION);
+
+ /* Set supported speed */
+ fc_host_supported_speeds(vn_port->host) = n_port->link_supported_speeds;
+
+ /* Set speed */
+ vn_port->link_speed = n_port->link_speed;
+
+ /* Set port type */
+ fc_host_port_type(vn_port->host) = FC_PORTTYPE_NPIV;
+
+ /* Set maxframe size */
+ fc_host_maxframe_size(vn_port->host) = n_port->mfs;
+
QEDF_INFO(&(base_qedf->dbg_ctx), QEDF_LOG_NPIV, "vn_port=%p.\n",
vn_port);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 108/862] gpio: rockchip: request GPIO mux to pinctrl when setting direction
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 107/862] scsi: qedf: Populate sysfs attributes for vport Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 109/862] pinctrl: rockchip: add pinmux_ops.gpio_set_direction callback Greg Kroah-Hartman
` (768 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Heiko Stuebner, Quentin Schulz,
Linus Walleij
From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
commit 8ea8af6c8469156ac2042d83d73f6b74eb4b4b45 upstream.
Before the split of gpio and pinctrl sections in their own driver,
rockchip_set_mux was called in pinmux_ops.gpio_set_direction for
configuring a pin in its GPIO function.
This is essential for cases where pinctrl is "bypassed" by gpio
consumers otherwise the GPIO function is not configured for the pin and
it does not work. Such was the case for the sysfs/libgpiod userspace
GPIO handling.
Let's call pinctrl_gpio_direction_input/output when setting the
direction of a GPIO so that the pinctrl core requests from the rockchip
pinctrl driver to put the pin in its GPIO function.
Fixes: 9ce9a02039de ("pinctrl/rockchip: drop the gpio related codes")
Fixes: 936ee2675eee ("gpio/rockchip: add driver for rockchip gpio")
Cc: stable@vger.kernel.org
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Link: https://lore.kernel.org/r/20220930132033.4003377-3-foss+kernel@0leil.net
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-rockchip.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/drivers/gpio/gpio-rockchip.c
+++ b/drivers/gpio/gpio-rockchip.c
@@ -19,6 +19,7 @@
#include <linux/of_address.h>
#include <linux/of_device.h>
#include <linux/of_irq.h>
+#include <linux/pinctrl/consumer.h>
#include <linux/pinctrl/pinconf-generic.h>
#include <linux/regmap.h>
@@ -156,6 +157,12 @@ static int rockchip_gpio_set_direction(s
unsigned long flags;
u32 data = input ? 0 : 1;
+
+ if (input)
+ pinctrl_gpio_direction_input(bank->pin_base + offset);
+ else
+ pinctrl_gpio_direction_output(bank->pin_base + offset);
+
raw_spin_lock_irqsave(&bank->slock, flags);
rockchip_gpio_writel_bit(bank, offset, data, bank->gpio_regs->port_ddr);
raw_spin_unlock_irqrestore(&bank->slock, flags);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 109/862] pinctrl: rockchip: add pinmux_ops.gpio_set_direction callback
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 108/862] gpio: rockchip: request GPIO mux to pinctrl when setting direction Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 110/862] fbdev: smscufx: Fix use-after-free in ufx_ops_open() Greg Kroah-Hartman
` (767 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Heiko Stuebner, Quentin Schulz,
Linus Walleij
From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
commit 4635c0e2a7f7f3568cbfccae70121f9835efa62c upstream.
Before the split of gpio and pinctrl sections in their own driver,
rockchip_set_mux was called in pinmux_ops.gpio_set_direction for
configuring a pin in its GPIO function.
This is essential for cases where pinctrl is "bypassed" by gpio
consumers otherwise the GPIO function is not configured for the pin and
it does not work. Such was the case for the sysfs/libgpiod userspace
GPIO handling.
Let's re-implement the pinmux_ops.gpio_set_direction callback so that
the gpio subsystem can request from the pinctrl driver to put the pin in
its GPIO function.
Fixes: 9ce9a02039de ("pinctrl/rockchip: drop the gpio related codes")
Cc: stable@vger.kernel.org
Reviewed-by: Heiko Stuebner <heiko@sntech.de>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
Link: https://lore.kernel.org/r/20220930132033.4003377-2-foss+kernel@0leil.net
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/pinctrl-rockchip.c | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/drivers/pinctrl/pinctrl-rockchip.c
+++ b/drivers/pinctrl/pinctrl-rockchip.c
@@ -2393,11 +2393,24 @@ static int rockchip_pmx_set(struct pinct
return 0;
}
+static int rockchip_pmx_gpio_set_direction(struct pinctrl_dev *pctldev,
+ struct pinctrl_gpio_range *range,
+ unsigned offset,
+ bool input)
+{
+ struct rockchip_pinctrl *info = pinctrl_dev_get_drvdata(pctldev);
+ struct rockchip_pin_bank *bank;
+
+ bank = pin_to_bank(info, offset);
+ return rockchip_set_mux(bank, offset - bank->pin_base, RK_FUNC_GPIO);
+}
+
static const struct pinmux_ops rockchip_pmx_ops = {
.get_functions_count = rockchip_pmx_get_funcs_count,
.get_function_name = rockchip_pmx_get_func_name,
.get_function_groups = rockchip_pmx_get_groups,
.set_mux = rockchip_pmx_set,
+ .gpio_set_direction = rockchip_pmx_gpio_set_direction,
};
/*
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 110/862] fbdev: smscufx: Fix use-after-free in ufx_ops_open()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 109/862] pinctrl: rockchip: add pinmux_ops.gpio_set_direction callback Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 111/862] hwrng: core - let sleep be interrupted when unregistering hwrng Greg Kroah-Hartman
` (766 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Hyunwoo Kim, Helge Deller
From: Hyunwoo Kim <imv4bel@gmail.com>
commit 5610bcfe8693c02e2e4c8b31427f1bdbdecc839c upstream.
A race condition may occur if the user physically removes the
USB device while calling open() for this device node.
This is a race condition between the ufx_ops_open() function and
the ufx_usb_disconnect() function, which may eventually result in UAF.
So, add a mutex to the ufx_ops_open() and ufx_usb_disconnect() functions
to avoid race contidion of krefs.
Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/video/fbdev/smscufx.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
--- a/drivers/video/fbdev/smscufx.c
+++ b/drivers/video/fbdev/smscufx.c
@@ -137,6 +137,8 @@ static int ufx_submit_urb(struct ufx_dat
static int ufx_alloc_urb_list(struct ufx_data *dev, int count, size_t size);
static void ufx_free_urb_list(struct ufx_data *dev);
+static DEFINE_MUTEX(disconnect_mutex);
+
/* reads a control register */
static int ufx_reg_read(struct ufx_data *dev, u32 index, u32 *data)
{
@@ -1071,9 +1073,13 @@ static int ufx_ops_open(struct fb_info *
if (user == 0 && !console)
return -EBUSY;
+ mutex_lock(&disconnect_mutex);
+
/* If the USB device is gone, we don't accept new opens */
- if (dev->virtualized)
+ if (dev->virtualized) {
+ mutex_unlock(&disconnect_mutex);
return -ENODEV;
+ }
dev->fb_count++;
@@ -1097,6 +1103,8 @@ static int ufx_ops_open(struct fb_info *
pr_debug("open /dev/fb%d user=%d fb_info=%p count=%d",
info->node, user, info, dev->fb_count);
+ mutex_unlock(&disconnect_mutex);
+
return 0;
}
@@ -1741,6 +1749,8 @@ static void ufx_usb_disconnect(struct us
{
struct ufx_data *dev;
+ mutex_lock(&disconnect_mutex);
+
dev = usb_get_intfdata(interface);
pr_debug("USB disconnect starting\n");
@@ -1761,6 +1771,8 @@ static void ufx_usb_disconnect(struct us
kref_put(&dev->kref, ufx_free);
/* consider ufx_data freed */
+
+ mutex_unlock(&disconnect_mutex);
}
static struct usb_driver ufx_driver = {
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 111/862] hwrng: core - let sleep be interrupted when unregistering hwrng
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 110/862] fbdev: smscufx: Fix use-after-free in ufx_ops_open() Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 112/862] smb3: do not log confusing message when server returns no network interfaces Greg Kroah-Hartman
` (765 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Gregory Erwin, Jason A. Donenfeld,
Herbert Xu, Toke Høiland-Jørgensen, Kalle Valo
From: Jason A. Donenfeld <Jason@zx2c4.com>
commit 36cb6494429bd64b27b7ff8b4af56f8e526da2b4 upstream.
There are two deadlock scenarios that need addressing, which cause
problems when the computer goes to sleep, the interface is set down, and
hwrng_unregister() is called. When the deadlock is hit, sleep is delayed
for tens of seconds, causing it to fail. These scenarios are:
1) The hwrng kthread can't be stopped while it's sleeping, because it
uses msleep_interruptible() which does not react to kthread_stop.
2) A normal user thread can't be interrupted by hwrng_unregister() while
it's sleeping, because hwrng_unregister() is called from elsewhere.
We solve both issues by add a completion object called dying that
fulfils waiters once we have started the process in hwrng_unregister.
At the same time, we should cleanup a common and useless dmesg splat
in the same area.
Cc: <stable@vger.kernel.org>
Reported-by: Gregory Erwin <gregerwin256@gmail.com>
Fixes: fcd09c90c3c5 ("ath9k: use hw_random API instead of directly dumping into random.c")
Link: https://lore.kernel.org/all/CAO+Okf6ZJC5-nTE_EJUGQtd8JiCkiEHytGgDsFGTEjs0c00giw@mail.gmail.com/
Link: https://lore.kernel.org/lkml/CAO+Okf5k+C+SE6pMVfPf-d8MfVPVq4PO7EY8Hys_DVXtent3HA@mail.gmail.com/
Link: https://bugs.archlinux.org/task/75138
Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Toke Høiland-Jørgensen <toke@toke.dk>
Acked-by: Kalle Valo <kvalo@kernel.org>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/char/hw_random/core.c | 19 +++++++++++++++----
drivers/net/wireless/ath/ath9k/rng.c | 3 ++-
include/linux/hw_random.h | 3 +++
3 files changed, 20 insertions(+), 5 deletions(-)
--- a/drivers/char/hw_random/core.c
+++ b/drivers/char/hw_random/core.c
@@ -507,16 +507,17 @@ static int hwrng_fillfn(void *unused)
rng->quality = current_quality; /* obsolete */
quality = rng->quality;
mutex_unlock(&reading_mutex);
+
+ if (rc <= 0)
+ hwrng_msleep(rng, 10000);
+
put_rng(rng);
if (!quality)
break;
- if (rc <= 0) {
- pr_warn("hwrng: no data available\n");
- msleep_interruptible(10000);
+ if (rc <= 0)
continue;
- }
/* If we cannot credit at least one bit of entropy,
* keep track of the remainder for the next iteration
@@ -570,6 +571,7 @@ int hwrng_register(struct hwrng *rng)
init_completion(&rng->cleanup_done);
complete(&rng->cleanup_done);
+ init_completion(&rng->dying);
if (!current_rng ||
(!cur_rng_set_by_user && rng->quality > current_rng->quality)) {
@@ -617,6 +619,7 @@ void hwrng_unregister(struct hwrng *rng)
old_rng = current_rng;
list_del(&rng->list);
+ complete_all(&rng->dying);
if (current_rng == rng) {
err = enable_best_rng();
if (err) {
@@ -685,6 +688,14 @@ void devm_hwrng_unregister(struct device
}
EXPORT_SYMBOL_GPL(devm_hwrng_unregister);
+long hwrng_msleep(struct hwrng *rng, unsigned int msecs)
+{
+ unsigned long timeout = msecs_to_jiffies(msecs) + 1;
+
+ return wait_for_completion_interruptible_timeout(&rng->dying, timeout);
+}
+EXPORT_SYMBOL_GPL(hwrng_msleep);
+
static int __init hwrng_modinit(void)
{
int ret;
--- a/drivers/net/wireless/ath/ath9k/rng.c
+++ b/drivers/net/wireless/ath/ath9k/rng.c
@@ -83,7 +83,8 @@ static int ath9k_rng_read(struct hwrng *
if (!wait || !max || likely(bytes_read) || fail_stats > 110)
break;
- msleep_interruptible(ath9k_rng_delay_get(++fail_stats));
+ if (hwrng_msleep(rng, ath9k_rng_delay_get(++fail_stats)))
+ break;
}
if (wait && !bytes_read && max)
--- a/include/linux/hw_random.h
+++ b/include/linux/hw_random.h
@@ -50,6 +50,7 @@ struct hwrng {
struct list_head list;
struct kref ref;
struct completion cleanup_done;
+ struct completion dying;
};
struct device;
@@ -61,4 +62,6 @@ extern int devm_hwrng_register(struct de
extern void hwrng_unregister(struct hwrng *rng);
extern void devm_hwrng_unregister(struct device *dve, struct hwrng *rng);
+extern long hwrng_msleep(struct hwrng *rng, unsigned int msecs);
+
#endif /* LINUX_HWRANDOM_H_ */
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 112/862] smb3: do not log confusing message when server returns no network interfaces
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 111/862] hwrng: core - let sleep be interrupted when unregistering hwrng Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 113/862] ksmbd: fix incorrect handling of iterate_dir Greg Kroah-Hartman
` (764 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Paulo Alcantara (SUSE), Steve French
From: Steve French <stfrench@microsoft.com>
commit 4659f01e3cd94f64d9bd06764ace2ef8fe1b6227 upstream.
Some servers can return an empty network interface list so, unless
multichannel is requested, no need to log an error for this, and
when multichannel is requested on mount but no interfaces, log
something less confusing. For this case change
parse_server_interfaces: malformed interface info
to
empty network interface list returned by server localhost
Also do not relog this error every ten minutes (only log on mount, once)
Cc: <stable@vger.kernel.org>
Reviewed-by: Paulo Alcantara (SUSE) <pc@cjr.nz>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cifs/cifsproto.h | 2 +-
fs/cifs/connect.c | 2 +-
fs/cifs/smb2ops.c | 23 ++++++++++++++++++-----
3 files changed, 20 insertions(+), 7 deletions(-)
--- a/fs/cifs/cifsproto.h
+++ b/fs/cifs/cifsproto.h
@@ -639,7 +639,7 @@ cifs_chan_is_iface_active(struct cifs_se
int
cifs_chan_update_iface(struct cifs_ses *ses, struct TCP_Server_Info *server);
int
-SMB3_request_interfaces(const unsigned int xid, struct cifs_tcon *tcon);
+SMB3_request_interfaces(const unsigned int xid, struct cifs_tcon *tcon, bool in_mount);
void extract_unc_hostname(const char *unc, const char **h, size_t *len);
int copy_path_name(char *dst, const char *src);
--- a/fs/cifs/connect.c
+++ b/fs/cifs/connect.c
@@ -155,7 +155,7 @@ static void smb2_query_server_interfaces
/*
* query server network interfaces, in case they change
*/
- rc = SMB3_request_interfaces(0, tcon);
+ rc = SMB3_request_interfaces(0, tcon, false);
if (rc) {
cifs_dbg(FYI, "%s: failed to query server interfaces: %d\n",
__func__, rc);
--- a/fs/cifs/smb2ops.c
+++ b/fs/cifs/smb2ops.c
@@ -512,8 +512,7 @@ smb3_negotiate_rsize(struct cifs_tcon *t
static int
parse_server_interfaces(struct network_interface_info_ioctl_rsp *buf,
- size_t buf_len,
- struct cifs_ses *ses)
+ size_t buf_len, struct cifs_ses *ses, bool in_mount)
{
struct network_interface_info_ioctl_rsp *p;
struct sockaddr_in *addr4;
@@ -543,6 +542,20 @@ parse_server_interfaces(struct network_i
}
spin_unlock(&ses->iface_lock);
+ /*
+ * Samba server e.g. can return an empty interface list in some cases,
+ * which would only be a problem if we were requesting multichannel
+ */
+ if (bytes_left == 0) {
+ /* avoid spamming logs every 10 minutes, so log only in mount */
+ if ((ses->chan_max > 1) && in_mount)
+ cifs_dbg(VFS,
+ "empty network interface list returned by server %s\n",
+ ses->server->hostname);
+ rc = -EINVAL;
+ goto out;
+ }
+
while (bytes_left >= sizeof(*p)) {
memset(&tmp_iface, 0, sizeof(tmp_iface));
tmp_iface.speed = le64_to_cpu(p->LinkSpeed);
@@ -673,7 +686,7 @@ out:
}
int
-SMB3_request_interfaces(const unsigned int xid, struct cifs_tcon *tcon)
+SMB3_request_interfaces(const unsigned int xid, struct cifs_tcon *tcon, bool in_mount)
{
int rc;
unsigned int ret_data_len = 0;
@@ -693,7 +706,7 @@ SMB3_request_interfaces(const unsigned i
goto out;
}
- rc = parse_server_interfaces(out_buf, ret_data_len, ses);
+ rc = parse_server_interfaces(out_buf, ret_data_len, ses, in_mount);
if (rc)
goto out;
@@ -729,7 +742,7 @@ smb3_qfs_tcon(const unsigned int xid, st
if (rc)
return;
- SMB3_request_interfaces(xid, tcon);
+ SMB3_request_interfaces(xid, tcon, true /* called during mount */);
SMB2_QFS_attr(xid, tcon, fid.persistent_fid, fid.volatile_fid,
FS_ATTRIBUTE_INFORMATION);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 113/862] ksmbd: fix incorrect handling of iterate_dir
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 112/862] smb3: do not log confusing message when server returns no network interfaces Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 114/862] ksmbd: fix endless loop when encryption for response fails Greg Kroah-Hartman
` (763 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hyunchul Lee, Namjae Jeon, Steve French
From: Namjae Jeon <linkinjeon@kernel.org>
commit 88541cb414b7a2450c45fc9c131b37b5753b7679 upstream.
if iterate_dir() returns non-negative value, caller has to treat it
as normal and check there is any error while populating dentry
information. ksmbd doesn't have to do anything because ksmbd already
checks too small OutputBufferLength to store one file information.
And because ctx->pos is set to file->f_pos when iterative_dir is called,
remove restart_ctx(). And if iterate_dir() return -EIO, which mean
directory entry is corrupted, return STATUS_FILE_CORRUPT_ERROR error
response.
This patch fixes some failure of SMB2_QUERY_DIRECTORY, which happens when
ntfs3 is local filesystem.
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: stable@vger.kernel.org
Signed-off-by: Hyunchul Lee <hyc.lee@gmail.com>
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/smb2pdu.c | 14 ++++----------
1 file changed, 4 insertions(+), 10 deletions(-)
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -3808,11 +3808,6 @@ static int __query_dir(struct dir_contex
return 0;
}
-static void restart_ctx(struct dir_context *ctx)
-{
- ctx->pos = 0;
-}
-
static int verify_info_level(int info_level)
{
switch (info_level) {
@@ -3921,7 +3916,6 @@ int smb2_query_dir(struct ksmbd_work *wo
if (srch_flag & SMB2_REOPEN || srch_flag & SMB2_RESTART_SCANS) {
ksmbd_debug(SMB, "Restart directory scan\n");
generic_file_llseek(dir_fp->filp, 0, SEEK_SET);
- restart_ctx(&dir_fp->readdir_data.ctx);
}
memset(&d_info, 0, sizeof(struct ksmbd_dir_info));
@@ -3968,11 +3962,9 @@ int smb2_query_dir(struct ksmbd_work *wo
*/
if (!d_info.out_buf_len && !d_info.num_entry)
goto no_buf_len;
- if (rc == 0)
- restart_ctx(&dir_fp->readdir_data.ctx);
- if (rc == -ENOSPC)
+ if (rc > 0 || rc == -ENOSPC)
rc = 0;
- if (rc)
+ else if (rc)
goto err_out;
d_info.wptr = d_info.rptr;
@@ -4029,6 +4021,8 @@ err_out2:
rsp->hdr.Status = STATUS_NO_MEMORY;
else if (rc == -EFAULT)
rsp->hdr.Status = STATUS_INVALID_INFO_CLASS;
+ else if (rc == -EIO)
+ rsp->hdr.Status = STATUS_FILE_CORRUPT_ERROR;
if (!rsp->hdr.Status)
rsp->hdr.Status = STATUS_UNEXPECTED_IO_ERROR;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 114/862] ksmbd: fix endless loop when encryption for response fails
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 113/862] ksmbd: fix incorrect handling of iterate_dir Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 115/862] ksmbd: Fix wrong return value and message length check in smb2_ioctl() Greg Kroah-Hartman
` (762 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Namjae Jeon, Steve French
From: Namjae Jeon <linkinjeon@kernel.org>
commit 360c8ee6fefdb496fffd2c18bb9a96a376a1a804 upstream.
If ->encrypt_resp return error, goto statement cause endless loop.
It send an error response immediately after removing it.
Fixes: 0626e6641f6b ("cifsd: add server handler for central processing and tranport layers")
Cc: stable@vger.kernel.org
Signed-off-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/server.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/fs/ksmbd/server.c
+++ b/fs/ksmbd/server.c
@@ -235,10 +235,8 @@ send:
if (work->sess && work->sess->enc && work->encrypted &&
conn->ops->encrypt_resp) {
rc = conn->ops->encrypt_resp(work);
- if (rc < 0) {
+ if (rc < 0)
conn->ops->set_rsp_status(work, STATUS_DATA_ERROR);
- goto send;
- }
}
ksmbd_conn_write(work);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 115/862] ksmbd: Fix wrong return value and message length check in smb2_ioctl()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 114/862] ksmbd: fix endless loop when encryption for response fails Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 116/862] ksmbd: Fix user namespace mapping Greg Kroah-Hartman
` (761 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zhang Xiaoxu, Namjae Jeon, Steve French
From: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
commit b1763d265af62800ec96eeb79803c4c537dcef3a upstream.
Commit c7803b05f74b ("smb3: fix ksmbd bigendian bug in oplock
break, and move its struct to smbfs_common") use the defination
of 'struct validate_negotiate_info_req' in smbfs_common, the
array length of 'Dialects' changed from 1 to 4, but the protocol
does not require the client to send all 4. This lead the request
which satisfied with protocol and server to fail.
So just ensure the request payload has the 'DialectCount' in
smb2_ioctl(), then fsctl_validate_negotiate_info() will use it
to validate the payload length and each dialect.
Also when the {in, out}_buf_len is less than the required, should
goto out to initialize the status in the response header.
Fixes: f7db8fd03a4b ("ksmbd: add validation in smb2_ioctl")
Cc: stable@vger.kernel.org
Signed-off-by: Zhang Xiaoxu <zhangxiaoxu5@huawei.com>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/smb2pdu.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/fs/ksmbd/smb2pdu.c
+++ b/fs/ksmbd/smb2pdu.c
@@ -7637,11 +7637,16 @@ int smb2_ioctl(struct ksmbd_work *work)
goto out;
}
- if (in_buf_len < sizeof(struct validate_negotiate_info_req))
- return -EINVAL;
+ if (in_buf_len < offsetof(struct validate_negotiate_info_req,
+ Dialects)) {
+ ret = -EINVAL;
+ goto out;
+ }
- if (out_buf_len < sizeof(struct validate_negotiate_info_rsp))
- return -EINVAL;
+ if (out_buf_len < sizeof(struct validate_negotiate_info_rsp)) {
+ ret = -EINVAL;
+ goto out;
+ }
ret = fsctl_validate_negotiate_info(conn,
(struct validate_negotiate_info_req *)&req->Buffer[0],
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 116/862] ksmbd: Fix user namespace mapping
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 115/862] ksmbd: Fix wrong return value and message length check in smb2_ioctl() Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 117/862] fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE Greg Kroah-Hartman
` (760 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Hyunchul Lee, Steve French,
Mickaël Salaün, Christian Brauner (Microsoft),
Namjae Jeon, Steve French
From: Mickaël Salaün <mic@digikod.net>
commit 7c88c1e0ab1704bacb751341ee6431c3be34b834 upstream.
A kernel daemon should not rely on the current thread, which is unknown
and might be malicious. Before this security fix,
ksmbd_override_fsids() didn't correctly override FS UID/GID which means
that arbitrary user space threads could trick the kernel to impersonate
arbitrary users or groups for file system access checks, leading to
file system access bypass.
This was found while investigating truncate support for Landlock:
https://lore.kernel.org/r/CAKYAXd8fpMJ7guizOjHgxEyyjoUwPsx3jLOPZP=wPYcbhkVXqA@mail.gmail.com
Fixes: e2f34481b24d ("cifsd: add server-side procedures for SMB3")
Cc: Hyunchul Lee <hyc.lee@gmail.com>
Cc: Steve French <smfrench@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Mickaël Salaün <mic@digikod.net>
Link: https://lore.kernel.org/r/20220929100447.108468-1-mic@digikod.net
Acked-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Acked-by: Namjae Jeon <linkinjeon@kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ksmbd/smb_common.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/fs/ksmbd/smb_common.c
+++ b/fs/ksmbd/smb_common.c
@@ -4,6 +4,8 @@
* Copyright (C) 2018 Namjae Jeon <linkinjeon@kernel.org>
*/
+#include <linux/user_namespace.h>
+
#include "smb_common.h"
#include "server.h"
#include "misc.h"
@@ -625,8 +627,8 @@ int ksmbd_override_fsids(struct ksmbd_wo
if (!cred)
return -ENOMEM;
- cred->fsuid = make_kuid(current_user_ns(), uid);
- cred->fsgid = make_kgid(current_user_ns(), gid);
+ cred->fsuid = make_kuid(&init_user_ns, uid);
+ cred->fsgid = make_kgid(&init_user_ns, gid);
gi = groups_alloc(0);
if (!gi) {
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 117/862] fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 116/862] ksmbd: Fix user namespace mapping Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 118/862] btrfs: fix alignment of VMA for memory mapped files on THP Greg Kroah-Hartman
` (759 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dave Chinner, Christoph Hellwig,
stable, Lukas Czerner, Jan Kara, Theodore Tso
From: Lukas Czerner <lczerner@redhat.com>
commit cbfecb927f429a6fa613d74b998496bd71e4438a upstream.
Currently the I_DIRTY_TIME will never get set if the inode already has
I_DIRTY_INODE with assumption that it supersedes I_DIRTY_TIME. That's
true, however ext4 will only update the on-disk inode in
->dirty_inode(), not on actual writeback. As a result if the inode
already has I_DIRTY_INODE state by the time we get to
__mark_inode_dirty() only with I_DIRTY_TIME, the time was already filled
into on-disk inode and will not get updated until the next I_DIRTY_INODE
update, which might never come if we crash or get a power failure.
The problem can be reproduced on ext4 by running xfstest generic/622
with -o iversion mount option.
