* [PATCH 5.10 000/211] 5.10.181-rc1 review
@ 2023-05-28 19:08 Greg Kroah-Hartman
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC
  To: stable
  Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
	shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, srw, rwarsow

This is the start of the stable review cycle for the 5.10.181 release.
There are 211 patches in this series, all will be posted as a response
to this one.  If anyone has any issues with these being applied, please
let me know.

Responses should be made by Tue, 30 May 2023 19:08:13 +0000.
Anything received after that time might be too late.

The whole patch series can be found in one patch at:
	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.181-rc1.gz
or in the git tree and branch at:
	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
and the diffstat can be found below.

thanks,

greg k-h

-------------
Pseudo-Shortlog of commits:

Greg Kroah-Hartman <gregkh@linuxfoundation.org>
    Linux 5.10.181-rc1

David Epping <david.epping@missinglinkelectronics.com>
    net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    3c589_cs: Fix an error handling path in tc589_probe()

Hugo Villeneuve <hvilleneuve@dimonoff.com>
    arm64: dts: imx8mn-var-som: fix PHY detection bug by adding deassert delay

Shay Drory <shayd@nvidia.com>
    net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device

Roi Dayan <roid@nvidia.com>
    net/mlx5: Fix error message when failing to allocate device memory

Erez Shitrit <erezsh@nvidia.com>
    net/mlx5: DR, Fix crc32 calculation to work on big-endian (BE) CPUs

Jakub Kicinski <kuba@kernel.org>
    net/mlx5e: do as little as possible in napi poll when budget is 0

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    forcedeth: Fix an error handling path in nv_probe()

Cezary Rojewski <cezary.rojewski@intel.com>
    ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg

Vernon Lovejoy <vlovejoy@redhat.com>
    x86/show_trace_log_lvl: Ensure stack pointer is aligned, again

Dan Carpenter <dan.carpenter@linaro.org>
    xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()

Dan Carpenter <dan.carpenter@linaro.org>
    coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()

Hao Ge <gehao@kylinos.cn>
    fs: fix undefined behavior in bit shift for SB_NOUSER

Daisuke Nojiri <dnojiri@chromium.org>
    power: supply: sbs-charger: Fix INHIBITED bit for Status reg

Hans de Goede <hdegoede@redhat.com>
    power: supply: bq27xxx: Fix poll_interval handling and races on remove

Hans de Goede <hdegoede@redhat.com>
    power: supply: bq27xxx: Fix I2C IRQ race on remove

Hans de Goede <hdegoede@redhat.com>
    power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition

Hans de Goede <hdegoede@redhat.com>
    power: supply: leds: Fix blink to LED on transition

Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
    ipv6: Fix out-of-bounds access in ipv6_find_tlv()

Will Deacon <will@kernel.org>
    bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields

Sunil Goutham <sgoutham@marvell.com>
    octeontx2-pf: Fix TSOv6 offload

Po-Hsu Lin <po-hsu.lin@canonical.com>
    selftests: fib_tests: mute cleanup error message

Pratyush Yadav <ptyadav@amazon.de>
    net: fix skb leak in __skb_tstamp_tx()

Alan Stern <stern@rowland.harvard.edu>
    media: radio-shark: Add endpoint checks

Alan Stern <stern@rowland.harvard.edu>
    USB: sisusbvga: Add endpoint checks

Alan Stern <stern@rowland.harvard.edu>
    USB: core: Add routines for endpoint checks in old drivers

Kuniyuki Iwashima <kuniyu@amazon.com>
    udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().

Taehee Yoo <ap420073@gmail.com>
    net: fix stack overflow when LRO is disabled for virtual interfaces

Alan Stern <stern@rowland.harvard.edu>
    fbdev: udlfb: Fix endpoint check

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    debugobjects: Don't wake up kswapd from fill_pool()

Zhang Rui <rui.zhang@intel.com>
    x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms

Helge Deller <deller@gmx.de>
    parisc: Fix flush_dcache_page() for usage from irq context

Hardik Garg <hargar@linux.microsoft.com>
    selftests/memfd: Fix unknown type name build failure

Dave Hansen <dave.hansen@linux.intel.com>
    x86/mm: Avoid incomplete Global INVLPG flushes

Frank Li <Frank.Li@nxp.com>
    dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type

Josef Bacik <josef@toxicpanda.com>
    btrfs: use nofs when cleaning up aborted transactions

Zev Weiss <zev@bewilderbeest.net>
    gpio: mockup: Fix mode of debugfs files

Helge Deller <deller@gmx.de>
    parisc: Allow to reboot machine after system halt

Helge Deller <deller@gmx.de>
    parisc: Handle kgdb breakpoints only in kernel context

Finn Thain <fthain@linux-m68k.org>
    m68k: Move signal frame following exception on 68020/030

Tudor Ambarus <tudor.ambarus@linaro.org>
    net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize

Bin Li <bin.li@canonical.com>
    ALSA: hda/realtek: Enable headset onLenovo M70/M90

Takashi Iwai <tiwai@suse.de>
    ALSA: hda: Fix unhandled register update during auto-suspend period

Adam Stylinski <kungfujesus06@gmail.com>
    ALSA: hda/ca0132: add quirk for EVGA X299 DARK

Roberto Sassu <roberto.sassu@huawei.com>
    ocfs2: Switch to security_inode_init_security()

Christophe Leroy <christophe.leroy@csgroup.eu>
    spi: fsl-cpm: Use 16 bit mode for large transfers with even size

Christophe Leroy <christophe.leroy@csgroup.eu>
    spi: fsl-spi: Re-organise transfer bits_per_word adaptation

Davide Caratti <dcaratti@redhat.com>
    act_mirred: use the backlog for nested calls to mirred ingress

Davide Caratti <dcaratti@redhat.com>
    net/sched: act_mirred: better wording on protection against excessive stack growth

wenxu <wenxu@ucloud.cn>
    net/sched: act_mirred: refactor the handle of xmit

Greg Thelen <gthelen@google.com>
    writeback, cgroup: remove extra percpu_ref_exit()

Olivier Moysan <olivier.moysan@foss.st.com>
    ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15

Gregory Oakes <gregory.oakes@amd.com>
    watchdog: sp5100_tco: Immediately trigger upon starting.

Heiko Carstens <hca@linux.ibm.com>
    s390/qdio: fix do_sqbs() inline assembly constraint

Heiko Carstens <hca@linux.ibm.com>
    s390/qdio: get rid of register asm

Andrew Davis <afd@ti.com>
    serial: 8250_exar: Add support for USR298x PCI Modems

Matthew Howell <matthew.howell@sealevel.com>
    serial: exar: Add support for Sealevel 7xxxC serial cards

Andy Shevchenko <andriy.shevchenko@linux.intel.com>
    serial: 8250_exar: derive nr_ports from PCI ID for Acces I/O cards

Will Deacon <will@kernel.org>
    KVM: arm64: Link position-independent string routines into .hyp.text

Ping Cheng <pinglinux@gmail.com>
    HID: wacom: add three styli to wacom_intuos_get_tool_type

Ping Cheng <pinglinux@gmail.com>
    HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs

Jason Gerecke <killertofu@gmail.com>
    HID: wacom: Force pen out of prox if no events have been received in a while

Ryusuke Konishi <konishi.ryusuke@gmail.com>
    nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()

Michael Ellerman <mpe@ellerman.id.au>
    powerpc/64s/radix: Fix soft dirty tracking

Jerry Snitselaar <jsnitsel@redhat.com>
    tpm/tpm_tis: Disable interrupts for more Lenovo devices

Xiubo Li <xiubli@redhat.com>
    ceph: force updating the msg pointer in non-split case

George Kennedy <george.kennedy@oracle.com>
    vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF

Vitaliy Tomin <tomin@iszf.irk.ru>
    serial: Add support for Advantech PCI-1611U card

Ilya Leoshkevich <iii@linux.ibm.com>
    statfs: enforce statfs[64] structure initialization

Jimmy Assarsson <extja@kvaser.com>
    can: kvaser_pciefd: Disable interrupts in probe error path

Jimmy Assarsson <extja@kvaser.com>
    can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt

Jimmy Assarsson <extja@kvaser.com>
    can: kvaser_pciefd: Clear listen-only bit if not explicitly requested

Jimmy Assarsson <extja@kvaser.com>
    can: kvaser_pciefd: Empty SRB buffer in probe

Jimmy Assarsson <extja@kvaser.com>
    can: kvaser_pciefd: Call request_irq() before enabling interrupts

Jimmy Assarsson <extja@kvaser.com>
    can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()

Oliver Hartkopp <socketcan@hartkopp.net>
    can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag

Oliver Hartkopp <socketcan@hartkopp.net>
    can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag

Luke D. Jones <luke@ljones.dev>
    ALSA: hda/realtek: Add quirk for 2nd ASUS GU603

Ai Chao <aichao@kylinos.cn>
    ALSA: hda/realtek: Add a quirk for HP EliteDesk 805

Jeremy Soller <jeremy@system76.com>
    ALSA: hda/realtek: Add quirk for Clevo L140AU

Nikhil Mahale <nmahale@nvidia.com>
    ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table

Takashi Iwai <tiwai@suse.de>
    ALSA: hda: Fix Oops by 9.1 surround channel names

Badhri Jagan Sridharan <badhri@google.com>
    usb: typec: altmodes/displayport: fix pin_assignment_show

Konrad Gräfe <k.graefe@gateware.de>
    usb: gadget: u_ether: Fix host MAC address case

Udipto Goswami <quic_ugoswami@quicinc.com>
    usb: dwc3: debugfs: Resume dwc3 before accessing registers

Weitao Wang <WeitaoWang-oc@zhaoxin.com>
    USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value

Maxime Bizon <mbizon@freebox.fr>
    usb-storage: fix deadlock when a scsi command timeouts more than once

Alan Stern <stern@rowland.harvard.edu>
    USB: usbtmc: Fix direction for 0-length ioctl control messages

Takashi Iwai <tiwai@suse.de>
    ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go

Arnd Bergmann <arnd@arndb.de>
    bridge: always declare tunnel functions

Florian Westphal <fw@strlen.de>
    netfilter: nft_set_rbtree: fix null deref on element insertion

Eric Dumazet <edumazet@google.com>
    vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()

Aleksandr Loktionov <aleksandr.loktionov@intel.com>
    igb: fix bit_shift to be in [1..8] range

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    cassini: Fix a memory leak in the error handling path of cas_init_one()

Michael Kelley <mikelley@microsoft.com>
    scsi: storvsc: Don't pass unused PFNs to Hyper-V host

Johannes Berg <johannes.berg@intel.com>
    wifi: iwlwifi: mvm: don't trust firmware n_channels

Johannes Berg <johannes.berg@intel.com>
    wifi: mac80211: fix min center freq offset tracing

Florian Fainelli <f.fainelli@gmail.com>
    net: bcmgenet: Restore phy_stop() depending upon suspend/close

Florian Fainelli <f.fainelli@gmail.com>
    net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()

Xin Long <lucien.xin@gmail.com>
    tipc: check the bearer min mtu properly when setting it by netlink

Xin Long <lucien.xin@gmail.com>
    tipc: do not update mtu if msg_max is too small in mtu negotiation

Xin Long <lucien.xin@gmail.com>
    tipc: add tipc_bearer_min_mtu to calculate min mtu

Randy Dunlap <rdunlap@infradead.org>
    net/tipc: fix tipc header files for kernel-doc

Dong Chenchen <dongchenchen2@huawei.com>
    net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()

Arnd Bergmann <arnd@arndb.de>
    drm/exynos: fix g2d_open/close helper function definitions

Chuck Lever <chuck.lever@oracle.com>
    SUNRPC: Fix trace_svc_register() call site

Duoming Zhou <duoming@zju.edu.cn>
    media: netup_unidvb: fix use-after-free at del_timer()

Jie Wang <wangjie125@huawei.com>
    net: hns3: fix reset delay time to avoid configuration timeout

Jijie Shao <shaojijie@huawei.com>
    net: hns3: fix sending pfc frames after reset issue

Xin Long <lucien.xin@gmail.com>
    erspan: get the proto with the md version for collect_md

Ke Zhang <m202171830@hust.edu.cn>
    serial: arc_uart: fix of_iomap leak in `arc_serial_probe`

Eric Dumazet <edumazet@google.com>
    tcp: fix possible sk_priority leak in tcp_v4_send_reset()

sewookseo <sewookseo@google.com>
    net: Find dst with sk's xfrm policy not ctl_sk

Eric Dumazet <edumazet@google.com>
    ipv4/tcp: do not use per netns ctl sockets

Zhuang Shengen <zhuangshengen@huawei.com>
    vsock: avoid to close connected socket after the timeout

Ryan C. Underwood <nemesis@icequake.net>
    ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15

Dan Carpenter <dan.carpenter@linaro.org>
    ALSA: firewire-digi00x: prevent potential use after free

Grygorii Strashko <grygorii.strashko@ti.com>
    net: phy: dp83867: add w/a for packet errors seen with short cables

Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
    net: fec: Better handle pm_runtime_get() failing in .remove()

Tobias Brunner <tobias@strongswan.org>
    af_key: Reject optional tunnel/BEET mode templates in outbound policies

Wyes Karny <wyes.karny@amd.com>
    cpupower: Make TSC read per CPU for Mperf monitor

Marijn Suijten <marijn.suijten@somainline.org>
    drm/msm/dpu: Remove duplicate register defines from INTF

Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
    drm/msm/dp: unregister audio driver during unbind

Martin Willi <martin@strongswan.org>
    Revert "Fix XFRM-I support for nested ESP tunnels"

Sabrina Dubroca <sd@queasysnail.net>
    xfrm: don't check the default policy if the policy allows the packet

Filipe Manana <fdmanana@suse.com>
    btrfs: fix space cache inconsistency after error loading it from disk

Nikolay Borisov <nborisov@suse.com>
    btrfs: replace calls to btrfs_find_free_ino with btrfs_find_free_objectid

Nikolay Borisov <nborisov@suse.com>
    btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c

Qiang Ning <qning0106@126.com>
    mfd: dln2: Fix memory leak in dln2_probe()

Alain Volmat <avolmat@me.com>
    phy: st: miphy28lp: use _poll_timeout functions for waits

Vicki Pfau <vi@endrift.com>
    Input: xpad - add constants for GIP interface numbers

Tomas Krcka <krckatom@amazon.de>
    iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any

Arnd Bergmann <arnd@arndb.de>
    clk: tegra20: fix gcc-7 constant overflow warning

Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
    iommu/arm-smmu-qcom: Limit the SMR groups to 128

Gustavo A. R. Silva <gustavoars@kernel.org>
    RDMA/core: Fix multiple -Warray-bounds warnings

Hao Zeng <zenghao@kylinos.cn>
    recordmcount: Fix memory leaks in the uwrite function

Josh Poimboeuf <jpoimboe@kernel.org>
    sched: Fix KCSAN noinstr violation

Rodríguez Barbarin, José Javier <JoseJavier.Rodriguez@duagon.com>
    mcb-pci: Reallocate memory region to avoid memory overlapping

Tony Lindgren <tony@atomide.com>
    serial: 8250: Reinit port->pm on port specific driver unbind

Frank Wang <frank.wang@rock-chips.com>
    usb: typec: tcpm: fix multiple times discover svids error

Jason Gerecke <killertofu@gmail.com>
    HID: wacom: generic: Set battery quirk only when we see battery data

Kevin Groeneveld <kgroeneveld@lenbrook.com>
    spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3

Bastien Nocera <hadess@hadess.net>
    HID: logitech-hidpp: Reconcile USB and Unifying serials

Bastien Nocera <hadess@hadess.net>
    HID: logitech-hidpp: Don't use the USB serial for USB devices

Philipp Hortmann <philipp.g.hortmann@gmail.com>
    staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE

Min Li <lm0963hack@gmail.com>
    Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp

Hans de Goede <hdegoede@redhat.com>
    Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set

Simon Horman <horms@kernel.org>
    ipvs: Update width of source for ip_vs_sync_conn_options

Nagarajan Maran <quic_nmaran@quicinc.com>
    wifi: ath11k: Fix SKB corruption in REO destination ring

Hans de Goede <hdegoede@redhat.com>
    wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace

Chaitanya Kulkarni <kch@nvidia.com>
    null_blk: Always check queue mode setting from configfs

Hyunwoo Kim <imv4bel@gmail.com>
    wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf

Daniel Gabay <daniel.gabay@intel.com>
    wifi: iwlwifi: pcie: fix possible NULL pointer dereference

Hao Zeng <zenghao@kylinos.cn>
    samples/bpf: Fix fout leak in hbm's run_bpf_prog

Chao Yu <chao@kernel.org>
    f2fs: fix to drop all dirty pages during umount() if cp_error is set

Ojaswin Mujoo <ojaswin@linux.ibm.com>
    ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()

Kemeng Shi <shikemeng@huaweicloud.com>
    ext4: set goal start correctly in ext4_mb_normalize_request

Andreas Gruenbacher <agruenba@redhat.com>
    gfs2: Fix inode height consistency check

Zheng Wang <zyytlz.wz@163.com>
    scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition

Eli Cohen <elic@nvidia.com>
    lib: cpu_rmap: Avoid use after free on rmap->obj array entries

Dmitry Bogdanov <d.bogdanov@yadro.com>
    scsi: target: iscsit: Free cmds before session free

Nick Child <nnac123@linux.ibm.com>
    net: Catch invalid index in XPS mapping

Nathan Chancellor <nathan@kernel.org>
    net: pasemi: Fix return type of pasemi_mac_start_tx()

Justin Tee <justin.tee@broadcom.com>
    scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow

Jan Kara <jack@suse.cz>
    ext2: Check block size validity during mount

Hector Martin <marcan@marcan.st>
    wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex

Kumar Kartikeya Dwivedi <memxor@gmail.com>
    bpf: Annotate data races in bpf_local_storage

Kees Cook <keescook@chromium.org>
    wifi: ath: Silence memcpy run-time false positive warning

Mario Limonciello <mario.limonciello@amd.com>
    drm/amd: Fix an out of bounds error in BIOS parser

void0red <30990023+void0red@users.noreply.github.com>
    ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects

Tamir Duberstein <tamird@google.com>
    ACPICA: Avoid undefined behavior: applying zero offset to null pointer

Nur Hussein <hussein@unixcat.org>
    drm/tegra: Avoid potential 32-bit integer overflow

Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
    remoteproc: stm32_rproc: Add mutex protection for workqueue

Armin Wolf <W_Armin@gmx.de>
    ACPI: EC: Fix oops when removing custom query handlers

Pierre Gondois <pierre.gondois@arm.com>
    firmware: arm_sdei: Fix sleep from invalid context BUG

Zheng Wang <zyytlz.wz@163.com>
    memstick: r592: Fix UAF bug in r592_remove due to race condition

Konrad Dybcio <konrad.dybcio@linaro.org>
    arm64: dts: qcom: msm8996: Add missing DWC3 quirks

Alexander Stein <alexander.stein@ew.tq-group.com>
    regmap: cache: Return error in cache sync operations for REGCACHE_NONE

Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
    drm/amd/display: Use DC_LOG_DC in the trasform pixel function

Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
    fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()

Zqiang <qiang1.zhang@intel.com>
    rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access

Paul E. McKenney <paulmck@kernel.org>
    refscale: Move shutdown from wait_event() to wait_event_idle()

Theodore Ts'o <tytso@mit.edu>
    ext4: allow ext4_get_group_info() to fail

Kemeng Shi <shikemeng@huaweicloud.com>
    ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set

Harshad Shirwadkar <harshadshirwadkar@gmail.com>
    ext4: add mballoc stats proc file

Harshad Shirwadkar <harshadshirwadkar@gmail.com>
    ext4: drop s_mb_bal_lock and convert protected fields to atomic

Chunguang Xu <brookxu@tencent.com>
    ext4: remove redundant mb_regenerate_buddy()

Jan Kara <jack@suse.cz>
    ext4: fix lockdep warning when enabling MMP

Theodore Ts'o <tytso@mit.edu>
    ext4: don't clear SB_RDONLY when remounting r/w until quota is re-enabled

Theodore Ts'o <tytso@mit.edu>
    ext4: reflect error codes from ext4_multi_mount_protect() to its callers

Austin Kim <austindh.kim@gmail.com>
    ext4: remove an unused variable warning with CONFIG_QUOTA=n

Zongjie Li <u202112089@hust.edu.cn>
    fbdev: arcfb: Fix error handling in arcfb_probe()

Nikita Zhandarovich <n.zhandarovich@fintech.ru>
    drm/i915/dp: prevent potential div-by-zero

Kuniyuki Iwashima <kuniyu@amazon.com>
    af_unix: Fix data races around sk->sk_shutdown.

Kuniyuki Iwashima <kuniyu@amazon.com>
    af_unix: Fix a data race of sk->sk_receive_queue->qlen.

Eric Dumazet <edumazet@google.com>
    net: datagram: fix data-races in datagram_poll()

t.feng <fengtao40@huawei.com>
    ipvlan:Fix out-of-bounds caused by unclear skb->cb

Eric Dumazet <edumazet@google.com>
    tcp: add annotations around sk->sk_shutdown accesses

Paolo Abeni <pabeni@redhat.com>
    tcp: factor out __tcp_close() helper

Eric Dumazet <edumazet@google.com>
    net: add vlan_get_protocol_and_depth() helper

Menglong Dong <dong.menglong@zte.com.cn>
    net: tap: check vlan with eth_type_vlan() method

Eric Dumazet <edumazet@google.com>
    net: deal with most data-races in sk_wait_event()

Eric Dumazet <edumazet@google.com>
    net: annotate sk->sk_err write from do_recvmmsg()

Eric Dumazet <edumazet@google.com>
    netlink: annotate accesses to nlk->cb_running

Florian Westphal <fw@strlen.de>
    netfilter: conntrack: fix possible bug_on with enable_hooks=1

Kuniyuki Iwashima <kuniyu@amazon.com>
    net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs().

Roy Novich <royno@nvidia.com>
    linux/dim: Do nothing if no time delta between samples

Christophe JAILLET <christophe.jaillet@wanadoo.fr>
    net: mdio: mvusb: Fix an error handling path in mvusb_mdio_probe()

Randy Dunlap <rdunlap@infradead.org>
    ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings

Saravana Kannan <saravanak@google.com>
    drm/mipi-dsi: Set the fwnode for mipi_dsi_device

Ioana Ciornei <ioana.ciornei@nxp.com>
    driver core: add a helper to setup both the of_node and fwnode of a device


-------------

Diffstat:

 .../devicetree/bindings/usb/cdns,usb3.yaml         |   2 +-
 Makefile                                           |   4 +-
 arch/arm/boot/dts/stm32mp15-pinctrl.dtsi           |   2 +-
 arch/arm/mach-sa1100/jornada720_ssp.c              |   5 +-
 arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi  |   8 +-
 arch/arm64/boot/dts/qcom/msm8996.dtsi              |   3 +
 arch/arm64/include/asm/hyp_image.h                 |   3 +
 arch/arm64/kernel/image-vars.h                     |  11 +
 arch/arm64/kvm/hyp/nvhe/Makefile                   |   4 +
 arch/m68k/kernel/signal.c                          |  14 +-
 arch/parisc/include/asm/cacheflush.h               |   5 +
 arch/parisc/kernel/cache.c                         |   5 +-
 arch/parisc/kernel/process.c                       |  11 +-
 arch/parisc/kernel/traps.c                         |   4 +-
 arch/powerpc/mm/book3s64/radix_pgtable.c           |   4 +-
 arch/x86/include/asm/intel-family.h                |   5 +
 arch/x86/kernel/cpu/topology.c                     |   5 +-
 arch/x86/kernel/dumpstack.c                        |   7 +-
 arch/x86/mm/init.c                                 |  25 +++
 drivers/acpi/acpica/dbnames.c                      |   3 +
 drivers/acpi/acpica/dswstate.c                     |  11 +-
 drivers/acpi/ec.c                                  |   1 +
 drivers/base/core.c                                |   7 +
 drivers/base/regmap/regcache.c                     |   6 +
 drivers/block/null_blk/main.c                      |   5 +
 drivers/bluetooth/btbcm.c                          |  47 +++-
 drivers/char/tpm/tpm_tis.c                         |  16 ++
 drivers/clk/tegra/clk-tegra20.c                    |  28 +--
 drivers/firmware/arm_sdei.c                        |  37 ++--
 drivers/gpio/gpio-mockup.c                         |   2 +-
 drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c |   7 +-
 drivers/gpu/drm/amd/display/dc/dce/dce_transform.c |   5 +-
 drivers/gpu/drm/drm_mipi_dsi.c                     |   2 +-
 drivers/gpu/drm/exynos/exynos_drm_g2d.h            |   4 +-
 drivers/gpu/drm/i915/display/intel_dp.c            |   5 +
 drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c        |   5 -
 drivers/gpu/drm/msm/dp/dp_audio.c                  |  12 ++
 drivers/gpu/drm/msm/dp/dp_audio.h                  |   2 +
 drivers/gpu/drm/msm/dp/dp_display.c                |   1 +
 drivers/gpu/drm/tegra/sor.c                        |   2 +-
 drivers/hid/hid-logitech-hidpp.c                   |  53 ++++-
 drivers/hid/wacom.h                                |   3 +
 drivers/hid/wacom_sys.c                            |   2 +
 drivers/hid/wacom_wac.c                            |  80 +++++--
 drivers/hwtracing/coresight/coresight-tmc-etr.c    |   2 +-
 drivers/infiniband/core/user_mad.c                 |  23 +-
 drivers/input/joystick/xpad.c                      |   5 +-
 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c        |  19 +-
 drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c         |  16 +-
 drivers/mcb/mcb-pci.c                              |  27 ++-
 drivers/media/pci/netup_unidvb/netup_unidvb_core.c |   2 +-
 drivers/media/radio/radio-shark.c                  |  10 +
 drivers/media/radio/radio-shark2.c                 |  10 +
 drivers/memstick/host/r592.c                       |   2 +-
 drivers/message/fusion/mptlan.c                    |   2 +
 drivers/mfd/dln2.c                                 |   1 +
 drivers/net/bonding/bond_main.c                    |   8 +-
 drivers/net/can/kvaser_pciefd.c                    |  51 +++--
 drivers/net/ethernet/3com/3c589_cs.c               |  11 +-
 drivers/net/ethernet/broadcom/genet/bcmgenet.c     |   9 +-
 drivers/net/ethernet/freescale/fec_main.c          |  15 +-
 .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c    |  15 +-
 .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c  |   4 +-
 .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h  |   5 +
 .../ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c  |   5 +-
 drivers/net/ethernet/intel/igb/e1000_mac.c         |   4 +-
 .../net/ethernet/marvell/octeontx2/nic/otx2_txrx.c |   4 +-
 drivers/net/ethernet/mellanox/mlx5/core/en_txrx.c  |  16 +-
 .../net/ethernet/mellanox/mlx5/core/lib/devcom.c   |   3 +-
 drivers/net/ethernet/mellanox/mlx5/core/main.c     |   2 +-
 .../ethernet/mellanox/mlx5/core/steering/dr_ste.c  |   3 +-
 drivers/net/ethernet/nvidia/forcedeth.c            |   1 +
 drivers/net/ethernet/pasemi/pasemi_mac.c           |   2 +-
 drivers/net/ethernet/sun/cassini.c                 |   2 +
 drivers/net/ipvlan/ipvlan_core.c                   |   6 +
 drivers/net/mdio/mdio-mvusb.c                      |  11 +-
 drivers/net/phy/dp83867.c                          |  22 +-
 drivers/net/phy/mscc/mscc_main.c                   |   1 +
 drivers/net/tap.c                                  |  10 +-
 drivers/net/team/team.c                            |   7 +-
 drivers/net/usb/cdc_ncm.c                          |  24 ++-
 drivers/net/wireless/ath/ath.h                     |  12 +-
 drivers/net/wireless/ath/ath11k/dp_rx.c            |   9 +-
 drivers/net/wireless/ath/key.c                     |   2 +-
 .../broadcom/brcm80211/brcmfmac/cfg80211.c         |  13 +-
 drivers/net/wireless/intel/iwlwifi/dvm/sta.c       |   5 +-
 drivers/net/wireless/intel/iwlwifi/mvm/nvm.c       |  10 +
 drivers/net/wireless/intel/iwlwifi/pcie/drv.c      |   3 +
 drivers/net/wireless/intel/iwlwifi/pcie/trans.c    |   2 +-
 drivers/phy/st/phy-miphy28lp.c                     |  42 +---
 drivers/power/supply/bq27xxx_battery.c             |  41 ++--
 drivers/power/supply/bq27xxx_battery_i2c.c         |   3 +-
 drivers/power/supply/power_supply_leds.c           |   5 +-
 drivers/power/supply/sbs-charger.c                 |   2 +-
 drivers/remoteproc/stm32_rproc.c                   |   8 +
 drivers/s390/cio/qdio.h                            |  25 +--
 drivers/s390/cio/qdio_main.c                       |  62 +++---
 drivers/scsi/lpfc/lpfc_debugfs.c                   |   7 +-
 drivers/scsi/storvsc_drv.c                         |   8 +-
 drivers/spi/spi-fsl-cpm.c                          |  23 ++
 drivers/spi/spi-fsl-spi.c                          |  53 +++--
 drivers/spi/spi-imx.c                              |  24 ++-
 drivers/staging/rtl8192e/rtl8192e/rtl_core.c       |   6 +-
 drivers/staging/rtl8192e/rtl8192e/rtl_core.h       |   5 -
 drivers/target/iscsi/iscsi_target.c                |   6 +-
 drivers/tty/serial/8250/8250_core.c                |   1 +
 drivers/tty/serial/8250/8250_exar.c                |  68 +++---
 drivers/tty/serial/8250/8250_pci.c                 |   5 +
 drivers/tty/serial/arc_uart.c                      |   7 +-
 drivers/tty/vt/vc_screen.c                         |  11 +-
 drivers/usb/class/usbtmc.c                         |   2 +
 drivers/usb/core/usb.c                             |  76 +++++++
 drivers/usb/dwc3/debugfs.c                         | 109 ++++++++++
 drivers/usb/gadget/function/u_ether.c              |   3 +
 drivers/usb/host/uhci-pci.c                        |  10 +-
 drivers/usb/misc/sisusbvga/sisusb.c                |  14 ++
 drivers/usb/storage/scsiglue.c                     |  28 ++-
 drivers/usb/typec/altmodes/displayport.c           |   4 +
 drivers/usb/typec/tcpm/tcpm.c                      |  16 +-
 drivers/video/fbdev/arcfb.c                        |  15 +-
 drivers/video/fbdev/udlfb.c                        |  13 +-
 drivers/watchdog/sp5100_tco.c                      |   4 +
 drivers/xen/pvcalls-back.c                         |   9 +-
 fs/btrfs/disk-io.c                                 |  64 ++++++
 fs/btrfs/disk-io.h                                 |   2 +
 fs/btrfs/free-space-cache.c                        |   7 +-
 fs/btrfs/inode-map.c                               |  55 -----
 fs/btrfs/inode-map.h                               |   3 -
 fs/btrfs/inode.c                                   |  12 +-
 fs/ceph/snap.c                                     |  13 ++
 fs/ext2/ext2.h                                     |   1 +
 fs/ext2/super.c                                    |   7 +
 fs/ext4/balloc.c                                   |  18 +-
 fs/ext4/ext4.h                                     |  25 +--
 fs/ext4/ialloc.c                                   |  12 +-
 fs/ext4/mballoc.c                                  | 238 +++++++++++++++------
 fs/ext4/mmp.c                                      |  39 +++-
 fs/ext4/super.c                                    |  28 ++-
 fs/ext4/sysfs.c                                    |   2 +
 fs/f2fs/checkpoint.c                               |  12 +-
 fs/f2fs/data.c                                     |   3 +-
 fs/gfs2/glops.c                                    |   3 +-
 fs/hfsplus/inode.c                                 |  28 ++-
 fs/nilfs2/inode.c                                  |  18 ++
 fs/ocfs2/namei.c                                   |   2 +
 fs/ocfs2/xattr.c                                   |  30 ++-
 fs/statfs.c                                        |   4 +-
 include/linux/cpuhotplug.h                         |   1 -
 include/linux/device.h                             |   1 +
 include/linux/dim.h                                |   3 +-
 include/linux/fs.h                                 |  42 ++--
 include/linux/if_team.h                            |   1 +
 include/linux/if_vlan.h                            |  17 ++
 include/linux/power/bq27xxx_battery.h              |   1 +
 include/linux/sched/task_stack.h                   |   2 +-
 include/linux/usb.h                                |   5 +
 include/net/bonding.h                              |   1 +
 include/net/ip_vs.h                                |   6 +-
 include/net/netns/ipv4.h                           |   1 -
 include/net/sch_generic.h                          |   5 -
 include/net/sock.h                                 |   2 +-
 include/net/tcp.h                                  |   1 +
 include/net/xfrm.h                                 |   2 +
 include/uapi/sound/skl-tplg-interface.h            |   3 +-
 kernel/bpf/bpf_local_storage.c                     |  16 +-
 kernel/bpf/verifier.c                              |   2 +-
 kernel/rcu/refscale.c                              |   2 +-
 kernel/rcu/tree_exp.h                              |   6 +-
 lib/cpu_rmap.c                                     |   5 +-
 lib/debugobjects.c                                 |   2 +-
 lib/dim/dim.c                                      |   5 +-
 lib/dim/net_dim.c                                  |   3 +-
 lib/dim/rdma_dim.c                                 |   3 +-
 mm/backing-dev.c                                   |   1 -
 net/8021q/vlan_dev.c                               |   4 +-
 net/bluetooth/l2cap_core.c                         |   1 -
 net/bridge/br_forward.c                            |   2 +-
 net/bridge/br_private_tunnel.h                     |   8 +-
 net/can/isotp.c                                    |   2 +-
 net/can/j1939/socket.c                             |   2 +-
 net/core/datagram.c                                |  15 +-
 net/core/dev.c                                     |   4 +-
 net/core/skbuff.c                                  |   4 +-
 net/core/stream.c                                  |  12 +-
 net/ipv4/af_inet.c                                 |   2 +-
 net/ipv4/ip_output.c                               |   2 +-
 net/ipv4/tcp.c                                     |  23 +-
 net/ipv4/tcp_bpf.c                                 |   2 +-
 net/ipv4/tcp_input.c                               |   4 +-
 net/ipv4/tcp_ipv4.c                                |  68 +++---
 net/ipv4/udplite.c                                 |   2 +
 net/ipv6/exthdrs_core.c                            |   2 +
 net/ipv6/ip6_gre.c                                 |  13 +-
 net/ipv6/tcp_ipv6.c                                |   5 +-
 net/ipv6/udplite.c                                 |   2 +
 net/key/af_key.c                                   |  12 +-
 net/llc/af_llc.c                                   |   8 +-
 net/mac80211/trace.h                               |   2 +-
 net/netfilter/core.c                               |   6 +-
 net/netfilter/ipvs/ip_vs_sync.c                    |   2 +-
 net/netfilter/nf_conntrack_standalone.c            |   3 +-
 net/netfilter/nft_set_rbtree.c                     |  20 +-
 net/netlink/af_netlink.c                           |   8 +-
 net/nsh/nsh.c                                      |   8 +-
 net/packet/af_packet.c                             |   6 +-
 net/sched/act_mirred.c                             |  44 ++--
 net/smc/smc_close.c                                |   4 +-
 net/smc/smc_rx.c                                   |   4 +-
 net/smc/smc_tx.c                                   |   4 +-
 net/socket.c                                       |   2 +-
 net/sunrpc/svc.c                                   |   2 +-
 net/tipc/bearer.c                                  |  17 +-
 net/tipc/bearer.h                                  |  13 +-
 net/tipc/crypto.h                                  |   6 +-
 net/tipc/link.c                                    |   9 +-
 net/tipc/name_distr.h                              |   2 +-
 net/tipc/name_table.h                              |   9 +-
 net/tipc/socket.c                                  |   4 +-
 net/tipc/subscr.h                                  |  11 +-
 net/tipc/udp_media.c                               |   5 +-
 net/tls/tls_main.c                                 |   3 +-
 net/unix/af_unix.c                                 |  22 +-
 net/vmw_vsock/af_vsock.c                           |   2 +-
 net/xfrm/xfrm_interface.c                          |  54 +----
 net/xfrm/xfrm_policy.c                             |   9 -
 samples/bpf/hbm.c                                  |   1 +
 scripts/recordmcount.c                             |   6 +-
 sound/firewire/digi00x/digi00x-stream.c            |   4 +-
 sound/hda/hdac_device.c                            |   2 +-
 sound/pci/hda/hda_generic.c                        |   7 +-
 sound/pci/hda/patch_ca0132.c                       |   1 +
 sound/pci/hda/patch_hdmi.c                         |   5 +
 sound/pci/hda/patch_realtek.c                      |   7 +-
 sound/usb/format.c                                 |   1 +
 .../cpupower/utils/idle_monitor/mperf_monitor.c    |  31 ++-
 tools/testing/selftests/memfd/fuse_test.c          |   1 +
 tools/testing/selftests/net/fib_tests.sh           |   2 +-
 .../testing/selftests/net/forwarding/tc_actions.sh |  48 ++++-
 238 files changed, 2060 insertions(+), 905 deletions(-)




* [PATCH 5.10 001/211] driver core: add a helper to setup both the of_node and fwnode of a device
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 002/211] drm/mipi-dsi: Set the fwnode for mipi_dsi_device Greg Kroah-Hartman
                   ` (215 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrew Lunn, Ioana Ciornei,
	David S. Miller, Sasha Levin

From: Ioana Ciornei <ioana.ciornei@nxp.com>

[ Upstream commit 43e76d463c09a0272b84775bcc727c1eb8b384b2 ]

There are many places where both the fwnode_handle and the of_node of a
device need to be populated. Add a function which does both so that we
have consistency.

Suggested-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Ioana Ciornei <ioana.ciornei@nxp.com>
Reviewed-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: a26cc2934331 ("drm/mipi-dsi: Set the fwnode for mipi_dsi_device")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/core.c    | 7 +++++++
 include/linux/device.h | 1 +
 2 files changed, 8 insertions(+)

diff --git a/drivers/base/core.c b/drivers/base/core.c
index 9a874a58d690c..cb859febd03cf 100644
--- a/drivers/base/core.c
+++ b/drivers/base/core.c
@@ -4352,6 +4352,13 @@ void device_set_of_node_from_dev(struct device *dev, const struct device *dev2)
 }
 EXPORT_SYMBOL_GPL(device_set_of_node_from_dev);
 
+void device_set_node(struct device *dev, struct fwnode_handle *fwnode)
+{
+	dev->fwnode = fwnode;
+	dev->of_node = to_of_node(fwnode);
+}
+EXPORT_SYMBOL_GPL(device_set_node);
+
 int device_match_name(struct device *dev, const void *name)
 {
 	return sysfs_streq(dev_name(dev), name);
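Review bot: device_set_node() is added as an exported symbol with no kernel-doc comment, so its contract is left to the reader. It overwrites dev->fwnode and dev->of_node unconditionally, and of_node becomes whatever to_of_node(fwnode) returns; a short comment above the function saying so, and saying when to use it instead of set_primary_fwnode() (declared next to it in include/linux/device.h), would help driver authors pick the right helper.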
diff --git a/include/linux/device.h b/include/linux/device.h
index 5dc0f81e4f9d4..4f7e0c85e11fa 100644
--- a/include/linux/device.h
+++ b/include/linux/device.h
@@ -818,6 +818,7 @@ int device_online(struct device *dev);
 void set_primary_fwnode(struct device *dev, struct fwnode_handle *fwnode);
 void set_secondary_fwnode(struct device *dev, struct fwnode_handle *fwnode);
 void device_set_of_node_from_dev(struct device *dev, const struct device *dev2);
+void device_set_node(struct device *dev, struct fwnode_handle *fwnode);
 
 static inline int dev_num_vf(struct device *dev)
 {
-- 
2.39.2





* [PATCH 5.10 002/211] drm/mipi-dsi: Set the fwnode for mipi_dsi_device
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 001/211] driver core: add a helper to setup both the of_node and fwnode of a device Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 003/211] ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings Greg Kroah-Hartman
                   ` (214 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Martin Kepplinger, Saravana Kannan,
	Maxime Ripard, Sasha Levin

From: Saravana Kannan <saravanak@google.com>

[ Upstream commit a26cc2934331b57b5a7164bff344f0a2ec245fc0 ]

After commit 3fb16866b51d ("driver core: fw_devlink: Make cycle
detection more robust"), fw_devlink prints an error when consumer
devices don't have their fwnode set. This used to be ignored silently.

Set the fwnode mipi_dsi_device so fw_devlink can find them and properly
track their dependencies.

This fixes errors like this:
[    0.334054] nwl-dsi 30a00000.mipi-dsi: Failed to create device link with regulator-lcd-1v8
[    0.346964] nwl-dsi 30a00000.mipi-dsi: Failed to create device link with backlight-dsi

Reported-by: Martin Kepplinger <martin.kepplinger@puri.sm>
Link: https://lore.kernel.org/lkml/2a8e407f4f18c9350f8629a2b5fa18673355b2ae.camel@puri.sm/
Fixes: 068a00233969 ("drm: Add MIPI DSI bus support")
Signed-off-by: Saravana Kannan <saravanak@google.com>
Tested-by: Martin Kepplinger <martin.kepplinger@puri.sm>
Link: https://lore.kernel.org/r/20230310063910.2474472-1-saravanak@google.com
Signed-off-by: Maxime Ripard <maxime@cerno.tech>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/drm_mipi_dsi.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/drm_mipi_dsi.c b/drivers/gpu/drm/drm_mipi_dsi.c
index 19fb1d93a4f07..0c806e99e8690 100644
--- a/drivers/gpu/drm/drm_mipi_dsi.c
+++ b/drivers/gpu/drm/drm_mipi_dsi.c
@@ -221,7 +221,7 @@ mipi_dsi_device_register_full(struct mipi_dsi_host *host,
 		return dsi;
 	}
 
-	dsi->dev.of_node = info->node;
+	device_set_node(&dsi->dev, of_fwnode_handle(info->node));
 	dsi->channel = info->channel;
 	strlcpy(dsi->name, info->type, sizeof(dsi->name));
 
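Review bot: the changelog does not say what happens when info->node is NULL, and the call that replaces the of_node assignment now routes that value through of_fwnode_handle() and, inside device_set_node(), back through to_of_node(). Please confirm in the changelog that a NULL info->node still ends up as a NULL dsi->dev.of_node, as the removed line guaranteed. The call also needs device_set_node() from patch 001 of this series, so the two have to be applied together.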
-- 
2.39.2





* [PATCH 5.10 003/211] ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 001/211] driver core: add a helper to setup both the of_node and fwnode of a device Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 002/211] drm/mipi-dsi: Set the fwnode for mipi_dsi_device Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 004/211] net: mdio: mvusb: Fix an error handling path in mvusb_mdio_probe() Greg Kroah-Hartman
                   ` (213 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Randy Dunlap, kernel test robot,
	Arnd Bergmann, Kristoffer Ericson, patches, Russell King (Oracle),
	Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit 46dd6078dbc7e363a8bb01209da67015a1538929 ]

Fix kernel-doc warnings from the kernel test robot:

jornada720_ssp.c:24: warning: Function parameter or member 'jornada_ssp_lock' not described in 'DEFINE_SPINLOCK'
jornada720_ssp.c:24: warning: expecting prototype for arch/arm/mac(). Prototype was for DEFINE_SPINLOCK() instead
jornada720_ssp.c:34: warning: Function parameter or member 'byte' not described in 'jornada_ssp_reverse'
jornada720_ssp.c:57: warning: Function parameter or member 'byte' not described in 'jornada_ssp_byte'
jornada720_ssp.c:85: warning: Function parameter or member 'byte' not described in 'jornada_ssp_inout'

Link: lore.kernel.org/r/202304210535.tWby3jWF-lkp@intel.com

Fixes: 69ebb22277a5 ("[ARM] 4506/1: HP Jornada 7XX: Addition of SSP Platform Driver")
Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Reported-by: kernel test robot <lkp@intel.com>
Cc: Arnd Bergmann <arnd@arndb.de>
Cc: Kristoffer Ericson <Kristoffer.ericson@gmail.com>
Cc: patches@armlinux.org.uk
Signed-off-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm/mach-sa1100/jornada720_ssp.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/arch/arm/mach-sa1100/jornada720_ssp.c b/arch/arm/mach-sa1100/jornada720_ssp.c
index 1dbe98948ce30..9627c4cf3e41d 100644
--- a/arch/arm/mach-sa1100/jornada720_ssp.c
+++ b/arch/arm/mach-sa1100/jornada720_ssp.c
@@ -1,5 +1,5 @@
 // SPDX-License-Identifier: GPL-2.0-only
-/**
+/*
  *  arch/arm/mac-sa1100/jornada720_ssp.c
  *
  *  Copyright (C) 2006/2007 Kristoffer Ericson <Kristoffer.Ericson@gmail.com>
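Review bot: the header comment changed here from /** to /* still names the file as arch/arm/mac-sa1100/jornada720_ssp.c, while the diff path is arch/arm/mach-sa1100/jornada720_ssp.c. Since the line above it is being touched anyway, the path line could be corrected or dropped in the same change; the "expecting prototype for arch/arm/mac()" warning quoted in the changelog came from this comment.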
@@ -26,6 +26,7 @@ static unsigned long jornada_ssp_flags;
 
 /**
  * jornada_ssp_reverse - reverses input byte
+ * @byte: input byte to reverse
  *
  * we need to reverse all data we receive from the mcu due to its physical location
  * returns : 01110111 -> 11101110
@@ -46,6 +47,7 @@ EXPORT_SYMBOL(jornada_ssp_reverse);
 
 /**
  * jornada_ssp_byte - waits for ready ssp bus and sends byte
+ * @byte: input byte to transmit
  *
  * waits for fifo buffer to clear and then transmits, if it doesn't then we will
  * timeout after <timeout> rounds. Needs mcu running before its called.
@@ -77,6 +79,7 @@ EXPORT_SYMBOL(jornada_ssp_byte);
 
 /**
  * jornada_ssp_inout - decide if input is command or trading byte
+ * @byte: input byte to send (may be %TXDUMMY)
  *
  * returns : (jornada_ssp_byte(byte)) on success
  *         : %-ETIMEDOUT on timeout failure
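Review bot: the comment for jornada_ssp_inout() gains @byte but still documents the result with a free-form "returns :" block rather than a kernel-doc "Return:" section, so the return values are not picked up as such by the generated documentation. Converting it, and the same pattern in jornada_ssp_reverse() above, while these comments are being fixed would finish the job.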
-- 
2.39.2





* [PATCH 5.10 004/211] net: mdio: mvusb: Fix an error handling path in mvusb_mdio_probe()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (2 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 003/211] ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 005/211] linux/dim: Do nothing if no time delta between samples Greg Kroah-Hartman
                   ` (212 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Simon Horman,
	Andrew Lunn, David S. Miller, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit 27c1eaa07283b0c94becf8241f95368267cf558b ]

Should of_mdiobus_register() fail, a previous usb_get_dev() call should be
undone as in the .disconnect function.

Fixes: 04e37d92fbed ("net: phy: add marvell usb to mdio controller")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/mdio/mdio-mvusb.c | 11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

diff --git a/drivers/net/mdio/mdio-mvusb.c b/drivers/net/mdio/mdio-mvusb.c
index d5eabddfdf51b..11e048136ac23 100644
--- a/drivers/net/mdio/mdio-mvusb.c
+++ b/drivers/net/mdio/mdio-mvusb.c
@@ -73,6 +73,7 @@ static int mvusb_mdio_probe(struct usb_interface *interface,
 	struct device *dev = &interface->dev;
 	struct mvusb_mdio *mvusb;
 	struct mii_bus *mdio;
+	int ret;
 
 	mdio = devm_mdiobus_alloc_size(dev, sizeof(*mvusb));
 	if (!mdio)
@@ -93,7 +94,15 @@ static int mvusb_mdio_probe(struct usb_interface *interface,
 	mdio->write = mvusb_mdio_write;
 
 	usb_set_intfdata(interface, mvusb);
-	return of_mdiobus_register(mdio, dev->of_node);
+	ret = of_mdiobus_register(mdio, dev->of_node);
+	if (ret)
+		goto put_dev;
+
+	return 0;
+
+put_dev:
+	usb_put_dev(mvusb->udev);
+	return ret;
 }
 
 static void mvusb_mdio_disconnect(struct usb_interface *interface)
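Review bot: usb_set_intfdata(interface, mvusb) still runs before of_mdiobus_register(), so on the new put_dev path the interface data is left pointing at mvusb after its usb_device reference has been dropped. Either move usb_set_intfdata() below the successful registration or state in the changelog that the USB core resets it when probe fails. The label is used only once, so the usb_put_dev() call could also sit directly in the if (ret) branch.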
-- 
2.39.2





* [PATCH 5.10 005/211] linux/dim: Do nothing if no time delta between samples
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (3 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 004/211] net: mdio: mvusb: Fix an error handling path in mvusb_mdio_probe() Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 006/211] net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs() Greg Kroah-Hartman
                   ` (211 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Roy Novich, Aya Levin,
	Saeed Mahameed, Tariq Toukan, Leon Romanovsky, Michal Kubiak,
	Paolo Abeni, Sasha Levin

From: Roy Novich <royno@nvidia.com>

[ Upstream commit 162bd18eb55adf464a0fa2b4144b8d61c75ff7c2 ]

Add return value for dim_calc_stats. This is an indication for the
caller if curr_stats was assigned by the function. Avoid using
curr_stats uninitialized over {rdma/net}_dim, when no time delta between
samples. Coverity reported this potential use of an uninitialized
variable.

Fixes: 4c4dbb4a7363 ("net/mlx5e: Move dynamic interrupt coalescing code to include/linux")
Fixes: cb3c7fd4f839 ("net/mlx5e: Support adaptive RX coalescing")
Signed-off-by: Roy Novich <royno@nvidia.com>
Reviewed-by: Aya Levin <ayal@nvidia.com>
Reviewed-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Tariq Toukan <tariqt@nvidia.com>
Reviewed-by: Leon Romanovsky <leonro@nvidia.com>
Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
Link: https://lore.kernel.org/r/20230507135743.138993-1-tariqt@nvidia.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/dim.h | 3 ++-
 lib/dim/dim.c       | 5 +++--
 lib/dim/net_dim.c   | 3 ++-
 lib/dim/rdma_dim.c  | 3 ++-
 4 files changed, 9 insertions(+), 5 deletions(-)

diff --git a/include/linux/dim.h b/include/linux/dim.h
index 6c5733981563e..f343bc9aa2ec9 100644
--- a/include/linux/dim.h
+++ b/include/linux/dim.h
@@ -236,8 +236,9 @@ void dim_park_tired(struct dim *dim);
  *
  * Calculate the delta between two samples (in data rates).
  * Takes into consideration counter wrap-around.
+ * Returned boolean indicates whether curr_stats are reliable.
  */
-void dim_calc_stats(struct dim_sample *start, struct dim_sample *end,
+bool dim_calc_stats(struct dim_sample *start, struct dim_sample *end,
 		    struct dim_stats *curr_stats);
 
 /**
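Review bot: the prototype of dim_calc_stats() now returns bool, but nothing stops a future caller from ignoring the result and reading curr_stats uninitialized, which is the bug being fixed. Marking the declaration __must_check would let the compiler enforce the check, and the new comment line could say explicitly that curr_stats is not written when false is returned.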
diff --git a/lib/dim/dim.c b/lib/dim/dim.c
index 38045d6d05381..e89aaf07bde50 100644
--- a/lib/dim/dim.c
+++ b/lib/dim/dim.c
@@ -54,7 +54,7 @@ void dim_park_tired(struct dim *dim)
 }
 EXPORT_SYMBOL(dim_park_tired);
 
-void dim_calc_stats(struct dim_sample *start, struct dim_sample *end,
+bool dim_calc_stats(struct dim_sample *start, struct dim_sample *end,
 		    struct dim_stats *curr_stats)
 {
 	/* u32 holds up to 71 minutes, should be enough */
@@ -66,7 +66,7 @@ void dim_calc_stats(struct dim_sample *start, struct dim_sample *end,
 			     start->comp_ctr);
 
 	if (!delta_us)
-		return;
+		return false;
 
 	curr_stats->ppms = DIV_ROUND_UP(npkts * USEC_PER_MSEC, delta_us);
 	curr_stats->bpms = DIV_ROUND_UP(nbytes * USEC_PER_MSEC, delta_us);
@@ -79,5 +79,6 @@ void dim_calc_stats(struct dim_sample *start, struct dim_sample *end,
 	else
 		curr_stats->cpe_ratio = 0;
 
+	return true;
 }
 EXPORT_SYMBOL(dim_calc_stats);
diff --git a/lib/dim/net_dim.c b/lib/dim/net_dim.c
index dae3b51ac3d9b..0e4f3a686f1de 100644
--- a/lib/dim/net_dim.c
+++ b/lib/dim/net_dim.c
@@ -227,7 +227,8 @@ void net_dim(struct dim *dim, struct dim_sample end_sample)
 				  dim->start_sample.event_ctr);
 		if (nevents < DIM_NEVENTS)
 			break;
-		dim_calc_stats(&dim->start_sample, &end_sample, &curr_stats);
+		if (!dim_calc_stats(&dim->start_sample, &end_sample, &curr_stats))
+			break;
 		if (net_dim_decision(&curr_stats, dim)) {
 			dim->state = DIM_APPLY_NEW_PROFILE;
 			schedule_work(&dim->work);
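Review bot: the new break on a false return from dim_calc_stats() leaves this block before net_dim_decision(), and the hunk does not show whether dim->start_sample is refreshed on that path. A one-line comment stating that the measurement simply continues with the old start sample until a non-zero time delta is seen, if that is the intent, would make the early exit easier to audit; the same applies to the matching change in rdma_dim().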
diff --git a/lib/dim/rdma_dim.c b/lib/dim/rdma_dim.c
index f7e26c7b4749f..d32c8b105adc9 100644
--- a/lib/dim/rdma_dim.c
+++ b/lib/dim/rdma_dim.c
@@ -88,7 +88,8 @@ void rdma_dim(struct dim *dim, u64 completions)
 		nevents = curr_sample->event_ctr - dim->start_sample.event_ctr;
 		if (nevents < DIM_NEVENTS)
 			break;
-		dim_calc_stats(&dim->start_sample, curr_sample, &curr_stats);
+		if (!dim_calc_stats(&dim->start_sample, curr_sample, &curr_stats))
+			break;
 		if (rdma_dim_decision(&curr_stats, dim)) {
 			dim->state = DIM_APPLY_NEW_PROFILE;
 			schedule_work(&dim->work);
-- 
2.39.2





* [PATCH 5.10 006/211] net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs().
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (4 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 005/211] linux/dim: Do nothing if no time delta between samples Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 007/211] netfilter: conntrack: fix possible bug_on with enable_hooks=1 Greg Kroah-Hartman
                   ` (210 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Kuniyuki Iwashima,
	Eric Dumazet, Jakub Kicinski, Sasha Levin

From: Kuniyuki Iwashima <kuniyu@amazon.com>

[ Upstream commit dfd9248c071a3710c24365897459538551cb7167 ]

KCSAN found a data race in sock_recv_cmsgs() where the read access
to sk->sk_stamp needs READ_ONCE().

BUG: KCSAN: data-race in packet_recvmsg / packet_recvmsg

write (marked) to 0xffff88803c81f258 of 8 bytes by task 19171 on cpu 0:
 sock_write_timestamp include/net/sock.h:2670 [inline]
 sock_recv_cmsgs include/net/sock.h:2722 [inline]
 packet_recvmsg+0xb97/0xd00 net/packet/af_packet.c:3489
 sock_recvmsg_nosec net/socket.c:1019 [inline]
 sock_recvmsg+0x11a/0x130 net/socket.c:1040
 sock_read_iter+0x176/0x220 net/socket.c:1118
 call_read_iter include/linux/fs.h:1845 [inline]
 new_sync_read fs/read_write.c:389 [inline]
 vfs_read+0x5e0/0x630 fs/read_write.c:470
 ksys_read+0x163/0x1a0 fs/read_write.c:613
 __do_sys_read fs/read_write.c:623 [inline]
 __se_sys_read fs/read_write.c:621 [inline]
 __x64_sys_read+0x41/0x50 fs/read_write.c:621
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

read to 0xffff88803c81f258 of 8 bytes by task 19183 on cpu 1:
 sock_recv_cmsgs include/net/sock.h:2721 [inline]
 packet_recvmsg+0xb64/0xd00 net/packet/af_packet.c:3489
 sock_recvmsg_nosec net/socket.c:1019 [inline]
 sock_recvmsg+0x11a/0x130 net/socket.c:1040
 sock_read_iter+0x176/0x220 net/socket.c:1118
 call_read_iter include/linux/fs.h:1845 [inline]
 new_sync_read fs/read_write.c:389 [inline]
 vfs_read+0x5e0/0x630 fs/read_write.c:470
 ksys_read+0x163/0x1a0 fs/read_write.c:613
 __do_sys_read fs/read_write.c:623 [inline]
 __se_sys_read fs/read_write.c:621 [inline]
 __x64_sys_read+0x41/0x50 fs/read_write.c:621
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

value changed: 0xffffffffc4653600 -> 0x0000000000000000

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 19183 Comm: syz-executor.5 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

Fixes: 6c7c98bad488 ("sock: avoid dirtying sk_stamp, if possible")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20230508175543.55756-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/sock.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/net/sock.h b/include/net/sock.h
index 1d8529311d6f9..651dc0a7bbd58 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -2535,7 +2535,7 @@ static inline void sock_recv_ts_and_drops(struct msghdr *msg, struct sock *sk,
 		__sock_recv_ts_and_drops(msg, sk, skb);
 	else if (unlikely(sock_flag(sk, SOCK_TIMESTAMP)))
 		sock_write_timestamp(sk, skb->tstamp);
-	else if (unlikely(sk->sk_stamp == SK_DEFAULT_STAMP))
+	else if (unlikely(sock_read_timestamp(sk) == SK_DEFAULT_STAMP))
 		sock_write_timestamp(sk, 0);
 }
 
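Review bot: the subject and changelog name sock_recv_cmsgs(), but the function patched in this hunk is sock_recv_ts_and_drops(). A bracketed backport note in the changelog saying that the 5.10 tree carries the check under a different function name would save reviewers from hunting for a missing hunk. The switch from a plain sk->sk_stamp load to sock_read_timestamp() is consistent with the sock_write_timestamp() calls on the neighbouring branches.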
-- 
2.39.2





* [PATCH 5.10 007/211] netfilter: conntrack: fix possible bug_on with enable_hooks=1
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (5 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 006/211] net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs() Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 008/211] netlink: annotate accesses to nlk->cb_running Greg Kroah-Hartman
                   ` (209 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Westphal, Pablo Neira Ayuso,
	Sasha Levin

From: Florian Westphal <fw@strlen.de>

[ Upstream commit e72eeab542dbf4f544e389e64fa13b82a1b6d003 ]

I received a bug report (no reproducer so far) where we trip over

712         rcu_read_lock();
713         ct_hook = rcu_dereference(nf_ct_hook);
714         BUG_ON(ct_hook == NULL);  // here

In nf_conntrack_destroy().

First turn this BUG_ON into a WARN.  I think it was triggered
via enable_hooks=1 flag.

When this flag is turned on, the conntrack hooks are registered
before nf_ct_hook pointer gets assigned.
This opens a short window where packets enter the conntrack machinery,
can have skb->_nfct set up and a subsequent kfree_skb might occur
before nf_ct_hook is set.

Call nf_conntrack_init_end() to set nf_ct_hook before we register the
pernet ops.

Fixes: ba3fbe663635 ("netfilter: nf_conntrack: provide modparam to always register conntrack hooks")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/core.c                    | 6 ++++--
 net/netfilter/nf_conntrack_standalone.c | 3 ++-
 2 files changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/netfilter/core.c b/net/netfilter/core.c
index 60332fdb6dd44..5b7578adbf0f1 100644
--- a/net/netfilter/core.c
+++ b/net/netfilter/core.c
@@ -674,9 +674,11 @@ void nf_conntrack_destroy(struct nf_conntrack *nfct)
 
 	rcu_read_lock();
 	ct_hook = rcu_dereference(nf_ct_hook);
-	BUG_ON(ct_hook == NULL);
-	ct_hook->destroy(nfct);
+	if (ct_hook)
+		ct_hook->destroy(nfct);
 	rcu_read_unlock();
+
+	WARN_ON(!ct_hook);
 }
 EXPORT_SYMBOL(nf_conntrack_destroy);
 
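Review bot: WARN_ON(!ct_hook) after rcu_read_unlock() fires on every call that sees a NULL hook, so a burst of skbs hitting the window described in the changelog can flood the log, and on hosts running with panic_on_warn it still takes the machine down as the BUG_ON did. WARN_ON_ONCE() would keep the diagnostic without the flood. Also, when ct_hook is NULL the destroy callback is skipped, so the nfct is never released on that path; a comment acknowledging that would help.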
diff --git a/net/netfilter/nf_conntrack_standalone.c b/net/netfilter/nf_conntrack_standalone.c
index e12b52019a550..b613de96ad855 100644
--- a/net/netfilter/nf_conntrack_standalone.c
+++ b/net/netfilter/nf_conntrack_standalone.c
@@ -1170,11 +1170,12 @@ static int __init nf_conntrack_standalone_init(void)
 	nf_conntrack_htable_size_user = nf_conntrack_htable_size;
 #endif
 
+	nf_conntrack_init_end();
+
 	ret = register_pernet_subsys(&nf_conntrack_net_ops);
 	if (ret < 0)
 		goto out_pernet;
 
-	nf_conntrack_init_end();
 	return 0;
 
 out_pernet:
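Review bot: with nf_conntrack_init_end() moved ahead of register_pernet_subsys(), the goto out_pernet error path now runs after nf_ct_hook has been published, which was not the case before. The body of out_pernet is outside this hunk; please confirm that it, or the code that follows it, unsets the hook again, otherwise a failed init leaves the pointer set.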
-- 
2.39.2





* [PATCH 5.10 008/211] netlink: annotate accesses to nlk->cb_running
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (6 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 007/211] netfilter: conntrack: fix possible bug_on with enable_hooks=1 Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 009/211] net: annotate sk->sk_err write from do_recvmmsg() Greg Kroah-Hartman
                   ` (208 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
	David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit a939d14919b799e6fff8a9c80296ca229ba2f8a4 ]

Both netlink_recvmsg() and netlink_native_seq_show() read
nlk->cb_running locklessly. Use READ_ONCE() there.

Add corresponding WRITE_ONCE() to netlink_dump() and
__netlink_dump_start()

syzbot reported:
BUG: KCSAN: data-race in __netlink_dump_start / netlink_recvmsg

write to 0xffff88813ea4db59 of 1 bytes by task 28219 on cpu 0:
__netlink_dump_start+0x3af/0x4d0 net/netlink/af_netlink.c:2399
netlink_dump_start include/linux/netlink.h:308 [inline]
rtnetlink_rcv_msg+0x70f/0x8c0 net/core/rtnetlink.c:6130
netlink_rcv_skb+0x126/0x220 net/netlink/af_netlink.c:2577
rtnetlink_rcv+0x1c/0x20 net/core/rtnetlink.c:6192
netlink_unicast_kernel net/netlink/af_netlink.c:1339 [inline]
netlink_unicast+0x56f/0x640 net/netlink/af_netlink.c:1365
netlink_sendmsg+0x665/0x770 net/netlink/af_netlink.c:1942
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
sock_write_iter+0x1aa/0x230 net/socket.c:1138
call_write_iter include/linux/fs.h:1851 [inline]
new_sync_write fs/read_write.c:491 [inline]
vfs_write+0x463/0x760 fs/read_write.c:584
ksys_write+0xeb/0x1a0 fs/read_write.c:637
__do_sys_write fs/read_write.c:649 [inline]
__se_sys_write fs/read_write.c:646 [inline]
__x64_sys_write+0x42/0x50 fs/read_write.c:646
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff88813ea4db59 of 1 bytes by task 28222 on cpu 1:
netlink_recvmsg+0x3b4/0x730 net/netlink/af_netlink.c:2022
sock_recvmsg_nosec+0x4c/0x80 net/socket.c:1017
____sys_recvmsg+0x2db/0x310 net/socket.c:2718
___sys_recvmsg net/socket.c:2762 [inline]
do_recvmmsg+0x2e5/0x710 net/socket.c:2856
__sys_recvmmsg net/socket.c:2935 [inline]
__do_sys_recvmmsg net/socket.c:2958 [inline]
__se_sys_recvmmsg net/socket.c:2951 [inline]
__x64_sys_recvmmsg+0xe2/0x160 net/socket.c:2951
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x00 -> 0x01

Fixes: 16b304f3404f ("netlink: Eliminate kmalloc in netlink dump operation.")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netlink/af_netlink.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index eedb16517f16a..651f8ca912af0 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -1992,7 +1992,7 @@ static int netlink_recvmsg(struct socket *sock, struct msghdr *msg, size_t len,
 
 	skb_free_datagram(sk, skb);
 
-	if (nlk->cb_running &&
+	if (READ_ONCE(nlk->cb_running) &&
 	    atomic_read(&sk->sk_rmem_alloc) <= sk->sk_rcvbuf / 2) {
 		ret = netlink_dump(sk);
 		if (ret) {
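Review bot: READ_ONCE(nlk->cb_running) in netlink_recvmsg() silences the data race KCSAN reports, but the test is still made without cb_mutex, so the flag can change between this check and the netlink_dump() call. A short comment here saying that the lockless read is only a hint, and that netlink_dump() rechecks the state under nlk->cb_mutex if that is the case, would stop the annotation from being read as a synchronization fix.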
@@ -2304,7 +2304,7 @@ static int netlink_dump(struct sock *sk)
 	if (cb->done)
 		cb->done(cb);
 
-	nlk->cb_running = false;
+	WRITE_ONCE(nlk->cb_running, false);
 	module = cb->module;
 	skb = cb->skb;
 	mutex_unlock(nlk->cb_mutex);
@@ -2367,7 +2367,7 @@ int __netlink_dump_start(struct sock *ssk, struct sk_buff *skb,
 			goto error_put;
 	}
 
-	nlk->cb_running = true;
+	WRITE_ONCE(nlk->cb_running, true);
 	nlk->dump_done_errno = INT_MAX;
 
 	mutex_unlock(nlk->cb_mutex);
@@ -2653,7 +2653,7 @@ static int netlink_native_seq_show(struct seq_file *seq, void *v)
 			   nlk->groups ? (u32)nlk->groups[0] : 0,
 			   sk_rmem_alloc_get(s),
 			   sk_wmem_alloc_get(s),
-			   nlk->cb_running,
+			   READ_ONCE(nlk->cb_running),
 			   refcount_read(&s->sk_refcnt),
 			   atomic_read(&s->sk_drops),
 			   sock_i_ino(s)
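Review bot: the READ_ONCE(nlk->cb_running) passed to the seq_printf-style argument list in netlink_native_seq_show() is fine, but the neighbouring nlk->groups test two lines up dereferences nlk->groups[0] after a separate plain load of nlk->groups. If this show routine can run while the socket is being rebound, that pair deserves the same look; if it cannot, no change is needed here.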
-- 
2.39.2





* [PATCH 5.10 009/211] net: annotate sk->sk_err write from do_recvmmsg()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (7 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 008/211] netlink: annotate accesses to nlk->cb_running Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 010/211] net: deal with most data-races in sk_wait_event() Greg Kroah-Hartman
                   ` (207 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, syzbot,
	Kuniyuki Iwashima, David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit e05a5f510f26607616fecdd4ac136310c8bea56b ]

do_recvmmsg() can write to sk->sk_err from multiple threads.

As said before, many other points reading or writing sk_err
need annotations.

Fixes: 34b88a68f26a ("net: Fix use after free in the recvmmsg exit path")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reported-by: syzbot <syzkaller@googlegroups.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/socket.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/socket.c b/net/socket.c
index 8657112a687a4..84223419da862 100644
--- a/net/socket.c
+++ b/net/socket.c
@@ -2764,7 +2764,7 @@ static int do_recvmmsg(int fd, struct mmsghdr __user *mmsg,
 		 * error to return on the next call or if the
 		 * app asks about it using getsockopt(SO_ERROR).
 		 */
-		sock->sk->sk_err = -err;
+		WRITE_ONCE(sock->sk->sk_err, -err);
 	}
 out_put:
 	fput_light(sock->file, fput_needed);
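Review bot: the WRITE_ONCE() in do_recvmmsg() annotates only the store, while the comment directly above it names the next receive call and getsockopt(SO_ERROR) as the consumers of sk_err, and neither read side is touched in this patch. The changelog says other sites still need annotations, so please reference the follow-up that adds the matching READ_ONCE() on those paths, since the pairing is what documents the access as intentionally lockless.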
-- 
2.39.2





* [PATCH 5.10 010/211] net: deal with most data-races in sk_wait_event()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (8 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 009/211] net: annotate sk->sk_err write from do_recvmmsg() Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 011/211] net: tap: check vlan with eth_type_vlan() method Greg Kroah-Hartman
                   ` (206 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
	David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit d0ac89f6f9879fae316c155de77b5173b3e2c9c9 ]

__condition is evaluated twice in sk_wait_event() macro.

First invocation is lockless, and reads can race with writes,
as spotted by syzbot.

BUG: KCSAN: data-race in sk_stream_wait_connect / tcp_disconnect

write to 0xffff88812d83d6a0 of 4 bytes by task 9065 on cpu 1:
tcp_disconnect+0x2cd/0xdb0
inet_shutdown+0x19e/0x1f0 net/ipv4/af_inet.c:911
__sys_shutdown_sock net/socket.c:2343 [inline]
__sys_shutdown net/socket.c:2355 [inline]
__do_sys_shutdown net/socket.c:2363 [inline]
__se_sys_shutdown+0xf8/0x140 net/socket.c:2361
__x64_sys_shutdown+0x31/0x40 net/socket.c:2361
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff88812d83d6a0 of 4 bytes by task 9040 on cpu 0:
sk_stream_wait_connect+0x1de/0x3a0 net/core/stream.c:75
tcp_sendmsg_locked+0x2e4/0x2120 net/ipv4/tcp.c:1266
tcp_sendmsg+0x30/0x50 net/ipv4/tcp.c:1484
inet6_sendmsg+0x63/0x80 net/ipv6/af_inet6.c:651
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
__sys_sendto+0x246/0x300 net/socket.c:2142
__do_sys_sendto net/socket.c:2154 [inline]
__se_sys_sendto net/socket.c:2150 [inline]
__x64_sys_sendto+0x78/0x90 net/socket.c:2150
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x00000000 -> 0x00000068

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/stream.c   | 12 ++++++------
 net/ipv4/tcp_bpf.c  |  2 +-
 net/llc/af_llc.c    |  8 +++++---
 net/smc/smc_close.c |  4 ++--
 net/smc/smc_rx.c    |  4 ++--
 net/smc/smc_tx.c    |  4 ++--
 net/tipc/socket.c   |  4 ++--
 net/tls/tls_main.c  |  3 ++-
 8 files changed, 22 insertions(+), 19 deletions(-)

diff --git a/net/core/stream.c b/net/core/stream.c
index cd60746877b1e..422ee97e4f2be 100644
--- a/net/core/stream.c
+++ b/net/core/stream.c
@@ -73,8 +73,8 @@ int sk_stream_wait_connect(struct sock *sk, long *timeo_p)
 		add_wait_queue(sk_sleep(sk), &wait);
 		sk->sk_write_pending++;
 		done = sk_wait_event(sk, timeo_p,
-				     !sk->sk_err &&
-				     !((1 << sk->sk_state) &
+				     !READ_ONCE(sk->sk_err) &&
+				     !((1 << READ_ONCE(sk->sk_state)) &
 				       ~(TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)), &wait);
 		remove_wait_queue(sk_sleep(sk), &wait);
 		sk->sk_write_pending--;
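Review bot: sk_stream_wait_connect() still updates the counter with plain sk->sk_write_pending++ and sk->sk_write_pending-- around the annotated condition, while the net/tls/tls_main.c hunk of this same patch reads that field with READ_ONCE(sk->sk_write_pending). The marked read now pairs with unmarked writes. Either convert the writers to WRITE_ONCE(sk->sk_write_pending, sk->sk_write_pending + 1) style or state in the changelog that the writer side is deliberately left for later, which the "most data-races" subject hints at but does not spell out.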
@@ -87,9 +87,9 @@ EXPORT_SYMBOL(sk_stream_wait_connect);
  * sk_stream_closing - Return 1 if we still have things to send in our buffers.
  * @sk: socket to verify
  */
-static inline int sk_stream_closing(struct sock *sk)
+static int sk_stream_closing(const struct sock *sk)
 {
-	return (1 << sk->sk_state) &
+	return (1 << READ_ONCE(sk->sk_state)) &
 	       (TCPF_FIN_WAIT1 | TCPF_CLOSING | TCPF_LAST_ACK);
 }
 
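Review bot: the signature of sk_stream_closing() changes from "static inline int" to "static int" and gains a const qualifier, and neither change is mentioned in the changelog, which only talks about annotating the lockless reads. The const is a reasonable consequence of using READ_ONCE() on a read-only helper, but dropping inline is unrelated to the race fix; please say a word about it in the commit message or split it out.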
@@ -142,8 +142,8 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p)
 
 		set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
 		sk->sk_write_pending++;
-		sk_wait_event(sk, &current_timeo, sk->sk_err ||
-						  (sk->sk_shutdown & SEND_SHUTDOWN) ||
+		sk_wait_event(sk, &current_timeo, READ_ONCE(sk->sk_err) ||
+						  (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) ||
 						  (sk_stream_memory_free(sk) &&
 						  !vm_wait), &wait);
 		sk->sk_write_pending--;
diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index 926e29e84b40b..d0ca1fc325cd6 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -262,7 +262,7 @@ static int tcp_bpf_wait_data(struct sock *sk, struct sk_psock *psock,
 	sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
 	ret = sk_wait_event(sk, &timeo,
 			    !list_empty(&psock->ingress_msg) ||
-			    !skb_queue_empty(&sk->sk_receive_queue), &wait);
+			    !skb_queue_empty_lockless(&sk->sk_receive_queue), &wait);
 	sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk);
 	remove_wait_queue(sk_sleep(sk), &wait);
 	return ret;
diff --git a/net/llc/af_llc.c b/net/llc/af_llc.c
index 99a37c411323e..01e26698285a0 100644
--- a/net/llc/af_llc.c
+++ b/net/llc/af_llc.c
@@ -582,7 +582,8 @@ static int llc_ui_wait_for_disc(struct sock *sk, long timeout)
 
 	add_wait_queue(sk_sleep(sk), &wait);
 	while (1) {
-		if (sk_wait_event(sk, &timeout, sk->sk_state == TCP_CLOSE, &wait))
+		if (sk_wait_event(sk, &timeout,
+				  READ_ONCE(sk->sk_state) == TCP_CLOSE, &wait))
 			break;
 		rc = -ERESTARTSYS;
 		if (signal_pending(current))
@@ -602,7 +603,8 @@ static bool llc_ui_wait_for_conn(struct sock *sk, long timeout)
 
 	add_wait_queue(sk_sleep(sk), &wait);
 	while (1) {
-		if (sk_wait_event(sk, &timeout, sk->sk_state != TCP_SYN_SENT, &wait))
+		if (sk_wait_event(sk, &timeout,
+				  READ_ONCE(sk->sk_state) != TCP_SYN_SENT, &wait))
 			break;
 		if (signal_pending(current) || !timeout)
 			break;
@@ -621,7 +623,7 @@ static int llc_ui_wait_for_busy_core(struct sock *sk, long timeout)
 	while (1) {
 		rc = 0;
 		if (sk_wait_event(sk, &timeout,
-				  (sk->sk_shutdown & RCV_SHUTDOWN) ||
+				  (READ_ONCE(sk->sk_shutdown) & RCV_SHUTDOWN) ||
 				  (!llc_data_accept_state(llc->state) &&
 				   !llc->remote_busy_flag &&
 				   !llc->p_flag), &wait))
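Review bot: in llc_ui_wait_for_busy_core() only sk->sk_shutdown gets READ_ONCE(), while llc->state, llc->remote_busy_flag and llc->p_flag are read with plain loads in the same expression, which sk_wait_event() evaluates once without the socket lock according to the changelog. If those fields can be written concurrently they need the same treatment; if they cannot, a short comment explaining why would make the partial annotation look intentional.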
diff --git a/net/smc/smc_close.c b/net/smc/smc_close.c
index 84102db5bb314..149a59ecd299f 100644
--- a/net/smc/smc_close.c
+++ b/net/smc/smc_close.c
@@ -64,8 +64,8 @@ static void smc_close_stream_wait(struct smc_sock *smc, long timeout)
 
 		rc = sk_wait_event(sk, &timeout,
 				   !smc_tx_prepared_sends(&smc->conn) ||
-				   sk->sk_err == ECONNABORTED ||
-				   sk->sk_err == ECONNRESET ||
+				   READ_ONCE(sk->sk_err) == ECONNABORTED ||
+				   READ_ONCE(sk->sk_err) == ECONNRESET ||
 				   smc->conn.killed,
 				   &wait);
 		if (rc)
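Review bot: smc_close_stream_wait() now performs two independent READ_ONCE(sk->sk_err) loads, one compared with ECONNABORTED and one with ECONNRESET, so the two comparisons can observe different values if sk_err changes in between. The outcome is benign for an "either of these" test, but a small helper that loads sk_err once and checks both values would express the intent better and avoid the double load. The smc->conn.killed read on the following line is also still a plain load in the same lockless condition.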
diff --git a/net/smc/smc_rx.c b/net/smc/smc_rx.c
index 7f7e983e42b1f..3757aff6c2f00 100644
--- a/net/smc/smc_rx.c
+++ b/net/smc/smc_rx.c
@@ -203,9 +203,9 @@ int smc_rx_wait(struct smc_sock *smc, long *timeo,
 	sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
 	add_wait_queue(sk_sleep(sk), &wait);
 	rc = sk_wait_event(sk, timeo,
-			   sk->sk_err ||
+			   READ_ONCE(sk->sk_err) ||
 			   cflags->peer_conn_abort ||
-			   sk->sk_shutdown & RCV_SHUTDOWN ||
+			   READ_ONCE(sk->sk_shutdown) & RCV_SHUTDOWN ||
 			   conn->killed ||
 			   fcrit(conn),
 			   &wait);
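Review bot: style point in smc_rx_wait(): "READ_ONCE(sk->sk_shutdown) & RCV_SHUTDOWN ||" relies on & binding tighter than ||, whereas the net/core/stream.c, net/llc/af_llc.c and net/smc/smc_tx.c hunks of this patch all parenthesise the same test. Since the line is being rewritten anyway, adding the parentheses would keep the annotated sites consistent and avoid a compiler warning about mixed operators on some configurations.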
diff --git a/net/smc/smc_tx.c b/net/smc/smc_tx.c
index 52ef1fca0b604..2429f9fc7e0e7 100644
--- a/net/smc/smc_tx.c
+++ b/net/smc/smc_tx.c
@@ -110,8 +110,8 @@ static int smc_tx_wait(struct smc_sock *smc, int flags)
 			break; /* at least 1 byte of free & no urgent data */
 		set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
 		sk_wait_event(sk, &timeo,
-			      sk->sk_err ||
-			      (sk->sk_shutdown & SEND_SHUTDOWN) ||
+			      READ_ONCE(sk->sk_err) ||
+			      (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) ||
 			      smc_cdc_rxed_any_close(conn) ||
 			      (atomic_read(&conn->sndbuf_space) &&
 			       !conn->urg_tx_pend),
diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index 8f3c9fbb99165..7cf9b40b5c73b 100644
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -300,9 +300,9 @@ static void tsk_rej_rx_queue(struct sock *sk, int error)
 		tipc_sk_respond(sk, skb, error);
 }
 
-static bool tipc_sk_connected(struct sock *sk)
+static bool tipc_sk_connected(const struct sock *sk)
 {
-	return sk->sk_state == TIPC_ESTABLISHED;
+	return READ_ONCE(sk->sk_state) == TIPC_ESTABLISHED;
 }
 
 /* tipc_sk_type_connectionless - check if the socket is datagram socket
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 54863e68f3040..7ee3c8b03a39e 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -92,7 +92,8 @@ int wait_on_pending_writer(struct sock *sk, long *timeo)
 			break;
 		}
 
-		if (sk_wait_event(sk, timeo, !sk->sk_write_pending, &wait))
+		if (sk_wait_event(sk, timeo,
+				  !READ_ONCE(sk->sk_write_pending), &wait))
 			break;
 	}
 	remove_wait_queue(sk_sleep(sk), &wait);
-- 
2.39.2





* [PATCH 5.10 011/211] net: tap: check vlan with eth_type_vlan() method
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (9 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 010/211] net: deal with most data-races in sk_wait_event() Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 012/211] net: add vlan_get_protocol_and_depth() helper Greg Kroah-Hartman
                   ` (205 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Menglong Dong, Jakub Kicinski, Sasha Levin

From: Menglong Dong <dong.menglong@zte.com.cn>

[ Upstream commit b69df2608281b71575fbb3b9f426dbcc4be8a700 ]

Replace some checks for ETH_P_8021Q and ETH_P_8021AD in
drivers/net/tap.c with eth_type_vlan.

Signed-off-by: Menglong Dong <dong.menglong@zte.com.cn>
Link: https://lore.kernel.org/r/20210115023238.4681-1-dong.menglong@zte.com.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 4063384ef762 ("net: add vlan_get_protocol_and_depth() helper")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/tap.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index d9018d9fe3106..aed3b1cd80f23 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -713,8 +713,7 @@ static ssize_t tap_get_user(struct tap_queue *q, void *msg_control,
 	skb_probe_transport_header(skb);
 
 	/* Move network header to the right position for VLAN tagged packets */
-	if ((skb->protocol == htons(ETH_P_8021Q) ||
-	     skb->protocol == htons(ETH_P_8021AD)) &&
+	if (eth_type_vlan(skb->protocol) &&
 	    __vlan_get_protocol(skb, skb->protocol, &depth) != 0)
 		skb_set_network_header(skb, depth);
 
@@ -1165,8 +1164,7 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
 	}
 
 	/* Move network header to the right position for VLAN tagged packets */
-	if ((skb->protocol == htons(ETH_P_8021Q) ||
-	     skb->protocol == htons(ETH_P_8021AD)) &&
+	if (eth_type_vlan(skb->protocol) &&
 	    __vlan_get_protocol(skb, skb->protocol, &depth) != 0)
 		skb_set_network_header(skb, depth);
 
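Review bot: the condition "eth_type_vlan(skb->protocol) && __vlan_get_protocol(skb, skb->protocol, &depth) != 0" followed by skb_set_network_header(skb, depth) is now byte-for-byte identical in tap_get_user() and tap_get_user_xdp(). A small static helper in tap.c would keep the two paths from drifting, which matters because the dependent patch has to change both copies again.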
-- 
2.39.2





* [PATCH 5.10 012/211] net: add vlan_get_protocol_and_depth() helper
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (10 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 011/211] net: tap: check vlan with eth_type_vlan() method Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 013/211] tcp: factor out __tcp_close() helper Greg Kroah-Hartman
                   ` (204 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
	Toke Høiland-Jørgensen, Willem de Bruijn, Simon Horman,
	David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 4063384ef762cc5946fc7a3f89879e76c6ec51e2 ]

Before blamed commit, pskb_may_pull() was used instead
of skb_header_pointer() in __vlan_get_protocol() and friends.

Few callers depended on skb->head being populated with MAC header,
syzbot caught one of them (skb_mac_gso_segment())

Add vlan_get_protocol_and_depth() to make the intent clearer
and use it where sensible.

This is a more generic fix than commit e9d3f80935b6
("net/af_packet: make sure to pull mac header") which was
dealing with a similar issue.

kernel BUG at include/linux/skbuff.h:2655 !
invalid opcode: 0000 [#1] SMP KASAN
CPU: 0 PID: 1441 Comm: syz-executor199 Not tainted 6.1.24-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
RIP: 0010:__skb_pull include/linux/skbuff.h:2655 [inline]
RIP: 0010:skb_mac_gso_segment+0x68f/0x6a0 net/core/gro.c:136
Code: fd 48 8b 5c 24 10 44 89 6b 70 48 c7 c7 c0 ae 0d 86 44 89 e6 e8 a1 91 d0 00 48 c7 c7 00 af 0d 86 48 89 de 31 d2 e8 d1 4a e9 ff <0f> 0b 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 55 48 89 e5 41
RSP: 0018:ffffc90001bd7520 EFLAGS: 00010286
RAX: ffffffff8469736a RBX: ffff88810f31dac0 RCX: ffff888115a18b00
RDX: 0000000000000000 RSI: 0000000000000000 RDI: 0000000000000000
RBP: ffffc90001bd75e8 R08: ffffffff84697183 R09: fffff5200037adf9
R10: 0000000000000000 R11: dffffc0000000001 R12: 0000000000000012
R13: 000000000000fee5 R14: 0000000000005865 R15: 000000000000fed7
FS: 000055555633f300(0000) GS:ffff8881f6a00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000000 CR3: 0000000116fea000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
[<ffffffff847018dd>] __skb_gso_segment+0x32d/0x4c0 net/core/dev.c:3419
[<ffffffff8470398a>] skb_gso_segment include/linux/netdevice.h:4819 [inline]
[<ffffffff8470398a>] validate_xmit_skb+0x3aa/0xee0 net/core/dev.c:3725
[<ffffffff84707042>] __dev_queue_xmit+0x1332/0x3300 net/core/dev.c:4313
[<ffffffff851a9ec7>] dev_queue_xmit+0x17/0x20 include/linux/netdevice.h:3029
[<ffffffff851b4a82>] packet_snd net/packet/af_packet.c:3111 [inline]
[<ffffffff851b4a82>] packet_sendmsg+0x49d2/0x6470 net/packet/af_packet.c:3142
[<ffffffff84669a12>] sock_sendmsg_nosec net/socket.c:716 [inline]
[<ffffffff84669a12>] sock_sendmsg net/socket.c:736 [inline]
[<ffffffff84669a12>] __sys_sendto+0x472/0x5f0 net/socket.c:2139
[<ffffffff84669c75>] __do_sys_sendto net/socket.c:2151 [inline]
[<ffffffff84669c75>] __se_sys_sendto net/socket.c:2147 [inline]
[<ffffffff84669c75>] __x64_sys_sendto+0xe5/0x100 net/socket.c:2147
[<ffffffff8551d40f>] do_syscall_x64 arch/x86/entry/common.c:50 [inline]
[<ffffffff8551d40f>] do_syscall_64+0x2f/0x50 arch/x86/entry/common.c:80
[<ffffffff85600087>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: 469aceddfa3e ("vlan: consolidate VLAN parsing code and limit max parsing depth")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Toke Høiland-Jørgensen <toke@redhat.com>
Cc: Willem de Bruijn <willemb@google.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/tap.c       |  4 ++--
 include/linux/if_vlan.h | 17 +++++++++++++++++
 net/bridge/br_forward.c |  2 +-
 net/core/dev.c          |  2 +-
 net/packet/af_packet.c  |  6 ++----
 5 files changed, 23 insertions(+), 8 deletions(-)

diff --git a/drivers/net/tap.c b/drivers/net/tap.c
index aed3b1cd80f23..f9b3eb2d8d8b0 100644
--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -714,7 +714,7 @@ static ssize_t tap_get_user(struct tap_queue *q, void *msg_control,
 
 	/* Move network header to the right position for VLAN tagged packets */
 	if (eth_type_vlan(skb->protocol) &&
-	    __vlan_get_protocol(skb, skb->protocol, &depth) != 0)
+	    vlan_get_protocol_and_depth(skb, skb->protocol, &depth) != 0)
 		skb_set_network_header(skb, depth);
 
 	rcu_read_lock();
@@ -1165,7 +1165,7 @@ static int tap_get_user_xdp(struct tap_queue *q, struct xdp_buff *xdp)
 
 	/* Move network header to the right position for VLAN tagged packets */
 	if (eth_type_vlan(skb->protocol) &&
-	    __vlan_get_protocol(skb, skb->protocol, &depth) != 0)
+	    vlan_get_protocol_and_depth(skb, skb->protocol, &depth) != 0)
 		skb_set_network_header(skb, depth);
 
 	rcu_read_lock();
diff --git a/include/linux/if_vlan.h b/include/linux/if_vlan.h
index 41a518336673b..4e7e72f3da5bd 100644
--- a/include/linux/if_vlan.h
+++ b/include/linux/if_vlan.h
@@ -626,6 +626,23 @@ static inline __be16 vlan_get_protocol(const struct sk_buff *skb)
 	return __vlan_get_protocol(skb, skb->protocol, NULL);
 }
 
+/* This version of __vlan_get_protocol() also pulls mac header in skb->head */
+static inline __be16 vlan_get_protocol_and_depth(struct sk_buff *skb,
+						 __be16 type, int *depth)
+{
+	int maclen;
+
+	type = __vlan_get_protocol(skb, type, &maclen);
+
+	if (type) {
+		if (!pskb_may_pull(skb, maclen))
+			type = 0;
+		else if (depth)
+			*depth = maclen;
+	}
+	return type;
+}
+
 /* A getter for the SKB protocol field which will handle VLAN tags consistently
  * whether VLAN acceleration is enabled or not.
  */
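Review bot: the one-line comment above vlan_get_protocol_and_depth() does not document the two things a caller has to know. First, unlike vlan_get_protocol() just above it, this helper takes a non-const skb and calls pskb_may_pull(), which can reallocate skb->head, so any header pointer computed before the call must not be reused afterwards. Second, when pskb_may_pull() fails the function returns 0 and leaves *depth unwritten, so callers must test the return value before using depth. A short kerneldoc block stating both would make the helper safer to adopt elsewhere.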
diff --git a/net/bridge/br_forward.c b/net/bridge/br_forward.c
index e28ffadd13719..4610f3a13966f 100644
--- a/net/bridge/br_forward.c
+++ b/net/bridge/br_forward.c
@@ -43,7 +43,7 @@ int br_dev_queue_push_xmit(struct net *net, struct sock *sk, struct sk_buff *skb
 	     skb->protocol == htons(ETH_P_8021AD))) {
 		int depth;
 
-		if (!__vlan_get_protocol(skb, skb->protocol, &depth))
+		if (!vlan_get_protocol_and_depth(skb, skb->protocol, &depth))
 			goto drop;
 
 		skb_set_network_header(skb, depth);
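Review bot: br_dev_queue_push_xmit() still open-codes the ethertype test, as the context line "skb->protocol == htons(ETH_P_8021AD))) {" shows, while the tap.c and af_packet.c call sites converted in this series use eth_type_vlan(skb->protocol) in front of the new helper. Not a functional problem, but switching this site too would leave one idiom for "is this VLAN tagged, and if so pull the header".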
diff --git a/net/core/dev.c b/net/core/dev.c
index 413c2a08d79db..1eaf224a90ce5 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -3320,7 +3320,7 @@ __be16 skb_network_protocol(struct sk_buff *skb, int *depth)
 		type = eth->h_proto;
 	}
 
-	return __vlan_get_protocol(skb, type, depth);
+	return vlan_get_protocol_and_depth(skb, type, depth);
 }
 
 /**
diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c
index 2e766490a739b..3c05414cd3f83 100644
--- a/net/packet/af_packet.c
+++ b/net/packet/af_packet.c
@@ -1897,10 +1897,8 @@ static void packet_parse_headers(struct sk_buff *skb, struct socket *sock)
 	/* Move network header to the right position for VLAN tagged packets */
 	if (likely(skb->dev->type == ARPHRD_ETHER) &&
 	    eth_type_vlan(skb->protocol) &&
-	    __vlan_get_protocol(skb, skb->protocol, &depth) != 0) {
-		if (pskb_may_pull(skb, depth))
-			skb_set_network_header(skb, depth);
-	}
+	    vlan_get_protocol_and_depth(skb, skb->protocol, &depth) != 0)
+		skb_set_network_header(skb, depth);
 
 	skb_probe_transport_header(skb);
 }
-- 
2.39.2





* [PATCH 5.10 013/211] tcp: factor out __tcp_close() helper
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (11 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 012/211] net: add vlan_get_protocol_and_depth() helper Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 014/211] tcp: add annotations around sk->sk_shutdown accesses Greg Kroah-Hartman
                   ` (203 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Jakub Kicinski, Sasha Levin

From: Paolo Abeni <pabeni@redhat.com>

[ Upstream commit 77c3c95637526f1e4330cc9a4b2065f668c2c4fe ]

unlocked version of protocol level close, will be used by
MPTCP to allow decouple orphaning and subflow level close.

Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: e14cadfd80d7 ("tcp: add annotations around sk->sk_shutdown accesses")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/tcp.h | 1 +
 net/ipv4/tcp.c    | 9 +++++++--
 2 files changed, 8 insertions(+), 2 deletions(-)

diff --git a/include/net/tcp.h b/include/net/tcp.h
index 9a8d98639b20f..d213b86a48227 100644
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -381,6 +381,7 @@ void tcp_update_metrics(struct sock *sk);
 void tcp_init_metrics(struct sock *sk);
 void tcp_metrics_init(void);
 bool tcp_peer_is_proven(struct request_sock *req, struct dst_entry *dst);
+void __tcp_close(struct sock *sk, long timeout);
 void tcp_close(struct sock *sk, long timeout);
 void tcp_init_sock(struct sock *sk);
 void tcp_init_transfer(struct sock *sk, int bpf_op, struct sk_buff *skb);
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 6a0560a735ce4..3666fa307d0f0 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -2510,13 +2510,12 @@ bool tcp_check_oom(struct sock *sk, int shift)
 	return too_many_orphans || out_of_socket_memory;
 }
 
-void tcp_close(struct sock *sk, long timeout)
+void __tcp_close(struct sock *sk, long timeout)
 {
 	struct sk_buff *skb;
 	int data_was_unread = 0;
 	int state;
 
-	lock_sock(sk);
 	sk->sk_shutdown = SHUTDOWN_MASK;
 
 	if (sk->sk_state == TCP_LISTEN) {
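Review bot: with lock_sock(sk) removed from the top, __tcp_close() silently requires the caller to own the socket lock, and nothing in the function or next to the new prototype in include/net/tcp.h says so. Please add a comment stating the locking contract, and consider a sock_owned_by_me(sk) check as the first statement so that a caller that forgets the lock is caught by lockdep instead of corrupting state.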
@@ -2680,6 +2679,12 @@ void tcp_close(struct sock *sk, long timeout)
 out:
 	bh_unlock_sock(sk);
 	local_bh_enable();
+}
+
+void tcp_close(struct sock *sk, long timeout)
+{
+	lock_sock(sk);
+	__tcp_close(sk, timeout);
 	release_sock(sk);
 	sock_put(sk);
 }
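Review bot: after the split, tcp_close() keeps both release_sock(sk) and sock_put(sk), so a direct caller of __tcp_close() becomes responsible for releasing the lock and for dropping the reference that tcp_close() used to drop. The changelog mentions that MPTCP will use the helper but not these obligations; a sentence in the commit message or a comment above __tcp_close() listing what the caller must do on return would prevent a leaked reference in the new user.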
-- 
2.39.2





* [PATCH 5.10 014/211] tcp: add annotations around sk->sk_shutdown accesses
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (12 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 013/211] tcp: factor out __tcp_close() helper Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 015/211] ipvlan:Fix out-of-bounds caused by unclear skb->cb Greg Kroah-Hartman
                   ` (202 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
	David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit e14cadfd80d76f01bfaa1a8d745b1db19b57d6be ]

Now sk->sk_shutdown is no longer a bitfield, we can add
standard READ_ONCE()/WRITE_ONCE() annotations to silence
KCSAN reports like the following:

BUG: KCSAN: data-race in tcp_disconnect / tcp_poll

write to 0xffff88814588582c of 1 bytes by task 3404 on cpu 1:
tcp_disconnect+0x4d6/0xdb0 net/ipv4/tcp.c:3121
__inet_stream_connect+0x5dd/0x6e0 net/ipv4/af_inet.c:715
inet_stream_connect+0x48/0x70 net/ipv4/af_inet.c:727
__sys_connect_file net/socket.c:2001 [inline]
__sys_connect+0x19b/0x1b0 net/socket.c:2018
__do_sys_connect net/socket.c:2028 [inline]
__se_sys_connect net/socket.c:2025 [inline]
__x64_sys_connect+0x41/0x50 net/socket.c:2025
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

read to 0xffff88814588582c of 1 bytes by task 3374 on cpu 0:
tcp_poll+0x2e6/0x7d0 net/ipv4/tcp.c:562
sock_poll+0x253/0x270 net/socket.c:1383
vfs_poll include/linux/poll.h:88 [inline]
io_poll_check_events io_uring/poll.c:281 [inline]
io_poll_task_func+0x15a/0x820 io_uring/poll.c:333
handle_tw_list io_uring/io_uring.c:1184 [inline]
tctx_task_work+0x1fe/0x4d0 io_uring/io_uring.c:1246
task_work_run+0x123/0x160 kernel/task_work.c:179
get_signal+0xe64/0xff0 kernel/signal.c:2635
arch_do_signal_or_restart+0x89/0x2a0 arch/x86/kernel/signal.c:306
exit_to_user_mode_loop+0x6f/0xe0 kernel/entry/common.c:168
exit_to_user_mode_prepare+0x6c/0xb0 kernel/entry/common.c:204
__syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
syscall_exit_to_user_mode+0x26/0x140 kernel/entry/common.c:297
do_syscall_64+0x4d/0xc0 arch/x86/entry/common.c:86
entry_SYSCALL_64_after_hwframe+0x63/0xcd

value changed: 0x03 -> 0x00

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/af_inet.c   |  2 +-
 net/ipv4/tcp.c       | 14 ++++++++------
 net/ipv4/tcp_input.c |  4 ++--
 3 files changed, 11 insertions(+), 9 deletions(-)

diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 8dab0d311aba3..800c2c7607e1a 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -884,7 +884,7 @@ int inet_shutdown(struct socket *sock, int how)
 		   EPOLLHUP, even on eg. unconnected UDP sockets -- RR */
 		fallthrough;
 	default:
-		sk->sk_shutdown |= how;
+		WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | how);
 		if (sk->sk_prot->shutdown)
 			sk->sk_prot->shutdown(sk, how);
 		break;
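Review bot: in inet_shutdown(), "WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | how)" is still a non-atomic read-modify-write, and the right-hand side is a plain load. The annotation only protects lockless readers from a torn or repeated store; it does not make concurrent updaters safe. That is correct only if every writer of sk_shutdown holds the socket lock, so please say so in the changelog. The same pattern appears in the tcp_fin() and tcp_rcv_state_process() hunks of this patch.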
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 3666fa307d0f0..eecce63ba25e3 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -506,6 +506,7 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
 	__poll_t mask;
 	struct sock *sk = sock->sk;
 	const struct tcp_sock *tp = tcp_sk(sk);
+	u8 shutdown;
 	int state;
 
 	sock_poll_wait(file, sock, wait);
@@ -548,9 +549,10 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
 	 * NOTE. Check for TCP_CLOSE is added. The goal is to prevent
 	 * blocking on fresh not-connected or disconnected socket. --ANK
 	 */
-	if (sk->sk_shutdown == SHUTDOWN_MASK || state == TCP_CLOSE)
+	shutdown = READ_ONCE(sk->sk_shutdown);
+	if (shutdown == SHUTDOWN_MASK || state == TCP_CLOSE)
 		mask |= EPOLLHUP;
-	if (sk->sk_shutdown & RCV_SHUTDOWN)
+	if (shutdown & RCV_SHUTDOWN)
 		mask |= EPOLLIN | EPOLLRDNORM | EPOLLRDHUP;
 
 	/* Connected or passive Fast Open socket? */
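Review bot: taking one snapshot with "shutdown = READ_ONCE(sk->sk_shutdown)" and using it for both the SHUTDOWN_MASK and RCV_SHUTDOWN tests in tcp_poll() is the right shape, but the snapshot is compared alongside "state", which was loaded separately earlier in the function. The two values can therefore belong to different moments. That is likely acceptable for poll, which is re-evaluated on wakeup, but a short comment noting that the pair is intentionally not consistent would save the next reader from wondering.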
@@ -566,7 +568,7 @@ __poll_t tcp_poll(struct file *file, struct socket *sock, poll_table *wait)
 		if (tcp_stream_is_readable(tp, target, sk))
 			mask |= EPOLLIN | EPOLLRDNORM;
 
-		if (!(sk->sk_shutdown & SEND_SHUTDOWN)) {
+		if (!(shutdown & SEND_SHUTDOWN)) {
 			if (__sk_stream_is_writeable(sk, 1)) {
 				mask |= EPOLLOUT | EPOLLWRNORM;
 			} else {  /* send SIGIO later */
@@ -2516,7 +2518,7 @@ void __tcp_close(struct sock *sk, long timeout)
 	int data_was_unread = 0;
 	int state;
 
-	sk->sk_shutdown = SHUTDOWN_MASK;
+	WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK);
 
 	if (sk->sk_state == TCP_LISTEN) {
 		tcp_set_state(sk, TCP_CLOSE);
@@ -2782,7 +2784,7 @@ int tcp_disconnect(struct sock *sk, int flags)
 	if (!(sk->sk_userlocks & SOCK_BINDADDR_LOCK))
 		inet_reset_saddr(sk);
 
-	sk->sk_shutdown = 0;
+	WRITE_ONCE(sk->sk_shutdown, 0);
 	sock_reset_flag(sk, SOCK_DONE);
 	tp->srtt_us = 0;
 	tp->mdev_us = jiffies_to_usecs(TCP_TIMEOUT_INIT);
@@ -4169,7 +4171,7 @@ void tcp_done(struct sock *sk)
 	if (req)
 		reqsk_fastopen_remove(sk, req, false);
 
-	sk->sk_shutdown = SHUTDOWN_MASK;
+	WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK);
 
 	if (!sock_flag(sk, SOCK_DEAD))
 		sk->sk_state_change(sk);
diff --git a/net/ipv4/tcp_input.c b/net/ipv4/tcp_input.c
index 541758cd0b81f..b98b7920c4029 100644
--- a/net/ipv4/tcp_input.c
+++ b/net/ipv4/tcp_input.c
@@ -4323,7 +4323,7 @@ void tcp_fin(struct sock *sk)
 
 	inet_csk_schedule_ack(sk);
 
-	sk->sk_shutdown |= RCV_SHUTDOWN;
+	WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | RCV_SHUTDOWN);
 	sock_set_flag(sk, SOCK_DONE);
 
 	switch (sk->sk_state) {
@@ -6504,7 +6504,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
 			break;
 
 		tcp_set_state(sk, TCP_FIN_WAIT2);
-		sk->sk_shutdown |= SEND_SHUTDOWN;
+		WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | SEND_SHUTDOWN);
 
 		sk_dst_confirm(sk);
 
-- 
2.39.2





* [PATCH 5.10 015/211] ipvlan:Fix out-of-bounds caused by unclear skb->cb
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (13 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 014/211] tcp: add annotations around sk->sk_shutdown accesses Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 016/211] net: datagram: fix data-races in datagram_poll() Greg Kroah-Hartman
                   ` (201 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, t.feng, Florian Westphal,
	Paolo Abeni, David S. Miller, Sasha Levin

From: t.feng <fengtao40@huawei.com>

[ Upstream commit 90cbed5247439a966b645b34eb0a2e037836ea8e ]

If skb enqueue the qdisc, fq_skb_cb(skb)->time_to_send is changed which
is actually skb->cb, and IPCB(skb_in)->opt will be used in
__ip_options_echo. It is possible that memcpy is out of bounds and lead
to stack overflow.
We should clear skb->cb before ip_local_out or ip6_local_out.

v2:
1. clean the stack info
2. use IPCB/IP6CB instead of skb->cb

crash on stable-5.10(reproduce in kasan kernel).
Stack info:
[ 2203.651571] BUG: KASAN: stack-out-of-bounds in
__ip_options_echo+0x589/0x800
[ 2203.653327] Write of size 4 at addr ffff88811a388f27 by task
swapper/3/0
[ 2203.655460] CPU: 3 PID: 0 Comm: swapper/3 Kdump: loaded Not tainted
5.10.0-60.18.0.50.h856.kasan.eulerosv2r11.x86_64 #1
[ 2203.655466] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996),
BIOS rel-1.10.2-0-g5f4c7b1-20181220_000000-szxrtosci10000 04/01/2014
[ 2203.655475] Call Trace:
[ 2203.655481]  <IRQ>
[ 2203.655501]  dump_stack+0x9c/0xd3
[ 2203.655514]  print_address_description.constprop.0+0x19/0x170
[ 2203.655530]  __kasan_report.cold+0x6c/0x84
[ 2203.655586]  kasan_report+0x3a/0x50
[ 2203.655594]  check_memory_region+0xfd/0x1f0
[ 2203.655601]  memcpy+0x39/0x60
[ 2203.655608]  __ip_options_echo+0x589/0x800
[ 2203.655654]  __icmp_send+0x59a/0x960
[ 2203.655755]  nf_send_unreach+0x129/0x3d0 [nf_reject_ipv4]
[ 2203.655763]  reject_tg+0x77/0x1bf [ipt_REJECT]
[ 2203.655772]  ipt_do_table+0x691/0xa40 [ip_tables]
[ 2203.655821]  nf_hook_slow+0x69/0x100
[ 2203.655828]  __ip_local_out+0x21e/0x2b0
[ 2203.655857]  ip_local_out+0x28/0x90
[ 2203.655868]  ipvlan_process_v4_outbound+0x21e/0x260 [ipvlan]
[ 2203.655931]  ipvlan_xmit_mode_l3+0x3bd/0x400 [ipvlan]
[ 2203.655967]  ipvlan_queue_xmit+0xb3/0x190 [ipvlan]
[ 2203.655977]  ipvlan_start_xmit+0x2e/0xb0 [ipvlan]
[ 2203.655984]  xmit_one.constprop.0+0xe1/0x280
[ 2203.655992]  dev_hard_start_xmit+0x62/0x100
[ 2203.656000]  sch_direct_xmit+0x215/0x640
[ 2203.656028]  __qdisc_run+0x153/0x1f0
[ 2203.656069]  __dev_queue_xmit+0x77f/0x1030
[ 2203.656173]  ip_finish_output2+0x59b/0xc20
[ 2203.656244]  __ip_finish_output.part.0+0x318/0x3d0
[ 2203.656312]  ip_finish_output+0x168/0x190
[ 2203.656320]  ip_output+0x12d/0x220
[ 2203.656357]  __ip_queue_xmit+0x392/0x880
[ 2203.656380]  __tcp_transmit_skb+0x1088/0x11c0
[ 2203.656436]  __tcp_retransmit_skb+0x475/0xa30
[ 2203.656505]  tcp_retransmit_skb+0x2d/0x190
[ 2203.656512]  tcp_retransmit_timer+0x3af/0x9a0
[ 2203.656519]  tcp_write_timer_handler+0x3ba/0x510
[ 2203.656529]  tcp_write_timer+0x55/0x180
[ 2203.656542]  call_timer_fn+0x3f/0x1d0
[ 2203.656555]  expire_timers+0x160/0x200
[ 2203.656562]  run_timer_softirq+0x1f4/0x480
[ 2203.656606]  __do_softirq+0xfd/0x402
[ 2203.656613]  asm_call_irq_on_stack+0x12/0x20
[ 2203.656617]  </IRQ>
[ 2203.656623]  do_softirq_own_stack+0x37/0x50
[ 2203.656631]  irq_exit_rcu+0x134/0x1a0
[ 2203.656639]  sysvec_apic_timer_interrupt+0x36/0x80
[ 2203.656646]  asm_sysvec_apic_timer_interrupt+0x12/0x20
[ 2203.656654] RIP: 0010:default_idle+0x13/0x20
[ 2203.656663] Code: 89 f0 5d 41 5c 41 5d 41 5e c3 cc cc cc cc cc cc cc
cc cc cc cc cc cc 0f 1f 44 00 00 0f 1f 44 00 00 0f 00 2d 9f 32 57 00 fb
f4 <c3> cc cc cc cc 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 41 54 be 08
[ 2203.656668] RSP: 0018:ffff88810036fe78 EFLAGS: 00000256
[ 2203.656676] RAX: ffffffffaf2a87f0 RBX: ffff888100360000 RCX:
ffffffffaf290191
[ 2203.656681] RDX: 0000000000098b5e RSI: 0000000000000004 RDI:
ffff88811a3c4f60
[ 2203.656686] RBP: 0000000000000000 R08: 0000000000000001 R09:
ffff88811a3c4f63
[ 2203.656690] R10: ffffed10234789ec R11: 0000000000000001 R12:
0000000000000003
[ 2203.656695] R13: ffff888100360000 R14: 0000000000000000 R15:
0000000000000000
[ 2203.656729]  default_idle_call+0x5a/0x150
[ 2203.656735]  cpuidle_idle_call+0x1c6/0x220
[ 2203.656780]  do_idle+0xab/0x100
[ 2203.656786]  cpu_startup_entry+0x19/0x20
[ 2203.656793]  secondary_startup_64_no_verify+0xc2/0xcb

[ 2203.657409] The buggy address belongs to the page:
[ 2203.658648] page:0000000027a9842f refcount:1 mapcount:0
mapping:0000000000000000 index:0x0 pfn:0x11a388
[ 2203.658665] flags:
0x17ffffc0001000(reserved|node=0|zone=2|lastcpupid=0x1fffff)
[ 2203.658675] raw: 0017ffffc0001000 ffffea000468e208 ffffea000468e208
0000000000000000
[ 2203.658682] raw: 0000000000000000 0000000000000000 00000001ffffffff
0000000000000000
[ 2203.658686] page dumped because: kasan: bad access detected

To reproduce(ipvlan with IPVLAN_MODE_L3):
Env setting:
=======================================================
modprobe ipvlan ipvlan_default_mode=1
sysctl net.ipv4.conf.eth0.forwarding=1
iptables -t nat -A POSTROUTING -s 20.0.0.0/255.255.255.0 -o eth0 -j MASQUERADE
ip link add gw link eth0 type ipvlan
ip -4 addr add 20.0.0.254/24 dev gw
ip netns add net1
ip link add ipv1 link eth0 type ipvlan
ip link set ipv1 netns net1
ip netns exec net1 ip link set ipv1 up
ip netns exec net1 ip -4 addr add 20.0.0.4/24 dev ipv1
ip netns exec net1 route add default gw 20.0.0.254
ip netns exec net1 tc qdisc add dev ipv1 root netem loss 10%
ifconfig gw up
iptables -t filter -A OUTPUT -p tcp --dport 8888 -j REJECT --reject-with icmp-port-unreachable
=======================================================
And then execute the shell (curl any address that eth0 can reach):

for((i=1;i<=100000;i++))
do
        ip netns exec net1 curl x.x.x.x:8888
done
=======================================================

Fixes: 2ad7bf363841 ("ipvlan: Initial check-in of the IPVLAN driver.")
Signed-off-by: "t.feng" <fengtao40@huawei.com>
Suggested-by: Florian Westphal <fw@strlen.de>
Reviewed-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ipvlan/ipvlan_core.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/net/ipvlan/ipvlan_core.c b/drivers/net/ipvlan/ipvlan_core.c
index a33149ee0ddcf..0a5b5ff597c6f 100644
--- a/drivers/net/ipvlan/ipvlan_core.c
+++ b/drivers/net/ipvlan/ipvlan_core.c
@@ -437,6 +437,9 @@ static int ipvlan_process_v4_outbound(struct sk_buff *skb)
 		goto err;
 	}
 	skb_dst_set(skb, &rt->dst);
+
+	memset(IPCB(skb), 0, sizeof(*IPCB(skb)));
+
 	err = ip_local_out(net, skb->sk, skb);
 	if (unlikely(net_xmit_eval(err)))
 		dev->stats.tx_errors++;
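Review bot: the memset() added before ip_local_out() has no comment saying why the control block must be cleared at this point. Going by the commit message, a qdisc may already have written into skb->cb (fq_skb_cb(skb)->time_to_send) and the IP layer then reads the same bytes as IPCB(skb)->opt; a one-line comment above the memset would keep a later cleanup from dropping it as redundant.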
@@ -475,6 +478,9 @@ static int ipvlan_process_v6_outbound(struct sk_buff *skb)
 		goto err;
 	}
 	skb_dst_set(skb, dst);
+
+	memset(IP6CB(skb), 0, sizeof(*IP6CB(skb)));
+
 	err = ip6_local_out(net, skb->sk, skb);
 	if (unlikely(net_xmit_eval(err)))
 		dev->stats.tx_errors++;
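Review bot: the IP6CB() clear before ip6_local_out() is not backed by anything in the commit message, whose KASAN trace and reproducer only go through ipvlan_process_v4_outbound(). Say in the changelog that the v6 path is cleared by analogy, or add a v6 trace, so the rationale for the backport covers both hunks.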
-- 
2.39.2





* [PATCH 5.10 016/211] net: datagram: fix data-races in datagram_poll()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (14 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 015/211] ipvlan:Fix out-of-bounds caused by unclear skb->cb Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 017/211] af_unix: Fix a data race of sk->sk_receive_queue->qlen Greg Kroah-Hartman
                   ` (200 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Kuniyuki Iwashima,
	Jakub Kicinski, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 5bca1d081f44c9443e61841842ce4e9179d327b6 ]

datagram_poll() runs locklessly, we should add READ_ONCE()
annotations while reading sk->sk_err, sk->sk_shutdown and sk->sk_state.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230509173131.3263780-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/datagram.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

diff --git a/net/core/datagram.c b/net/core/datagram.c
index bc92683fdcdb4..9e77695d1bdc2 100644
--- a/net/core/datagram.c
+++ b/net/core/datagram.c
@@ -799,18 +799,21 @@ __poll_t datagram_poll(struct file *file, struct socket *sock,
 {
 	struct sock *sk = sock->sk;
 	__poll_t mask;
+	u8 shutdown;
 
 	sock_poll_wait(file, sock, wait);
 	mask = 0;
 
 	/* exceptional events? */
-	if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue))
+	if (READ_ONCE(sk->sk_err) ||
+	    !skb_queue_empty_lockless(&sk->sk_error_queue))
 		mask |= EPOLLERR |
 			(sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0);
 
-	if (sk->sk_shutdown & RCV_SHUTDOWN)
+	shutdown = READ_ONCE(sk->sk_shutdown);
+	if (shutdown & RCV_SHUTDOWN)
 		mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM;
-	if (sk->sk_shutdown == SHUTDOWN_MASK)
+	if (shutdown == SHUTDOWN_MASK)
 		mask |= EPOLLHUP;
 
 	/* readable? */
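Review bot: READ_ONCE(sk->sk_err) in the exceptional-events test annotates only the reader, and nothing in this patch touches the writers of sk_err or sk_state. The sk_shutdown writers are converted to WRITE_ONCE() by 014 and 018 in this series; the changelog should say where the sk_err and sk_state writers are handled. Taking one `shutdown` snapshot for both tests is the right shape, since the RCV_SHUTDOWN and SHUTDOWN_MASK checks then see the same value.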
@@ -819,10 +822,12 @@ __poll_t datagram_poll(struct file *file, struct socket *sock,
 
 	/* Connection-based need to check for termination and startup */
 	if (connection_based(sk)) {
-		if (sk->sk_state == TCP_CLOSE)
+		int state = READ_ONCE(sk->sk_state);
+
+		if (state == TCP_CLOSE)
 			mask |= EPOLLHUP;
 		/* connection hasn't started yet? */
-		if (sk->sk_state == TCP_SYN_SENT)
+		if (state == TCP_SYN_SENT)
 			return mask;
 	}
 
-- 
2.39.2





* [PATCH 5.10 017/211] af_unix: Fix a data race of sk->sk_receive_queue->qlen.
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (15 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 016/211] net: datagram: fix data-races in datagram_poll() Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:08 ` [PATCH 5.10 018/211] af_unix: Fix data races around sk->sk_shutdown Greg Kroah-Hartman
                   ` (199 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Kuniyuki Iwashima,
	Eric Dumazet, Michal Kubiak, Jakub Kicinski, Sasha Levin

From: Kuniyuki Iwashima <kuniyu@amazon.com>

[ Upstream commit 679ed006d416ea0cecfe24a99d365d1dea69c683 ]

KCSAN found a data race of sk->sk_receive_queue->qlen where recvmsg()
updates qlen under the queue lock and sendmsg() checks qlen under
unix_state_sock(), not the queue lock, so the reader side needs
READ_ONCE().

BUG: KCSAN: data-race in __skb_try_recv_from_queue / unix_wait_for_peer

write (marked) to 0xffff888019fe7c68 of 4 bytes by task 49792 on cpu 0:
 __skb_unlink include/linux/skbuff.h:2347 [inline]
 __skb_try_recv_from_queue+0x3de/0x470 net/core/datagram.c:197
 __skb_try_recv_datagram+0xf7/0x390 net/core/datagram.c:263
 __unix_dgram_recvmsg+0x109/0x8a0 net/unix/af_unix.c:2452
 unix_dgram_recvmsg+0x94/0xa0 net/unix/af_unix.c:2549
 sock_recvmsg_nosec net/socket.c:1019 [inline]
 ____sys_recvmsg+0x3a3/0x3b0 net/socket.c:2720
 ___sys_recvmsg+0xc8/0x150 net/socket.c:2764
 do_recvmmsg+0x182/0x560 net/socket.c:2858
 __sys_recvmmsg net/socket.c:2937 [inline]
 __do_sys_recvmmsg net/socket.c:2960 [inline]
 __se_sys_recvmmsg net/socket.c:2953 [inline]
 __x64_sys_recvmmsg+0x153/0x170 net/socket.c:2953
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

read to 0xffff888019fe7c68 of 4 bytes by task 49793 on cpu 1:
 skb_queue_len include/linux/skbuff.h:2127 [inline]
 unix_recvq_full net/unix/af_unix.c:229 [inline]
 unix_wait_for_peer+0x154/0x1a0 net/unix/af_unix.c:1445
 unix_dgram_sendmsg+0x13bc/0x14b0 net/unix/af_unix.c:2048
 sock_sendmsg_nosec net/socket.c:724 [inline]
 sock_sendmsg+0x148/0x160 net/socket.c:747
 ____sys_sendmsg+0x20e/0x620 net/socket.c:2503
 ___sys_sendmsg+0xc6/0x140 net/socket.c:2557
 __sys_sendmmsg+0x11d/0x370 net/socket.c:2643
 __do_sys_sendmmsg net/socket.c:2672 [inline]
 __se_sys_sendmmsg net/socket.c:2669 [inline]
 __x64_sys_sendmmsg+0x58/0x70 net/socket.c:2669
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

value changed: 0x0000000b -> 0x00000001

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 49793 Comm: syz-executor.0 Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/unix/af_unix.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index 28721e9575b75..a210275368560 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -1236,7 +1236,7 @@ static long unix_wait_for_peer(struct sock *other, long timeo)
 
 	sched = !sock_flag(other, SOCK_DEAD) &&
 		!(other->sk_shutdown & RCV_SHUTDOWN) &&
-		unix_recvq_full(other);
+		unix_recvq_full_lockless(other);
 
 	unix_state_unlock(other);
 
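Review bot: unix_recvq_full_lockless() is called in the `sched =` expression but is not defined by this patch (the diffstat is 1 insertion, 1 deletion), so the backport depends on the helper already being present in 5.10.y; worth confirming with a build of net/unix/af_unix.c on the stable branch. The neighbouring `other->sk_shutdown & RCV_SHUTDOWN` stays a plain read, which is acceptable only because it still runs before unix_state_unlock(other).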
-- 
2.39.2





* [PATCH 5.10 018/211] af_unix: Fix data races around sk->sk_shutdown.
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (16 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 017/211] af_unix: Fix a data race of sk->sk_receive_queue->qlen Greg Kroah-Hartman
@ 2023-05-28 19:08 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 019/211] drm/i915/dp: prevent potential div-by-zero Greg Kroah-Hartman
                   ` (198 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:08 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Kuniyuki Iwashima,
	Eric Dumazet, Michal Kubiak, Jakub Kicinski, Sasha Levin

From: Kuniyuki Iwashima <kuniyu@amazon.com>

[ Upstream commit e1d09c2c2f5793474556b60f83900e088d0d366d ]

KCSAN found a data race around sk->sk_shutdown where unix_release_sock()
and unix_shutdown() update it under unix_state_lock(), OTOH unix_poll()
and unix_dgram_poll() read it locklessly.

We need to annotate the writes and reads with WRITE_ONCE() and READ_ONCE().

BUG: KCSAN: data-race in unix_poll / unix_release_sock

write to 0xffff88800d0f8aec of 1 bytes by task 264 on cpu 0:
 unix_release_sock+0x75c/0x910 net/unix/af_unix.c:631
 unix_release+0x59/0x80 net/unix/af_unix.c:1042
 __sock_release+0x7d/0x170 net/socket.c:653
 sock_close+0x19/0x30 net/socket.c:1397
 __fput+0x179/0x5e0 fs/file_table.c:321
 ____fput+0x15/0x20 fs/file_table.c:349
 task_work_run+0x116/0x1a0 kernel/task_work.c:179
 resume_user_mode_work include/linux/resume_user_mode.h:49 [inline]
 exit_to_user_mode_loop kernel/entry/common.c:171 [inline]
 exit_to_user_mode_prepare+0x174/0x180 kernel/entry/common.c:204
 __syscall_exit_to_user_mode_work kernel/entry/common.c:286 [inline]
 syscall_exit_to_user_mode+0x1a/0x30 kernel/entry/common.c:297
 do_syscall_64+0x4b/0x90 arch/x86/entry/common.c:86
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

read to 0xffff88800d0f8aec of 1 bytes by task 222 on cpu 1:
 unix_poll+0xa3/0x2a0 net/unix/af_unix.c:3170
 sock_poll+0xcf/0x2b0 net/socket.c:1385
 vfs_poll include/linux/poll.h:88 [inline]
 ep_item_poll.isra.0+0x78/0xc0 fs/eventpoll.c:855
 ep_send_events fs/eventpoll.c:1694 [inline]
 ep_poll fs/eventpoll.c:1823 [inline]
 do_epoll_wait+0x6c4/0xea0 fs/eventpoll.c:2258
 __do_sys_epoll_wait fs/eventpoll.c:2270 [inline]
 __se_sys_epoll_wait fs/eventpoll.c:2265 [inline]
 __x64_sys_epoll_wait+0xcc/0x190 fs/eventpoll.c:2265
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3b/0x90 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

value changed: 0x00 -> 0x03

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 222 Comm: dbus-broker Not tainted 6.3.0-rc7-02330-gca6270c12e20 #2
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014

Fixes: 3c73419c09a5 ("af_unix: fix 'poll for write'/ connected DGRAM sockets")
Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Michal Kubiak <michal.kubiak@intel.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/unix/af_unix.c | 20 ++++++++++++--------
 1 file changed, 12 insertions(+), 8 deletions(-)

diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c
index a210275368560..2fe0efcbfed16 100644
--- a/net/unix/af_unix.c
+++ b/net/unix/af_unix.c
@@ -529,7 +529,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
 	/* Clear state */
 	unix_state_lock(sk);
 	sock_orphan(sk);
-	sk->sk_shutdown = SHUTDOWN_MASK;
+	WRITE_ONCE(sk->sk_shutdown, SHUTDOWN_MASK);
 	path	     = u->path;
 	u->path.dentry = NULL;
 	u->path.mnt = NULL;
@@ -547,7 +547,7 @@ static void unix_release_sock(struct sock *sk, int embrion)
 		if (sk->sk_type == SOCK_STREAM || sk->sk_type == SOCK_SEQPACKET) {
 			unix_state_lock(skpair);
 			/* No more writes */
-			skpair->sk_shutdown = SHUTDOWN_MASK;
+			WRITE_ONCE(skpair->sk_shutdown, SHUTDOWN_MASK);
 			if (!skb_queue_empty(&sk->sk_receive_queue) || embrion)
 				skpair->sk_err = ECONNRESET;
 			unix_state_unlock(skpair);
@@ -2581,7 +2581,7 @@ static int unix_shutdown(struct socket *sock, int mode)
 	++mode;
 
 	unix_state_lock(sk);
-	sk->sk_shutdown |= mode;
+	WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | mode);
 	other = unix_peer(sk);
 	if (other)
 		sock_hold(other);
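Review bot: in `WRITE_ONCE(sk->sk_shutdown, sk->sk_shutdown | mode)` the right-hand side is still a plain load, so the update is a non-atomic read-modify-write that is safe only because unix_state_lock(sk) is taken two lines above. That holds here, but a short comment that every sk_shutdown writer must hold the state lock would document the invariant the lockless readers depend on; the same applies to the `other->sk_shutdown` update in the next hunk.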
@@ -2598,7 +2598,7 @@ static int unix_shutdown(struct socket *sock, int mode)
 		if (mode&SEND_SHUTDOWN)
 			peer_mode |= RCV_SHUTDOWN;
 		unix_state_lock(other);
-		other->sk_shutdown |= peer_mode;
+		WRITE_ONCE(other->sk_shutdown, other->sk_shutdown | peer_mode);
 		unix_state_unlock(other);
 		other->sk_state_change(other);
 		if (peer_mode == SHUTDOWN_MASK)
@@ -2717,16 +2717,18 @@ static __poll_t unix_poll(struct file *file, struct socket *sock, poll_table *wa
 {
 	struct sock *sk = sock->sk;
 	__poll_t mask;
+	u8 shutdown;
 
 	sock_poll_wait(file, sock, wait);
 	mask = 0;
+	shutdown = READ_ONCE(sk->sk_shutdown);
 
 	/* exceptional events? */
 	if (sk->sk_err)
 		mask |= EPOLLERR;
-	if (sk->sk_shutdown == SHUTDOWN_MASK)
+	if (shutdown == SHUTDOWN_MASK)
 		mask |= EPOLLHUP;
-	if (sk->sk_shutdown & RCV_SHUTDOWN)
+	if (shutdown & RCV_SHUTDOWN)
 		mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM;
 
 	/* readable? */
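Review bot: `if (sk->sk_err)` in unix_poll() is left as a plain lockless read, while 016 in this series converts the same test in datagram_poll() to READ_ONCE(sk->sk_err), and the earlier hunk in this patch still stores `skpair->sk_err = ECONNRESET` without WRITE_ONCE(). Either annotate sk_err here as well or state in the changelog that it is handled separately; unix_dgram_poll() in the next hunk has the same unannotated read.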
@@ -2754,18 +2756,20 @@ static __poll_t unix_dgram_poll(struct file *file, struct socket *sock,
 	struct sock *sk = sock->sk, *other;
 	unsigned int writable;
 	__poll_t mask;
+	u8 shutdown;
 
 	sock_poll_wait(file, sock, wait);
 	mask = 0;
+	shutdown = READ_ONCE(sk->sk_shutdown);
 
 	/* exceptional events? */
 	if (sk->sk_err || !skb_queue_empty_lockless(&sk->sk_error_queue))
 		mask |= EPOLLERR |
 			(sock_flag(sk, SOCK_SELECT_ERR_QUEUE) ? EPOLLPRI : 0);
 
-	if (sk->sk_shutdown & RCV_SHUTDOWN)
+	if (shutdown & RCV_SHUTDOWN)
 		mask |= EPOLLRDHUP | EPOLLIN | EPOLLRDNORM;
-	if (sk->sk_shutdown == SHUTDOWN_MASK)
+	if (shutdown == SHUTDOWN_MASK)
 		mask |= EPOLLHUP;
 
 	/* readable? */
-- 
2.39.2





* [PATCH 5.10 019/211] drm/i915/dp: prevent potential div-by-zero
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (17 preceding siblings ...)
  2023-05-28 19:08 ` [PATCH 5.10 018/211] af_unix: Fix data races around sk->sk_shutdown Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 020/211] fbdev: arcfb: Fix error handling in arcfb_probe() Greg Kroah-Hartman
                   ` (197 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikita Zhandarovich, Rodrigo Vivi,
	Joonas Lahtinen, Sasha Levin

From: Nikita Zhandarovich <n.zhandarovich@fintech.ru>

[ Upstream commit 0ff80028e2702c7c3d78b69705dc47c1ccba8c39 ]

drm_dp_dsc_sink_max_slice_count() may return 0 if something goes
wrong on the part of the DSC sink and its DPCD register. This null
value may be later used as a divisor in intel_dsc_compute_params(),
which will lead to an error.
In the unlikely event that this issue occurs, fix it by testing the
return value of drm_dp_dsc_sink_max_slice_count() against zero.

Found by Linux Verification Center (linuxtesting.org) with static
analysis tool SVACE.

Fixes: a4a157777c80 ("drm/i915/dp: Compute DSC pipe config in atomic check")
Signed-off-by: Nikita Zhandarovich <n.zhandarovich@fintech.ru>
Reviewed-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230418140430.69902-1-n.zhandarovich@fintech.ru
(cherry picked from commit 51f7008239de011370c5067bbba07f0207f06b72)
Signed-off-by: Joonas Lahtinen <joonas.lahtinen@linux.intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/i915/display/intel_dp.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/gpu/drm/i915/display/intel_dp.c b/drivers/gpu/drm/i915/display/intel_dp.c
index 1c1931f5c958b..7f633f8b3239a 100644
--- a/drivers/gpu/drm/i915/display/intel_dp.c
+++ b/drivers/gpu/drm/i915/display/intel_dp.c
@@ -2281,6 +2281,11 @@ static int intel_dp_dsc_compute_config(struct intel_dp *intel_dp,
 		pipe_config->dsc.slice_count =
 			drm_dp_dsc_sink_max_slice_count(intel_dp->dsc_dpcd,
 							true);
+		if (!pipe_config->dsc.slice_count) {
+			drm_dbg_kms(&dev_priv->drm, "Unsupported Slice Count %d\n",
+				    pipe_config->dsc.slice_count);
+			return -EINVAL;
+		}
 	} else {
 		u16 dsc_max_output_bpp;
 		u8 dsc_dp_slice_count;
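Review bot: the drm_dbg_kms() argument is always 0 inside `if (!pipe_config->dsc.slice_count)`, so "Unsupported Slice Count %d" carries no information. Drop the format argument, or log that drm_dp_dsc_sink_max_slice_count() returned 0 so the message points at the sink's DPCD data. How `dsc_dp_slice_count` in the `else` branch is validated is not visible in this hunk; check that it cannot reach the divisor as 0 either.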
-- 
2.39.2





* [PATCH 5.10 020/211] fbdev: arcfb: Fix error handling in arcfb_probe()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (18 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 019/211] drm/i915/dp: prevent potential div-by-zero Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 021/211] ext4: remove an unused variable warning with CONFIG_QUOTA=n Greg Kroah-Hartman
                   ` (196 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zongjie Li, Dongliang Mu,
	Helge Deller, Sasha Levin

From: Zongjie Li <u202112089@hust.edu.cn>

[ Upstream commit 5a6bef734247c7a8c19511664ff77634ab86f45b ]

Smatch complains that:
arcfb_probe() warn: 'irq' from request_irq() not released on lines: 587.

Fix error handling in the arcfb_probe() function. If IO addresses are
not provided or framebuffer registration fails, the code will jump to
the err_addr or err_register_fb label to release resources.
If IRQ request fails, previously allocated resources will be freed.

Fixes: 1154ea7dcd8e ("[PATCH] Framebuffer driver for Arc LCD board")
Signed-off-by: Zongjie Li <u202112089@hust.edu.cn>
Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/video/fbdev/arcfb.c | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)

diff --git a/drivers/video/fbdev/arcfb.c b/drivers/video/fbdev/arcfb.c
index 1447324ed0b64..08da436265d92 100644
--- a/drivers/video/fbdev/arcfb.c
+++ b/drivers/video/fbdev/arcfb.c
@@ -523,7 +523,7 @@ static int arcfb_probe(struct platform_device *dev)
 
 	info = framebuffer_alloc(sizeof(struct arcfb_par), &dev->dev);
 	if (!info)
-		goto err;
+		goto err_fb_alloc;
 
 	info->screen_base = (char __iomem *)videomemory;
 	info->fbops = &arcfb_ops;
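Review bot: `goto err_fb_alloc` after a failed framebuffer_alloc() ends in `return retval`, but no assignment to retval is visible on this path, nor on the "no IO addresses supplied" path in the next hunk. Confirm retval holds a negative errno at both gotos; if it is still 0 there, probe would return success after freeing videomemory.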
@@ -535,7 +535,7 @@ static int arcfb_probe(struct platform_device *dev)
 
 	if (!dio_addr || !cio_addr || !c2io_addr) {
 		printk(KERN_WARNING "no IO addresses supplied\n");
-		goto err1;
+		goto err_addr;
 	}
 	par->dio_addr = dio_addr;
 	par->cio_addr = cio_addr;
@@ -551,12 +551,12 @@ static int arcfb_probe(struct platform_device *dev)
 			printk(KERN_INFO
 				"arcfb: Failed req IRQ %d\n", par->irq);
 			retval = -EBUSY;
-			goto err1;
+			goto err_addr;
 		}
 	}
 	retval = register_framebuffer(info);
 	if (retval < 0)
-		goto err1;
+		goto err_register_fb;
 	platform_set_drvdata(dev, info);
 	fb_info(info, "Arc frame buffer device, using %dK of video memory\n",
 		videomemorysize >> 10);
@@ -580,9 +580,12 @@ static int arcfb_probe(struct platform_device *dev)
 	}
 
 	return 0;
-err1:
+
+err_register_fb:
+	free_irq(par->irq, info);
+err_addr:
 	framebuffer_release(info);
-err:
+err_fb_alloc:
 	vfree(videomemory);
 	return retval;
 }
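Review bot: err_register_fb calls free_irq(par->irq, info) unconditionally, but the IRQ request in the previous hunk sits inside an outer block (two closing braces follow `goto err_addr;`) whose condition is not shown. If that block is skipped when no IRQ is configured, a register_framebuffer() failure would free an IRQ that was never requested; guard the free_irq() call with the same condition.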
-- 
2.39.2





* [PATCH 5.10 021/211] ext4: remove an unused variable warning with CONFIG_QUOTA=n
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (19 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 020/211] fbdev: arcfb: Fix error handling in arcfb_probe() Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 022/211] ext4: reflect error codes from ext4_multi_mount_protect() to its callers Greg Kroah-Hartman
                   ` (195 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Austin Kim, Jan Kara, Theodore Tso,
	Sasha Levin

From: Austin Kim <austindh.kim@gmail.com>

[ Upstream commit 3bbef91bdd2180c67407285ba160b023eb4d5306 ]

The 'enable_quota' variable is only used in a CONFIG_QUOTA block.
With CONFIG_QUOTA=n, the compiler emits a harmless warning:

fs/ext4/super.c: In function ‘ext4_remount’:
fs/ext4/super.c:5840:6: warning: variable ‘enable_quota’ set but not used
  [-Wunused-but-set-variable]
  int enable_quota = 0;
              ^~~~~

Move 'enable_quota' into the same #ifdef CONFIG_QUOTA block
to remove an unused variable warning.

Signed-off-by: Austin Kim <austindh.kim@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/20210824034929.GA13415@raspberrypi
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: a44be64bbecb ("ext4: don't clear SB_RDONLY when remounting r/w until quota is re-enabled")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/super.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 8694be5132415..d75aa45a846d1 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5792,11 +5792,11 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data)
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
 	unsigned long old_sb_flags, vfs_flags;
 	struct ext4_mount_options old_opts;
-	int enable_quota = 0;
 	ext4_group_t g;
 	unsigned int journal_ioprio = DEFAULT_JOURNAL_IOPRIO;
 	int err = 0;
 #ifdef CONFIG_QUOTA
+	int enable_quota = 0;
 	int i, j;
 	char *to_free[EXT4_MAXQUOTAS];
 #endif
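Review bot: moving `int enable_quota = 0;` under `#ifdef CONFIG_QUOTA` forces the assignment in the next hunk to be wrapped in its own #ifdef/#endif pair inside the function body. Marking the variable `__maybe_unused` at its original position would silence the warning without adding preprocessor blocks to ext4_remount().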
@@ -5994,7 +5994,9 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data)
 					err = -EROFS;
 					goto restore_opts;
 				}
+#ifdef CONFIG_QUOTA
 			enable_quota = 1;
+#endif
 		}
 	}
 
-- 
2.39.2





* [PATCH 5.10 022/211] ext4: reflect error codes from ext4_multi_mount_protect() to its callers
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (20 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 021/211] ext4: remove an unused variable warning with CONFIG_QUOTA=n Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 023/211] ext4: dont clear SB_RDONLY when remounting r/w until quota is re-enabled Greg Kroah-Hartman
                   ` (194 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andreas Dilger, Theodore Tso, Sasha Levin

From: Theodore Ts'o <tytso@mit.edu>

[ Upstream commit 3b50d5018ed06a647bb26c44bb5ae74e59c903c7 ]

This will allow more fine-grained errno codes to be returned by the
mount system call.

Cc: Andreas Dilger <adilger.kernel@dilger.ca>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: a44be64bbecb ("ext4: don't clear SB_RDONLY when remounting r/w until quota is re-enabled")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/mmp.c   |  9 ++++++++-
 fs/ext4/super.c | 16 +++++++++-------
 2 files changed, 17 insertions(+), 8 deletions(-)

diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
index bc364c119af6a..92c863fd9a78d 100644
--- a/fs/ext4/mmp.c
+++ b/fs/ext4/mmp.c
@@ -290,6 +290,7 @@ int ext4_multi_mount_protect(struct super_block *sb,
 	if (mmp_block < le32_to_cpu(es->s_first_data_block) ||
 	    mmp_block >= ext4_blocks_count(es)) {
 		ext4_warning(sb, "Invalid MMP block in superblock");
+		retval = -EINVAL;
 		goto failed;
 	}
 
@@ -315,6 +316,7 @@ int ext4_multi_mount_protect(struct super_block *sb,
 
 	if (seq == EXT4_MMP_SEQ_FSCK) {
 		dump_mmp_msg(sb, mmp, "fsck is running on the filesystem");
+		retval = -EBUSY;
 		goto failed;
 	}
 
@@ -328,6 +330,7 @@ int ext4_multi_mount_protect(struct super_block *sb,
 
 	if (schedule_timeout_interruptible(HZ * wait_time) != 0) {
 		ext4_warning(sb, "MMP startup interrupted, failing mount\n");
+		retval = -ETIMEDOUT;
 		goto failed;
 	}
 
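Review bot: `retval = -ETIMEDOUT` is set when schedule_timeout_interruptible() returns non-zero, which is the case the warning itself calls "MMP startup interrupted", meaning the sleep was cut short rather than timed out. -EINTR would match both the condition and the message; the same applies to the second wait later in the function.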
@@ -338,6 +341,7 @@ int ext4_multi_mount_protect(struct super_block *sb,
 	if (seq != le32_to_cpu(mmp->mmp_seq)) {
 		dump_mmp_msg(sb, mmp,
 			     "Device is already active on another node.");
+		retval = -EBUSY;
 		goto failed;
 	}
 
@@ -357,6 +361,7 @@ int ext4_multi_mount_protect(struct super_block *sb,
 	 */
 	if (schedule_timeout_interruptible(HZ * wait_time) != 0) {
 		ext4_warning(sb, "MMP startup interrupted, failing mount");
+		retval = -ETIMEDOUT;
 		goto failed;
 	}
 
@@ -367,6 +372,7 @@ int ext4_multi_mount_protect(struct super_block *sb,
 	if (seq != le32_to_cpu(mmp->mmp_seq)) {
 		dump_mmp_msg(sb, mmp,
 			     "Device is already active on another node.");
+		retval = -EBUSY;
 		goto failed;
 	}
 
@@ -383,6 +389,7 @@ int ext4_multi_mount_protect(struct super_block *sb,
 		EXT4_SB(sb)->s_mmp_tsk = NULL;
 		ext4_warning(sb, "Unable to create kmmpd thread for %s.",
 			     sb->s_id);
+		retval = -ENOMEM;
 		goto failed;
 	}
 
@@ -390,5 +397,5 @@ int ext4_multi_mount_protect(struct super_block *sb,
 
 failed:
 	brelse(bh);
-	return 1;
+	return retval;
 }
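Review bot: with `return retval` replacing `return 1` at the failed label, any `goto failed` not touched by these hunks must also set retval, and its value on those paths is not visible here. Check the remaining jumps to `failed` in ext4_multi_mount_protect() so that none of them returns 0 and lets the mount proceed after an MMP failure.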
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index d75aa45a846d1..edd1409663932 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -4777,9 +4777,11 @@ static int ext4_fill_super(struct super_block *sb, void *data, int silent)
 	needs_recovery = (es->s_last_orphan != 0 ||
 			  ext4_has_feature_journal_needs_recovery(sb));
 
-	if (ext4_has_feature_mmp(sb) && !sb_rdonly(sb))
-		if (ext4_multi_mount_protect(sb, le64_to_cpu(es->s_mmp_block)))
+	if (ext4_has_feature_mmp(sb) && !sb_rdonly(sb)) {
+		err = ext4_multi_mount_protect(sb, le64_to_cpu(es->s_mmp_block));
+		if (err)
 			goto failed_mount3a;
+	}
 
 	/*
 	 * The first inode we look at is the journal inode.  Don't try
@@ -5988,12 +5990,12 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data)
 				goto restore_opts;
 
 			sb->s_flags &= ~SB_RDONLY;
-			if (ext4_has_feature_mmp(sb))
-				if (ext4_multi_mount_protect(sb,
-						le64_to_cpu(es->s_mmp_block))) {
-					err = -EROFS;
+			if (ext4_has_feature_mmp(sb)) {
+				err = ext4_multi_mount_protect(sb,
+						le64_to_cpu(es->s_mmp_block));
+				if (err)
 					goto restore_opts;
-				}
+			}
 #ifdef CONFIG_QUOTA
 			enable_quota = 1;
 #endif
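Review bot: ext4_remount() used to return -EROFS whenever ext4_multi_mount_protect() failed and now passes through whatever the helper returns, which changes the errno userspace sees on a read-write remount. The changelog only mentions the mount system call; say that remount is affected too, since this is going to stable.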
-- 
2.39.2





* [PATCH 5.10 023/211] ext4: dont clear SB_RDONLY when remounting r/w until quota is re-enabled
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (21 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 022/211] ext4: reflect error codes from ext4_multi_mount_protect() to its callers Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 024/211] ext4: fix lockdep warning when enabling MMP Greg Kroah-Hartman
                   ` (193 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, syzbot+6385d7d3065524c5ca6d,
	Theodore Tso, Sasha Levin

From: Theodore Ts'o <tytso@mit.edu>

[ Upstream commit a44be64bbecb15a452496f60db6eacfee2b59c79 ]

When a file system currently mounted read/only is remounted
read/write, if we clear the SB_RDONLY flag too early, before the quota
is initialized, and there is another process/thread constantly
attempting to create a directory, it's possible to trigger the

	WARN_ON_ONCE(dquot_initialize_needed(inode));

in ext4_xattr_block_set(), with the following stack trace:

   WARNING: CPU: 0 PID: 5338 at fs/ext4/xattr.c:2141 ext4_xattr_block_set+0x2ef2/0x3680
   RIP: 0010:ext4_xattr_block_set+0x2ef2/0x3680 fs/ext4/xattr.c:2141
   Call Trace:
    ext4_xattr_set_handle+0xcd4/0x15c0 fs/ext4/xattr.c:2458
    ext4_initxattrs+0xa3/0x110 fs/ext4/xattr_security.c:44
    security_inode_init_security+0x2df/0x3f0 security/security.c:1147
    __ext4_new_inode+0x347e/0x43d0 fs/ext4/ialloc.c:1324
    ext4_mkdir+0x425/0xce0 fs/ext4/namei.c:2992
    vfs_mkdir+0x29d/0x450 fs/namei.c:4038
    do_mkdirat+0x264/0x520 fs/namei.c:4061
    __do_sys_mkdirat fs/namei.c:4076 [inline]
    __se_sys_mkdirat fs/namei.c:4074 [inline]
    __x64_sys_mkdirat+0x89/0xa0 fs/namei.c:4074

Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20230506142419.984260-1-tytso@mit.edu
Reported-by: syzbot+6385d7d3065524c5ca6d@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=6513f6cb5cd6b5fc9f37e3bb70d273b94be9c34c
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/super.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index edd1409663932..681efff3af50f 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5797,6 +5797,7 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data)
 	ext4_group_t g;
 	unsigned int journal_ioprio = DEFAULT_JOURNAL_IOPRIO;
 	int err = 0;
+	int enable_rw = 0;
 #ifdef CONFIG_QUOTA
 	int enable_quota = 0;
 	int i, j;
@@ -5989,7 +5990,7 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data)
 			if (err)
 				goto restore_opts;
 
-			sb->s_flags &= ~SB_RDONLY;
+			enable_rw = 1;
 			if (ext4_has_feature_mmp(sb)) {
 				err = ext4_multi_mount_protect(sb,
 						le64_to_cpu(es->s_mmp_block));
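Review bot: With `sb->s_flags &= ~SB_RDONLY` replaced by `enable_rw = 1`, ext4_multi_mount_protect() just below now runs while the superblock still reports read-only. Please confirm that nothing it starts, such as the kmmpd thread, tests sb_rdonly(sb) before the flag is finally cleared at the end of ext4_remount(), or it could see a read-only filesystem and give up.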
@@ -6048,6 +6049,9 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data)
 	if (!test_opt(sb, BLOCK_VALIDITY) && sbi->s_system_blks)
 		ext4_release_system_zone(sb);
 
+	if (enable_rw)
+		sb->s_flags &= ~SB_RDONLY;
+
 	if (!ext4_has_feature_mmp(sb) || sb_rdonly(sb))
 		ext4_stop_mmpd(sbi);
 
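Review bot: The deferred `sb->s_flags &= ~SB_RDONLY` has to stay ahead of the `sb_rdonly(sb)` test in the statement right after it, otherwise a read/write remount would stop mmpd, and nothing in the hunk says so. A one-line comment above `if (enable_rw)` stating that the clear is delayed until quota is re-enabled and must precede the ext4_stop_mmpd() check would keep a later reordering from reintroducing either bug.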
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 024/211] ext4: fix lockdep warning when enabling MMP
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (22 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 023/211] ext4: dont clear SB_RDONLY when remounting r/w until quota is re-enabled Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 025/211] ext4: remove redundant mb_regenerate_buddy() Greg Kroah-Hartman
                   ` (192 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, syzbot+6b7df7d5506b32467149,
	Jan Kara, Christian Brauner, Theodore Tso, Sasha Levin

From: Jan Kara <jack@suse.cz>

[ Upstream commit 949f95ff39bf188e594e7ecd8e29b82eb108f5bf ]

When we enable MMP in ext4_multi_mount_protect() during mount or
remount, we end up calling sb_start_write() from write_mmp_block(). This
triggers lockdep warning because freeze protection ranks above s_umount
semaphore we are holding during mount / remount. The problem is harmless
because we are guaranteed the filesystem is not frozen during mount /
remount but still let's fix the warning by not grabbing freeze
protection from ext4_multi_mount_protect().

Cc: stable@kernel.org
Reported-by: syzbot+6b7df7d5506b32467149@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=ab7e5b6f400b7778d46f01841422e5718fb81843
Signed-off-by: Jan Kara <jack@suse.cz>
Reviewed-by: Christian Brauner <brauner@kernel.org>
Link: https://lore.kernel.org/r/20230411121019.21940-1-jack@suse.cz
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/mmp.c | 30 +++++++++++++++++++++---------
 1 file changed, 21 insertions(+), 9 deletions(-)

diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
index 92c863fd9a78d..7a9a8ed1de66c 100644
--- a/fs/ext4/mmp.c
+++ b/fs/ext4/mmp.c
@@ -39,28 +39,36 @@ static void ext4_mmp_csum_set(struct super_block *sb, struct mmp_struct *mmp)
  * Write the MMP block using REQ_SYNC to try to get the block on-disk
  * faster.
  */
-static int write_mmp_block(struct super_block *sb, struct buffer_head *bh)
+static int write_mmp_block_thawed(struct super_block *sb,
+				  struct buffer_head *bh)
 {
 	struct mmp_struct *mmp = (struct mmp_struct *)(bh->b_data);
 
-	/*
-	 * We protect against freezing so that we don't create dirty buffers
-	 * on frozen filesystem.
-	 */
-	sb_start_write(sb);
 	ext4_mmp_csum_set(sb, mmp);
 	lock_buffer(bh);
 	bh->b_end_io = end_buffer_write_sync;
 	get_bh(bh);
 	submit_bh(REQ_OP_WRITE, REQ_SYNC | REQ_META | REQ_PRIO, bh);
 	wait_on_buffer(bh);
-	sb_end_write(sb);
 	if (unlikely(!buffer_uptodate(bh)))
 		return -EIO;
-
 	return 0;
 }
 
+static int write_mmp_block(struct super_block *sb, struct buffer_head *bh)
+{
+	int err;
+
+	/*
+	 * We protect against freezing so that we don't create dirty buffers
+	 * on frozen filesystem.
+	 */
+	sb_start_write(sb);
+	err = write_mmp_block_thawed(sb, bh);
+	sb_end_write(sb);
+	return err;
+}
+
 /*
  * Read the MMP block. It _must_ be read from disk and hence we clear the
  * uptodate flag on the buffer.
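Review bot: write_mmp_block_thawed() drops the sb_start_write()/sb_end_write() pair but carries no statement of what the caller must guarantee in exchange; the only explanation sits at the call site in ext4_multi_mount_protect(). A comment on the helper saying it may only be used where freezing is already excluded would stop it being called from a context that can race with a freeze and dirty buffers on a frozen filesystem. The removal of the blank line before `return 0;` is an unrelated whitespace change.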
@@ -352,7 +360,11 @@ int ext4_multi_mount_protect(struct super_block *sb,
 	seq = mmp_new_seq();
 	mmp->mmp_seq = cpu_to_le32(seq);
 
-	retval = write_mmp_block(sb, bh);
+	/*
+	 * On mount / remount we are protected against fs freezing (by s_umount
+	 * semaphore) and grabbing freeze protection upsets lockdep
+	 */
+	retval = write_mmp_block_thawed(sb, bh);
 	if (retval)
 		goto failed;
 
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 025/211] ext4: remove redundant mb_regenerate_buddy()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (23 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 024/211] ext4: fix lockdep warning when enabling MMP Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 026/211] ext4: drop s_mb_bal_lock and convert protected fields to atomic Greg Kroah-Hartman
                   ` (191 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chunguang Xu, Andreas Dilger,
	Theodore Tso, Sasha Levin

From: Chunguang Xu <brookxu@tencent.com>

[ Upstream commit 6bd97bf273bdb4944904e57480f6545bca48ad77 ]

After this patch (163a203), if an abnormal bitmap is detected, we
will mark the group as corrupt, and we will not use this group in
the future. Therefore, it should be meaningless to regenerate the
buddy bitmap of this group. It might be better to delete it.

Signed-off-by: Chunguang Xu <brookxu@tencent.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Link: https://lore.kernel.org/r/1604764698-4269-2-git-send-email-brookxu@tencent.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 5354b2af3406 ("ext4: allow ext4_get_group_info() to fail")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/mballoc.c | 19 -------------------
 1 file changed, 19 deletions(-)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index a7c42e4bfc5ec..708a5fa3c69f6 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -822,24 +822,6 @@ void ext4_mb_generate_buddy(struct super_block *sb,
 	spin_unlock(&sbi->s_bal_lock);
 }
 
-static void mb_regenerate_buddy(struct ext4_buddy *e4b)
-{
-	int count;
-	int order = 1;
-	void *buddy;
-
-	while ((buddy = mb_find_buddy(e4b, order++, &count))) {
-		ext4_set_bits(buddy, 0, count);
-	}
-	e4b->bd_info->bb_fragments = 0;
-	memset(e4b->bd_info->bb_counters, 0,
-		sizeof(*e4b->bd_info->bb_counters) *
-		(e4b->bd_sb->s_blocksize_bits + 2));
-
-	ext4_mb_generate_buddy(e4b->bd_sb, e4b->bd_buddy,
-		e4b->bd_bitmap, e4b->bd_group);
-}
-
 /* The buddy information is attached the buddy cache inode
  * for convenience. The information regarding each group
  * is loaded via ext4_mb_load_buddy. The information involve
@@ -1512,7 +1494,6 @@ static void mb_free_blocks(struct inode *inode, struct ext4_buddy *e4b,
 				sb, e4b->bd_group,
 				EXT4_GROUP_INFO_BBITMAP_CORRUPT);
 		}
-		mb_regenerate_buddy(e4b);
 		goto done;
 	}
 
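Review bot: In mb_free_blocks() the deleted `mb_regenerate_buddy(e4b);` sat after the closing brace of the block that marks the group with EXT4_GROUP_INFO_BBITMAP_CORRUPT, so it ran whether or not that block executed. The commit message only argues for the case where the group has been marked corrupt; if the enclosing condition is false, the group is now neither marked nor regenerated before `goto done`. Please state why that path is safe, or keep the regeneration for it.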
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 026/211] ext4: drop s_mb_bal_lock and convert protected fields to atomic
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (24 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 025/211] ext4: remove redundant mb_regenerate_buddy() Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 027/211] ext4: add mballoc stats proc file Greg Kroah-Hartman
                   ` (190 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Harshad Shirwadkar, Andreas Dilger,
	Ritesh Harjani, Theodore Tso, Sasha Levin

From: Harshad Shirwadkar <harshadshirwadkar@gmail.com>

[ Upstream commit 67d25186046145748d5fe4c5019d832215e01c1e ]

s_mb_buddies_generated gets used later in this patch series to
determine if the cr 0 and cr 1 optimizations should be performed or
not. Currently, s_mb_buddies_generated is protected under a
spin_lock. In the allocation path, it is better if we don't depend on
the lock and instead read the value atomically. In order to do that,
we drop s_bal_lock altogether and we convert the only two protected
fields by it s_mb_buddies_generated and s_mb_generation_time to atomic
type.

Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Reviewed-by: Ritesh Harjani <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/20210401172129.189766-2-harshadshirwadkar@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 5354b2af3406 ("ext4: allow ext4_get_group_info() to fail")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/ext4.h    |  5 ++---
 fs/ext4/mballoc.c | 13 +++++--------
 2 files changed, 7 insertions(+), 11 deletions(-)

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 246573a4e8041..5efd48d7c9a79 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1538,9 +1538,8 @@ struct ext4_sb_info {
 	atomic_t s_bal_goals;	/* goal hits */
 	atomic_t s_bal_breaks;	/* too long searches */
 	atomic_t s_bal_2orders;	/* 2^order hits */
-	spinlock_t s_bal_lock;
-	unsigned long s_mb_buddies_generated;
-	unsigned long long s_mb_generation_time;
+	atomic_t s_mb_buddies_generated;	/* number of buddies generated */
+	atomic64_t s_mb_generation_time;
 	atomic_t s_mb_lost_chunks;
 	atomic_t s_mb_preallocated;
 	atomic_t s_mb_discarded;
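Review bot: `s_mb_buddies_generated` goes from `unsigned long` to `atomic_t`, which narrows the counter to 32 bits on 64-bit builds; say in the commit message that the reduced range is acceptable for this statistic. `s_mb_generation_time` is also left without a comment while its neighbour gains one, and the unit (cycles) is worth recording there.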
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 708a5fa3c69f6..beee54480562a 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -816,10 +816,8 @@ void ext4_mb_generate_buddy(struct super_block *sb,
 	clear_bit(EXT4_GROUP_INFO_NEED_INIT_BIT, &(grp->bb_state));
 
 	period = get_cycles() - period;
-	spin_lock(&sbi->s_bal_lock);
-	sbi->s_mb_buddies_generated++;
-	sbi->s_mb_generation_time += period;
-	spin_unlock(&sbi->s_bal_lock);
+	atomic_inc(&sbi->s_mb_buddies_generated);
+	atomic64_add(period, &sbi->s_mb_generation_time);
 }
 
 /* The buddy information is attached the buddy cache inode
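Review bot: Replacing the `s_bal_lock` section with `atomic_inc()` followed by `atomic64_add()` means the two counters are no longer updated as a unit, so a reader can observe a buddy count that includes a generation whose time has not been added yet. For statistics that is probably acceptable, but it should be stated in a comment so nobody later derives a per-buddy average from the pair and trusts it.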
@@ -2855,7 +2853,6 @@ int ext4_mb_init(struct super_block *sb)
 	} while (i <= sb->s_blocksize_bits + 1);
 
 	spin_lock_init(&sbi->s_md_lock);
-	spin_lock_init(&sbi->s_bal_lock);
 	sbi->s_mb_free_pending = 0;
 	INIT_LIST_HEAD(&sbi->s_freed_data_list);
 
@@ -2991,9 +2988,9 @@ int ext4_mb_release(struct super_block *sb)
 				atomic_read(&sbi->s_bal_breaks),
 				atomic_read(&sbi->s_mb_lost_chunks));
 		ext4_msg(sb, KERN_INFO,
-		       "mballoc: %lu generated and it took %Lu",
-				sbi->s_mb_buddies_generated,
-				sbi->s_mb_generation_time);
+		       "mballoc: %u generated and it took %llu",
+				atomic_read(&sbi->s_mb_buddies_generated),
+				atomic64_read(&sbi->s_mb_generation_time));
 		ext4_msg(sb, KERN_INFO,
 		       "mballoc: %u preallocated, %u discarded",
 				atomic_read(&sbi->s_mb_preallocated),
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 027/211] ext4: add mballoc stats proc file
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (25 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 026/211] ext4: drop s_mb_bal_lock and convert protected fields to atomic Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 028/211] ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set Greg Kroah-Hartman
                   ` (189 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Harshad Shirwadkar, Andreas Dilger,
	Ritesh Harjani, Theodore Tso, Sasha Levin

From: Harshad Shirwadkar <harshadshirwadkar@gmail.com>

[ Upstream commit a6c75eaf11032f4a3d2b3ce2265a194ac6e4a7f0 ]

Add new stats for measuring the performance of mballoc. This patch is
forked from Artem Blagodarenko's work that can be found here:

https://github.com/lustre/lustre-release/blob/master/ldiskfs/kernel_patches/patches/rhel8/ext4-simple-blockalloc.patch

This patch reorganizes the stats by cr level. This is how the output
looks like:

mballoc:
	reqs: 0
	success: 0
	groups_scanned: 0
	cr0_stats:
		hits: 0
		groups_considered: 0
		useless_loops: 0
		bad_suggestions: 0
	cr1_stats:
		hits: 0
		groups_considered: 0
		useless_loops: 0
		bad_suggestions: 0
	cr2_stats:
		hits: 0
		groups_considered: 0
		useless_loops: 0
	cr3_stats:
		hits: 0
		groups_considered: 0
		useless_loops: 0
	extents_scanned: 0
		goal_hits: 0
		2^n_hits: 0
		breaks: 0
		lost: 0
	buddies_generated: 0/40
	buddies_time_used: 0
	preallocated: 0
	discarded: 0

Signed-off-by: Harshad Shirwadkar <harshadshirwadkar@gmail.com>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Reviewed-by: Ritesh Harjani <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/20210401172129.189766-4-harshadshirwadkar@gmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 5354b2af3406 ("ext4: allow ext4_get_group_info() to fail")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/ext4.h    |  5 ++++
 fs/ext4/mballoc.c | 75 +++++++++++++++++++++++++++++++++++++++++++++--
 fs/ext4/sysfs.c   |  2 ++
 3 files changed, 80 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 5efd48d7c9a79..1de55d8e0d354 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1535,9 +1535,13 @@ struct ext4_sb_info {
 	atomic_t s_bal_success;	/* we found long enough chunks */
 	atomic_t s_bal_allocated;	/* in blocks */
 	atomic_t s_bal_ex_scanned;	/* total extents scanned */
+	atomic_t s_bal_groups_scanned;	/* number of groups scanned */
 	atomic_t s_bal_goals;	/* goal hits */
 	atomic_t s_bal_breaks;	/* too long searches */
 	atomic_t s_bal_2orders;	/* 2^order hits */
+	atomic64_t s_bal_cX_groups_considered[4];
+	atomic64_t s_bal_cX_hits[4];
+	atomic64_t s_bal_cX_failed[4];		/* cX loop didn't find blocks */
 	atomic_t s_mb_buddies_generated;	/* number of buddies generated */
 	atomic64_t s_mb_generation_time;
 	atomic_t s_mb_lost_chunks;
@@ -2784,6 +2788,7 @@ int ext4_fc_record_regions(struct super_block *sb, int ino,
 extern const struct seq_operations ext4_mb_seq_groups_ops;
 extern long ext4_mb_stats;
 extern long ext4_mb_max_to_scan;
+extern int ext4_seq_mb_stats_show(struct seq_file *seq, void *offset);
 extern int ext4_mb_init(struct super_block *);
 extern int ext4_mb_release(struct super_block *);
 extern ext4_fsblk_t ext4_mb_new_blocks(handle_t *,
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index beee54480562a..aa51d1b837274 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2151,6 +2151,8 @@ static int ext4_mb_good_group_nolock(struct ext4_allocation_context *ac,
 	ext4_grpblk_t free;
 	int ret = 0;
 
+	if (sbi->s_mb_stats)
+		atomic64_inc(&sbi->s_bal_cX_groups_considered[ac->ac_criteria]);
 	if (should_lock)
 		ext4_lock_group(sb, group);
 	free = grp->bb_free;
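Review bot: `s_bal_cX_groups_considered[ac->ac_criteria]` indexes an array declared with a bare `[4]` in ext4.h, and nothing here bounds `ac_criteria`. A named constant for the number of criteria levels, shared by the three array declarations and usable in a sanity check, would keep an added criterion from writing past the end of the array.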
@@ -2425,6 +2427,9 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac)
 			if (ac->ac_status != AC_STATUS_CONTINUE)
 				break;
 		}
+		/* Processed all groups and haven't found blocks */
+		if (sbi->s_mb_stats && i == ngroups)
+			atomic64_inc(&sbi->s_bal_cX_failed[cr]);
 	}
 
 	if (ac->ac_b_ex.fe_len > 0 && ac->ac_status != AC_STATUS_FOUND &&
@@ -2454,6 +2459,9 @@ ext4_mb_regular_allocator(struct ext4_allocation_context *ac)
 			goto repeat;
 		}
 	}
+
+	if (sbi->s_mb_stats && ac->ac_status == AC_STATUS_FOUND)
+		atomic64_inc(&sbi->s_bal_cX_hits[ac->ac_criteria]);
 out:
 	if (!err && ac->ac_status != AC_STATUS_FOUND && first_err)
 		err = first_err;
@@ -2553,6 +2561,67 @@ const struct seq_operations ext4_mb_seq_groups_ops = {
 	.show   = ext4_mb_seq_groups_show,
 };
 
+int ext4_seq_mb_stats_show(struct seq_file *seq, void *offset)
+{
+	struct super_block *sb = (struct super_block *)seq->private;
+	struct ext4_sb_info *sbi = EXT4_SB(sb);
+
+	seq_puts(seq, "mballoc:\n");
+	if (!sbi->s_mb_stats) {
+		seq_puts(seq, "\tmb stats collection turned off.\n");
+		seq_puts(seq, "\tTo enable, please write \"1\" to sysfs file mb_stats.\n");
+		return 0;
+	}
+	seq_printf(seq, "\treqs: %u\n", atomic_read(&sbi->s_bal_reqs));
+	seq_printf(seq, "\tsuccess: %u\n", atomic_read(&sbi->s_bal_success));
+
+	seq_printf(seq, "\tgroups_scanned: %u\n",  atomic_read(&sbi->s_bal_groups_scanned));
+
+	seq_puts(seq, "\tcr0_stats:\n");
+	seq_printf(seq, "\t\thits: %llu\n", atomic64_read(&sbi->s_bal_cX_hits[0]));
+	seq_printf(seq, "\t\tgroups_considered: %llu\n",
+		   atomic64_read(&sbi->s_bal_cX_groups_considered[0]));
+	seq_printf(seq, "\t\tuseless_loops: %llu\n",
+		   atomic64_read(&sbi->s_bal_cX_failed[0]));
+
+	seq_puts(seq, "\tcr1_stats:\n");
+	seq_printf(seq, "\t\thits: %llu\n", atomic64_read(&sbi->s_bal_cX_hits[1]));
+	seq_printf(seq, "\t\tgroups_considered: %llu\n",
+		   atomic64_read(&sbi->s_bal_cX_groups_considered[1]));
+	seq_printf(seq, "\t\tuseless_loops: %llu\n",
+		   atomic64_read(&sbi->s_bal_cX_failed[1]));
+
+	seq_puts(seq, "\tcr2_stats:\n");
+	seq_printf(seq, "\t\thits: %llu\n", atomic64_read(&sbi->s_bal_cX_hits[2]));
+	seq_printf(seq, "\t\tgroups_considered: %llu\n",
+		   atomic64_read(&sbi->s_bal_cX_groups_considered[2]));
+	seq_printf(seq, "\t\tuseless_loops: %llu\n",
+		   atomic64_read(&sbi->s_bal_cX_failed[2]));
+
+	seq_puts(seq, "\tcr3_stats:\n");
+	seq_printf(seq, "\t\thits: %llu\n", atomic64_read(&sbi->s_bal_cX_hits[3]));
+	seq_printf(seq, "\t\tgroups_considered: %llu\n",
+		   atomic64_read(&sbi->s_bal_cX_groups_considered[3]));
+	seq_printf(seq, "\t\tuseless_loops: %llu\n",
+		   atomic64_read(&sbi->s_bal_cX_failed[3]));
+	seq_printf(seq, "\textents_scanned: %u\n", atomic_read(&sbi->s_bal_ex_scanned));
+	seq_printf(seq, "\t\tgoal_hits: %u\n", atomic_read(&sbi->s_bal_goals));
+	seq_printf(seq, "\t\t2^n_hits: %u\n", atomic_read(&sbi->s_bal_2orders));
+	seq_printf(seq, "\t\tbreaks: %u\n", atomic_read(&sbi->s_bal_breaks));
+	seq_printf(seq, "\t\tlost: %u\n", atomic_read(&sbi->s_mb_lost_chunks));
+
+	seq_printf(seq, "\tbuddies_generated: %u/%u\n",
+		   atomic_read(&sbi->s_mb_buddies_generated),
+		   ext4_get_groups_count(sb));
+	seq_printf(seq, "\tbuddies_time_used: %llu\n",
+		   atomic64_read(&sbi->s_mb_generation_time));
+	seq_printf(seq, "\tpreallocated: %u\n",
+		   atomic_read(&sbi->s_mb_preallocated));
+	seq_printf(seq, "\tdiscarded: %u\n",
+		   atomic_read(&sbi->s_mb_discarded));
+	return 0;
+}
+
 static struct kmem_cache *get_groupinfo_cache(int blocksize_bits)
 {
 	int cache_index = blocksize_bits - EXT4_MIN_BLOCK_LOG_SIZE;
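Review bot: ext4_seq_mb_stats_show() never prints the `bad_suggestions` lines that the commit message's sample output lists under cr0_stats and cr1_stats, so the documented format and the code disagree; correct whichever is wrong. The four crN blocks differ only in the array index and would be shorter and harder to get out of step as a loop.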
@@ -2980,9 +3049,10 @@ int ext4_mb_release(struct super_block *sb)
 				atomic_read(&sbi->s_bal_reqs),
 				atomic_read(&sbi->s_bal_success));
 		ext4_msg(sb, KERN_INFO,
-		      "mballoc: %u extents scanned, %u goal hits, "
+		      "mballoc: %u extents scanned, %u groups scanned, %u goal hits, "
 				"%u 2^N hits, %u breaks, %u lost",
 				atomic_read(&sbi->s_bal_ex_scanned),
+				atomic_read(&sbi->s_bal_groups_scanned),
 				atomic_read(&sbi->s_bal_goals),
 				atomic_read(&sbi->s_bal_2orders),
 				atomic_read(&sbi->s_bal_breaks),
@@ -3620,12 +3690,13 @@ static void ext4_mb_collect_stats(struct ext4_allocation_context *ac)
 {
 	struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
 
-	if (sbi->s_mb_stats && ac->ac_g_ex.fe_len > 1) {
+	if (sbi->s_mb_stats && ac->ac_g_ex.fe_len >= 1) {
 		atomic_inc(&sbi->s_bal_reqs);
 		atomic_add(ac->ac_b_ex.fe_len, &sbi->s_bal_allocated);
 		if (ac->ac_b_ex.fe_len >= ac->ac_o_ex.fe_len)
 			atomic_inc(&sbi->s_bal_success);
 		atomic_add(ac->ac_found, &sbi->s_bal_ex_scanned);
+		atomic_add(ac->ac_groups_scanned, &sbi->s_bal_groups_scanned);
 		if (ac->ac_g_ex.fe_start == ac->ac_b_ex.fe_start &&
 				ac->ac_g_ex.fe_group == ac->ac_b_ex.fe_group)
 			atomic_inc(&sbi->s_bal_goals);
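Review bot: Changing `ac->ac_g_ex.fe_len > 1` to `>= 1` makes single-block requests count toward `s_bal_reqs`, `s_bal_allocated` and `s_bal_success`, which shifts the meaning of counters that existed before this patch. The commit message talks only about adding and reorganizing stats; mention this change there so the numbers are not compared across kernels unknowingly.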
diff --git a/fs/ext4/sysfs.c b/fs/ext4/sysfs.c
index ce74cde6d8faa..b0bb4a92c9c94 100644
--- a/fs/ext4/sysfs.c
+++ b/fs/ext4/sysfs.c
@@ -539,6 +539,8 @@ int ext4_register_sysfs(struct super_block *sb)
 					ext4_fc_info_show, sb);
 		proc_create_seq_data("mb_groups", S_IRUGO, sbi->s_proc,
 				&ext4_mb_seq_groups_ops, sb);
+		proc_create_single_data("mb_stats", 0444, sbi->s_proc,
+				ext4_seq_mb_stats_show, sb);
 	}
 	return 0;
 }
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 028/211] ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (26 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 027/211] ext4: add mballoc stats proc file Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 029/211] ext4: allow ext4_get_group_info() to fail Greg Kroah-Hartman
                   ` (188 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kemeng Shi, Ojaswin Mujoo,
	Theodore Tso, Sasha Levin

From: Kemeng Shi <shikemeng@huaweicloud.com>

[ Upstream commit 01e4ca29451760b9ac10b4cdc231c52150842643 ]

If EXT4_MB_HINT_GOAL_ONLY is set, ext4_mb_regular_allocator will only
allocate blocks from ext4_mb_find_by_goal. Allow to find by goal in
ext4_mb_find_by_goal if EXT4_MB_HINT_GOAL_ONLY is set or allocation
with EXT4_MB_HINT_GOAL_ONLY set will always fail.

EXT4_MB_HINT_GOAL_ONLY is not used at all, so the problem is not
found for now.

Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Link: https://lore.kernel.org/r/20230303172120.3800725-3-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Stable-dep-of: 5354b2af3406 ("ext4: allow ext4_get_group_info() to fail")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/mballoc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index aa51d1b837274..84d74ba02b378 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -1864,7 +1864,7 @@ int ext4_mb_find_by_goal(struct ext4_allocation_context *ac,
 	struct ext4_group_info *grp = ext4_get_group_info(ac->ac_sb, group);
 	struct ext4_free_extent ex;
 
-	if (!(ac->ac_flags & EXT4_MB_HINT_TRY_GOAL))
+	if (!(ac->ac_flags & (EXT4_MB_HINT_TRY_GOAL | EXT4_MB_HINT_GOAL_ONLY)))
 		return 0;
 	if (grp->bb_free == 0)
 		return 0;
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 029/211] ext4: allow ext4_get_group_info() to fail
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (27 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 028/211] ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 030/211] refscale: Move shutdown from wait_event() to wait_event_idle() Greg Kroah-Hartman
                   ` (187 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, syzbot+e2efa3efc15a1c9e95c3,
	Theodore Tso, Jan Kara, Sasha Levin

From: Theodore Ts'o <tytso@mit.edu>

[ Upstream commit 5354b2af34064a4579be8bc0e2f15a7b70f14b5f ]

Previously, ext4_get_group_info() would treat an invalid group number
as BUG(), since in theory it should never happen.  However, if a
malicious attacker (or fuzzer) modifies the superblock via the block
device while the file system is mounted, it is possible for
s_first_data_block to get set to a very large number.  In that case,
calculating the block group of some block number (such as the
starting block of a preallocation region) could result in an
underflow and very large block group number.  Then the BUG_ON check in
ext4_get_group_info() would fire, resulting in a denial of service
attack that can be triggered by root or someone with write access to
the block device.

From a quality of implementation perspective, it's best that even if
the system administrator does something that they shouldn't, that it
will not trigger a BUG.  So instead of BUG'ing, ext4_get_group_info()
will call ext4_error and return NULL.  We also add fallback code in
all of the callers of ext4_get_group_info() that it might return NULL.

Also, since ext4_get_group_info() was already borderline to be an
inline function, un-inline it.  This results in a net reduction of the
compiled text size of ext4 by roughly 2k.

Cc: stable@kernel.org
Link: https://lore.kernel.org/r/20230430154311.579720-2-tytso@mit.edu
Reported-by: syzbot+e2efa3efc15a1c9e95c3@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?id=69b28112e098b070f639efb356393af3ffec4220
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/balloc.c  | 18 ++++++++++++-
 fs/ext4/ext4.h    | 15 ++---------
 fs/ext4/ialloc.c  | 12 ++++++---
 fs/ext4/mballoc.c | 64 +++++++++++++++++++++++++++++++++++++++--------
 fs/ext4/super.c   |  2 ++
 5 files changed, 82 insertions(+), 29