Fix it by allowing I_DIRTY_TIME to be set even if the inode already has
I_DIRTY_INODE. Also make sure that the case is properly handled in
writeback_single_inode() as well. Additionally changes in
xfs_fs_dirty_inode() was made to accommodate for I_DIRTY_TIME in flag.
Thanks Jan Kara for suggestions on how to make this work properly.
Cc: Dave Chinner <david@fromorbit.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: stable@kernel.org
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Suggested-by: Jan Kara <jack@suse.cz>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220825100657.44217-1-lczerner@redhat.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/filesystems/vfs.rst | 3 +++
fs/fs-writeback.c | 37 +++++++++++++++++++++++++------------
fs/xfs/xfs_super.c | 10 ++++++++--
include/linux/fs.h | 9 +++++----
4 files changed, 41 insertions(+), 18 deletions(-)
--- a/Documentation/filesystems/vfs.rst
+++ b/Documentation/filesystems/vfs.rst
@@ -274,6 +274,9 @@ or bottom half).
This is specifically for the inode itself being marked dirty,
not its data. If the update needs to be persisted by fdatasync(),
then I_DIRTY_DATASYNC will be set in the flags argument.
+ I_DIRTY_TIME will be set in the flags in case lazytime is enabled
+ and struct inode has times updated since the last ->dirty_inode
+ call.
``write_inode``
this method is called when the VFS needs to write an inode to
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -1718,9 +1718,14 @@ static int writeback_single_inode(struct
*/
if (!(inode->i_state & I_DIRTY_ALL))
inode_cgwb_move_to_attached(inode, wb);
- else if (!(inode->i_state & I_SYNC_QUEUED) &&
- (inode->i_state & I_DIRTY))
- redirty_tail_locked(inode, wb);
+ else if (!(inode->i_state & I_SYNC_QUEUED)) {
+ if ((inode->i_state & I_DIRTY))
+ redirty_tail_locked(inode, wb);
+ else if (inode->i_state & I_DIRTY_TIME) {
+ inode->dirtied_when = jiffies;
+ inode_io_list_move_locked(inode, wb, &wb->b_dirty_time);
+ }
+ }
spin_unlock(&wb->list_lock);
inode_sync_complete(inode);
@@ -2370,6 +2375,20 @@ void __mark_inode_dirty(struct inode *in
if (flags & I_DIRTY_INODE) {
/*
+ * Inode timestamp update will piggback on this dirtying.
+ * We tell ->dirty_inode callback that timestamps need to
+ * be updated by setting I_DIRTY_TIME in flags.
+ */
+ if (inode->i_state & I_DIRTY_TIME) {
+ spin_lock(&inode->i_lock);
+ if (inode->i_state & I_DIRTY_TIME) {
+ inode->i_state &= ~I_DIRTY_TIME;
+ flags |= I_DIRTY_TIME;
+ }
+ spin_unlock(&inode->i_lock);
+ }
+
+ /*
* Notify the filesystem about the inode being dirtied, so that
* (if needed) it can update on-disk fields and journal the
* inode. This is only needed when the inode itself is being
@@ -2378,7 +2397,8 @@ void __mark_inode_dirty(struct inode *in
*/
trace_writeback_dirty_inode_start(inode, flags);
if (sb->s_op->dirty_inode)
- sb->s_op->dirty_inode(inode, flags & I_DIRTY_INODE);
+ sb->s_op->dirty_inode(inode,
+ flags & (I_DIRTY_INODE | I_DIRTY_TIME));
trace_writeback_dirty_inode(inode, flags);
/* I_DIRTY_INODE supersedes I_DIRTY_TIME. */
@@ -2399,21 +2419,15 @@ void __mark_inode_dirty(struct inode *in
*/
smp_mb();
- if (((inode->i_state & flags) == flags) ||
- (dirtytime && (inode->i_state & I_DIRTY_INODE)))
+ if ((inode->i_state & flags) == flags)
return;
spin_lock(&inode->i_lock);
- if (dirtytime && (inode->i_state & I_DIRTY_INODE))
- goto out_unlock_inode;
if ((inode->i_state & flags) != flags) {
const int was_dirty = inode->i_state & I_DIRTY;
inode_attach_wb(inode, NULL);
- /* I_DIRTY_INODE supersedes I_DIRTY_TIME. */
- if (flags & I_DIRTY_INODE)
- inode->i_state &= ~I_DIRTY_TIME;
inode->i_state |= flags;
/*
@@ -2486,7 +2500,6 @@ void __mark_inode_dirty(struct inode *in
out_unlock:
if (wb)
spin_unlock(&wb->list_lock);
-out_unlock_inode:
spin_unlock(&inode->i_lock);
}
EXPORT_SYMBOL(__mark_inode_dirty);
--- a/fs/xfs/xfs_super.c
+++ b/fs/xfs/xfs_super.c
@@ -653,7 +653,7 @@ xfs_fs_destroy_inode(
static void
xfs_fs_dirty_inode(
struct inode *inode,
- int flag)
+ int flags)
{
struct xfs_inode *ip = XFS_I(inode);
struct xfs_mount *mp = ip->i_mount;
@@ -661,7 +661,13 @@ xfs_fs_dirty_inode(
if (!(inode->i_sb->s_flags & SB_LAZYTIME))
return;
- if (flag != I_DIRTY_SYNC || !(inode->i_state & I_DIRTY_TIME))
+
+ /*
+ * Only do the timestamp update if the inode is dirty (I_DIRTY_SYNC)
+ * and has dirty timestamp (I_DIRTY_TIME). I_DIRTY_TIME can be passed
+ * in flags possibly together with I_DIRTY_SYNC.
+ */
+ if ((flags & ~I_DIRTY_TIME) != I_DIRTY_SYNC || !(flags & I_DIRTY_TIME))
return;
if (xfs_trans_alloc(mp, &M_RES(mp)->tr_fsyncts, 0, 0, 0, &tp))
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2371,13 +2371,14 @@ static inline void kiocb_clone(struct ki
* don't have to write inode on fdatasync() when only
* e.g. the timestamps have changed.
* I_DIRTY_PAGES Inode has dirty pages. Inode itself may be clean.
- * I_DIRTY_TIME The inode itself only has dirty timestamps, and the
+ * I_DIRTY_TIME The inode itself has dirty timestamps, and the
* lazytime mount option is enabled. We keep track of this
* separately from I_DIRTY_SYNC in order to implement
* lazytime. This gets cleared if I_DIRTY_INODE
- * (I_DIRTY_SYNC and/or I_DIRTY_DATASYNC) gets set. I.e.
- * either I_DIRTY_TIME *or* I_DIRTY_INODE can be set in
- * i_state, but not both. I_DIRTY_PAGES may still be set.
+ * (I_DIRTY_SYNC and/or I_DIRTY_DATASYNC) gets set. But
+ * I_DIRTY_TIME can still be set if I_DIRTY_SYNC is already
+ * in place because writeback might already be in progress
+ * and we don't want to lose the time update
* I_NEW Serves as both a mutex and completion notification.
* New inodes set I_NEW. If two processes both create
* the same inode, one of them will release its inode and
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 118/862] btrfs: fix alignment of VMA for memory mapped files on THP
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 117/862] fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 119/862] btrfs: enhance unsupported compat RO flags handling Greg Kroah-Hartman
` (758 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Alexander Zhu, David Sterba
From: Alexander Zhu <alexlzhu@fb.com>
commit b0c582233a8563f3c4228df838cdc67a8807ec78 upstream.
With CONFIG_READ_ONLY_THP_FOR_FS, the Linux kernel supports using THPs for
read-only mmapped files, such as shared libraries. However, the kernel
makes no attempt to actually align those mappings on 2MB boundaries,
which makes it impossible to use those THPs most of the time. This issue
applies to general file mapping THP as well as existing setups using
CONFIG_READ_ONLY_THP_FOR_FS. This is easily fixed by using
thp_get_unmapped_area for the unmapped_area function in btrfs, which
is what ext2, ext4, fuse, and xfs all use.
Initially btrfs had been left out in commit 8c07fc452ac0 ("btrfs: fix
alignment of VMA for memory mapped files on THP") as btrfs does not support
DAX. However, commit 1854bc6e2420 ("mm/readahead: Align file mappings
for non-DAX") removed the DAX requirement. We should now be able to call
thp_get_unmapped_area() for btrfs.
The problem can be seen in /proc/PID/smaps where THPeligible is set to 0
on mappings to eligible shared object files as shown below.
Before this patch:
7fc6a7e18000-7fc6a80cc000 r-xp 00000000 00:1e 199856
/usr/lib64/libcrypto.so.1.1.1k
Size: 2768 kB
THPeligible: 0
VmFlags: rd ex mr mw me
With this patch the library is mapped at a 2MB aligned address:
fbdfe200000-7fbdfe4b4000 r-xp 00000000 00:1e 199856
/usr/lib64/libcrypto.so.1.1.1k
Size: 2768 kB
THPeligible: 1
VmFlags: rd ex mr mw me
This fixes the alignment of VMAs for any mmap of a file that has the
rd and ex permissions and size >= 2MB. The VMA alignment and
THPeligible field for anonymous memory is handled separately and
is thus not effected by this change.
CC: stable@vger.kernel.org # 5.18+
Signed-off-by: Alexander Zhu <alexlzhu@fb.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/file.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -3810,6 +3810,7 @@ const struct file_operations btrfs_file_
.mmap = btrfs_file_mmap,
.open = btrfs_file_open,
.release = btrfs_release_file,
+ .get_unmapped_area = thp_get_unmapped_area,
.fsync = btrfs_sync_file,
.fallocate = btrfs_fallocate,
.unlocked_ioctl = btrfs_ioctl,
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 119/862] btrfs: enhance unsupported compat RO flags handling
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 118/862] btrfs: fix alignment of VMA for memory mapped files on THP Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 120/862] btrfs: fix race between quota enable and quota rescan ioctl Greg Kroah-Hartman
` (757 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nikolay Borisov, Qu Wenruo, David Sterba
From: Qu Wenruo <wqu@suse.com>
commit 81d5d61454c365718655cfc87d8200c84e25d596 upstream.
Currently there are two corner cases not handling compat RO flags
correctly:
- Remount
We can still mount the fs RO with compat RO flags, then remount it RW.
We should not allow any write into a fs with unsupported RO flags.
- Still try to search block group items
In fact, behavior/on-disk format change to extent tree should not
need a full incompat flag.
And since we can ensure fs with unsupported RO flags never got any
writes (with above case fixed), then we can even skip block group
items search at mount time.
This patch will enhance the unsupported RO compat flags by:
- Reject read-write remount if there are unsupported RO compat flags
- Go dummy block group items directly for unsupported RO compat flags
In fact, only changes to chunk/subvolume/root/csum trees should go
incompat flags.
The latter part should allow future change to extent tree to be compat
RO flags.
Thus this patch also needs to be backported to all stable trees.
CC: stable@vger.kernel.org # 4.9+
Reviewed-by: Nikolay Borisov <nborisov@suse.com>
Signed-off-by: Qu Wenruo <wqu@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/block-group.c | 11 ++++++++++-
fs/btrfs/super.c | 9 +++++++++
2 files changed, 19 insertions(+), 1 deletion(-)
--- a/fs/btrfs/block-group.c
+++ b/fs/btrfs/block-group.c
@@ -2190,7 +2190,16 @@ int btrfs_read_block_groups(struct btrfs
int need_clear = 0;
u64 cache_gen;
- if (!root)
+ /*
+ * Either no extent root (with ibadroots rescue option) or we have
+ * unsupported RO options. The fs can never be mounted read-write, so no
+ * need to waste time searching block group items.
+ *
+ * This also allows new extent tree related changes to be RO compat,
+ * no need for a full incompat flag.
+ */
+ if (!root || (btrfs_super_compat_ro_flags(info->super_copy) &
+ ~BTRFS_FEATURE_COMPAT_RO_SUPP))
return fill_dummy_bgs(info);
key.objectid = 0;
--- a/fs/btrfs/super.c
+++ b/fs/btrfs/super.c
@@ -2112,6 +2112,15 @@ static int btrfs_remount(struct super_bl
ret = -EINVAL;
goto restore;
}
+ if (btrfs_super_compat_ro_flags(fs_info->super_copy) &
+ ~BTRFS_FEATURE_COMPAT_RO_SUPP) {
+ btrfs_err(fs_info,
+ "can not remount read-write due to unsupported optional flags 0x%llx",
+ btrfs_super_compat_ro_flags(fs_info->super_copy) &
+ ~BTRFS_FEATURE_COMPAT_RO_SUPP);
+ ret = -EINVAL;
+ goto restore;
+ }
if (fs_info->fs_devices->rw_devices == 0) {
ret = -EACCES;
goto restore;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 120/862] btrfs: fix race between quota enable and quota rescan ioctl
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 119/862] btrfs: enhance unsupported compat RO flags handling Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 121/862] btrfs: fix missed extent on fsync after dropping extent maps Greg Kroah-Hartman
` (756 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ye Bin, Qu Wenruo, Filipe Manana,
David Sterba
From: Filipe Manana <fdmanana@suse.com>
commit 331cd9461412e103d07595a10289de90004ac890 upstream.
When enabling quotas, at btrfs_quota_enable(), after committing the
transaction, we change fs_info->quota_root to point to the quota root we
created and set BTRFS_FS_QUOTA_ENABLED at fs_info->flags. Then we try
to start the qgroup rescan worker, first by initializing it with a call
to qgroup_rescan_init() - however if that fails we end up freeing the
quota root but we leave fs_info->quota_root still pointing to it, this
can later result in a use-after-free somewhere else.
We have previously set the flags BTRFS_FS_QUOTA_ENABLED and
BTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with -EINPROGRESS at
btrfs_quota_enable(), which is possible if someone already called the
quota rescan ioctl, and therefore started the rescan worker.
So fix this by ignoring an -EINPROGRESS and asserting we can't get any
other error.
Reported-by: Ye Bin <yebin10@huawei.com>
Link: https://lore.kernel.org/linux-btrfs/20220823015931.421355-1-yebin10@huawei.com/
CC: stable@vger.kernel.org # 4.19+
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/qgroup.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/fs/btrfs/qgroup.c
+++ b/fs/btrfs/qgroup.c
@@ -1174,6 +1174,21 @@ out_add_root:
fs_info->qgroup_rescan_running = true;
btrfs_queue_work(fs_info->qgroup_rescan_workers,
&fs_info->qgroup_rescan_work);
+ } else {
+ /*
+ * We have set both BTRFS_FS_QUOTA_ENABLED and
+ * BTRFS_QGROUP_STATUS_FLAG_ON, so we can only fail with
+ * -EINPROGRESS. That can happen because someone started the
+ * rescan worker by calling quota rescan ioctl before we
+ * attempted to initialize the rescan worker. Failure due to
+ * quotas disabled in the meanwhile is not possible, because
+ * we are holding a write lock on fs_info->subvol_sem, which
+ * is also acquired when disabling quotas.
+ * Ignore such error, and any other error would need to undo
+ * everything we did in the transaction we just committed.
+ */
+ ASSERT(ret == -EINPROGRESS);
+ ret = 0;
}
out_free_path:
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 121/862] btrfs: fix missed extent on fsync after dropping extent maps
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 120/862] btrfs: fix race between quota enable and quota rescan ioctl Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 122/862] btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer Greg Kroah-Hartman
` (755 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Anand Jain, Filipe Manana, David Sterba
From: Filipe Manana <fdmanana@suse.com>
commit cef7820d6abf8d61f8e1db411eae3c712f6d72a2 upstream.
When dropping extent maps for a range, through btrfs_drop_extent_cache(),
if we find an extent map that starts before our target range and/or ends
before the target range, and we are not able to allocate extent maps for
splitting that extent map, then we don't fail and simply remove the entire
extent map from the inode's extent map tree.
This is generally fine, because in case anyone needs to access the extent
map, it can just load it again later from the respective file extent
item(s) in the subvolume btree. However, if that extent map is new and is
in the list of modified extents, then a fast fsync will miss the parts of
the extent that were outside our range (that needed to be split),
therefore not logging them. Fix that by marking the inode for a full
fsync. This issue was introduced after removing BUG_ON()s triggered when
the split extent map allocations failed, done by commit 7014cdb49305ed
("Btrfs: btrfs_drop_extent_cache should never fail"), back in 2012, and
the fast fsync path already existed but was very recent.
Also, in the case where we could allocate extent maps for the split
operations but then fail to add a split extent map to the tree, mark the
inode for a full fsync as well. This is not supposed to ever fail, and we
assert that, but in case assertions are disabled (CONFIG_BTRFS_ASSERT is
not set), it's the correct thing to do to make sure a fast fsync will not
miss a new extent.
CC: stable@vger.kernel.org # 5.15+
Reviewed-by: Anand Jain <anand.jain@oracle.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/file.c | 58 ++++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 46 insertions(+), 12 deletions(-)
--- a/fs/btrfs/file.c
+++ b/fs/btrfs/file.c
@@ -523,6 +523,7 @@ void btrfs_drop_extent_cache(struct btrf
testend = 0;
}
while (1) {
+ bool ends_after_range = false;
int no_splits = 0;
modified = false;
@@ -539,10 +540,12 @@ void btrfs_drop_extent_cache(struct btrf
write_unlock(&em_tree->lock);
break;
}
+ if (testend && em->start + em->len > start + len)
+ ends_after_range = true;
flags = em->flags;
gen = em->generation;
if (skip_pinned && test_bit(EXTENT_FLAG_PINNED, &em->flags)) {
- if (testend && em->start + em->len >= start + len) {
+ if (ends_after_range) {
free_extent_map(em);
write_unlock(&em_tree->lock);
break;
@@ -592,7 +595,7 @@ void btrfs_drop_extent_cache(struct btrf
split = split2;
split2 = NULL;
}
- if (testend && em->start + em->len > start + len) {
+ if (ends_after_range) {
u64 diff = start + len - em->start;
split->start = start + len;
@@ -630,14 +633,42 @@ void btrfs_drop_extent_cache(struct btrf
} else {
ret = add_extent_mapping(em_tree, split,
modified);
- ASSERT(ret == 0); /* Logic error */
+ /* Logic error, shouldn't happen. */
+ ASSERT(ret == 0);
+ if (WARN_ON(ret != 0) && modified)
+ btrfs_set_inode_full_sync(inode);
}
free_extent_map(split);
split = NULL;
}
next:
- if (extent_map_in_tree(em))
+ if (extent_map_in_tree(em)) {
+ /*
+ * If the extent map is still in the tree it means that
+ * either of the following is true:
+ *
+ * 1) It fits entirely in our range (doesn't end beyond
+ * it or starts before it);
+ *
+ * 2) It starts before our range and/or ends after our
+ * range, and we were not able to allocate the extent
+ * maps for split operations, @split and @split2.
+ *
+ * If we are at case 2) then we just remove the entire
+ * extent map - this is fine since if anyone needs it to
+ * access the subranges outside our range, will just
+ * load it again from the subvolume tree's file extent
+ * item. However if the extent map was in the list of
+ * modified extents, then we must mark the inode for a
+ * full fsync, otherwise a fast fsync will miss this
+ * extent if it's new and needs to be logged.
+ */
+ if ((em->start < start || ends_after_range) && modified) {
+ ASSERT(no_splits);
+ btrfs_set_inode_full_sync(inode);
+ }
remove_extent_mapping(em_tree, em);
+ }
write_unlock(&em_tree->lock);
/* once for us */
@@ -2201,14 +2232,6 @@ int btrfs_sync_file(struct file *file, l
atomic_inc(&root->log_batch);
/*
- * Always check for the full sync flag while holding the inode's lock,
- * to avoid races with other tasks. The flag must be either set all the
- * time during logging or always off all the time while logging.
- */
- full_sync = test_bit(BTRFS_INODE_NEEDS_FULL_SYNC,
- &BTRFS_I(inode)->runtime_flags);
-
- /*
* Before we acquired the inode's lock and the mmap lock, someone may
* have dirtied more pages in the target range. We need to make sure
* that writeback for any such pages does not start while we are logging
@@ -2233,6 +2256,17 @@ int btrfs_sync_file(struct file *file, l
}
/*
+ * Always check for the full sync flag while holding the inode's lock,
+ * to avoid races with other tasks. The flag must be either set all the
+ * time during logging or always off all the time while logging.
+ * We check the flag here after starting delalloc above, because when
+ * running delalloc the full sync flag may be set if we need to drop
+ * extra extent map ranges due to temporary memory allocation failures.
+ */
+ full_sync = test_bit(BTRFS_INODE_NEEDS_FULL_SYNC,
+ &BTRFS_I(inode)->runtime_flags);
+
+ /*
* We have to do this here to avoid the priority inversion of waiting on
* IO of a lower priority task while holding a transaction open.
*
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 122/862] btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 121/862] btrfs: fix missed extent on fsync after dropping extent maps Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 123/862] f2fs: fix wrong continue condition in GC Greg Kroah-Hartman
` (754 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, syzbot, Tetsuo Handa, David Sterba
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
commit cbddcc4fa3443fe8cfb2ff8e210deb1f6a0eea38 upstream.
syzbot is reporting uninit-value in btrfs_clean_tree_block() [1], for
commit bc877d285ca3dba2 ("btrfs: Deduplicate extent_buffer init code")
missed that btrfs_set_header_generation() in btrfs_init_new_buffer() must
not be moved to after clean_tree_block() because clean_tree_block() is
calling btrfs_header_generation() since commit 55c69072d6bd5be1 ("Btrfs:
Fix extent_buffer usage when nodesize != leafsize").
Since memzero_extent_buffer() will reset "struct btrfs_header" part, we
can't move btrfs_set_header_generation() to before memzero_extent_buffer().
Just re-add btrfs_set_header_generation() before btrfs_clean_tree_block().
Link: https://syzkaller.appspot.com/bug?extid=fba8e2116a12609b6c59 [1]
Reported-by: syzbot <syzbot+fba8e2116a12609b6c59@syzkaller.appspotmail.com>
Fixes: bc877d285ca3dba2 ("btrfs: Deduplicate extent_buffer init code")
CC: stable@vger.kernel.org # 4.19+
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/extent-tree.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -4888,6 +4888,9 @@ btrfs_init_new_buffer(struct btrfs_trans
!test_bit(BTRFS_ROOT_RESET_LOCKDEP_CLASS, &root->state))
lockdep_owner = BTRFS_FS_TREE_OBJECTID;
+ /* btrfs_clean_tree_block() accesses generation field. */
+ btrfs_set_header_generation(buf, trans->transid);
+
/*
* This needs to stay, because we could allocate a freed block from an
* old tree into a new tree, so we need to make sure this new block is
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 123/862] f2fs: fix wrong continue condition in GC
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 122/862] btrfs: set generation before calling btrfs_clean_tree_block in btrfs_init_new_buffer Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 124/862] f2fs: complete checkpoints during remount Greg Kroah-Hartman
` (753 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chao Yu, Jaegeuk Kim
From: Jaegeuk Kim <jaegeuk@kernel.org>
commit 605b0a778aa2599aa902ae639b8e9937c74b869b upstream.
We should decrease the frozen counter.
Cc: stable@vger.kernel.org
Fixes: 325163e9892b ("f2fs: add gc_urgent_high_remaining sysfs node")
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/gc.c | 12 ++++--------
1 file changed, 4 insertions(+), 8 deletions(-)
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -97,14 +97,10 @@ static int gc_thread_func(void *data)
*/
if (sbi->gc_mode == GC_URGENT_HIGH) {
spin_lock(&sbi->gc_urgent_high_lock);
- if (sbi->gc_urgent_high_limited) {
- if (!sbi->gc_urgent_high_remaining) {
- sbi->gc_urgent_high_limited = false;
- spin_unlock(&sbi->gc_urgent_high_lock);
- sbi->gc_mode = GC_NORMAL;
- continue;
- }
- sbi->gc_urgent_high_remaining--;
+ if (sbi->gc_urgent_high_limited &&
+ !sbi->gc_urgent_high_remaining--) {
+ sbi->gc_urgent_high_limited = false;
+ sbi->gc_mode = GC_NORMAL;
}
spin_unlock(&sbi->gc_urgent_high_lock);
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 124/862] f2fs: complete checkpoints during remount
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 123/862] f2fs: fix wrong continue condition in GC Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 125/862] f2fs: flush pending checkpoints when freezing super Greg Kroah-Hartman
` (752 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chao Yu, Jaegeuk Kim
From: Jaegeuk Kim <jaegeuk@kernel.org>
commit 4f99484d27961cb194cebcd917176fa038a5025f upstream.
Otherwise, pending checkpoints can contribute a race condition to give a
quota warning.
- Thread - checkpoint thread
add checkpoints to the list
do_remount()
down_write(&sb->s_umount);
f2fs_remount()
block_operations()
down_read_trylock(&sb->s_umount) = 0
up_write(&sb->s_umount);
f2fs_quota_sync()
dquot_writeback_dquots()
WARN_ON_ONCE(!rwsem_is_locked(&sb->s_umount));
Or,
do_remount()
down_write(&sb->s_umount);
f2fs_remount()
create a ckpt thread
f2fs_enable_checkpoint() adds checkpoints
wait for f2fs_sync_fs()
trigger another pending checkpoint
block_operations()
down_read_trylock(&sb->s_umount) = 0
up_write(&sb->s_umount);
f2fs_quota_sync()
dquot_writeback_dquots()
WARN_ON_ONCE(!rwsem_is_locked(&sb->s_umount));
Cc: stable@vger.kernel.org
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -2181,6 +2181,9 @@ static void f2fs_enable_checkpoint(struc
f2fs_up_write(&sbi->gc_lock);
f2fs_sync_fs(sbi->sb, 1);
+
+ /* Let's ensure there's no pending checkpoint anymore */
+ f2fs_flush_ckpt_thread(sbi);
}
static int f2fs_remount(struct super_block *sb, int *flags, char *data)
@@ -2346,6 +2349,9 @@ static int f2fs_remount(struct super_blo
f2fs_stop_ckpt_thread(sbi);
need_restart_ckpt = true;
} else {
+ /* Flush if the prevous checkpoint, if exists. */
+ f2fs_flush_ckpt_thread(sbi);
+
err = f2fs_start_ckpt_thread(sbi);
if (err) {
f2fs_err(sbi,
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 125/862] f2fs: flush pending checkpoints when freezing super
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 124/862] f2fs: complete checkpoints during remount Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 126/862] f2fs: increase the limit for reserve_root Greg Kroah-Hartman
` (751 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Chao Yu, Jaegeuk Kim
From: Jaegeuk Kim <jaegeuk@kernel.org>
commit c7b58576370147833999fd4cc874d0f918bdf9ca upstream.
This avoids -EINVAL when trying to freeze f2fs.
Cc: stable@vger.kernel.org
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/checkpoint.c | 24 ++++++++++++++++++------
fs/f2fs/f2fs.h | 1 +
fs/f2fs/super.c | 5 ++---
3 files changed, 21 insertions(+), 9 deletions(-)
--- a/fs/f2fs/checkpoint.c
+++ b/fs/f2fs/checkpoint.c
@@ -1892,15 +1892,27 @@ int f2fs_start_ckpt_thread(struct f2fs_s
void f2fs_stop_ckpt_thread(struct f2fs_sb_info *sbi)
{
struct ckpt_req_control *cprc = &sbi->cprc_info;
+ struct task_struct *ckpt_task;
- if (cprc->f2fs_issue_ckpt) {
- struct task_struct *ckpt_task = cprc->f2fs_issue_ckpt;
+ if (!cprc->f2fs_issue_ckpt)
+ return;
- cprc->f2fs_issue_ckpt = NULL;
- kthread_stop(ckpt_task);
+ ckpt_task = cprc->f2fs_issue_ckpt;
+ cprc->f2fs_issue_ckpt = NULL;
+ kthread_stop(ckpt_task);
- flush_remained_ckpt_reqs(sbi, NULL);
- }
+ f2fs_flush_ckpt_thread(sbi);
+}
+
+void f2fs_flush_ckpt_thread(struct f2fs_sb_info *sbi)
+{
+ struct ckpt_req_control *cprc = &sbi->cprc_info;
+
+ flush_remained_ckpt_reqs(sbi, NULL);
+
+ /* Let's wait for the previous dispatched checkpoint. */
+ while (atomic_read(&cprc->queued_ckpt))
+ io_schedule_timeout(DEFAULT_IO_TIMEOUT);
}
void f2fs_init_ckpt_req_control(struct f2fs_sb_info *sbi)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -3707,6 +3707,7 @@ static inline bool f2fs_need_rand_seg(st
* checkpoint.c
*/
void f2fs_stop_checkpoint(struct f2fs_sb_info *sbi, bool end_io);
+void f2fs_flush_ckpt_thread(struct f2fs_sb_info *sbi);
struct page *f2fs_grab_meta_page(struct f2fs_sb_info *sbi, pgoff_t index);
struct page *f2fs_get_meta_page(struct f2fs_sb_info *sbi, pgoff_t index);
struct page *f2fs_get_meta_page_retry(struct f2fs_sb_info *sbi, pgoff_t index);
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1666,9 +1666,8 @@ static int f2fs_freeze(struct super_bloc
if (is_sbi_flag_set(F2FS_SB(sb), SBI_IS_DIRTY))
return -EINVAL;
- /* ensure no checkpoint required */
- if (!llist_empty(&F2FS_SB(sb)->cprc_info.issue_list))
- return -EINVAL;
+ /* Let's flush checkpoints and stop the thread. */
+ f2fs_flush_ckpt_thread(F2FS_SB(sb));
/* to avoid deadlock on f2fs_evict_inode->SB_FREEZE_FS */
set_sbi_flag(F2FS_SB(sb), SBI_IS_FREEZING);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 126/862] f2fs: increase the limit for reserve_root
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 125/862] f2fs: flush pending checkpoints when freezing super Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 127/862] f2fs: fix to do sanity check on destination blkaddr during recovery Greg Kroah-Hartman
` (750 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Aran Dalton, Chao Yu, Jaegeuk Kim
From: Jaegeuk Kim <jaegeuk@kernel.org>
commit da35fe96d12d15779f3cb74929b7ed03941cf983 upstream.
This patch increases the threshold that limits the reserved root space from 0.2%
to 12.5% by using simple shift operation.
Typically Android sets 128MB, but if the storage capacity is 32GB, 0.2% which is
around 64MB becomes too small. Let's relax it.
Cc: stable@vger.kernel.org
Reported-by: Aran Dalton <arda@allwinnertech.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/super.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -301,10 +301,10 @@ static void f2fs_destroy_casefold_cache(
static inline void limit_reserve_root(struct f2fs_sb_info *sbi)
{
- block_t limit = min((sbi->user_block_count << 1) / 1000,
+ block_t limit = min((sbi->user_block_count >> 3),
sbi->user_block_count - sbi->reserved_blocks);
- /* limit is 0.2% */
+ /* limit is 12.5% */
if (test_opt(sbi, RESERVE_ROOT) &&
F2FS_OPTION(sbi).root_reserved_blocks > limit) {
F2FS_OPTION(sbi).root_reserved_blocks = limit;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 127/862] f2fs: fix to do sanity check on destination blkaddr during recovery
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 126/862] f2fs: increase the limit for reserve_root Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 128/862] f2fs: fix to do sanity check on summary info Greg Kroah-Hartman
` (749 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Wenqing Liu, Chao Yu, Jaegeuk Kim
From: Chao Yu <chao@kernel.org>
commit 0ef4ca04a3f9223ff8bc440041c524b2123e09a3 upstream.
As Wenqing Liu reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=216456
loop5: detected capacity change from 0 to 131072
F2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1
F2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0
F2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1
F2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0
F2FS-fs (loop5): recover_inode: ino = 6, name = hln, inline = 1
F2FS-fs (loop5): recover_data: ino = 6 (i_size: recover) err = 0
F2FS-fs (loop5): Bitmap was wrongly set, blk:5634
------------[ cut here ]------------
WARNING: CPU: 3 PID: 1013 at fs/f2fs/segment.c:2198
RIP: 0010:update_sit_entry+0xa55/0x10b0 [f2fs]
Call Trace:
<TASK>
f2fs_do_replace_block+0xa98/0x1890 [f2fs]
f2fs_replace_block+0xeb/0x180 [f2fs]
recover_data+0x1a69/0x6ae0 [f2fs]
f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs]
f2fs_fill_super+0x4665/0x61e0 [f2fs]
mount_bdev+0x2cf/0x3b0
legacy_get_tree+0xed/0x1d0
vfs_get_tree+0x81/0x2b0
path_mount+0x47e/0x19d0
do_mount+0xce/0xf0
__x64_sys_mount+0x12c/0x1a0
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
If we enable CONFIG_F2FS_CHECK_FS config, it will trigger a kernel panic
instead of warning.
The root cause is: in fuzzed image, SIT table is inconsistent with inode
mapping table, result in triggering such warning during SIT table update.
This patch introduces a new flag DATA_GENERIC_ENHANCE_UPDATE, w/ this
flag, data block recovery flow can check destination blkaddr's validation
in SIT table, and skip f2fs_replace_block() to avoid inconsistent status.
Cc: stable@vger.kernel.org
Reported-by: Wenqing Liu <wenqingliu0120@gmail.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/checkpoint.c | 10 +++++++++-
fs/f2fs/f2fs.h | 4 ++++
fs/f2fs/recovery.c | 8 ++++++++
3 files changed, 21 insertions(+), 1 deletion(-)
--- a/fs/f2fs/checkpoint.c
+++ b/fs/f2fs/checkpoint.c
@@ -140,7 +140,7 @@ static bool __is_bitmap_valid(struct f2f
unsigned int segno, offset;
bool exist;
- if (type != DATA_GENERIC_ENHANCE && type != DATA_GENERIC_ENHANCE_READ)
+ if (type == DATA_GENERIC)
return true;
segno = GET_SEGNO(sbi, blkaddr);
@@ -148,6 +148,13 @@ static bool __is_bitmap_valid(struct f2f
se = get_seg_entry(sbi, segno);
exist = f2fs_test_bit(offset, se->cur_valid_map);
+ if (exist && type == DATA_GENERIC_ENHANCE_UPDATE) {
+ f2fs_err(sbi, "Inconsistent error blkaddr:%u, sit bitmap:%d",
+ blkaddr, exist);
+ set_sbi_flag(sbi, SBI_NEED_FSCK);
+ return exist;
+ }
+
if (!exist && type == DATA_GENERIC_ENHANCE) {
f2fs_err(sbi, "Inconsistent error blkaddr:%u, sit bitmap:%d",
blkaddr, exist);
@@ -185,6 +192,7 @@ bool f2fs_is_valid_blkaddr(struct f2fs_s
case DATA_GENERIC:
case DATA_GENERIC_ENHANCE:
case DATA_GENERIC_ENHANCE_READ:
+ case DATA_GENERIC_ENHANCE_UPDATE:
if (unlikely(blkaddr >= MAX_BLKADDR(sbi) ||
blkaddr < MAIN_BLKADDR(sbi))) {
f2fs_warn(sbi, "access invalid blkaddr:%u",
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -266,6 +266,10 @@ enum {
* condition of read on truncated area
* by extent_cache
*/
+ DATA_GENERIC_ENHANCE_UPDATE, /*
+ * strong check on range and segment
+ * bitmap for update case
+ */
META_GENERIC,
};
--- a/fs/f2fs/recovery.c
+++ b/fs/f2fs/recovery.c
@@ -698,6 +698,14 @@ retry_prev:
goto err;
}
+ if (f2fs_is_valid_blkaddr(sbi, dest,
+ DATA_GENERIC_ENHANCE_UPDATE)) {
+ f2fs_err(sbi, "Inconsistent dest blkaddr:%u, ino:%lu, ofs:%u",
+ dest, inode->i_ino, dn.ofs_in_node);
+ err = -EFSCORRUPTED;
+ goto err;
+ }
+
/* write dummy data page */
f2fs_replace_block(sbi, &dn, src, dest,
ni.version, false, false);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 128/862] f2fs: fix to do sanity check on summary info
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 127/862] f2fs: fix to do sanity check on destination blkaddr during recovery Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 129/862] f2fs: allow direct read for zoned device Greg Kroah-Hartman
` (748 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Wenqing Liu, Chao Yu, Jaegeuk Kim
From: Chao Yu <chao@kernel.org>
commit c6ad7fd16657ebd34a87a97d9588195aae87597d upstream.
As Wenqing Liu reported in bugzilla:
https://bugzilla.kernel.org/show_bug.cgi?id=216456
BUG: KASAN: use-after-free in recover_data+0x63ae/0x6ae0 [f2fs]
Read of size 4 at addr ffff8881464dcd80 by task mount/1013
CPU: 3 PID: 1013 Comm: mount Tainted: G W 6.0.0-rc4 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
Call Trace:
dump_stack_lvl+0x45/0x5e
print_report.cold+0xf3/0x68d
kasan_report+0xa8/0x130
recover_data+0x63ae/0x6ae0 [f2fs]
f2fs_recover_fsync_data+0x120d/0x1fc0 [f2fs]
f2fs_fill_super+0x4665/0x61e0 [f2fs]
mount_bdev+0x2cf/0x3b0
legacy_get_tree+0xed/0x1d0
vfs_get_tree+0x81/0x2b0
path_mount+0x47e/0x19d0
do_mount+0xce/0xf0
__x64_sys_mount+0x12c/0x1a0
do_syscall_64+0x38/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
The root cause is: in fuzzed image, SSA table is corrupted: ofs_in_node
is larger than ADDRS_PER_PAGE(), result in out-of-range access on 4k-size
page.
- recover_data
- do_recover_data
- check_index_in_prev_nodes
- f2fs_data_blkaddr
This patch adds sanity check on summary info in recovery and GC flow
in where the flows rely on them.
After patch:
[ 29.310883] F2FS-fs (loop0): Inconsistent ofs_in_node:65286 in summary, ino:0, nid:6, max:1018
Cc: stable@vger.kernel.org
Reported-by: Wenqing Liu <wenqingliu0120@gmail.com>
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/gc.c | 10 +++++++++-
fs/f2fs/recovery.c | 15 ++++++++++++---
2 files changed, 21 insertions(+), 4 deletions(-)
--- a/fs/f2fs/gc.c
+++ b/fs/f2fs/gc.c
@@ -1078,7 +1078,7 @@ static bool is_alive(struct f2fs_sb_info
{
struct page *node_page;
nid_t nid;
- unsigned int ofs_in_node;
+ unsigned int ofs_in_node, max_addrs;
block_t source_blkaddr;
nid = le32_to_cpu(sum->nid);
@@ -1104,6 +1104,14 @@ static bool is_alive(struct f2fs_sb_info
return false;
}
+ max_addrs = IS_INODE(node_page) ? DEF_ADDRS_PER_INODE :
+ DEF_ADDRS_PER_BLOCK;
+ if (ofs_in_node >= max_addrs) {
+ f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%u, nid:%u, max:%u",
+ ofs_in_node, dni->ino, dni->nid, max_addrs);
+ return false;
+ }
+
*nofs = ofs_of_node(node_page);
source_blkaddr = data_blkaddr(NULL, node_page, ofs_in_node);
f2fs_put_page(node_page, 1);
--- a/fs/f2fs/recovery.c
+++ b/fs/f2fs/recovery.c
@@ -474,7 +474,7 @@ static int check_index_in_prev_nodes(str
struct dnode_of_data tdn = *dn;
nid_t ino, nid;
struct inode *inode;
- unsigned int offset;
+ unsigned int offset, ofs_in_node, max_addrs;
block_t bidx;
int i;
@@ -501,15 +501,24 @@ static int check_index_in_prev_nodes(str
got_it:
/* Use the locked dnode page and inode */
nid = le32_to_cpu(sum.nid);
+ ofs_in_node = le16_to_cpu(sum.ofs_in_node);
+
+ max_addrs = ADDRS_PER_PAGE(dn->node_page, dn->inode);
+ if (ofs_in_node >= max_addrs) {
+ f2fs_err(sbi, "Inconsistent ofs_in_node:%u in summary, ino:%lu, nid:%u, max:%u",
+ ofs_in_node, dn->inode->i_ino, nid, max_addrs);
+ return -EFSCORRUPTED;
+ }
+
if (dn->inode->i_ino == nid) {
tdn.nid = nid;
if (!dn->inode_page_locked)
lock_page(dn->inode_page);
tdn.node_page = dn->inode_page;
- tdn.ofs_in_node = le16_to_cpu(sum.ofs_in_node);
+ tdn.ofs_in_node = ofs_in_node;
goto truncate_out;
} else if (dn->nid == nid) {
- tdn.ofs_in_node = le16_to_cpu(sum.ofs_in_node);
+ tdn.ofs_in_node = ofs_in_node;
goto truncate_out;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 129/862] f2fs: allow direct read for zoned device
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 128/862] f2fs: fix to do sanity check on summary info Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 130/862] jbd2: wake up journal waiters in FIFO order, not LIFO Greg Kroah-Hartman
` (747 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Eunhee Rho, Chao Yu, Jaegeuk Kim
From: Jaegeuk Kim <jaegeuk@kernel.org>
commit 689fe57e7ecefd2eeba76c32aa569bb3e1e790d9 upstream.
This reverts dbf8e63f48af ("f2fs: remove device type check for direct IO"),
and apply the below first version, since it contributed out-of-order DIO writes.
For zoned devices, f2fs forbids direct IO and forces buffered IO
to serialize write IOs. However, the constraint does not apply to
read IOs.
Cc: stable@vger.kernel.org
Fixes: dbf8e63f48af ("f2fs: remove device type check for direct IO")
Signed-off-by: Eunhee Rho <eunhee83.rho@samsung.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/f2fs/f2fs.h | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -4513,7 +4513,12 @@ static inline bool f2fs_force_buffered_i
/* disallow direct IO if any of devices has unaligned blksize */
if (f2fs_is_multi_device(sbi) && !sbi->aligned_blksize)
return true;
-
+ /*
+ * for blkzoned device, fallback direct IO to buffered IO, so
+ * all IOs can be serialized by log-structured write.
+ */
+ if (f2fs_sb_has_blkzoned(sbi) && (rw == WRITE))
+ return true;
if (f2fs_lfs_mode(sbi) && (rw == WRITE)) {
if (block_unaligned_IO(inode, iocb, iter))
return true;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 130/862] jbd2: wake up journal waiters in FIFO order, not LIFO
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 129/862] f2fs: allow direct read for zoned device Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 131/862] jbd2: fix potential buffer head reference count leak Greg Kroah-Hartman
` (746 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Alexey Lyashkov,
Ritesh Harjani (IBM),
Theodore Tso
From: Andrew Perepechko <anserper@ya.ru>
commit 34fc8768ec6089565d6d73bad26724083cecf7bd upstream.
LIFO wakeup order is unfair and sometimes leads to a journal
user not being able to get a journal handle for hundreds of
transactions in a row.
FIFO wakeup can make things more fair.
Cc: stable@kernel.org
Signed-off-by: Alexey Lyashkov <alexey.lyashkov@gmail.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/20220907165959.1137482-1-alexey.lyashkov@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/commit.c | 2 +-
fs/jbd2/transaction.c | 6 +++---
2 files changed, 4 insertions(+), 4 deletions(-)
--- a/fs/jbd2/commit.c
+++ b/fs/jbd2/commit.c
@@ -570,7 +570,7 @@ void jbd2_journal_commit_transaction(jou
journal->j_running_transaction = NULL;
start_time = ktime_get();
commit_transaction->t_log_start = journal->j_head;
- wake_up(&journal->j_wait_transaction_locked);
+ wake_up_all(&journal->j_wait_transaction_locked);
write_unlock(&journal->j_state_lock);
jbd2_debug(3, "JBD2: commit phase 2a\n");
--- a/fs/jbd2/transaction.c
+++ b/fs/jbd2/transaction.c
@@ -168,7 +168,7 @@ static void wait_transaction_locked(jour
int need_to_start;
tid_t tid = journal->j_running_transaction->t_tid;
- prepare_to_wait(&journal->j_wait_transaction_locked, &wait,
+ prepare_to_wait_exclusive(&journal->j_wait_transaction_locked, &wait,
TASK_UNINTERRUPTIBLE);
need_to_start = !tid_geq(journal->j_commit_request, tid);
read_unlock(&journal->j_state_lock);
@@ -194,7 +194,7 @@ static void wait_transaction_switching(j
read_unlock(&journal->j_state_lock);
return;
}
- prepare_to_wait(&journal->j_wait_transaction_locked, &wait,
+ prepare_to_wait_exclusive(&journal->j_wait_transaction_locked, &wait,
TASK_UNINTERRUPTIBLE);
read_unlock(&journal->j_state_lock);
/*
@@ -920,7 +920,7 @@ void jbd2_journal_unlock_updates (journa
write_lock(&journal->j_state_lock);
--journal->j_barrier_count;
write_unlock(&journal->j_state_lock);
- wake_up(&journal->j_wait_transaction_locked);
+ wake_up_all(&journal->j_wait_transaction_locked);
}
static void warn_dirty_buffer(struct buffer_head *bh)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 131/862] jbd2: fix potential buffer head reference count leak
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 130/862] jbd2: wake up journal waiters in FIFO order, not LIFO Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 132/862] jbd2: fix potential use-after-free in jbd2_fc_wait_bufs Greg Kroah-Hartman
` (745 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Ye Bin, Jan Kara, Theodore Tso
From: Ye Bin <yebin10@huawei.com>
commit e0d5fc7a6d80ac2406c7dfc6bb625201d0250a8a upstream.
As in 'jbd2_fc_wait_bufs' if buffer isn't uptodate, will return -EIO without
update 'journal->j_fc_off'. But 'jbd2_fc_release_bufs' will release buffer head
from ‘j_fc_off - 1’ if 'bh' is NULL will terminal release which will lead to
buffer head buffer head reference count leak.
To solve above issue, update 'journal->j_fc_off' before return -EIO.
Cc: stable@kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220914100812.1414768-2-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/journal.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -925,8 +925,14 @@ int jbd2_fc_wait_bufs(journal_t *journal
wait_on_buffer(bh);
put_bh(bh);
journal->j_fc_wbuf[i] = NULL;
- if (unlikely(!buffer_uptodate(bh)))
+ /*
+ * Update j_fc_off so jbd2_fc_release_bufs can release remain
+ * buffer head.
+ */
+ if (unlikely(!buffer_uptodate(bh))) {
+ journal->j_fc_off = i;
return -EIO;
+ }
}
return 0;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 132/862] jbd2: fix potential use-after-free in jbd2_fc_wait_bufs
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 131/862] jbd2: fix potential buffer head reference count leak Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 133/862] jbd2: add miss release buffer head in fc_do_one_pass() Greg Kroah-Hartman
` (744 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Ye Bin, Jan Kara, Theodore Tso
From: Ye Bin <yebin10@huawei.com>
commit 243d1a5d505d0b0460c9af0ad56ed4a56ef0bebd upstream.
In 'jbd2_fc_wait_bufs' use 'bh' after put buffer head reference count
which may lead to use-after-free.
So judge buffer if uptodate before put buffer head reference count.
Cc: stable@kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220914100812.1414768-3-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/journal.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -923,16 +923,16 @@ int jbd2_fc_wait_bufs(journal_t *journal
for (i = j_fc_off - 1; i >= j_fc_off - num_blks; i--) {
bh = journal->j_fc_wbuf[i];
wait_on_buffer(bh);
- put_bh(bh);
- journal->j_fc_wbuf[i] = NULL;
/*
* Update j_fc_off so jbd2_fc_release_bufs can release remain
* buffer head.
*/
if (unlikely(!buffer_uptodate(bh))) {
- journal->j_fc_off = i;
+ journal->j_fc_off = i + 1;
return -EIO;
}
+ put_bh(bh);
+ journal->j_fc_wbuf[i] = NULL;
}
return 0;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 133/862] jbd2: add miss release buffer head in fc_do_one_pass()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 132/862] jbd2: fix potential use-after-free in jbd2_fc_wait_bufs Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 134/862] ext2: Add sanity checks for group and filesystem size Greg Kroah-Hartman
` (743 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Ye Bin, Jan Kara, Theodore Tso
From: Ye Bin <yebin10@huawei.com>
commit dfff66f30f66b9524b661f311bbed8ff3d2ca49f upstream.
In fc_do_one_pass() miss release buffer head after use which will lead
to reference count leak.
Cc: stable@kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220917093805.1782845-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/jbd2/recovery.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/jbd2/recovery.c
+++ b/fs/jbd2/recovery.c
@@ -256,6 +256,7 @@ static int fc_do_one_pass(journal_t *jou
err = journal->j_fc_replay_callback(journal, bh, pass,
next_fc_block - journal->j_fc_first,
expected_commit_id);
+ brelse(bh);
next_fc_block++;
if (err < 0 || err == JBD2_FC_REPLAY_STOP)
break;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 134/862] ext2: Add sanity checks for group and filesystem size
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 133/862] jbd2: add miss release buffer head in fc_do_one_pass() Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 135/862] ext4: avoid crash when inline data creation follows DIO write Greg Kroah-Hartman
` (742 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, syzbot+0f2f7e65a3007d39539f,
Jan Kara, kernel test robot
From: Jan Kara <jack@suse.cz>
commit d766f2d1e3e3bd44024a7f971ffcf8b8fbb7c5d2 upstream.
Add sanity check that filesystem size does not exceed the underlying
device size and that group size is big enough so that metadata can fit
into it. This avoid trying to mount some crafted filesystems with
extremely large group counts.
Reported-by: syzbot+0f2f7e65a3007d39539f@syzkaller.appspotmail.com
Reported-by: kernel test robot <oliver.sang@intel.com> # Test fixup
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext2/super.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- a/fs/ext2/super.c
+++ b/fs/ext2/super.c
@@ -1052,6 +1052,13 @@ static int ext2_fill_super(struct super_
sbi->s_blocks_per_group);
goto failed_mount;
}
+ /* At least inode table, bitmaps, and sb have to fit in one group */
+ if (sbi->s_blocks_per_group <= sbi->s_itb_per_group + 3) {
+ ext2_msg(sb, KERN_ERR,
+ "error: #blocks per group smaller than metadata size: %lu <= %lu",
+ sbi->s_blocks_per_group, sbi->s_inodes_per_group + 3);
+ goto failed_mount;
+ }
if (sbi->s_frags_per_group > sb->s_blocksize * 8) {
ext2_msg(sb, KERN_ERR,
"error: #fragments per group too big: %lu",
@@ -1065,9 +1072,14 @@ static int ext2_fill_super(struct super_
sbi->s_inodes_per_group);
goto failed_mount;
}
+ if (sb_bdev_nr_blocks(sb) < le32_to_cpu(es->s_blocks_count)) {
+ ext2_msg(sb, KERN_ERR,
+ "bad geometry: block count %u exceeds size of device (%u blocks)",
+ le32_to_cpu(es->s_blocks_count),
+ (unsigned)sb_bdev_nr_blocks(sb));
+ goto failed_mount;
+ }
- if (EXT2_BLOCKS_PER_GROUP(sb) == 0)
- goto cantfind_ext2;
sbi->s_groups_count = ((le32_to_cpu(es->s_blocks_count) -
le32_to_cpu(es->s_first_data_block) - 1)
/ EXT2_BLOCKS_PER_GROUP(sb)) + 1;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 135/862] ext4: avoid crash when inline data creation follows DIO write
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 134/862] ext2: Add sanity checks for group and filesystem size Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 136/862] ext4: fix null-ptr-deref in ext4_write_info Greg Kroah-Hartman
` (741 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Tadeusz Struk,
syzbot+bd13648a53ed6933ca49, Jan Kara, Lukas Czerner,
Theodore Tso
From: Jan Kara <jack@suse.cz>
commit 4bb26f2885ac6930984ee451b952c5a6042f2c0e upstream.
When inode is created and written to using direct IO, there is nothing
to clear the EXT4_STATE_MAY_INLINE_DATA flag. Thus when inode gets
truncated later to say 1 byte and written using normal write, we will
try to store the data as inline data. This confuses the code later
because the inode now has both normal block and inline data allocated
and the confusion manifests for example as:
kernel BUG at fs/ext4/inode.c:2721!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 359 Comm: repro Not tainted 5.19.0-rc8-00001-g31ba1e3b8305-dirty #15
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014
RIP: 0010:ext4_writepages+0x363d/0x3660
RSP: 0018:ffffc90000ccf260 EFLAGS: 00010293
RAX: ffffffff81e1abcd RBX: 0000008000000000 RCX: ffff88810842a180
RDX: 0000000000000000 RSI: 0000008000000000 RDI: 0000000000000000
RBP: ffffc90000ccf650 R08: ffffffff81e17d58 R09: ffffed10222c680b
R10: dfffe910222c680c R11: 1ffff110222c680a R12: ffff888111634128
R13: ffffc90000ccf880 R14: 0000008410000000 R15: 0000000000000001
FS: 00007f72635d2640(0000) GS:ffff88811b000000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000565243379180 CR3: 000000010aa74000 CR4: 0000000000150eb0
Call Trace:
<TASK>
do_writepages+0x397/0x640
filemap_fdatawrite_wbc+0x151/0x1b0
file_write_and_wait_range+0x1c9/0x2b0
ext4_sync_file+0x19e/0xa00
vfs_fsync_range+0x17b/0x190
ext4_buffered_write_iter+0x488/0x530
ext4_file_write_iter+0x449/0x1b90
vfs_write+0xbcd/0xf40
ksys_write+0x198/0x2c0
__x64_sys_write+0x7b/0x90
do_syscall_64+0x3d/0x90
entry_SYSCALL_64_after_hwframe+0x63/0xcd
</TASK>
Fix the problem by clearing EXT4_STATE_MAY_INLINE_DATA when we are doing
direct IO write to a file.
Cc: stable@kernel.org
Reported-by: Tadeusz Struk <tadeusz.struk@linaro.org>
Reported-by: syzbot+bd13648a53ed6933ca49@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=a1e89d09bbbcbd5c4cb45db230ee28c822953984
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Lukas Czerner <lczerner@redhat.com>
Tested-by: Tadeusz Struk<tadeusz.struk@linaro.org>
Link: https://lore.kernel.org/r/20220727155753.13969-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/file.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -528,6 +528,12 @@ static ssize_t ext4_dio_write_iter(struc
ret = -EAGAIN;
goto out;
}
+ /*
+ * Make sure inline data cannot be created anymore since we are going
+ * to allocate blocks for DIO. We know the inode does not have any
+ * inline data now because ext4_dio_supported() checked for that.
+ */
+ ext4_clear_inode_state(inode, EXT4_STATE_MAY_INLINE_DATA);
offset = iocb->ki_pos;
count = ret;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 136/862] ext4: fix null-ptr-deref in ext4_write_info
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 135/862] ext4: avoid crash when inline data creation follows DIO write Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 137/862] ext4: make ext4_lazyinit_thread freezable Greg Kroah-Hartman
` (740 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Baokun Li, Jan Kara, Theodore Tso
From: Baokun Li <libaokun1@huawei.com>
commit f9c1f248607d5546075d3f731e7607d5571f2b60 upstream.
I caught a null-ptr-deref bug as follows:
==================================================================
KASAN: null-ptr-deref in range [0x0000000000000068-0x000000000000006f]
CPU: 1 PID: 1589 Comm: umount Not tainted 5.10.0-02219-dirty #339
RIP: 0010:ext4_write_info+0x53/0x1b0
[...]
Call Trace:
dquot_writeback_dquots+0x341/0x9a0
ext4_sync_fs+0x19e/0x800
__sync_filesystem+0x83/0x100
sync_filesystem+0x89/0xf0
generic_shutdown_super+0x79/0x3e0
kill_block_super+0xa1/0x110
deactivate_locked_super+0xac/0x130
deactivate_super+0xb6/0xd0
cleanup_mnt+0x289/0x400
__cleanup_mnt+0x16/0x20
task_work_run+0x11c/0x1c0
exit_to_user_mode_prepare+0x203/0x210
syscall_exit_to_user_mode+0x5b/0x3a0
do_syscall_64+0x59/0x70
entry_SYSCALL_64_after_hwframe+0x44/0xa9
==================================================================
Above issue may happen as follows:
-------------------------------------
exit_to_user_mode_prepare
task_work_run
__cleanup_mnt
cleanup_mnt
deactivate_super
deactivate_locked_super
kill_block_super
generic_shutdown_super
shrink_dcache_for_umount
dentry = sb->s_root
sb->s_root = NULL <--- Here set NULL
sync_filesystem
__sync_filesystem
sb->s_op->sync_fs > ext4_sync_fs
dquot_writeback_dquots
sb->dq_op->write_info > ext4_write_info
ext4_journal_start(d_inode(sb->s_root), EXT4_HT_QUOTA, 2)
d_inode(sb->s_root)
s_root->d_inode <--- Null pointer dereference
To solve this problem, we use ext4_journal_start_sb directly
to avoid s_root being used.
Cc: stable@kernel.org
Signed-off-by: Baokun Li <libaokun1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220805123947.565152-1-libaokun1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -6653,7 +6653,7 @@ static int ext4_write_info(struct super_
handle_t *handle;
/* Data block + inode block */
- handle = ext4_journal_start(d_inode(sb->s_root), EXT4_HT_QUOTA, 2);
+ handle = ext4_journal_start_sb(sb, EXT4_HT_QUOTA, 2);
if (IS_ERR(handle))
return PTR_ERR(handle);
ret = dquot_commit_info(sb, type);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 137/862] ext4: make ext4_lazyinit_thread freezable
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 136/862] ext4: fix null-ptr-deref in ext4_write_info Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 138/862] ext4: fix check for block being out of directory size Greg Kroah-Hartman
` (739 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Lalith Rajendran, Theodore Tso
From: Lalith Rajendran <lalithkraj@google.com>
commit 3b575495ab8dbb4dbe85b4ac7f991693c3668ff5 upstream.
ext4_lazyinit_thread is not set freezable. Hence when the thread calls
try_to_freeze it doesn't freeze during suspend and continues to send
requests to the storage during suspend, resulting in suspend failures.
Cc: stable@kernel.org
Signed-off-by: Lalith Rajendran <lalithkraj@google.com>
Link: https://lore.kernel.org/r/20220818214049.1519544-1-lalithkraj@google.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 1 +
1 file changed, 1 insertion(+)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -3767,6 +3767,7 @@ static int ext4_lazyinit_thread(void *ar
unsigned long next_wakeup, cur;
BUG_ON(NULL == eli);
+ set_freezable();
cont_thread:
while (true) {
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 138/862] ext4: fix check for block being out of directory size
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 137/862] ext4: make ext4_lazyinit_thread freezable Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 139/862] ext4: dont increase iversion counter for ea_inodes Greg Kroah-Hartman
` (738 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Jan Kara, Lukas Czerner, Theodore Tso
From: Jan Kara <jack@suse.cz>
commit 61a1d87a324ad5e3ed27c6699dfc93218fcf3201 upstream.
The check in __ext4_read_dirblock() for block being outside of directory
size was wrong because it compared block number against directory size
in bytes. Fix it.
Fixes: 65f8ea4cd57d ("ext4: check if directory block is within i_size")
CVE: CVE-2022-1184
CC: stable@vger.kernel.org
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Lukas Czerner <lczerner@redhat.com>
Link: https://lore.kernel.org/r/20220822114832.1482-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/namei.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -126,7 +126,7 @@ static struct buffer_head *__ext4_read_d
struct ext4_dir_entry *dirent;
int is_dx_block = 0;
- if (block >= inode->i_size) {
+ if (block >= inode->i_size >> inode->i_blkbits) {
ext4_error_inode(inode, func, line, block,
"Attempting to read directory block (%u) that is past i_size (%llu)",
block, inode->i_size);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 139/862] ext4: dont increase iversion counter for ea_inodes
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 138/862] ext4: fix check for block being out of directory size Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 140/862] ext4: unconditionally enable the i_version counter Greg Kroah-Hartman
` (737 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Lukas Czerner, Jan Kara,
Jeff Layton, Christian Brauner (Microsoft),
Theodore Tso
From: Lukas Czerner <lczerner@redhat.com>
commit 50f094a5580e6297bf10a807d16f0ee23fa576cf upstream.
ea_inodes are using i_version for storing part of the reference count so
we really need to leave it alone.
The problem can be reproduced by xfstest ext4/026 when iversion is
enabled. Fix it by not calling inode_inc_iversion() for EXT4_EA_INODE_FL
inodes in ext4_mark_iloc_dirty().
Cc: stable@kernel.org
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Link: https://lore.kernel.org/r/20220824160349.39664-1-lczerner@redhat.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5731,7 +5731,12 @@ int ext4_mark_iloc_dirty(handle_t *handl
}
ext4_fc_track_inode(handle, inode);
- if (IS_I_VERSION(inode))
+ /*
+ * ea_inodes are using i_version for storing reference count, don't
+ * mess with it
+ */
+ if (IS_I_VERSION(inode) &&
+ !(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
inode_inc_iversion(inode);
/* the do_update_inode consumes one bh->b_count */
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 140/862] ext4: unconditionally enable the i_version counter
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 139/862] ext4: dont increase iversion counter for ea_inodes Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 141/862] ext4: ext4_read_bh_lock() should submit IO if the buffer isnt uptodate Greg Kroah-Hartman
` (736 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Dave Chinner,
Benjamin Coddington, Christoph Hellwig, Darrick J. Wong,
Jeff Layton, Lukas Czerner, Christian Brauner (Microsoft),
Jan Kara, Theodore Tso
From: Jeff Layton <jlayton@kernel.org>
commit 1ff20307393e17dc57fde62226df625a3a3c36e9 upstream.
The original i_version implementation was pretty expensive, requiring a
log flush on every change. Because of this, it was gated behind a mount
option (implemented via the MS_I_VERSION mountoption flag).
Commit ae5e165d855d (fs: new API for handling inode->i_version) made the
i_version flag much less expensive, so there is no longer a performance
penalty from enabling it. xfs and btrfs already enable it
unconditionally when the on-disk format can support it.
Have ext4 ignore the SB_I_VERSION flag, and just enable it
unconditionally. While we're in here, mark the i_version mount
option Opt_removed.
[ Removed leftover bits of i_version from ext4_apply_options() since it
now can't ever be set in ctx->mask_s_flags -- lczerner ]
Cc: stable@kernel.org
Cc: Dave Chinner <david@fromorbit.com>
Cc: Benjamin Coddington <bcodding@redhat.com>
Cc: Christoph Hellwig <hch@infradead.org>
Cc: Darrick J. Wong <djwong@kernel.org>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220824160349.39664-3-lczerner@redhat.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 5 ++---
fs/ext4/super.c | 22 +++++-----------------
2 files changed, 7 insertions(+), 20 deletions(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5425,7 +5425,7 @@ int ext4_setattr(struct user_namespace *
return -EINVAL;
}
- if (IS_I_VERSION(inode) && attr->ia_size != inode->i_size)
+ if (attr->ia_size != inode->i_size)
inode_inc_iversion(inode);
if (shrink) {
@@ -5735,8 +5735,7 @@ int ext4_mark_iloc_dirty(handle_t *handl
* ea_inodes are using i_version for storing reference count, don't
* mess with it
*/
- if (IS_I_VERSION(inode) &&
- !(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
+ if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
inode_inc_iversion(inode);
/* the do_update_inode consumes one bh->b_count */
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1585,7 +1585,7 @@ enum {
Opt_inlinecrypt,
Opt_usrjquota, Opt_grpjquota, Opt_quota,
Opt_noquota, Opt_barrier, Opt_nobarrier, Opt_err,
- Opt_usrquota, Opt_grpquota, Opt_prjquota, Opt_i_version,
+ Opt_usrquota, Opt_grpquota, Opt_prjquota,
Opt_dax, Opt_dax_always, Opt_dax_inode, Opt_dax_never,
Opt_stripe, Opt_delalloc, Opt_nodelalloc, Opt_warn_on_error,
Opt_nowarn_on_error, Opt_mblk_io_submit, Opt_debug_want_extra_isize,
@@ -1694,7 +1694,7 @@ static const struct fs_parameter_spec ex
fsparam_flag ("barrier", Opt_barrier),
fsparam_u32 ("barrier", Opt_barrier),
fsparam_flag ("nobarrier", Opt_nobarrier),
- fsparam_flag ("i_version", Opt_i_version),
+ fsparam_flag ("i_version", Opt_removed),
fsparam_flag ("dax", Opt_dax),
fsparam_enum ("dax", Opt_dax_type, ext4_param_dax),
fsparam_u32 ("stripe", Opt_stripe),
@@ -2140,11 +2140,6 @@ static int ext4_parse_param(struct fs_co
case Opt_abort:
ctx_set_mount_flag(ctx, EXT4_MF_FS_ABORTED);
return 0;
- case Opt_i_version:
- ext4_msg(NULL, KERN_WARNING, deprecated_msg, param->key, "5.20");
- ext4_msg(NULL, KERN_WARNING, "Use iversion instead\n");
- ctx_set_flags(ctx, SB_I_VERSION);
- return 0;
case Opt_inlinecrypt:
#ifdef CONFIG_FS_ENCRYPTION_INLINE_CRYPT
ctx_set_flags(ctx, SB_INLINECRYPT);
@@ -2814,14 +2809,6 @@ static void ext4_apply_options(struct fs
sb->s_flags &= ~ctx->mask_s_flags;
sb->s_flags |= ctx->vals_s_flags;
- /*
- * i_version differs from common mount option iversion so we have
- * to let vfs know that it was set, otherwise it would get cleared
- * on remount
- */
- if (ctx->mask_s_flags & SB_I_VERSION)
- fc->sb_flags |= SB_I_VERSION;
-
#define APPLY(X) ({ if (ctx->spec & EXT4_SPEC_##X) sbi->X = ctx->X; })
APPLY(s_commit_interval);
APPLY(s_stripe);
@@ -2970,8 +2957,6 @@ static int _ext4_show_options(struct seq
SEQ_OPTS_PRINT("min_batch_time=%u", sbi->s_min_batch_time);
if (nodefs || sbi->s_max_batch_time != EXT4_DEF_MAX_BATCH_TIME)
SEQ_OPTS_PRINT("max_batch_time=%u", sbi->s_max_batch_time);
- if (sb->s_flags & SB_I_VERSION)
- SEQ_OPTS_PUTS("i_version");
if (nodefs || sbi->s_stripe)
SEQ_OPTS_PRINT("stripe=%lu", sbi->s_stripe);
if (nodefs || EXT4_MOUNT_DATA_FLAGS &
@@ -4641,6 +4626,9 @@ static int __ext4_fill_super(struct fs_c
sb->s_flags = (sb->s_flags & ~SB_POSIXACL) |
(test_opt(sb, POSIX_ACL) ? SB_POSIXACL : 0);
+ /* i_version is always enabled now */
+ sb->s_flags |= SB_I_VERSION;
+
if (le32_to_cpu(es->s_rev_level) == EXT4_GOOD_OLD_REV &&
(ext4_has_compat_features(sb) ||
ext4_has_ro_compat_features(sb) ||
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 141/862] ext4: ext4_read_bh_lock() should submit IO if the buffer isnt uptodate
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 140/862] ext4: unconditionally enable the i_version counter Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 142/862] ext4: place buffer head allocation before handle start Greg Kroah-Hartman
` (735 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Zhang Yi, Jan Kara, Theodore Tso
From: Zhang Yi <yi.zhang@huawei.com>
commit 0b73284c564d3ae4feef4bc920292f004acf4980 upstream.
Recently we notice that ext4 filesystem would occasionally fail to read
metadata from disk and report error message, but the disk and block
layer looks fine. After analyse, we lockon commit 88dbcbb3a484
("blkdev: avoid migration stalls for blkdev pages"). It provide a
migration method for the bdev, we could move page that has buffers
without extra users now, but it lock the buffers on the page, which
breaks the fragile metadata read operation on ext4 filesystem,
ext4_read_bh_lock() was copied from ll_rw_block(), it depends on the
assumption of that locked buffer means it is under IO. So it just
trylock the buffer and skip submit IO if it lock failed, after
wait_on_buffer() we conclude IO error because the buffer is not
uptodate.
This issue could be easily reproduced by add some delay just after
buffer_migrate_lock_buffers() in __buffer_migrate_folio() and do
fsstress on ext4 filesystem.
EXT4-fs error (device pmem1): __ext4_find_entry:1658: inode #73193:
comm fsstress: reading directory lblock 0
EXT4-fs error (device pmem1): __ext4_find_entry:1658: inode #75334:
comm fsstress: reading directory lblock 0
Fix it by removing the trylock logic in ext4_read_bh_lock(), just lock
the buffer and submit IO if it's not uptodate, and also leave over
readahead helper.
Cc: stable@kernel.org
Signed-off-by: Zhang Yi <yi.zhang@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220831074629.3755110-1-yi.zhang@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/super.c | 16 +++++-----------
1 file changed, 5 insertions(+), 11 deletions(-)
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -205,19 +205,12 @@ int ext4_read_bh(struct buffer_head *bh,
int ext4_read_bh_lock(struct buffer_head *bh, blk_opf_t op_flags, bool wait)
{
- if (trylock_buffer(bh)) {
- if (wait)
- return ext4_read_bh(bh, op_flags, NULL);
+ lock_buffer(bh);
+ if (!wait) {
ext4_read_bh_nowait(bh, op_flags, NULL);
return 0;
}
- if (wait) {
- wait_on_buffer(bh);
- if (buffer_uptodate(bh))
- return 0;
- return -EIO;
- }
- return 0;
+ return ext4_read_bh(bh, op_flags, NULL);
}
/*
@@ -264,7 +257,8 @@ void ext4_sb_breadahead_unmovable(struct
struct buffer_head *bh = sb_getblk_gfp(sb, block, 0);
if (likely(bh)) {
- ext4_read_bh_lock(bh, REQ_RAHEAD, false);
+ if (trylock_buffer(bh))
+ ext4_read_bh_nowait(bh, REQ_RAHEAD, NULL);
brelse(bh);
}
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 142/862] ext4: place buffer head allocation before handle start
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 141/862] ext4: ext4_read_bh_lock() should submit IO if the buffer isnt uptodate Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 143/862] ext4: fix i_version handling in ext4 Greg Kroah-Hartman
` (734 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, stable, Jinke Han, Theodore Tso
From: Jinke Han <hanjinke.666@bytedance.com>
commit d1052d236eddf6aa851434db1897b942e8db9921 upstream.
In our product environment, we encounter some jbd hung waiting handles to
stop while several writters were doing memory reclaim for buffer head
allocation in delay alloc write path. Ext4 do buffer head allocation with
holding transaction handle which may be blocked too long if the reclaim
works not so smooth. According to our bcc trace, the reclaim time in
buffer head allocation can reach 258s and the jbd transaction commit also
take almost the same time meanwhile. Except for these extreme cases,
we often see several seconds delays for cgroup memory reclaim on our
servers. This is more likely to happen considering docker environment.
One thing to note, the allocation of buffer heads is as often as page
allocation or more often when blocksize less than page size. Just like
page cache allocation, we should also place the buffer head allocation
before startting the handle.
Cc: stable@kernel.org
Signed-off-by: Jinke Han <hanjinke.666@bytedance.com>
Link: https://lore.kernel.org/r/20220903012429.22555-1-hanjinke.666@bytedance.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 7 +++++++
1 file changed, 7 insertions(+)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -1188,6 +1188,13 @@ retry_grab:
page = grab_cache_page_write_begin(mapping, index);
if (!page)
return -ENOMEM;
+ /*
+ * The same as page allocation, we prealloc buffer heads before
+ * starting the handle.
+ */
+ if (!page_has_buffers(page))
+ create_empty_buffers(page, inode->i_sb->s_blocksize, 0);
+
unlock_page(page);
retry_journal:
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 143/862] ext4: fix i_version handling in ext4
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 142/862] ext4: place buffer head allocation before handle start Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 144/862] ext4: fix dir corruption when ext4_dx_add_entry() fails Greg Kroah-Hartman
` (733 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Lukas Czerner, Jan Kara,
Christian Brauner (Microsoft),
Jeff Layton, Theodore Tso
From: Jeff Layton <jlayton@kernel.org>
commit a642c2c0827f5604a93f9fa1e5701eecdce4ae22 upstream.
ext4 currently updates the i_version counter when the atime is updated
during a read. This is less than ideal as it can cause unnecessary cache
invalidations with NFSv4 and unnecessary remeasurements for IMA.
The increment in ext4_mark_iloc_dirty is also problematic since it can
corrupt the i_version counter for ea_inodes. We aren't bumping the file
times in ext4_mark_iloc_dirty, so changing the i_version there seems
wrong, and is the cause of both problems.
Remove that callsite and add increments to the setattr, setxattr and
ioctl codepaths, at the same times that we update the ctime. The
i_version bump that already happens during timestamp updates should take
care of the rest.
In ext4_move_extents, increment the i_version on both inodes, and also
add in missing ctime updates.
[ Some minor updates since we've already enabled the i_version counter
unconditionally already via another patch series. -- TYT ]
Cc: stable@kernel.org
Cc: Lukas Czerner <lczerner@redhat.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Reviewed-by: Christian Brauner (Microsoft) <brauner@kernel.org>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Link: https://lore.kernel.org/r/20220908172448.208585-3-jlayton@kernel.org
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/inode.c | 14 +++++---------
fs/ext4/ioctl.c | 4 ++++
fs/ext4/xattr.c | 1 +
3 files changed, 10 insertions(+), 9 deletions(-)
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -5349,6 +5349,7 @@ int ext4_setattr(struct user_namespace *
int error, rc = 0;
int orphan = 0;
const unsigned int ia_valid = attr->ia_valid;
+ bool inc_ivers = true;
if (unlikely(ext4_forced_shutdown(EXT4_SB(inode->i_sb))))
return -EIO;
@@ -5432,8 +5433,8 @@ int ext4_setattr(struct user_namespace *
return -EINVAL;
}
- if (attr->ia_size != inode->i_size)
- inode_inc_iversion(inode);
+ if (attr->ia_size == inode->i_size)
+ inc_ivers = false;
if (shrink) {
if (ext4_should_order_data(inode)) {
@@ -5535,6 +5536,8 @@ out_mmap_sem:
}
if (!error) {
+ if (inc_ivers)
+ inode_inc_iversion(inode);
setattr_copy(mnt_userns, inode, attr);
mark_inode_dirty(inode);
}
@@ -5738,13 +5741,6 @@ int ext4_mark_iloc_dirty(handle_t *handl
}
ext4_fc_track_inode(handle, inode);
- /*
- * ea_inodes are using i_version for storing reference count, don't
- * mess with it
- */
- if (!(EXT4_I(inode)->i_flags & EXT4_EA_INODE_FL))
- inode_inc_iversion(inode);
-
/* the do_update_inode consumes one bh->b_count */
get_bh(iloc->bh);
--- a/fs/ext4/ioctl.c
+++ b/fs/ext4/ioctl.c
@@ -452,6 +452,7 @@ static long swap_inode_boot_loader(struc
swap_inode_data(inode, inode_bl);
inode->i_ctime = inode_bl->i_ctime = current_time(inode);
+ inode_inc_iversion(inode);
inode->i_generation = prandom_u32();
inode_bl->i_generation = prandom_u32();
@@ -665,6 +666,7 @@ static int ext4_ioctl_setflags(struct in
ext4_set_inode_flags(inode, false);
inode->i_ctime = current_time(inode);
+ inode_inc_iversion(inode);
err = ext4_mark_iloc_dirty(handle, inode, &iloc);
flags_err:
@@ -775,6 +777,7 @@ static int ext4_ioctl_setproject(struct
EXT4_I(inode)->i_projid = kprojid;
inode->i_ctime = current_time(inode);
+ inode_inc_iversion(inode);
out_dirty:
rc = ext4_mark_iloc_dirty(handle, inode, &iloc);
if (!err)
@@ -1257,6 +1260,7 @@ static long __ext4_ioctl(struct file *fi
err = ext4_reserve_inode_write(handle, inode, &iloc);
if (err == 0) {
inode->i_ctime = current_time(inode);
+ inode_inc_iversion(inode);
inode->i_generation = generation;
err = ext4_mark_iloc_dirty(handle, inode, &iloc);
}
--- a/fs/ext4/xattr.c
+++ b/fs/ext4/xattr.c
@@ -2412,6 +2412,7 @@ retry_inode:
if (!error) {
ext4_xattr_update_super_block(handle, inode->i_sb);
inode->i_ctime = current_time(inode);
+ inode_inc_iversion(inode);
if (!value)
no_expand = 0;
error = ext4_mark_iloc_dirty(handle, inode, &is.iloc);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 144/862] ext4: fix dir corruption when ext4_dx_add_entry() fails
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 143/862] ext4: fix i_version handling in ext4 Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 145/862] ext4: fix miss release buffer head in ext4_fc_write_inode Greg Kroah-Hartman
` (732 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Zhihao Cheng, Jan Kara, Theodore Tso
From: Zhihao Cheng <chengzhihao1@huawei.com>
commit 7177dd009c7c04290891e9a534cd47d1b620bd04 upstream.
Following process may lead to fs corruption:
1. ext4_create(dir/foo)
ext4_add_nondir
ext4_add_entry
ext4_dx_add_entry
a. add_dirent_to_buf
ext4_mark_inode_dirty
ext4_handle_dirty_metadata // dir inode bh is recorded into journal
b. ext4_append // dx_get_count(entries) == dx_get_limit(entries)
ext4_bread(EXT4_GET_BLOCKS_CREATE)
ext4_getblk
ext4_map_blocks
ext4_ext_map_blocks
ext4_mb_new_blocks
dquot_alloc_block
dquot_alloc_space_nodirty
inode_add_bytes // update dir's i_blocks
ext4_ext_insert_extent
ext4_ext_dirty // record extent bh into journal
ext4_handle_dirty_metadata(bh)
// record new block into journal
inode->i_size += inode->i_sb->s_blocksize // new size(in mem)
c. ext4_handle_dirty_dx_node(bh2)
// record dir's new block(dx_node) into journal
d. ext4_handle_dirty_dx_node((frame - 1)->bh)
e. ext4_handle_dirty_dx_node(frame->bh)
f. do_split // ret err!
g. add_dirent_to_buf
ext4_mark_inode_dirty(dir) // update raw_inode on disk(skipped)
2. fsck -a /dev/sdb
drop last block(dx_node) which beyonds dir's i_size.
/dev/sdb: recovering journal
/dev/sdb contains a file system with errors, check forced.
/dev/sdb: Inode 12, end of extent exceeds allowed value
(logical block 128, physical block 3938, len 1)
3. fsck -fn /dev/sdb
dx_node->entry[i].blk > dir->i_size
Pass 2: Checking directory structure
Problem in HTREE directory inode 12 (/dir): bad block number 128.
Clear HTree index? no
Problem in HTREE directory inode 12: block #3 has invalid depth (2)
Problem in HTREE directory inode 12: block #3 has bad max hash
Problem in HTREE directory inode 12: block #3 not referenced
Fix it by marking inode dirty directly inside ext4_append().
Fetch a reproducer in [Link].
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216466
Cc: stable@vger.kernel.org
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220911045204.516460-1-chengzhihao1@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/namei.c | 15 ++++++++++-----
1 file changed, 10 insertions(+), 5 deletions(-)
--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -85,15 +85,20 @@ static struct buffer_head *ext4_append(h
return bh;
inode->i_size += inode->i_sb->s_blocksize;
EXT4_I(inode)->i_disksize = inode->i_size;
+ err = ext4_mark_inode_dirty(handle, inode);
+ if (err)
+ goto out;
BUFFER_TRACE(bh, "get_write_access");
err = ext4_journal_get_write_access(handle, inode->i_sb, bh,
EXT4_JTR_NONE);
- if (err) {
- brelse(bh);
- ext4_std_error(inode->i_sb, err);
- return ERR_PTR(err);
- }
+ if (err)
+ goto out;
return bh;
+
+out:
+ brelse(bh);
+ ext4_std_error(inode->i_sb, err);
+ return ERR_PTR(err);
}
static int ext4_dx_csum_verify(struct inode *inode,
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 145/862] ext4: fix miss release buffer head in ext4_fc_write_inode
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 144/862] ext4: fix dir corruption when ext4_dx_add_entry() fails Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 146/862] ext4: fix potential memory leak in ext4_fc_record_modified_inode() Greg Kroah-Hartman
` (731 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Ye Bin, Jan Kara, Theodore Tso
From: Ye Bin <yebin10@huawei.com>
commit ccbf8eeb39f2ff00b54726a2b20b35d788c4ecb5 upstream.
In 'ext4_fc_write_inode' function first call 'ext4_get_inode_loc' get 'iloc',
after use it miss release 'iloc.bh'.
So just release 'iloc.bh' before 'ext4_fc_write_inode' return.
Cc: stable@kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220914100859.1415196-1-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fast_commit.c | 15 +++++++++------
1 file changed, 9 insertions(+), 6 deletions(-)
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -874,22 +874,25 @@ static int ext4_fc_write_inode(struct in
tl.fc_tag = cpu_to_le16(EXT4_FC_TAG_INODE);
tl.fc_len = cpu_to_le16(inode_len + sizeof(fc_inode.fc_ino));
+ ret = -ECANCELED;
dst = ext4_fc_reserve_space(inode->i_sb,
sizeof(tl) + inode_len + sizeof(fc_inode.fc_ino), crc);
if (!dst)
- return -ECANCELED;
+ goto err;
if (!ext4_fc_memcpy(inode->i_sb, dst, &tl, sizeof(tl), crc))
- return -ECANCELED;
+ goto err;
dst += sizeof(tl);
if (!ext4_fc_memcpy(inode->i_sb, dst, &fc_inode, sizeof(fc_inode), crc))
- return -ECANCELED;
+ goto err;
dst += sizeof(fc_inode);
if (!ext4_fc_memcpy(inode->i_sb, dst, (u8 *)ext4_raw_inode(&iloc),
inode_len, crc))
- return -ECANCELED;
-
- return 0;
+ goto err;
+ ret = 0;
+err:
+ brelse(iloc.bh);
+ return ret;
}
/*
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 146/862] ext4: fix potential memory leak in ext4_fc_record_modified_inode()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 145/862] ext4: fix miss release buffer head in ext4_fc_write_inode Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 147/862] ext4: fix potential memory leak in ext4_fc_record_regions() Greg Kroah-Hartman
` (730 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Ye Bin, Jan Kara, Theodore Tso
From: Ye Bin <yebin10@huawei.com>
commit 9305721a309fa1bd7c194e0d4a2335bf3b29dca4 upstream.
As krealloc may return NULL, in this case 'state->fc_modified_inodes'
may not be freed by krealloc, but 'state->fc_modified_inodes' already
set NULL. Then will lead to 'state->fc_modified_inodes' memory leak.
Cc: stable@kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220921064040.3693255-2-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fast_commit.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -1494,13 +1494,15 @@ static int ext4_fc_record_modified_inode
if (state->fc_modified_inodes[i] == ino)
return 0;
if (state->fc_modified_inodes_used == state->fc_modified_inodes_size) {
- state->fc_modified_inodes = krealloc(
- state->fc_modified_inodes,
+ int *fc_modified_inodes;
+
+ fc_modified_inodes = krealloc(state->fc_modified_inodes,
sizeof(int) * (state->fc_modified_inodes_size +
EXT4_FC_REPLAY_REALLOC_INCREMENT),
GFP_KERNEL);
- if (!state->fc_modified_inodes)
+ if (!fc_modified_inodes)
return -ENOMEM;
+ state->fc_modified_inodes = fc_modified_inodes;
state->fc_modified_inodes_size +=
EXT4_FC_REPLAY_REALLOC_INCREMENT;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 147/862] ext4: fix potential memory leak in ext4_fc_record_regions()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 146/862] ext4: fix potential memory leak in ext4_fc_record_modified_inode() Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 148/862] ext4: update state->fc_regions_size after successful memory allocation Greg Kroah-Hartman
` (729 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Ye Bin, Jan Kara, Theodore Tso
From: Ye Bin <yebin10@huawei.com>
commit 7069d105c1f15c442b68af43f7fde784f3126739 upstream.
As krealloc may return NULL, in this case 'state->fc_regions' may not be
freed by krealloc, but 'state->fc_regions' already set NULL. Then will
lead to 'state->fc_regions' memory leak.
Cc: stable@kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220921064040.3693255-3-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fast_commit.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -1687,15 +1687,17 @@ int ext4_fc_record_regions(struct super_
if (replay && state->fc_regions_used != state->fc_regions_valid)
state->fc_regions_used = state->fc_regions_valid;
if (state->fc_regions_used == state->fc_regions_size) {
+ struct ext4_fc_alloc_region *fc_regions;
+
state->fc_regions_size +=
EXT4_FC_REPLAY_REALLOC_INCREMENT;
- state->fc_regions = krealloc(
- state->fc_regions,
- state->fc_regions_size *
- sizeof(struct ext4_fc_alloc_region),
- GFP_KERNEL);
- if (!state->fc_regions)
+ fc_regions = krealloc(state->fc_regions,
+ state->fc_regions_size *
+ sizeof(struct ext4_fc_alloc_region),
+ GFP_KERNEL);
+ if (!fc_regions)
return -ENOMEM;
+ state->fc_regions = fc_regions;
}
region = &state->fc_regions[state->fc_regions_used++];
region->ino = ino;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 148/862] ext4: update state->fc_regions_size after successful memory allocation
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 147/862] ext4: fix potential memory leak in ext4_fc_record_regions() Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 149/862] livepatch: fix race between fork and KLP transition Greg Kroah-Hartman
` (728 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, stable, Ye Bin, Jan Kara, Theodore Tso
From: Ye Bin <yebin10@huawei.com>
commit 27cd49780381c6ccbf248798e5e8fd076200ffba upstream.
To avoid to 'state->fc_regions_size' mismatch with 'state->fc_regions'
when fail to reallocate 'fc_reqions',only update 'state->fc_regions_size'
after 'state->fc_regions' is allocated successfully.
Cc: stable@kernel.org
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20220921064040.3693255-4-yebin10@huawei.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ext4/fast_commit.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- a/fs/ext4/fast_commit.c
+++ b/fs/ext4/fast_commit.c
@@ -1689,14 +1689,15 @@ int ext4_fc_record_regions(struct super_
if (state->fc_regions_used == state->fc_regions_size) {
struct ext4_fc_alloc_region *fc_regions;
- state->fc_regions_size +=
- EXT4_FC_REPLAY_REALLOC_INCREMENT;
fc_regions = krealloc(state->fc_regions,
- state->fc_regions_size *
- sizeof(struct ext4_fc_alloc_region),
+ sizeof(struct ext4_fc_alloc_region) *
+ (state->fc_regions_size +
+ EXT4_FC_REPLAY_REALLOC_INCREMENT),
GFP_KERNEL);
if (!fc_regions)
return -ENOMEM;
+ state->fc_regions_size +=
+ EXT4_FC_REPLAY_REALLOC_INCREMENT;
state->fc_regions = fc_regions;
}
region = &state->fc_regions[state->fc_regions_used++];
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 149/862] livepatch: fix race between fork and KLP transition
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 148/862] ext4: update state->fc_regions_size after successful memory allocation Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 150/862] ftrace: Properly unset FTRACE_HASH_FL_MOD Greg Kroah-Hartman
` (727 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Rik van Riel, Breno Leitao,
Petr Mladek, Josh Poimboeuf, stable
From: Rik van Riel <riel@surriel.com>
commit 747f7a2901174c9afa805dddfb7b24db6f65e985 upstream.
The KLP transition code depends on the TIF_PATCH_PENDING and
the task->patch_state to stay in sync. On a normal (forward)
transition, TIF_PATCH_PENDING will be set on every task in
the system, while on a reverse transition (after a failed
forward one) first TIF_PATCH_PENDING will be cleared from
every task, followed by it being set on tasks that need to
be transitioned back to the original code.
However, the fork code copies over the TIF_PATCH_PENDING flag
from the parent to the child early on, in dup_task_struct and
setup_thread_stack. Much later, klp_copy_process will set
child->patch_state to match that of the parent.
However, the parent's patch_state may have been changed by KLP loading
or unloading since it was initially copied over into the child.
This results in the KLP code occasionally hitting this warning in
klp_complete_transition:
for_each_process_thread(g, task) {
WARN_ON_ONCE(test_tsk_thread_flag(task, TIF_PATCH_PENDING));
task->patch_state = KLP_UNDEFINED;
}
Set, or clear, the TIF_PATCH_PENDING flag in the child task
depending on whether or not it is needed at the time
klp_copy_process is called, at a point in copy_process where the
tasklist_lock is held exclusively, preventing races with the KLP
code.
The KLP code does have a few places where the state is changed
without the tasklist_lock held, but those should not cause
problems because klp_update_patch_state(current) cannot be
called while the current task is in the middle of fork,
klp_check_and_switch_task() which is called under the pi_lock,
which prevents rescheduling, and manipulation of the patch
state of idle tasks, which do not fork.
This should prevent this warning from triggering again in the
future, and close the race for both normal and reverse transitions.
Signed-off-by: Rik van Riel <riel@surriel.com>
Reported-by: Breno Leitao <leitao@debian.org>
Reviewed-by: Petr Mladek <pmladek@suse.com>
Acked-by: Josh Poimboeuf <jpoimboe@kernel.org>
Fixes: d83a7cb375ee ("livepatch: change to a per-task consistency model")
Cc: stable@kernel.org
Signed-off-by: Petr Mladek <pmladek@suse.com>
Link: https://lore.kernel.org/r/20220808150019.03d6a67b@imladris.surriel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/livepatch/transition.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
--- a/kernel/livepatch/transition.c
+++ b/kernel/livepatch/transition.c
@@ -610,9 +610,23 @@ void klp_reverse_transition(void)
/* Called from copy_process() during fork */
void klp_copy_process(struct task_struct *child)
{
- child->patch_state = current->patch_state;
- /* TIF_PATCH_PENDING gets copied in setup_thread_stack() */
+ /*
+ * The parent process may have gone through a KLP transition since
+ * the thread flag was copied in setup_thread_stack earlier. Bring
+ * the task flag up to date with the parent here.
+ *
+ * The operation is serialized against all klp_*_transition()
+ * operations by the tasklist_lock. The only exception is
+ * klp_update_patch_state(current), but we cannot race with
+ * that because we are current.
+ */
+ if (test_tsk_thread_flag(current, TIF_PATCH_PENDING))
+ set_tsk_thread_flag(child, TIF_PATCH_PENDING);
+ else
+ clear_tsk_thread_flag(child, TIF_PATCH_PENDING);
+
+ child->patch_state = current->patch_state;
}
/*
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 150/862] ftrace: Properly unset FTRACE_HASH_FL_MOD
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 149/862] livepatch: fix race between fork and KLP transition Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 151/862] ftrace: Still disable enabled records marked as disabled Greg Kroah-Hartman
` (726 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, mingo, Zheng Yejian, Steven Rostedt (Google)
From: Zheng Yejian <zhengyejian1@huawei.com>
commit 0ce0638edf5ec83343302b884fa208179580700a upstream.
When executing following commands like what document said, but the log
"#### all functions enabled ####" was not shown as expect:
1. Set a 'mod' filter:
$ echo 'write*:mod:ext3' > /sys/kernel/tracing/set_ftrace_filter
2. Invert above filter:
$ echo '!write*:mod:ext3' >> /sys/kernel/tracing/set_ftrace_filter
3. Read the file:
$ cat /sys/kernel/tracing/set_ftrace_filter
By some debugging, I found that flag FTRACE_HASH_FL_MOD was not unset
after inversion like above step 2 and then result of ftrace_hash_empty()
is incorrect.
Link: https://lkml.kernel.org/r/20220926152008.2239274-1-zhengyejian1@huawei.com
Cc: <mingo@redhat.com>
Cc: stable@vger.kernel.org
Fixes: 8c08f0d5c6fb ("ftrace: Have cached module filters be an active filter")
Signed-off-by: Zheng Yejian <zhengyejian1@huawei.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ftrace.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -6081,8 +6081,12 @@ int ftrace_regex_release(struct inode *i
if (filter_hash) {
orig_hash = &iter->ops->func_hash->filter_hash;
- if (iter->tr && !list_empty(&iter->tr->mod_trace))
- iter->hash->flags |= FTRACE_HASH_FL_MOD;
+ if (iter->tr) {
+ if (list_empty(&iter->tr->mod_trace))
+ iter->hash->flags &= ~FTRACE_HASH_FL_MOD;
+ else
+ iter->hash->flags |= FTRACE_HASH_FL_MOD;
+ }
} else
orig_hash = &iter->ops->func_hash->notrace_hash;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 151/862] ftrace: Still disable enabled records marked as disabled
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 150/862] ftrace: Properly unset FTRACE_HASH_FL_MOD Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:23 ` [PATCH 6.0 152/862] ring-buffer: Allow splice to read previous partially read pages Greg Kroah-Hartman
` (725 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Masami Hiramatsu, Andrew Morton,
Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit cf04f2d5df0037741207382ac8fe289e8bf84ced upstream.
Weak functions started causing havoc as they showed up in the
"available_filter_functions" and this confused people as to why some
functions marked as "notrace" were listed, but when enabled they did
nothing. This was because weak functions can still have fentry calls, and
these addresses get added to the "available_filter_functions" file.
kallsyms is what converts those addresses to names, and since the weak
functions are not listed in kallsyms, it would just pick the function
before that.
To solve this, there was a trick to detect weak functions listed, and
these records would be marked as DISABLED so that they do not get enabled
and are mostly ignored. As the processing of the list of all functions to
figure out what is weak or not can take a long time, this process is put
off into a kernel thread and run in parallel with the rest of start up.
Now the issue happens whet function tracing is enabled via the kernel
command line. As it starts very early in boot up, it can be enabled before
the records that are weak are marked to be disabled. This causes an issue
in the accounting, as the weak records are enabled by the command line
function tracing, but after boot up, they are not disabled.
The ftrace records have several accounting flags and a ref count. The
DISABLED flag is just one. If the record is enabled before it is marked
DISABLED it will get an ENABLED flag and also have its ref counter
incremented. After it is marked for DISABLED, neither the ENABLED flag nor
the ref counter is cleared. There's sanity checks on the records that are
performed after an ftrace function is registered or unregistered, and this
detected that there were records marked as ENABLED with ref counter that
should not have been.
Note, the module loading code uses the DISABLED flag as well to keep its
functions from being modified while its being loaded and some of these
flags may get set in this process. So changing the verification code to
ignore DISABLED records is a no go, as it still needs to verify that the
module records are working too.
Also, the weak functions still are calling a trampoline. Even though they
should never be called, it is dangerous to leave these weak functions
calling a trampoline that is freed, so they should still be set back to
nops.
There's two places that need to not skip records that have the ENABLED
and the DISABLED flags set. That is where the ftrace_ops is processed and
sets the records ref counts, and then later when the function itself is to
be updated, and the ENABLED flag gets removed. Add a helper function
"skip_record()" that returns true if the record has the DISABLED flag set
but not the ENABLED flag.
Link: https://lkml.kernel.org/r/20221005003809.27d2b97b@gandalf.local.home
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Fixes: b39181f7c6907 ("ftrace: Add FTRACE_MCOUNT_MAX_OFFSET to avoid adding weak function")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ftrace.c | 20 ++++++++++++++++----
1 file changed, 16 insertions(+), 4 deletions(-)
--- a/kernel/trace/ftrace.c
+++ b/kernel/trace/ftrace.c
@@ -1644,6 +1644,18 @@ ftrace_find_tramp_ops_any_other(struct d
static struct ftrace_ops *
ftrace_find_tramp_ops_next(struct dyn_ftrace *rec, struct ftrace_ops *ops);
+static bool skip_record(struct dyn_ftrace *rec)
+{
+ /*
+ * At boot up, weak functions are set to disable. Function tracing
+ * can be enabled before they are, and they still need to be disabled now.
+ * If the record is disabled, still continue if it is marked as already
+ * enabled (this is needed to keep the accounting working).
+ */
+ return rec->flags & FTRACE_FL_DISABLED &&
+ !(rec->flags & FTRACE_FL_ENABLED);
+}
+
static bool __ftrace_hash_rec_update(struct ftrace_ops *ops,
int filter_hash,
bool inc)
@@ -1693,7 +1705,7 @@ static bool __ftrace_hash_rec_update(str
int in_hash = 0;
int match = 0;
- if (rec->flags & FTRACE_FL_DISABLED)
+ if (skip_record(rec))
continue;
if (all) {
@@ -2126,7 +2138,7 @@ static int ftrace_check_record(struct dy
ftrace_bug_type = FTRACE_BUG_UNKNOWN;
- if (rec->flags & FTRACE_FL_DISABLED)
+ if (skip_record(rec))
return FTRACE_UPDATE_IGNORE;
/*
@@ -2241,7 +2253,7 @@ static int ftrace_check_record(struct dy
if (update) {
/* If there's no more users, clear all flags */
if (!ftrace_rec_count(rec))
- rec->flags = 0;
+ rec->flags &= FTRACE_FL_DISABLED;
else
/*
* Just disable the record, but keep the ops TRAMP
@@ -2634,7 +2646,7 @@ void __weak ftrace_replace_code(int mod_
do_for_each_ftrace_rec(pg, rec) {
- if (rec->flags & FTRACE_FL_DISABLED)
+ if (skip_record(rec))
continue;
failed = __ftrace_replace_code(rec, enable);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 152/862] ring-buffer: Allow splice to read previous partially read pages
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 151/862] ftrace: Still disable enabled records marked as disabled Greg Kroah-Hartman
@ 2022-10-19 8:23 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 153/862] ring-buffer: Have the shortest_full queue be the shortest not longest Greg Kroah-Hartman
` (724 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:23 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit fa8f4a89736b654125fb254b0db753ac68a5fced upstream.
If a page is partially read, and then the splice system call is run
against the ring buffer, it will always fail to read, no matter how much
is in the ring buffer. That's because the code path for a partial read of
the page does will fail if the "full" flag is set.
The splice system call wants full pages, so if the read of the ring buffer
is not yet full, it should return zero, and the splice will block. But if
a previous read was done, where the beginning has been consumed, it should
still be given to the splice caller if the rest of the page has been
written to.
This caused the splice command to never consume data in this scenario, and
let the ring buffer just fill up and lose events.
Link: https://lkml.kernel.org/r/20220927144317.46be6b80@gandalf.local.home
Cc: stable@vger.kernel.org
Fixes: 8789a9e7df6bf ("ring-buffer: read page interface")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ring_buffer.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -5616,7 +5616,15 @@ int ring_buffer_read_page(struct trace_b
unsigned int pos = 0;
unsigned int size;
- if (full)
+ /*
+ * If a full page is expected, this can still be returned
+ * if there's been a previous partial read and the
+ * rest of the page can be read and the commit page is off
+ * the reader page.
+ */
+ if (full &&
+ (!read || (len < (commit - read)) ||
+ cpu_buffer->reader_page == cpu_buffer->commit_page))
goto out_unlock;
if (len > (commit - read))
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 153/862] ring-buffer: Have the shortest_full queue be the shortest not longest
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2022-10-19 8:23 ` [PATCH 6.0 152/862] ring-buffer: Allow splice to read previous partially read pages Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 154/862] ring-buffer: Check pending waiters when doing wake ups as well Greg Kroah-Hartman
` (723 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Andrew Morton,
Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit 3b19d614b61b93a131f463817e08219c9ce1fee3 upstream.
The logic to know when the shortest waiters on the ring buffer should be
woken up or not has uses a less than instead of a greater than compare,
which causes the shortest_full to actually be the longest.
Link: https://lkml.kernel.org/r/20220927231823.718039222@goodmis.org
Cc: stable@vger.kernel.org
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Fixes: 2c2b0a78b3739 ("ring-buffer: Add percentage of ring buffer full to wake up reader")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ring_buffer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -1011,7 +1011,7 @@ int ring_buffer_wait(struct trace_buffer
nr_pages = cpu_buffer->nr_pages;
dirty = ring_buffer_nr_dirty_pages(buffer, cpu);
if (!cpu_buffer->shortest_full ||
- cpu_buffer->shortest_full < full)
+ cpu_buffer->shortest_full > full)
cpu_buffer->shortest_full = full;
raw_spin_unlock_irqrestore(&cpu_buffer->reader_lock, flags);
if (!pagebusy &&
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 154/862] ring-buffer: Check pending waiters when doing wake ups as well
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 153/862] ring-buffer: Have the shortest_full queue be the shortest not longest Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 155/862] ring-buffer: Add ring_buffer_wake_waiters() Greg Kroah-Hartman
` (722 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Andrew Morton,
Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit ec0bbc5ec5664dcee344f79373852117dc672c86 upstream.
The wake up waiters only checks the "wakeup_full" variable and not the
"full_waiters_pending". The full_waiters_pending is set when a waiter is
added to the wait queue. The wakeup_full is only set when an event is
triggered, and it clears the full_waiters_pending to avoid multiple calls
to irq_work_queue().
The irq_work callback really needs to check both wakeup_full as well as
full_waiters_pending such that this code can be used to wake up waiters
when a file is closed that represents the ring buffer and the waiters need
to be woken up.
Link: https://lkml.kernel.org/r/20220927231824.209460321@goodmis.org
Cc: stable@vger.kernel.org
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Fixes: 15693458c4bc0 ("tracing/ring-buffer: Move poll wake ups into ring buffer code")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ring_buffer.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -917,8 +917,9 @@ static void rb_wake_up_waiters(struct ir
struct rb_irq_work *rbwork = container_of(work, struct rb_irq_work, work);
wake_up_all(&rbwork->waiters);
- if (rbwork->wakeup_full) {
+ if (rbwork->full_waiters_pending || rbwork->wakeup_full) {
rbwork->wakeup_full = false;
+ rbwork->full_waiters_pending = false;
wake_up_all(&rbwork->full_waiters);
}
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 155/862] ring-buffer: Add ring_buffer_wake_waiters()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 154/862] ring-buffer: Check pending waiters when doing wake ups as well Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 156/862] ring-buffer: Fix race between reset page and reading page Greg Kroah-Hartman
` (721 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Andrew Morton,
Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit 7e9fbbb1b776d8d7969551565bc246f74ec53b27 upstream.
On closing of a file that represents a ring buffer or flushing the file,
there may be waiters on the ring buffer that needs to be woken up and exit
the ring_buffer_wait() function.
Add ring_buffer_wake_waiters() to wake up the waiters on the ring buffer
and allow them to exit the wait loop.
Link: https://lkml.kernel.org/r/20220928133938.28dc2c27@gandalf.local.home
Cc: stable@vger.kernel.org
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Fixes: 15693458c4bc0 ("tracing/ring-buffer: Move poll wake ups into ring buffer code")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/ring_buffer.h | 2 +-
kernel/trace/ring_buffer.c | 39 +++++++++++++++++++++++++++++++++++++++
2 files changed, 40 insertions(+), 1 deletion(-)
--- a/include/linux/ring_buffer.h
+++ b/include/linux/ring_buffer.h
@@ -101,7 +101,7 @@ __ring_buffer_alloc(unsigned long size,
int ring_buffer_wait(struct trace_buffer *buffer, int cpu, int full);
__poll_t ring_buffer_poll_wait(struct trace_buffer *buffer, int cpu,
struct file *filp, poll_table *poll_table);
-
+void ring_buffer_wake_waiters(struct trace_buffer *buffer, int cpu);
#define RING_BUFFER_ALL_CPUS -1
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -413,6 +413,7 @@ struct rb_irq_work {
struct irq_work work;
wait_queue_head_t waiters;
wait_queue_head_t full_waiters;
+ long wait_index;
bool waiters_pending;
bool full_waiters_pending;
bool wakeup_full;
@@ -925,6 +926,37 @@ static void rb_wake_up_waiters(struct ir
}
/**
+ * ring_buffer_wake_waiters - wake up any waiters on this ring buffer
+ * @buffer: The ring buffer to wake waiters on
+ *
+ * In the case of a file that represents a ring buffer is closing,
+ * it is prudent to wake up any waiters that are on this.
+ */
+void ring_buffer_wake_waiters(struct trace_buffer *buffer, int cpu)
+{
+ struct ring_buffer_per_cpu *cpu_buffer;
+ struct rb_irq_work *rbwork;
+
+ if (cpu == RING_BUFFER_ALL_CPUS) {
+
+ /* Wake up individual ones too. One level recursion */
+ for_each_buffer_cpu(buffer, cpu)
+ ring_buffer_wake_waiters(buffer, cpu);
+
+ rbwork = &buffer->irq_work;
+ } else {
+ cpu_buffer = buffer->buffers[cpu];
+ rbwork = &cpu_buffer->irq_work;
+ }
+
+ rbwork->wait_index++;
+ /* make sure the waiters see the new index */
+ smp_wmb();
+
+ rb_wake_up_waiters(&rbwork->work);
+}
+
+/**
* ring_buffer_wait - wait for input to the ring buffer
* @buffer: buffer to wait on
* @cpu: the cpu buffer to wait on
@@ -939,6 +971,7 @@ int ring_buffer_wait(struct trace_buffer
struct ring_buffer_per_cpu *cpu_buffer;
DEFINE_WAIT(wait);
struct rb_irq_work *work;
+ long wait_index;
int ret = 0;
/*
@@ -957,6 +990,7 @@ int ring_buffer_wait(struct trace_buffer
work = &cpu_buffer->irq_work;
}
+ wait_index = READ_ONCE(work->wait_index);
while (true) {
if (full)
@@ -1021,6 +1055,11 @@ int ring_buffer_wait(struct trace_buffer
}
schedule();
+
+ /* Make sure to see the new wait index */
+ smp_rmb();
+ if (wait_index != work->wait_index)
+ break;
}
if (full)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 156/862] ring-buffer: Fix race between reset page and reading page
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 155/862] ring-buffer: Add ring_buffer_wake_waiters() Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 157/862] tracing/eprobe: Fix alloc event dir failed when event name no set Greg Kroah-Hartman
` (720 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Andrew Morton, Jiazi.Li,
Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit a0fcaaed0c46cf9399d3a2d6e0c87ddb3df0e044 upstream.
The ring buffer is broken up into sub buffers (currently of page size).
Each sub buffer has a pointer to its "tail" (the last event written to the
sub buffer). When a new event is requested, the tail is locally
incremented to cover the size of the new event. This is done in a way that
there is no need for locking.
If the tail goes past the end of the sub buffer, the process of moving to
the next sub buffer takes place. After setting the current sub buffer to
the next one, the previous one that had the tail go passed the end of the
sub buffer needs to be reset back to the original tail location (before
the new event was requested) and the rest of the sub buffer needs to be
"padded".
The race happens when a reader takes control of the sub buffer. As readers
do a "swap" of sub buffers from the ring buffer to get exclusive access to
the sub buffer, it replaces the "head" sub buffer with an empty sub buffer
that goes back into the writable portion of the ring buffer. This swap can
happen as soon as the writer moves to the next sub buffer and before it
updates the last sub buffer with padding.
Because the sub buffer can be released to the reader while the writer is
still updating the padding, it is possible for the reader to see the event
that goes past the end of the sub buffer. This can cause obvious issues.
To fix this, add a few memory barriers so that the reader definitely sees
the updates to the sub buffer, and also waits until the writer has put
back the "tail" of the sub buffer back to the last event that was written
on it.
To be paranoid, it will only spin for 1 second, otherwise it will
warn and shutdown the ring buffer code. 1 second should be enough as
the writer does have preemption disabled. If the writer doesn't move
within 1 second (with preemption disabled) something is horribly
wrong. No interrupt should last 1 second!
Link: https://lore.kernel.org/all/20220830120854.7545-1-jiazi.li@transsion.com/
Link: https://bugzilla.kernel.org/show_bug.cgi?id=216369
Link: https://lkml.kernel.org/r/20220929104909.0650a36c@gandalf.local.home
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Fixes: c7b0930857e22 ("ring-buffer: prevent adding write in discarded area")
Reported-by: Jiazi.Li <jiazi.li@transsion.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/ring_buffer.c | 33 +++++++++++++++++++++++++++++++++
1 file changed, 33 insertions(+)
--- a/kernel/trace/ring_buffer.c
+++ b/kernel/trace/ring_buffer.c
@@ -2648,6 +2648,9 @@ rb_reset_tail(struct ring_buffer_per_cpu
/* Mark the rest of the page with padding */
rb_event_set_padding(event);
+ /* Make sure the padding is visible before the write update */
+ smp_wmb();
+
/* Set the write back to the previous setting */
local_sub(length, &tail_page->write);
return;
@@ -2659,6 +2662,9 @@ rb_reset_tail(struct ring_buffer_per_cpu
/* time delta must be non zero */
event->time_delta = 1;
+ /* Make sure the padding is visible before the tail_page->write update */
+ smp_wmb();
+
/* Set write to end of buffer */
length = (tail + length) - BUF_PAGE_SIZE;
local_sub(length, &tail_page->write);
@@ -4627,6 +4633,33 @@ rb_get_reader_page(struct ring_buffer_pe
arch_spin_unlock(&cpu_buffer->lock);
local_irq_restore(flags);
+ /*
+ * The writer has preempt disable, wait for it. But not forever
+ * Although, 1 second is pretty much "forever"
+ */
+#define USECS_WAIT 1000000
+ for (nr_loops = 0; nr_loops < USECS_WAIT; nr_loops++) {
+ /* If the write is past the end of page, a writer is still updating it */
+ if (likely(!reader || rb_page_write(reader) <= BUF_PAGE_SIZE))
+ break;
+
+ udelay(1);
+
+ /* Get the latest version of the reader write value */
+ smp_rmb();
+ }
+
+ /* The writer is not moving forward? Something is wrong */
+ if (RB_WARN_ON(cpu_buffer, nr_loops == USECS_WAIT))
+ reader = NULL;
+
+ /*
+ * Make sure we see any padding after the write update
+ * (see rb_reset_tail())
+ */
+ smp_rmb();
+
+
return reader;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 157/862] tracing/eprobe: Fix alloc event dir failed when event name no set
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 156/862] ring-buffer: Fix race between reset page and reading page Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 158/862] tracing: Disable interrupt or preemption before acquiring arch_spinlock_t Greg Kroah-Hartman
` (719 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Tom Zanussi, Linyu Yuan,
Masami Hiramatsu (Google), Tao Chen, Steven Rostedt (Google)
From: Tao Chen <chentao.kernel@linux.alibaba.com>
commit dc399adecd4e2826868e5d116a58e33071b18346 upstream.
The event dir will alloc failed when event name no set, using the
command:
"echo "e:esys/ syscalls/sys_enter_openat file=\$filename:string"
>> dynamic_events"
It seems that dir name="syscalls/sys_enter_openat" is not allowed
in debugfs. So just use the "sys_enter_openat" as the event name.
Link: https://lkml.kernel.org/r/1664028814-45923-1-git-send-email-chentao.kernel@linux.alibaba.com
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Tom Zanussi <zanussi@kernel.org>
Cc: Linyu Yuan <quic_linyyuan@quicinc.com>
Cc: Tao Chen <chentao.kernel@linux.alibaba.com
Cc: stable@vger.kernel.org
Fixes: 95c104c378dc ("tracing: Auto generate event name when creating a group of events")
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Tao Chen <chentao.kernel@linux.alibaba.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_eprobe.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/kernel/trace/trace_eprobe.c
+++ b/kernel/trace/trace_eprobe.c
@@ -968,8 +968,7 @@ static int __trace_eprobe_create(int arg
}
if (!event) {
- strscpy(buf1, argv[1], MAX_EVENT_NAME_LEN);
- sanitize_event_name(buf1);
+ strscpy(buf1, sys_event, MAX_EVENT_NAME_LEN);
event = buf1;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 158/862] tracing: Disable interrupt or preemption before acquiring arch_spinlock_t
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 157/862] tracing/eprobe: Fix alloc event dir failed when event name no set Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 159/862] tracing: Wake up ring buffer waiters on closing of the file Greg Kroah-Hartman
` (718 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Peter Zijlstra, Ingo Molnar,
Will Deacon, Boqun Feng, Steven Rostedt, Waiman Long
From: Waiman Long <longman@redhat.com>
commit c0a581d7126c0bbc96163276f585fd7b4e4d8d0e upstream.
It was found that some tracing functions in kernel/trace/trace.c acquire
an arch_spinlock_t with preemption and irqs enabled. An example is the
tracing_saved_cmdlines_size_read() function which intermittently causes
a "BUG: using smp_processor_id() in preemptible" warning when the LTP
read_all_proc test is run.
That can be problematic in case preemption happens after acquiring the
lock. Add the necessary preemption or interrupt disabling code in the
appropriate places before acquiring an arch_spinlock_t.
The convention here is to disable preemption for trace_cmdline_lock and
interupt for max_lock.
Link: https://lkml.kernel.org/r/20220922145622.1744826-1-longman@redhat.com
Cc: Peter Zijlstra <peterz@infradead.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Will Deacon <will@kernel.org>
Cc: Boqun Feng <boqun.feng@gmail.com>
Cc: stable@vger.kernel.org
Fixes: a35873a0993b ("tracing: Add conditional snapshot")
Fixes: 939c7a4f04fc ("tracing: Introduce saved_cmdlines_size file")
Suggested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Waiman Long <longman@redhat.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -1193,12 +1193,14 @@ void *tracing_cond_snapshot_data(struct
{
void *cond_data = NULL;
+ local_irq_disable();
arch_spin_lock(&tr->max_lock);
if (tr->cond_snapshot)
cond_data = tr->cond_snapshot->cond_data;
arch_spin_unlock(&tr->max_lock);
+ local_irq_enable();
return cond_data;
}
@@ -1334,9 +1336,11 @@ int tracing_snapshot_cond_enable(struct
goto fail_unlock;
}
+ local_irq_disable();
arch_spin_lock(&tr->max_lock);
tr->cond_snapshot = cond_snapshot;
arch_spin_unlock(&tr->max_lock);
+ local_irq_enable();
mutex_unlock(&trace_types_lock);
@@ -1363,6 +1367,7 @@ int tracing_snapshot_cond_disable(struct
{
int ret = 0;
+ local_irq_disable();
arch_spin_lock(&tr->max_lock);
if (!tr->cond_snapshot)
@@ -1373,6 +1378,7 @@ int tracing_snapshot_cond_disable(struct
}
arch_spin_unlock(&tr->max_lock);
+ local_irq_enable();
return ret;
}
@@ -2200,6 +2206,11 @@ static size_t tgid_map_max;
#define SAVED_CMDLINES_DEFAULT 128
#define NO_CMDLINE_MAP UINT_MAX
+/*
+ * Preemption must be disabled before acquiring trace_cmdline_lock.
+ * The various trace_arrays' max_lock must be acquired in a context
+ * where interrupt is disabled.
+ */
static arch_spinlock_t trace_cmdline_lock = __ARCH_SPIN_LOCK_UNLOCKED;
struct saved_cmdlines_buffer {
unsigned map_pid_to_cmdline[PID_MAX_DEFAULT+1];
@@ -2412,7 +2423,11 @@ static int trace_save_cmdline(struct tas
* the lock, but we also don't want to spin
* nor do we want to disable interrupts,
* so if we miss here, then better luck next time.
+ *
+ * This is called within the scheduler and wake up, so interrupts
+ * had better been disabled and run queue lock been held.
*/
+ lockdep_assert_preemption_disabled();
if (!arch_spin_trylock(&trace_cmdline_lock))
return 0;
@@ -5890,9 +5905,11 @@ tracing_saved_cmdlines_size_read(struct
char buf[64];
int r;
+ preempt_disable();
arch_spin_lock(&trace_cmdline_lock);
r = scnprintf(buf, sizeof(buf), "%u\n", savedcmd->cmdline_num);
arch_spin_unlock(&trace_cmdline_lock);
+ preempt_enable();
return simple_read_from_buffer(ubuf, cnt, ppos, buf, r);
}
@@ -5917,10 +5934,12 @@ static int tracing_resize_saved_cmdlines
return -ENOMEM;
}
+ preempt_disable();
arch_spin_lock(&trace_cmdline_lock);
savedcmd_temp = savedcmd;
savedcmd = s;
arch_spin_unlock(&trace_cmdline_lock);
+ preempt_enable();
free_saved_cmdlines_buffer(savedcmd_temp);
return 0;
@@ -6373,10 +6392,12 @@ int tracing_set_tracer(struct trace_arra
#ifdef CONFIG_TRACER_SNAPSHOT
if (t->use_max_tr) {
+ local_irq_disable();
arch_spin_lock(&tr->max_lock);
if (tr->cond_snapshot)
ret = -EBUSY;
arch_spin_unlock(&tr->max_lock);
+ local_irq_enable();
if (ret)
goto out;
}
@@ -7436,10 +7457,12 @@ tracing_snapshot_write(struct file *filp
goto out;
}
+ local_irq_disable();
arch_spin_lock(&tr->max_lock);
if (tr->cond_snapshot)
ret = -EBUSY;
arch_spin_unlock(&tr->max_lock);
+ local_irq_enable();
if (ret)
goto out;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 159/862] tracing: Wake up ring buffer waiters on closing of the file
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 158/862] tracing: Disable interrupt or preemption before acquiring arch_spinlock_t Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 160/862] tracing: Wake up waiters when tracing is disabled Greg Kroah-Hartman
` (717 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Andrew Morton,
Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit f3ddb74ad0790030c9592229fb14d8c451f4e9a8 upstream.
When the file that represents the ring buffer is closed, there may be
waiters waiting on more input from the ring buffer. Call
ring_buffer_wake_waiters() to wake up any waiters when the file is
closed.
Link: https://lkml.kernel.org/r/20220927231825.182416969@goodmis.org
Cc: stable@vger.kernel.org
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Fixes: e30f53aad2202 ("tracing: Do not busy wait in buffer splice")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/trace_events.h | 1 +
kernel/trace/trace.c | 15 +++++++++++++++
2 files changed, 16 insertions(+)
--- a/include/linux/trace_events.h
+++ b/include/linux/trace_events.h
@@ -92,6 +92,7 @@ struct trace_iterator {
unsigned int temp_size;
char *fmt; /* modified format holder */
unsigned int fmt_size;
+ long wait_index;
/* trace_seq for __print_flags() and __print_symbolic() etc. */
struct trace_seq tmp_seq;
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -8160,6 +8160,12 @@ static int tracing_buffers_release(struc
__trace_array_put(iter->tr);
+ iter->wait_index++;
+ /* Make sure the waiters see the new wait_index */
+ smp_wmb();
+
+ ring_buffer_wake_waiters(iter->array_buffer->buffer, iter->cpu_file);
+
if (info->spare)
ring_buffer_free_read_page(iter->array_buffer->buffer,
info->spare_cpu, info->spare);
@@ -8313,6 +8319,8 @@ tracing_buffers_splice_read(struct file
/* did we read anything? */
if (!spd.nr_pages) {
+ long wait_index;
+
if (ret)
goto out;
@@ -8320,10 +8328,17 @@ tracing_buffers_splice_read(struct file
if ((file->f_flags & O_NONBLOCK) || (flags & SPLICE_F_NONBLOCK))
goto out;
+ wait_index = READ_ONCE(iter->wait_index);
+
ret = wait_on_pipe(iter, iter->tr->buffer_percent);
if (ret)
goto out;
+ /* Make sure we see the new wait_index */
+ smp_rmb();
+ if (wait_index != iter->wait_index)
+ goto out;
+
goto again;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 160/862] tracing: Wake up waiters when tracing is disabled
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 159/862] tracing: Wake up ring buffer waiters on closing of the file Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 161/862] tracing: Add ioctl() to force ring buffer waiters to wake up Greg Kroah-Hartman
` (716 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit 2b0fd9a59b7990c161fa1cb7b79edb22847c87c2 upstream.
When tracing is disabled, there's no reason that waiters should stay
waiting, wake them up, otherwise tasks get stuck when they should be
flushing the buffers.
Cc: stable@vger.kernel.org
Fixes: e30f53aad2202 ("tracing: Do not busy wait in buffer splice")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -8334,6 +8334,10 @@ tracing_buffers_splice_read(struct file
if (ret)
goto out;
+ /* No need to wait after waking up when tracing is off */
+ if (!tracer_tracing_is_on(iter->tr))
+ goto out;
+
/* Make sure we see the new wait_index */
smp_rmb();
if (wait_index != iter->wait_index)
@@ -9043,6 +9047,8 @@ rb_simple_write(struct file *filp, const
tracer_tracing_off(tr);
if (tr->current_trace->stop)
tr->current_trace->stop(tr);
+ /* Wake up any waiters */
+ ring_buffer_wake_waiters(buffer, RING_BUFFER_ALL_CPUS);
}
mutex_unlock(&trace_types_lock);
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 161/862] tracing: Add ioctl() to force ring buffer waiters to wake up
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 160/862] tracing: Wake up waiters when tracing is disabled Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 162/862] tracing: Do not free snapshot if tracer is on cmdline Greg Kroah-Hartman
` (715 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Ingo Molnar, Andrew Morton,
Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit 01b2a52171735c6eea80ee2f355f32bea6c41418 upstream.
If a process is waiting on the ring buffer for data, there currently isn't
a clean way to force it to wake up. Add an ioctl call that will force any
tasks that are waiting on the trace_pipe_raw file to wake up.
Link: https://lkml.kernel.org/r/20220929095029.117f913f@gandalf.local.home
Cc: stable@vger.kernel.org
Cc: Ingo Molnar <mingo@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Fixes: e30f53aad2202 ("tracing: Do not busy wait in buffer splice")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -8353,12 +8353,34 @@ out:
return ret;
}
+/* An ioctl call with cmd 0 to the ring buffer file will wake up all waiters */
+static long tracing_buffers_ioctl(struct file *file, unsigned int cmd, unsigned long arg)
+{
+ struct ftrace_buffer_info *info = file->private_data;
+ struct trace_iterator *iter = &info->iter;
+
+ if (cmd)
+ return -ENOIOCTLCMD;
+
+ mutex_lock(&trace_types_lock);
+
+ iter->wait_index++;
+ /* Make sure the waiters see the new wait_index */
+ smp_wmb();
+
+ ring_buffer_wake_waiters(iter->array_buffer->buffer, iter->cpu_file);
+
+ mutex_unlock(&trace_types_lock);
+ return 0;
+}
+
static const struct file_operations tracing_buffers_fops = {
.open = tracing_buffers_open,
.read = tracing_buffers_read,
.poll = tracing_buffers_poll,
.release = tracing_buffers_release,
.splice_read = tracing_buffers_splice_read,
+ .unlocked_ioctl = tracing_buffers_ioctl,
.llseek = no_llseek,
};
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 162/862] tracing: Do not free snapshot if tracer is on cmdline
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 161/862] tracing: Add ioctl() to force ring buffer waiters to wake up Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 163/862] tracing: Move duplicate code of trace_kprobe/eprobe.c into header Greg Kroah-Hartman
` (714 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Masami Hiramatsu, Andrew Morton,
Ross Zwisler, Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit a541a9559bb0a8ecc434de01d3e4826c32e8bb53 upstream.
The ftrace_boot_snapshot and alloc_snapshot cmdline options allocate the
snapshot buffer at boot up for use later. The ftrace_boot_snapshot in
particular requires the snapshot to be allocated because it will take a
snapshot at the end of boot up allowing to see the traces that happened
during boot so that it's not lost when user space takes over.
When a tracer is registered (started) there's a path that checks if it
requires the snapshot buffer or not, and if it does not and it was
allocated it will do a synchronization and free the snapshot buffer.
This is only required if the previous tracer was using it for "max
latency" snapshots, as it needs to make sure all max snapshots are
complete before freeing. But this is only needed if the previous tracer
was using the snapshot buffer for latency (like irqoff tracer and
friends). But it does not make sense to free it, if the previous tracer
was not using it, and the snapshot was allocated by the cmdline
parameters. This basically takes away the point of allocating it in the
first place!
Note, the allocated snapshot worked fine for just trace events, but fails
when a tracer is enabled on the cmdline.
Further investigation, this goes back even further and it does not require
a tracer on the cmdline to fail. Simply enable snapshots and then enable a
tracer, and it will remove the snapshot.
Link: https://lkml.kernel.org/r/20221005113757.041df7fe@gandalf.local.home
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: stable@vger.kernel.org
Fixes: 45ad21ca5530 ("tracing: Have trace_array keep track if snapshot buffer is allocated")
Reported-by: Ross Zwisler <zwisler@kernel.org>
Tested-by: Ross Zwisler <zwisler@kernel.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
--- a/kernel/trace/trace.c
+++ b/kernel/trace/trace.c
@@ -6428,12 +6428,12 @@ int tracing_set_tracer(struct trace_arra
if (tr->current_trace->reset)
tr->current_trace->reset(tr);
+#ifdef CONFIG_TRACER_MAX_TRACE
+ had_max_tr = tr->current_trace->use_max_tr;
+
/* Current trace needs to be nop_trace before synchronize_rcu */
tr->current_trace = &nop_trace;
-#ifdef CONFIG_TRACER_MAX_TRACE
- had_max_tr = tr->allocated_snapshot;
-
if (had_max_tr && !t->use_max_tr) {
/*
* We need to make sure that the update_max_tr sees that
@@ -6446,11 +6446,13 @@ int tracing_set_tracer(struct trace_arra
free_snapshot(tr);
}
- if (t->use_max_tr && !had_max_tr) {
+ if (t->use_max_tr && !tr->allocated_snapshot) {
ret = tracing_alloc_snapshot_instance(tr);
if (ret < 0)
goto out;
}
+#else
+ tr->current_trace = &nop_trace;
#endif
if (t->init) {
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 163/862] tracing: Move duplicate code of trace_kprobe/eprobe.c into header
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 162/862] tracing: Do not free snapshot if tracer is on cmdline Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 164/862] tracing: Add "(fault)" name injection to kernel probes Greg Kroah-Hartman
` (713 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Andrew Morton, Tom Zanussi,
Masami Hiramatsu (Google), Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit f1d3cbfaafc10464550c6d3a125f4fc802bbaed5 upstream.
The functions:
fetch_store_strlen_user()
fetch_store_strlen()
fetch_store_string_user()
fetch_store_string()
are identical in both trace_kprobe.c and trace_eprobe.c. Move them into
a new header file trace_probe_kernel.h to share it. This code will later
be used by the synthetic events as well.
Marked for stable as a fix for a crash in synthetic events requires it.
Link: https://lkml.kernel.org/r/20221012104534.467668078@goodmis.org
Cc: stable@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Tom Zanussi <zanussi@kernel.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Tom Zanussi <zanussi@kernel.org>
Fixes: bd82631d7ccdc ("tracing: Add support for dynamic strings to synthetic events")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_eprobe.c | 60 +----------------------
kernel/trace/trace_kprobe.c | 60 +----------------------
kernel/trace/trace_probe_kernel.h | 96 ++++++++++++++++++++++++++++++++++++++
3 files changed, 106 insertions(+), 110 deletions(-)
create mode 100644 kernel/trace/trace_probe_kernel.h
--- a/kernel/trace/trace_eprobe.c
+++ b/kernel/trace/trace_eprobe.c
@@ -16,6 +16,7 @@
#include "trace_dynevent.h"
#include "trace_probe.h"
#include "trace_probe_tmpl.h"
+#include "trace_probe_kernel.h"
#define EPROBE_EVENT_SYSTEM "eprobes"
@@ -453,29 +454,14 @@ NOKPROBE_SYMBOL(process_fetch_insn)
static nokprobe_inline int
fetch_store_strlen_user(unsigned long addr)
{
- const void __user *uaddr = (__force const void __user *)addr;
-
- return strnlen_user_nofault(uaddr, MAX_STRING_SIZE);
+ return kern_fetch_store_strlen_user(addr);
}
/* Return the length of string -- including null terminal byte */
static nokprobe_inline int
fetch_store_strlen(unsigned long addr)
{
- int ret, len = 0;
- u8 c;
-
-#ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
- if (addr < TASK_SIZE)
- return fetch_store_strlen_user(addr);
-#endif
-
- do {
- ret = copy_from_kernel_nofault(&c, (u8 *)addr + len, 1);
- len++;
- } while (c && ret == 0 && len < MAX_STRING_SIZE);
-
- return (ret < 0) ? ret : len;
+ return kern_fetch_store_strlen(addr);
}
/*
@@ -485,21 +471,7 @@ fetch_store_strlen(unsigned long addr)
static nokprobe_inline int
fetch_store_string_user(unsigned long addr, void *dest, void *base)
{
- const void __user *uaddr = (__force const void __user *)addr;
- int maxlen = get_loc_len(*(u32 *)dest);
- void *__dest;
- long ret;
-
- if (unlikely(!maxlen))
- return -ENOMEM;
-
- __dest = get_loc_data(dest, base);
-
- ret = strncpy_from_user_nofault(__dest, uaddr, maxlen);
- if (ret >= 0)
- *(u32 *)dest = make_data_loc(ret, __dest - base);
-
- return ret;
+ return kern_fetch_store_string_user(addr, dest, base);
}
/*
@@ -509,29 +481,7 @@ fetch_store_string_user(unsigned long ad
static nokprobe_inline int
fetch_store_string(unsigned long addr, void *dest, void *base)
{
- int maxlen = get_loc_len(*(u32 *)dest);
- void *__dest;
- long ret;
-
-#ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
- if ((unsigned long)addr < TASK_SIZE)
- return fetch_store_string_user(addr, dest, base);
-#endif
-
- if (unlikely(!maxlen))
- return -ENOMEM;
-
- __dest = get_loc_data(dest, base);
-
- /*
- * Try to get string again, since the string can be changed while
- * probing.
- */
- ret = strncpy_from_kernel_nofault(__dest, (void *)addr, maxlen);
- if (ret >= 0)
- *(u32 *)dest = make_data_loc(ret, __dest - base);
-
- return ret;
+ return kern_fetch_store_string(addr, dest, base);
}
static nokprobe_inline int
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -20,6 +20,7 @@
#include "trace_kprobe_selftest.h"
#include "trace_probe.h"
#include "trace_probe_tmpl.h"
+#include "trace_probe_kernel.h"
#define KPROBE_EVENT_SYSTEM "kprobes"
#define KRETPROBE_MAXACTIVE_MAX 4096
@@ -1223,29 +1224,14 @@ static const struct file_operations kpro
static nokprobe_inline int
fetch_store_strlen_user(unsigned long addr)
{
- const void __user *uaddr = (__force const void __user *)addr;
-
- return strnlen_user_nofault(uaddr, MAX_STRING_SIZE);
+ return kern_fetch_store_strlen_user(addr);
}
/* Return the length of string -- including null terminal byte */
static nokprobe_inline int
fetch_store_strlen(unsigned long addr)
{
- int ret, len = 0;
- u8 c;
-
-#ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
- if (addr < TASK_SIZE)
- return fetch_store_strlen_user(addr);
-#endif
-
- do {
- ret = copy_from_kernel_nofault(&c, (u8 *)addr + len, 1);
- len++;
- } while (c && ret == 0 && len < MAX_STRING_SIZE);
-
- return (ret < 0) ? ret : len;
+ return kern_fetch_store_strlen(addr);
}
/*
@@ -1255,21 +1241,7 @@ fetch_store_strlen(unsigned long addr)
static nokprobe_inline int
fetch_store_string_user(unsigned long addr, void *dest, void *base)
{
- const void __user *uaddr = (__force const void __user *)addr;
- int maxlen = get_loc_len(*(u32 *)dest);
- void *__dest;
- long ret;
-
- if (unlikely(!maxlen))
- return -ENOMEM;
-
- __dest = get_loc_data(dest, base);
-
- ret = strncpy_from_user_nofault(__dest, uaddr, maxlen);
- if (ret >= 0)
- *(u32 *)dest = make_data_loc(ret, __dest - base);
-
- return ret;
+ return kern_fetch_store_string_user(addr, dest, base);
}
/*
@@ -1279,29 +1251,7 @@ fetch_store_string_user(unsigned long ad
static nokprobe_inline int
fetch_store_string(unsigned long addr, void *dest, void *base)
{
- int maxlen = get_loc_len(*(u32 *)dest);
- void *__dest;
- long ret;
-
-#ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
- if ((unsigned long)addr < TASK_SIZE)
- return fetch_store_string_user(addr, dest, base);
-#endif
-
- if (unlikely(!maxlen))
- return -ENOMEM;
-
- __dest = get_loc_data(dest, base);
-
- /*
- * Try to get string again, since the string can be changed while
- * probing.
- */
- ret = strncpy_from_kernel_nofault(__dest, (void *)addr, maxlen);
- if (ret >= 0)
- *(u32 *)dest = make_data_loc(ret, __dest - base);
-
- return ret;
+ return kern_fetch_store_string(addr, dest, base);
}
static nokprobe_inline int
--- /dev/null
+++ b/kernel/trace/trace_probe_kernel.h
@@ -0,0 +1,96 @@
+/* SPDX-License-Identifier: GPL-2.0 */
+#ifndef __TRACE_PROBE_KERNEL_H_
+#define __TRACE_PROBE_KERNEL_H_
+
+/*
+ * This depends on trace_probe.h, but can not include it due to
+ * the way trace_probe_tmpl.h is used by trace_kprobe.c and trace_eprobe.c.
+ * Which means that any other user must include trace_probe.h before including
+ * this file.
+ */
+/* Return the length of string -- including null terminal byte */
+static nokprobe_inline int
+kern_fetch_store_strlen_user(unsigned long addr)
+{
+ const void __user *uaddr = (__force const void __user *)addr;
+
+ return strnlen_user_nofault(uaddr, MAX_STRING_SIZE);
+}
+
+/* Return the length of string -- including null terminal byte */
+static nokprobe_inline int
+kern_fetch_store_strlen(unsigned long addr)
+{
+ int ret, len = 0;
+ u8 c;
+
+#ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
+ if (addr < TASK_SIZE)
+ return kern_fetch_store_strlen_user(addr);
+#endif
+
+ do {
+ ret = copy_from_kernel_nofault(&c, (u8 *)addr + len, 1);
+ len++;
+ } while (c && ret == 0 && len < MAX_STRING_SIZE);
+
+ return (ret < 0) ? ret : len;
+}
+
+/*
+ * Fetch a null-terminated string from user. Caller MUST set *(u32 *)buf
+ * with max length and relative data location.
+ */
+static nokprobe_inline int
+kern_fetch_store_string_user(unsigned long addr, void *dest, void *base)
+{
+ const void __user *uaddr = (__force const void __user *)addr;
+ int maxlen = get_loc_len(*(u32 *)dest);
+ void *__dest;
+ long ret;
+
+ if (unlikely(!maxlen))
+ return -ENOMEM;
+
+ __dest = get_loc_data(dest, base);
+
+ ret = strncpy_from_user_nofault(__dest, uaddr, maxlen);
+ if (ret >= 0)
+ *(u32 *)dest = make_data_loc(ret, __dest - base);
+
+ return ret;
+}
+
+/*
+ * Fetch a null-terminated string. Caller MUST set *(u32 *)buf with max
+ * length and relative data location.
+ */
+static nokprobe_inline int
+kern_fetch_store_string(unsigned long addr, void *dest, void *base)
+{
+ int maxlen = get_loc_len(*(u32 *)dest);
+ void *__dest;
+ long ret;
+
+#ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
+ if ((unsigned long)addr < TASK_SIZE)
+ return kern_fetch_store_string_user(addr, dest, base);
+#endif
+
+ if (unlikely(!maxlen))
+ return -ENOMEM;
+
+ __dest = get_loc_data(dest, base);
+
+ /*
+ * Try to get string again, since the string can be changed while
+ * probing.
+ */
+ ret = strncpy_from_kernel_nofault(__dest, (void *)addr, maxlen);
+ if (ret >= 0)
+ *(u32 *)dest = make_data_loc(ret, __dest - base);
+
+ return ret;
+}
+
+#endif /* __TRACE_PROBE_KERNEL_H_ */
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 164/862] tracing: Add "(fault)" name injection to kernel probes
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 163/862] tracing: Move duplicate code of trace_kprobe/eprobe.c into header Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 165/862] tracing: Fix reading strings from synthetic events Greg Kroah-Hartman
` (712 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Andrew Morton, Tom Zanussi,
Masami Hiramatsu (Google), Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit 2e9906f84fc7c99388bb7123ade167250d50f1c0 upstream.
Have the specific functions for kernel probes that read strings to inject
the "(fault)" name directly. trace_probes.c does this too (for uprobes)
but as the code to read strings are going to be used by synthetic events
(and perhaps other utilities), it simplifies the code by making sure those
other uses do not need to implement the "(fault)" name injection as well.
Link: https://lkml.kernel.org/r/20221012104534.644803645@goodmis.org
Cc: stable@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Tom Zanussi <zanussi@kernel.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Tom Zanussi <zanussi@kernel.org>
Fixes: bd82631d7ccdc ("tracing: Add support for dynamic strings to synthetic events")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_probe_kernel.h | 31 +++++++++++++++++++++++++------
1 file changed, 25 insertions(+), 6 deletions(-)
--- a/kernel/trace/trace_probe_kernel.h
+++ b/kernel/trace/trace_probe_kernel.h
@@ -2,6 +2,8 @@
#ifndef __TRACE_PROBE_KERNEL_H_
#define __TRACE_PROBE_KERNEL_H_
+#define FAULT_STRING "(fault)"
+
/*
* This depends on trace_probe.h, but can not include it due to
* the way trace_probe_tmpl.h is used by trace_kprobe.c and trace_eprobe.c.
@@ -13,8 +15,16 @@ static nokprobe_inline int
kern_fetch_store_strlen_user(unsigned long addr)
{
const void __user *uaddr = (__force const void __user *)addr;
+ int ret;
- return strnlen_user_nofault(uaddr, MAX_STRING_SIZE);
+ ret = strnlen_user_nofault(uaddr, MAX_STRING_SIZE);
+ /*
+ * strnlen_user_nofault returns zero on fault, insert the
+ * FAULT_STRING when that occurs.
+ */
+ if (ret <= 0)
+ return strlen(FAULT_STRING) + 1;
+ return ret;
}
/* Return the length of string -- including null terminal byte */
@@ -34,7 +44,18 @@ kern_fetch_store_strlen(unsigned long ad
len++;
} while (c && ret == 0 && len < MAX_STRING_SIZE);
- return (ret < 0) ? ret : len;
+ /* For faults, return enough to hold the FAULT_STRING */
+ return (ret < 0) ? strlen(FAULT_STRING) + 1 : len;
+}
+
+static nokprobe_inline void set_data_loc(int ret, void *dest, void *__dest, void *base, int len)
+{
+ if (ret >= 0) {
+ *(u32 *)dest = make_data_loc(ret, __dest - base);
+ } else {
+ strscpy(__dest, FAULT_STRING, len);
+ ret = strlen(__dest) + 1;
+ }
}
/*
@@ -55,8 +76,7 @@ kern_fetch_store_string_user(unsigned lo
__dest = get_loc_data(dest, base);
ret = strncpy_from_user_nofault(__dest, uaddr, maxlen);
- if (ret >= 0)
- *(u32 *)dest = make_data_loc(ret, __dest - base);
+ set_data_loc(ret, dest, __dest, base, maxlen);
return ret;
}
@@ -87,8 +107,7 @@ kern_fetch_store_string(unsigned long ad
* probing.
*/
ret = strncpy_from_kernel_nofault(__dest, (void *)addr, maxlen);
- if (ret >= 0)
- *(u32 *)dest = make_data_loc(ret, __dest - base);
+ set_data_loc(ret, dest, __dest, base, maxlen);
return ret;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 165/862] tracing: Fix reading strings from synthetic events
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 164/862] tracing: Add "(fault)" name injection to kernel probes Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 166/862] rpmsg: char: Avoid double destroy of default endpoint Greg Kroah-Hartman
` (711 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Andrew Morton, Tom Zanussi,
Masami Hiramatsu (Google), Steven Rostedt (Google)
From: Steven Rostedt (Google) <rostedt@goodmis.org>
commit 0934ae9977c27133449b6dd8c6213970e7eece38 upstream.
The follow commands caused a crash:
# cd /sys/kernel/tracing
# echo 's:open char file[]' > dynamic_events
# echo 'hist:keys=common_pid:file=filename:onchange($file).trace(open,$file)' > events/syscalls/sys_enter_openat/trigger'
# echo 1 > events/synthetic/open/enable
BOOM!
The problem is that the synthetic event field "char file[]" will read
the value given to it as a string without any memory checks to make sure
the address is valid. The above example will pass in the user space
address and the sythetic event code will happily call strlen() on it
and then strscpy() where either one will cause an oops when accessing
user space addresses.
Use the helper functions from trace_kprobe and trace_eprobe that can
read strings safely (and actually succeed when the address is from user
space and the memory is mapped in).
Now the above can show:
packagekitd-1721 [000] ...2. 104.597170: open: file=/usr/lib/rpm/fileattrs/cmake.attr
in:imjournal-978 [006] ...2. 104.599642: open: file=/var/lib/rsyslog/imjournal.state.tmp
packagekitd-1721 [000] ...2. 104.626308: open: file=/usr/lib/rpm/fileattrs/debuginfo.attr
Link: https://lkml.kernel.org/r/20221012104534.826549315@goodmis.org
Cc: stable@vger.kernel.org
Cc: Andrew Morton <akpm@linux-foundation.org>
Cc: Tom Zanussi <zanussi@kernel.org>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Reviewed-by: Tom Zanussi <zanussi@kernel.org>
Fixes: bd82631d7ccdc ("tracing: Add support for dynamic strings to synthetic events")
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_events_synth.c | 23 +++++++++++++++++------
1 file changed, 17 insertions(+), 6 deletions(-)
--- a/kernel/trace/trace_events_synth.c
+++ b/kernel/trace/trace_events_synth.c
@@ -17,6 +17,8 @@
/* for gfp flag names */
#include <linux/trace_events.h>
#include <trace/events/mmflags.h>
+#include "trace_probe.h"
+#include "trace_probe_kernel.h"
#include "trace_synth.h"
@@ -409,6 +411,7 @@ static unsigned int trace_string(struct
{
unsigned int len = 0;
char *str_field;
+ int ret;
if (is_dynamic) {
u32 data_offset;
@@ -417,19 +420,27 @@ static unsigned int trace_string(struct
data_offset += event->n_u64 * sizeof(u64);
data_offset += data_size;
- str_field = (char *)entry + data_offset;
-
- len = strlen(str_val) + 1;
- strscpy(str_field, str_val, len);
+ len = kern_fetch_store_strlen((unsigned long)str_val);
data_offset |= len << 16;
*(u32 *)&entry->fields[*n_u64] = data_offset;
+ ret = kern_fetch_store_string((unsigned long)str_val, &entry->fields[*n_u64], entry);
+
(*n_u64)++;
} else {
str_field = (char *)&entry->fields[*n_u64];
- strscpy(str_field, str_val, STR_VAR_LEN_MAX);
+#ifdef CONFIG_ARCH_HAS_NON_OVERLAPPING_ADDRESS_SPACE
+ if ((unsigned long)str_val < TASK_SIZE)
+ ret = strncpy_from_user_nofault(str_field, str_val, STR_VAR_LEN_MAX);
+ else
+#endif
+ ret = strncpy_from_kernel_nofault(str_field, str_val, STR_VAR_LEN_MAX);
+
+ if (ret < 0)
+ strcpy(str_field, FAULT_STRING);
+
(*n_u64) += STR_VAR_LEN_MAX / sizeof(u64);
}
@@ -462,7 +473,7 @@ static notrace void trace_event_raw_even
val_idx = var_ref_idx[field_pos];
str_val = (char *)(long)var_ref_vals[val_idx];
- len = strlen(str_val) + 1;
+ len = kern_fetch_store_strlen((unsigned long)str_val);
fields_size += len;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 166/862] rpmsg: char: Avoid double destroy of default endpoint
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 165/862] tracing: Fix reading strings from synthetic events Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 167/862] thunderbolt: Explicitly enable lane adapter hotplug events at startup Greg Kroah-Hartman
` (710 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Shengjiu Wang, Arnaud Pouliquen,
Peng Fan, Mathieu Poirier
From: Shengjiu Wang <shengjiu.wang@nxp.com>
commit 467233a4ac29b215d492843d067a9f091e6bf0c5 upstream.
The rpmsg_dev_remove() in rpmsg_core is the place for releasing
this default endpoint.
So need to avoid destroying the default endpoint in
rpmsg_chrdev_eptdev_destroy(), this should be the same as
rpmsg_eptdev_release(). Otherwise there will be double destroy
issue that ept->refcount report warning:
refcount_t: underflow; use-after-free.
Call trace:
refcount_warn_saturate+0xf8/0x150
virtio_rpmsg_destroy_ept+0xd4/0xec
rpmsg_dev_remove+0x60/0x70
The issue can be reproduced by stopping remoteproc before
closing the /dev/rpmsgX.
Fixes: bea9b79c2d10 ("rpmsg: char: Add possibility to use default endpoint of the rpmsg device")
Signed-off-by: Shengjiu Wang <shengjiu.wang@nxp.com>
Reviewed-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Reviewed-by: Peng Fan <peng.fan@nxp.com>
Cc: stable <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1663725523-6514-1-git-send-email-shengjiu.wang@nxp.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/rpmsg/rpmsg_char.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/drivers/rpmsg/rpmsg_char.c
+++ b/drivers/rpmsg/rpmsg_char.c
@@ -76,7 +76,9 @@ int rpmsg_chrdev_eptdev_destroy(struct d
mutex_lock(&eptdev->ept_lock);
if (eptdev->ept) {
- rpmsg_destroy_ept(eptdev->ept);
+ /* The default endpoint is released by the rpmsg core */
+ if (!eptdev->default_ept)
+ rpmsg_destroy_ept(eptdev->ept);
eptdev->ept = NULL;
}
mutex_unlock(&eptdev->ept_lock);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 167/862] thunderbolt: Explicitly enable lane adapter hotplug events at startup
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 166/862] rpmsg: char: Avoid double destroy of default endpoint Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 168/862] efi: libstub: drop pointless get_memory_map() call Greg Kroah-Hartman
` (709 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Mario Limonciello, Mika Westerberg
From: Mario Limonciello <mario.limonciello@amd.com>
commit 5d2569cb4a65c373896ec0217febdf88739ed295 upstream.
Software that has run before the USB4 CM in Linux runs may have disabled
hotplug events for a given lane adapter.
Other CMs such as that one distributed with Windows 11 will enable hotplug
events. Do the same thing in the Linux CM which fixes hotplug events on
"AMD Pink Sardine".
Cc: stable@vger.kernel.org
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/switch.c | 24 ++++++++++++++++++++++++
drivers/thunderbolt/tb.h | 1 +
drivers/thunderbolt/tb_regs.h | 1 +
drivers/thunderbolt/usb4.c | 20 ++++++++++++++++++++
4 files changed, 46 insertions(+)
--- a/drivers/thunderbolt/switch.c
+++ b/drivers/thunderbolt/switch.c
@@ -2822,6 +2822,26 @@ static void tb_switch_credits_init(struc
tb_sw_info(sw, "failed to determine preferred buffer allocation, using defaults\n");
}
+static int tb_switch_port_hotplug_enable(struct tb_switch *sw)
+{
+ struct tb_port *port;
+
+ if (tb_switch_is_icm(sw))
+ return 0;
+
+ tb_switch_for_each_port(sw, port) {
+ int res;
+
+ if (!port->cap_usb4)
+ continue;
+
+ res = usb4_port_hotplug_enable(port);
+ if (res)
+ return res;
+ }
+ return 0;
+}
+
/**
* tb_switch_add() - Add a switch to the domain
* @sw: Switch to add
@@ -2891,6 +2911,10 @@ int tb_switch_add(struct tb_switch *sw)
return ret;
}
+ ret = tb_switch_port_hotplug_enable(sw);
+ if (ret)
+ return ret;
+
ret = device_add(&sw->dev);
if (ret) {
dev_err(&sw->dev, "failed to add device: %d\n", ret);
--- a/drivers/thunderbolt/tb.h
+++ b/drivers/thunderbolt/tb.h
@@ -1174,6 +1174,7 @@ int usb4_switch_add_ports(struct tb_swit
void usb4_switch_remove_ports(struct tb_switch *sw);
int usb4_port_unlock(struct tb_port *port);
+int usb4_port_hotplug_enable(struct tb_port *port);
int usb4_port_configure(struct tb_port *port);
void usb4_port_unconfigure(struct tb_port *port);
int usb4_port_configure_xdomain(struct tb_port *port);
--- a/drivers/thunderbolt/tb_regs.h
+++ b/drivers/thunderbolt/tb_regs.h
@@ -308,6 +308,7 @@ struct tb_regs_port_header {
#define ADP_CS_5 0x05
#define ADP_CS_5_LCA_MASK GENMASK(28, 22)
#define ADP_CS_5_LCA_SHIFT 22
+#define ADP_CS_5_DHP BIT(31)
/* TMU adapter registers */
#define TMU_ADP_CS_3 0x03
--- a/drivers/thunderbolt/usb4.c
+++ b/drivers/thunderbolt/usb4.c
@@ -1046,6 +1046,26 @@ int usb4_port_unlock(struct tb_port *por
return tb_port_write(port, &val, TB_CFG_PORT, ADP_CS_4, 1);
}
+/**
+ * usb4_port_hotplug_enable() - Enables hotplug for a port
+ * @port: USB4 port to operate on
+ *
+ * Enables hot plug events on a given port. This is only intended
+ * to be used on lane, DP-IN, and DP-OUT adapters.
+ */
+int usb4_port_hotplug_enable(struct tb_port *port)
+{
+ int ret;
+ u32 val;
+
+ ret = tb_port_read(port, &val, TB_CFG_PORT, ADP_CS_5, 1);
+ if (ret)
+ return ret;
+
+ val &= ~ADP_CS_5_DHP;
+ return tb_port_write(port, &val, TB_CFG_PORT, ADP_CS_5, 1);
+}
+
static int usb4_port_set_configured(struct tb_port *port, bool configured)
{
int ret;
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 168/862] efi: libstub: drop pointless get_memory_map() call
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 167/862] thunderbolt: Explicitly enable lane adapter hotplug events at startup Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 169/862] media: cedrus: Fix watchdog race condition Greg Kroah-Hartman
` (708 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Ard Biesheuvel
From: Ard Biesheuvel <ardb@kernel.org>
commit d80ca810f096ff66f451e7a3ed2f0cd9ef1ff519 upstream.
Currently, the non-x86 stub code calls get_memory_map() redundantly,
given that the data it returns is never used anywhere. So drop the call.
Cc: <stable@vger.kernel.org> # v4.14+
Fixes: 24d7c494ce46 ("efi/arm-stub: Round up FDT allocation to mapping size")
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/firmware/efi/libstub/fdt.c | 8 --------
1 file changed, 8 deletions(-)
--- a/drivers/firmware/efi/libstub/fdt.c
+++ b/drivers/firmware/efi/libstub/fdt.c
@@ -280,14 +280,6 @@ efi_status_t allocate_new_fdt_and_exit_b
goto fail;
}
- /*
- * Now that we have done our final memory allocation (and free)
- * we can get the memory map key needed for exit_boot_services().
- */
- status = efi_get_memory_map(&map);
- if (status != EFI_SUCCESS)
- goto fail_free_new_fdt;
-
status = update_fdt((void *)fdt_addr, fdt_size,
(void *)*new_fdt_addr, MAX_FDT_SIZE, cmdline_ptr,
initrd_addr, initrd_size);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 169/862] media: cedrus: Fix watchdog race condition
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 168/862] efi: libstub: drop pointless get_memory_map() call Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 170/862] media: cedrus: Set the platform driver data earlier Greg Kroah-Hartman
` (707 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nicolas Dufresne, Paul Kocialkowski,
Hans Verkuil, Mauro Carvalho Chehab
From: Nicolas Dufresne <nicolas.dufresne@collabora.com>
commit fe8b81fde69acfcbb5af9e85328e5b9549999fdb upstream.
The watchdog needs to be scheduled before we trigger the decode
operation, otherwise there is a risk that the decoder IRQ will be
called before we have schedule the watchdog. As a side effect, the
watchdog would never be cancelled and its function would be called
at an inappropriate time.
This was observed while running Fluster with GStreamer as a backend.
Some programming error would cause the decoder IRQ to be call very
quickly after the trigger. Later calls into the driver would deadlock
due to the unbalanced state.
Cc: stable@vger.kernel.org
Fixes: 7c38a551bda1 ("media: cedrus: Add watchdog for job completion")
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Reviewed-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/sunxi/cedrus/cedrus_dec.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/staging/media/sunxi/cedrus/cedrus_dec.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus_dec.c
@@ -106,11 +106,11 @@ void cedrus_device_run(void *priv)
/* Trigger decoding if setup went well, bail out otherwise. */
if (!error) {
- dev->dec_ops[ctx->current_codec]->trigger(ctx);
-
/* Start the watchdog timer. */
schedule_delayed_work(&dev->watchdog_work,
msecs_to_jiffies(2000));
+
+ dev->dec_ops[ctx->current_codec]->trigger(ctx);
} else {
v4l2_m2m_buf_done_and_job_finish(ctx->dev->m2m_dev,
ctx->fh.m2m_ctx,
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 170/862] media: cedrus: Set the platform driver data earlier
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 169/862] media: cedrus: Fix watchdog race condition Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 171/862] media: cedrus: Fix endless loop in cedrus_h265_skip_bits() Greg Kroah-Hartman
` (706 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Dmitry Osipenko, Nicolas Dufresne,
Samuel Holland, Paul Kocialkowski, Hans Verkuil,
Mauro Carvalho Chehab
From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
commit 708938f8495147fe2e77a9a3e1015d8e6899323e upstream.
The cedrus_hw_resume() crashes with NULL deference on driver probe if
runtime PM is disabled because it uses platform data that hasn't been
set up yet. Fix this by setting the platform data earlier during probe.
Cc: stable@vger.kernel.org
Fixes: 50e761516f2b (media: platform: Add Cedrus VPU decoder driver)
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Reviewed-by: Samuel Holland <samuel@sholland.org>
Acked-by: Paul Kocialkowski <paul.kocialkowski@bootlin.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/sunxi/cedrus/cedrus.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/staging/media/sunxi/cedrus/cedrus.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus.c
@@ -448,6 +448,8 @@ static int cedrus_probe(struct platform_
if (!dev)
return -ENOMEM;
+ platform_set_drvdata(pdev, dev);
+
dev->vfd = cedrus_video_device;
dev->dev = &pdev->dev;
dev->pdev = pdev;
@@ -521,8 +523,6 @@ static int cedrus_probe(struct platform_
goto err_m2m_mc;
}
- platform_set_drvdata(pdev, dev);
-
return 0;
err_m2m_mc:
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 171/862] media: cedrus: Fix endless loop in cedrus_h265_skip_bits()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 170/862] media: cedrus: Set the platform driver data earlier Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 172/862] blk-throttle: fix that io throttle can only work for single bio Greg Kroah-Hartman
` (705 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Nicolas Dufresne, Dmitry Osipenko,
Hans Verkuil, Mauro Carvalho Chehab
From: Dmitry Osipenko <dmitry.osipenko@collabora.com>
commit 91db7a3fc7fe670cf1770a398a43bb4a1f776bf1 upstream.
The busy status bit may never de-assert if number of programmed skip
bits is incorrect, resulting in a kernel hang because the bit is polled
endlessly in the code. Fix it by adding timeout for the bit-polling.
This problem is reproducible by setting the data_bit_offset field of
the HEVC slice params to a wrong value by userspace.
Cc: stable@vger.kernel.org
Fixes: 7678c5462680 (media: cedrus: Fix decoding for some HEVC videos)
Reported-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Dmitry Osipenko <dmitry.osipenko@collabora.com>
Signed-off-by: Nicolas Dufresne <nicolas.dufresne@collabora.com>
Signed-off-by: Hans Verkuil <hverkuil-cisco@xs4all.nl>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/media/sunxi/cedrus/cedrus_h265.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- a/drivers/staging/media/sunxi/cedrus/cedrus_h265.c
+++ b/drivers/staging/media/sunxi/cedrus/cedrus_h265.c
@@ -234,8 +234,9 @@ static void cedrus_h265_skip_bits(struct
cedrus_write(dev, VE_DEC_H265_TRIGGER,
VE_DEC_H265_TRIGGER_FLUSH_BITS |
VE_DEC_H265_TRIGGER_TYPE_N_BITS(tmp));
- while (cedrus_read(dev, VE_DEC_H265_STATUS) & VE_DEC_H265_STATUS_VLD_BUSY)
- udelay(1);
+
+ if (cedrus_wait_for(dev, VE_DEC_H265_STATUS, VE_DEC_H265_STATUS_VLD_BUSY))
+ dev_err_ratelimited(dev->dev, "timed out waiting to skip bits\n");
count += tmp;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 172/862] blk-throttle: fix that io throttle can only work for single bio
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 171/862] media: cedrus: Fix endless loop in cedrus_h265_skip_bits() Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 173/862] blk-wbt: call rq_qos_add() after wb_normal is initialized Greg Kroah-Hartman
` (704 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yu Kuai, Tejun Heo, Jens Axboe
From: Yu Kuai <yukuai3@huawei.com>
commit 320fb0f91e55ba248d4bad106b408e59099cfa89 upstream.
Test scripts:
cd /sys/fs/cgroup/blkio/
echo "8:0 1024" > blkio.throttle.write_bps_device
echo $$ > cgroup.procs
dd if=/dev/zero of=/dev/sda bs=10k count=1 oflag=direct &
dd if=/dev/zero of=/dev/sda bs=10k count=1 oflag=direct &
Test result:
10240 bytes (10 kB, 10 KiB) copied, 10.0134 s, 1.0 kB/s
10240 bytes (10 kB, 10 KiB) copied, 10.0135 s, 1.0 kB/s
The problem is that the second bio is finished after 10s instead of 20s.
Root cause:
1) second bio will be flagged:
__blk_throtl_bio
while (true) {
...
if (sq->nr_queued[rw]) -> some bio is throttled already
break
};
bio_set_flag(bio, BIO_THROTTLED); -> flag the bio
2) flagged bio will be dispatched without waiting:
throtl_dispatch_tg
tg_may_dispatch
tg_with_in_bps_limit
if (bps_limit == U64_MAX || bio_flagged(bio, BIO_THROTTLED))
*wait = 0; -> wait time is zero
return true;
commit 9f5ede3c01f9 ("block: throttle split bio in case of iops limit")
support to count split bios for iops limit, thus it adds flagged bio
checking in tg_with_in_bps_limit() so that split bios will only count
once for bps limit, however, it introduce a new problem that io throttle
won't work if multiple bios are throttled.
In order to fix the problem, handle iops/bps limit in different ways:
1) for iops limit, there is no flag to record if the bio is throttled,
and iops is always applied.
2) for bps limit, original bio will be flagged with BIO_BPS_THROTTLED,
and io throttle will ignore bio with the flag.
Noted this patch also remove the code to set flag in __bio_clone(), it's
introduced in commit 111be8839817 ("block-throttle: avoid double
charge"), and author thinks split bio can be resubmited and throttled
again, which is wrong because split bio will continue to dispatch from
caller.
Fixes: 9f5ede3c01f9 ("block: throttle split bio in case of iops limit")
Cc: <stable@vger.kernel.org>
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Acked-by: Tejun Heo <tj@kernel.org>
Link: https://lore.kernel.org/r/20220829022240.3348319-2-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/bio.c | 2 --
block/blk-throttle.c | 20 ++++++--------------
block/blk-throttle.h | 2 +-
include/linux/bio.h | 2 +-
include/linux/blk_types.h | 2 +-
5 files changed, 9 insertions(+), 19 deletions(-)
--- a/block/bio.c
+++ b/block/bio.c
@@ -760,8 +760,6 @@ EXPORT_SYMBOL(bio_put);
static int __bio_clone(struct bio *bio, struct bio *bio_src, gfp_t gfp)
{
bio_set_flag(bio, BIO_CLONED);
- if (bio_flagged(bio_src, BIO_THROTTLED))
- bio_set_flag(bio, BIO_THROTTLED);
bio->bi_ioprio = bio_src->bi_ioprio;
bio->bi_iter = bio_src->bi_iter;
--- a/block/blk-throttle.c
+++ b/block/blk-throttle.c
@@ -811,7 +811,7 @@ static bool tg_with_in_bps_limit(struct
unsigned int bio_size = throtl_bio_data_size(bio);
/* no need to throttle if this bio's bytes have been accounted */
- if (bps_limit == U64_MAX || bio_flagged(bio, BIO_THROTTLED)) {
+ if (bps_limit == U64_MAX || bio_flagged(bio, BIO_BPS_THROTTLED)) {
if (wait)
*wait = 0;
return true;
@@ -921,22 +921,13 @@ static void throtl_charge_bio(struct thr
unsigned int bio_size = throtl_bio_data_size(bio);
/* Charge the bio to the group */
- if (!bio_flagged(bio, BIO_THROTTLED)) {
+ if (!bio_flagged(bio, BIO_BPS_THROTTLED)) {
tg->bytes_disp[rw] += bio_size;
tg->last_bytes_disp[rw] += bio_size;
}
tg->io_disp[rw]++;
tg->last_io_disp[rw]++;
-
- /*
- * BIO_THROTTLED is used to prevent the same bio to be throttled
- * more than once as a throttled bio will go through blk-throtl the
- * second time when it eventually gets issued. Set it when a bio
- * is being charged to a tg.
- */
- if (!bio_flagged(bio, BIO_THROTTLED))
- bio_set_flag(bio, BIO_THROTTLED);
}
/**
@@ -1026,6 +1017,7 @@ static void tg_dispatch_one_bio(struct t
sq->nr_queued[rw]--;
throtl_charge_bio(tg, bio);
+ bio_set_flag(bio, BIO_BPS_THROTTLED);
/*
* If our parent is another tg, we just need to transfer @bio to
@@ -2159,8 +2151,10 @@ again:
qn = &tg->qnode_on_parent[rw];
sq = sq->parent_sq;
tg = sq_to_tg(sq);
- if (!tg)
+ if (!tg) {
+ bio_set_flag(bio, BIO_BPS_THROTTLED);
goto out_unlock;
+ }
}
/* out-of-limit, queue to @tg */
@@ -2189,8 +2183,6 @@ again:
}
out_unlock:
- bio_set_flag(bio, BIO_THROTTLED);
-
#ifdef CONFIG_BLK_DEV_THROTTLING_LOW
if (throttled || !td->track_bio_latency)
bio->bi_issue.value |= BIO_ISSUE_THROTL_SKIP_LATENCY;
--- a/block/blk-throttle.h
+++ b/block/blk-throttle.h
@@ -175,7 +175,7 @@ static inline bool blk_throtl_bio(struct
struct throtl_grp *tg = blkg_to_tg(bio->bi_blkg);
/* no need to throttle bps any more if the bio has been throttled */
- if (bio_flagged(bio, BIO_THROTTLED) &&
+ if (bio_flagged(bio, BIO_BPS_THROTTLED) &&
!(tg->flags & THROTL_TG_HAS_IOPS_LIMIT))
return false;
--- a/include/linux/bio.h
+++ b/include/linux/bio.h
@@ -509,7 +509,7 @@ static inline void bio_set_dev(struct bi
{
bio_clear_flag(bio, BIO_REMAPPED);
if (bio->bi_bdev != bdev)
- bio_clear_flag(bio, BIO_THROTTLED);
+ bio_clear_flag(bio, BIO_BPS_THROTTLED);
bio->bi_bdev = bdev;
bio_associate_blkg(bio);
}
--- a/include/linux/blk_types.h
+++ b/include/linux/blk_types.h
@@ -325,7 +325,7 @@ enum {
BIO_QUIET, /* Make BIO Quiet */
BIO_CHAIN, /* chained bio, ->bi_remaining in effect */
BIO_REFFED, /* bio has elevated ->bi_cnt */
- BIO_THROTTLED, /* This bio has already been subjected to
+ BIO_BPS_THROTTLED, /* This bio has already been subjected to
* throttling rules. Don't do it again. */
BIO_TRACE_COMPLETION, /* bio_endio() should trace the final completion
* of this bio. */
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 173/862] blk-wbt: call rq_qos_add() after wb_normal is initialized
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 172/862] blk-throttle: fix that io throttle can only work for single bio Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 174/862] KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility Greg Kroah-Hartman
` (703 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Yu Kuai, Jens Axboe
From: Yu Kuai <yukuai3@huawei.com>
commit 8c5035dfbb9475b67c82b3fdb7351236525bf52b upstream.
Our test found a problem that wbt inflight counter is negative, which
will cause io hang(noted that this problem doesn't exist in mainline):
t1: device create t2: issue io
add_disk
blk_register_queue
wbt_enable_default
wbt_init
rq_qos_add
// wb_normal is still 0
/*
* in mainline, disk can't be opened before
* bdev_add(), however, in old kernels, disk
* can be opened before blk_register_queue().
*/
blkdev_issue_flush
// disk size is 0, however, it's not checked
submit_bio_wait
submit_bio
blk_mq_submit_bio
rq_qos_throttle
wbt_wait
bio_to_wbt_flags
rwb_enabled
// wb_normal is 0, inflight is not increased
wbt_queue_depth_changed(&rwb->rqos);
wbt_update_limits
// wb_normal is initialized
rq_qos_track
wbt_track
rq->wbt_flags |= bio_to_wbt_flags(rwb, bio);
// wb_normal is not 0,wbt_flags will be set
t3: io completion
blk_mq_free_request
rq_qos_done
wbt_done
wbt_is_tracked
// return true
__wbt_done
wbt_rqw_done
atomic_dec_return(&rqw->inflight);
// inflight is decreased
commit 8235b5c1e8c1 ("block: call bdev_add later in device_add_disk") can
avoid this problem, however it's better to fix this problem in wbt:
1) Lower kernel can't backport this patch due to lots of refactor.
2) Root cause is that wbt call rq_qos_add() before wb_normal is
initialized.
Fixes: e34cbd307477 ("blk-wbt: add general throttling mechanism")
Cc: <stable@vger.kernel.org>
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Link: https://lore.kernel.org/r/20220913105749.3086243-1-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/blk-wbt.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
--- a/block/blk-wbt.c
+++ b/block/blk-wbt.c
@@ -843,6 +843,10 @@ int wbt_init(struct request_queue *q)
rwb->enable_state = WBT_STATE_ON_DEFAULT;
rwb->wc = 1;
rwb->rq_depth.default_depth = RWB_DEF_DEPTH;
+ rwb->min_lat_nsec = wbt_default_latency_nsec(q);
+
+ wbt_queue_depth_changed(&rwb->rqos);
+ wbt_set_write_cache(q, test_bit(QUEUE_FLAG_WC, &q->queue_flags));
/*
* Assign rwb and add the stats callback.
@@ -853,11 +857,6 @@ int wbt_init(struct request_queue *q)
blk_stat_add_callback(q, rwb->cb);
- rwb->min_lat_nsec = wbt_default_latency_nsec(q);
-
- wbt_queue_depth_changed(&rwb->rqos);
- wbt_set_write_cache(q, test_bit(QUEUE_FLAG_WC, &q->queue_flags));
-
return 0;
err_free:
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 174/862] KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 173/862] blk-wbt: call rq_qos_add() after wb_normal is initialized Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 175/862] KVM: nVMX: Unconditionally purge queued/injected events on nested "exit" Greg Kroah-Hartman
` (702 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Michal Luczaj, Sean Christopherson
From: Michal Luczaj <mhal@rbox.co>
commit 6aa5c47c351b22c21205c87977c84809cd015fcf upstream.
The emulator checks the wrong variable while setting the CPU
interruptibility state, the target segment is embedded in the instruction
opcode, not the ModR/M register. Fix the condition.
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Fixes: a5457e7bcf9a ("KVM: emulate: POP SS triggers a MOV SS shadow too")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/all/20220821215900.1419215-1-mhal@rbox.co
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/emulate.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/arch/x86/kvm/emulate.c
+++ b/arch/x86/kvm/emulate.c
@@ -1953,7 +1953,7 @@ static int em_pop_sreg(struct x86_emulat
if (rc != X86EMUL_CONTINUE)
return rc;
- if (ctxt->modrm_reg == VCPU_SREG_SS)
+ if (seg == VCPU_SREG_SS)
ctxt->interruptibility = KVM_X86_SHADOW_INT_MOV_SS;
if (ctxt->op_bytes > 2)
rsp_increment(ctxt, ctxt->op_bytes - 2);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 175/862] KVM: nVMX: Unconditionally purge queued/injected events on nested "exit"
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 174/862] KVM: x86/emulator: Fix handing of POP SS to correctly set interruptibility Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 176/862] KVM: nVMX: Dont propagate vmcs12s PERF_GLOBAL_CTRL settings to vmcs02 Greg Kroah-Hartman
` (701 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Jim Mattson,
Maxim Levitsky, Paolo Bonzini
From: Sean Christopherson <seanjc@google.com>
commit d953540430c5af57f5de97ea9e36253908204027 upstream.
Drop pending exceptions and events queued for re-injection when leaving
nested guest mode, even if the "exit" is due to VM-Fail, SMI, or forced
by host userspace. Failure to purge events could result in an event
belonging to L2 being injected into L1.
This _should_ never happen for VM-Fail as all events should be blocked by
nested_run_pending, but it's possible if KVM, not the L1 hypervisor, is
the source of VM-Fail when running vmcs02.
SMI is a nop (barring unknown bugs) as recognition of SMI and thus entry
to SMM is blocked by pending exceptions and re-injected events.
Forced exit is definitely buggy, but has likely gone unnoticed because
userspace probably follows the forced exit with KVM_SET_VCPU_EVENTS (or
some other ioctl() that purges the queue).
Fixes: 4f350c6dbcb9 ("kvm: nVMX: Handle deferred early VMLAUNCH/VMRESUME failure properly")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20220830231614.3580124-2-seanjc@google.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/nested.c | 19 +++++++++++--------
1 file changed, 11 insertions(+), 8 deletions(-)
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -4255,14 +4255,6 @@ static void prepare_vmcs12(struct kvm_vc
nested_vmx_abort(vcpu,
VMX_ABORT_SAVE_GUEST_MSR_FAIL);
}
-
- /*
- * Drop what we picked up for L2 via vmx_complete_interrupts. It is
- * preserved above and would only end up incorrectly in L1.
- */
- vcpu->arch.nmi_injected = false;
- kvm_clear_exception_queue(vcpu);
- kvm_clear_interrupt_queue(vcpu);
}
/*
@@ -4602,6 +4594,17 @@ void nested_vmx_vmexit(struct kvm_vcpu *
WARN_ON_ONCE(nested_early_check);
}
+ /*
+ * Drop events/exceptions that were queued for re-injection to L2
+ * (picked up via vmx_complete_interrupts()), as well as exceptions
+ * that were pending for L2. Note, this must NOT be hoisted above
+ * prepare_vmcs12(), events/exceptions queued for re-injection need to
+ * be captured in vmcs12 (see vmcs12_save_pending_event()).
+ */
+ vcpu->arch.nmi_injected = false;
+ kvm_clear_exception_queue(vcpu);
+ kvm_clear_interrupt_queue(vcpu);
+
vmx_switch_vmcs(vcpu, &vmx->vmcs01);
/* Update any VMCS fields that might have changed while L2 ran */
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 176/862] KVM: nVMX: Dont propagate vmcs12s PERF_GLOBAL_CTRL settings to vmcs02
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 175/862] KVM: nVMX: Unconditionally purge queued/injected events on nested "exit" Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 177/862] KVM: x86: Treat #DBs from the emulator as fault-like (code and DR7.GD=1) Greg Kroah-Hartman
` (700 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sean Christopherson,
Vitaly Kuznetsov, Paolo Bonzini
From: Sean Christopherson <seanjc@google.com>
commit def9d705c05eab3fdedeb10ad67907513b12038e upstream.
Don't propagate vmcs12's VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL to vmcs02.
KVM doesn't disallow L1 from using VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL
even when KVM itself doesn't use the control, e.g. due to the various
CPU errata that where the MSR can be corrupted on VM-Exit.
Preserve KVM's (vmcs01) setting to hopefully avoid having to toggle the
bit in vmcs02 at a later point. E.g. if KVM is loading PERF_GLOBAL_CTRL
when running L1, then odds are good KVM will also load the MSR when
running L2.
Fixes: 8bf00a529967 ("KVM: VMX: add support for switching of PERF_GLOBAL_CTRL")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Vitaly Kuznetsov <vkuznets@redhat.com>
Link: https://lore.kernel.org/r/20220830133737.1539624-18-vkuznets@redhat.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/nested.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -2328,9 +2328,14 @@ static void prepare_vmcs02_early(struct
* are emulated by vmx_set_efer() in prepare_vmcs02(), but speculate
* on the related bits (if supported by the CPU) in the hope that
* we can avoid VMWrites during vmx_set_efer().
+ *
+ * Similarly, take vmcs01's PERF_GLOBAL_CTRL in the hope that if KVM is
+ * loading PERF_GLOBAL_CTRL via the VMCS for L1, then KVM will want to
+ * do the same for L2.
*/
exec_control = __vm_entry_controls_get(vmcs01);
- exec_control |= vmcs12->vm_entry_controls;
+ exec_control |= (vmcs12->vm_entry_controls &
+ ~VM_ENTRY_LOAD_IA32_PERF_GLOBAL_CTRL);
exec_control &= ~(VM_ENTRY_IA32E_MODE | VM_ENTRY_LOAD_IA32_EFER);
if (cpu_has_load_ia32_efer()) {
if (guest_efer & EFER_LMA)
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 177/862] KVM: x86: Treat #DBs from the emulator as fault-like (code and DR7.GD=1)
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 176/862] KVM: nVMX: Dont propagate vmcs12s PERF_GLOBAL_CTRL settings to vmcs02 Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 178/862] KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS Greg Kroah-Hartman
` (699 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Maxim Levitsky,
Paolo Bonzini
From: Sean Christopherson <seanjc@google.com>
commit 5623f751bd9c438ed12840e086f33c4646440d19 upstream.
Add a dedicated "exception type" for #DBs, as #DBs can be fault-like or
trap-like depending the sub-type of #DB, and effectively defer the
decision of what to do with the #DB to the caller.
For the emulator's two calls to exception_type(), treat the #DB as
fault-like, as the emulator handles only code breakpoint and general
detect #DBs, both of which are fault-like.
For event injection, which uses exception_type() to determine whether to
set EFLAGS.RF=1 on the stack, keep the current behavior of not setting
RF=1 for #DBs. Intel and AMD explicitly state RF isn't set on code #DBs,
so exempting by failing the "== EXCPT_FAULT" check is correct. The only
other fault-like #DB is General Detect, and despite Intel and AMD both
strongly implying (through omission) that General Detect #DBs should set
RF=1, hardware (multiple generations of both Intel and AMD), in fact does
not. Through insider knowledge, extreme foresight, sheer dumb luck, or
some combination thereof, KVM correctly handled RF for General Detect #DBs.
Fixes: 38827dbd3fb8 ("KVM: x86: Do not update EFLAGS on faulting emulation")
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20220830231614.3580124-9-seanjc@google.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/x86.c | 27 +++++++++++++++++++++++++--
1 file changed, 25 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -528,6 +528,7 @@ static int exception_class(int vector)
#define EXCPT_TRAP 1
#define EXCPT_ABORT 2
#define EXCPT_INTERRUPT 3
+#define EXCPT_DB 4
static int exception_type(int vector)
{
@@ -538,8 +539,14 @@ static int exception_type(int vector)
mask = 1 << vector;
- /* #DB is trap, as instruction watchpoints are handled elsewhere */
- if (mask & ((1 << DB_VECTOR) | (1 << BP_VECTOR) | (1 << OF_VECTOR)))
+ /*
+ * #DBs can be trap-like or fault-like, the caller must check other CPU
+ * state, e.g. DR6, to determine whether a #DB is a trap or fault.
+ */
+ if (mask & (1 << DB_VECTOR))
+ return EXCPT_DB;
+
+ if (mask & ((1 << BP_VECTOR) | (1 << OF_VECTOR)))
return EXCPT_TRAP;
if (mask & ((1 << DF_VECTOR) | (1 << MC_VECTOR)))
@@ -8801,6 +8808,12 @@ writeback:
unsigned long rflags = static_call(kvm_x86_get_rflags)(vcpu);
toggle_interruptibility(vcpu, ctxt->interruptibility);
vcpu->arch.emulate_regs_need_sync_to_vcpu = false;
+
+ /*
+ * Note, EXCPT_DB is assumed to be fault-like as the emulator
+ * only supports code breakpoints and general detect #DB, both
+ * of which are fault-like.
+ */
if (!ctxt->have_exception ||
exception_type(ctxt->exception.vector) == EXCPT_TRAP) {
kvm_pmu_trigger_event(vcpu, PERF_COUNT_HW_INSTRUCTIONS);
@@ -9724,6 +9737,16 @@ static int inject_pending_event(struct k
/* try to inject new event if pending */
if (vcpu->arch.exception.pending) {
+ /*
+ * Fault-class exceptions, except #DBs, set RF=1 in the RFLAGS
+ * value pushed on the stack. Trap-like exception and all #DBs
+ * leave RF as-is (KVM follows Intel's behavior in this regard;
+ * AMD states that code breakpoint #DBs excplitly clear RF=0).
+ *
+ * Note, most versions of Intel's SDM and AMD's APM incorrectly
+ * describe the behavior of General Detect #DBs, which are
+ * fault-like. They do _not_ set RF, a la code breakpoints.
+ */
if (exception_type(vcpu->arch.exception.nr) == EXCPT_FAULT)
__kvm_set_rflags(vcpu, kvm_get_rflags(vcpu) |
X86_EFLAGS_RF);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 178/862] KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 177/862] KVM: x86: Treat #DBs from the emulator as fault-like (code and DR7.GD=1) Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 179/862] staging: greybus: audio_helper: remove unused and wrong debugfs usage Greg Kroah-Hartman
` (698 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel
Cc: Greg Kroah-Hartman, stable, Sean Christopherson, Jim Mattson,
Maxim Levitsky, Paolo Bonzini
From: Sean Christopherson <seanjc@google.com>
commit eba9799b5a6efe2993cf92529608e4aa8163d73b upstream.
Deliberately truncate the exception error code when shoving it into the
VMCS (VM-Entry field for vmcs01 and vmcs02, VM-Exit field for vmcs12).
Intel CPUs are incapable of handling 32-bit error codes and will never
generate an error code with bits 31:16, but userspace can provide an
arbitrary error code via KVM_SET_VCPU_EVENTS. Failure to drop the bits
on exception injection results in failed VM-Entry, as VMX disallows
setting bits 31:16. Setting the bits on VM-Exit would at best confuse
L1, and at worse induce a nested VM-Entry failure, e.g. if L1 decided to
reinject the exception back into L2.
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Reviewed-by: Jim Mattson <jmattson@google.com>
Reviewed-by: Maxim Levitsky <mlevitsk@redhat.com>
Link: https://lore.kernel.org/r/20220830231614.3580124-3-seanjc@google.com
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/vmx/nested.c | 11 ++++++++++-
arch/x86/kvm/vmx/vmx.c | 12 +++++++++++-
2 files changed, 21 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/vmx/nested.c
+++ b/arch/x86/kvm/vmx/nested.c
@@ -3832,7 +3832,16 @@ static void nested_vmx_inject_exception_
u32 intr_info = nr | INTR_INFO_VALID_MASK;
if (vcpu->arch.exception.has_error_code) {
- vmcs12->vm_exit_intr_error_code = vcpu->arch.exception.error_code;
+ /*
+ * Intel CPUs do not generate error codes with bits 31:16 set,
+ * and more importantly VMX disallows setting bits 31:16 in the
+ * injected error code for VM-Entry. Drop the bits to mimic
+ * hardware and avoid inducing failure on nested VM-Entry if L1
+ * chooses to inject the exception back to L2. AMD CPUs _do_
+ * generate "full" 32-bit error codes, so KVM allows userspace
+ * to inject exception error codes with bits 31:16 set.
+ */
+ vmcs12->vm_exit_intr_error_code = (u16)vcpu->arch.exception.error_code;
intr_info |= INTR_INFO_DELIVER_CODE_MASK;
}
--- a/arch/x86/kvm/vmx/vmx.c
+++ b/arch/x86/kvm/vmx/vmx.c
@@ -1695,7 +1695,17 @@ static void vmx_queue_exception(struct k
kvm_deliver_exception_payload(vcpu);
if (has_error_code) {
- vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, error_code);
+ /*
+ * Despite the error code being architecturally defined as 32
+ * bits, and the VMCS field being 32 bits, Intel CPUs and thus
+ * VMX don't actually supporting setting bits 31:16. Hardware
+ * will (should) never provide a bogus error code, but AMD CPUs
+ * do generate error codes with bits 31:16 set, and so KVM's
+ * ABI lets userspace shove in arbitrary 32-bit values. Drop
+ * the upper bits to avoid VM-Fail, losing information that
+ * does't really exist is preferable to killing the VM.
+ */
+ vmcs_write32(VM_ENTRY_EXCEPTION_ERROR_CODE, (u16)error_code);
intr_info |= INTR_INFO_DELIVER_CODE_MASK;
}
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 179/862] staging: greybus: audio_helper: remove unused and wrong debugfs usage
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 178/862] KVM: VMX: Drop bits 31:16 when shoving exception error code into VMCS Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 180/862] drm/nouveau/kms/nv140-: Disable interlacing Greg Kroah-Hartman
` (697 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Johan Hovold, Alex Elder, stable
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
commit d517cdeb904ddc0cbebcc959d43596426cac40b0 upstream.
In the greybus audio_helper code, the debugfs file for the dapm has the
potential to be removed and memory will be leaked. There is also the
very real potential for this code to remove ALL debugfs entries from the
system, and it seems like this is what will really happen if this code
ever runs. This all is very wrong as the greybus audio driver did not
create this debugfs file, the sound core did and controls the lifespan
of it.
So remove all of the debugfs logic from the audio_helper code as there's
no way it could be correct. If this really is needed, it can come back
with a fixup for the incorrect usage of the debugfs_lookup() call which
is what caused this to be noticed at all.
Cc: Johan Hovold <johan@kernel.org>
Cc: Alex Elder <elder@kernel.org>
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20220902143715.320500-1-gregkh@linuxfoundation.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/greybus/audio_helper.c | 11 -----------
1 file changed, 11 deletions(-)
--- a/drivers/staging/greybus/audio_helper.c
+++ b/drivers/staging/greybus/audio_helper.c
@@ -3,7 +3,6 @@
* Greybus Audio Sound SoC helper APIs
*/
-#include <linux/debugfs.h>
#include <sound/core.h>
#include <sound/soc.h>
#include <sound/soc-dapm.h>
@@ -116,10 +115,6 @@ int gbaudio_dapm_free_controls(struct sn
{
int i;
struct snd_soc_dapm_widget *w, *tmp_w;
-#ifdef CONFIG_DEBUG_FS
- struct dentry *parent = dapm->debugfs_dapm;
- struct dentry *debugfs_w = NULL;
-#endif
mutex_lock(&dapm->card->dapm_mutex);
for (i = 0; i < num; i++) {
@@ -139,12 +134,6 @@ int gbaudio_dapm_free_controls(struct sn
continue;
}
widget++;
-#ifdef CONFIG_DEBUG_FS
- if (!parent)
- debugfs_w = debugfs_lookup(w->name, parent);
- debugfs_remove(debugfs_w);
- debugfs_w = NULL;
-#endif
gbaudio_dapm_free_widget(w);
}
mutex_unlock(&dapm->card->dapm_mutex);
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 180/862] drm/nouveau/kms/nv140-: Disable interlacing
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2022-10-19 8:24 ` [PATCH 6.0 179/862] staging: greybus: audio_helper: remove unused and wrong debugfs usage Greg Kroah-Hartman
@ 2022-10-19 8:24 ` Greg Kroah-Hartman
2022-10-19 8:24 ` [PATCH 6.0 181/862] drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table() Greg Kroah-Hartman
` (696 subsequent siblings)
876 siblings, 0 replies; 909+ messages in thread
From: Greg Kroah-Hartman @ 2022-10-19 8:24 UTC (permalink / raw)
To: linux-kernel; +Cc: Greg Kroah-Hartman, stable, Lyude Paul, Karol Herbst
From: Lyude Paul <lyude@redhat.com>
commit 8ba9249396bef37cb68be9e8dee7847f1737db9d upstream.
As it turns out: while Nvidia does actually have interlacing knobs on their
GPU still pretty much no current GPUs since Volta actually support it.
Trying interlacing on these GPUs will result in NVDisplay being quite
unhappy like so:
nouveau 0000:1f:00.0: disp: chid 0 stat 00004802 reason 4 [INVALID_ARG] mthd 2008 data 00000001 code 00080000
nouveau 0000:1f:00.0: disp: chid 0 stat 10005080 reason 5 [INVALID_STATE] mthd 0200 data 00000001 code 00000001
So let's fix this by following the same behavior Nvidia's driver does and
disable interlacing entirely.
Signed-off-by: Lyude Paul <lyude@redhat.com>
Cc: stable@vger.kernel.org
Reviewed-by: Karol Herbst <kherbst@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20220816180436.156310-1-lyude@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nouveau_connector.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/nouveau/nouveau_connector.c
+++ b/drivers/gpu/drm/nouveau/nouveau_connector.c
@@ -504,7 +504,8 @@ nouveau_connector_set_encoder(struct drm
connector->interlace_allowed =
nv_encoder->caps.dp_interlace;
else
- connector->interlace_allowed = true;
+ connector->interlace_allowed =
+ drm->client.device.info.family < NV_DEVICE_INFO_V0_VOLTA;
connector->doublescan_allowed = true;
} else
if (nv_encoder->dcb->type == DCB_OUTPUT_LVDS ||
^ permalink raw reply [flat|nested] 909+ messages in thread
* [PATCH 6.0 181/862] drm/nouveau: fix a use-after-free in nouveau_gem_prime_import_sg_table()
2022-10-19 8:21 [PATCH 6.0 000/862] 6.0.3-rc1 review Greg Kroah-Hartman
`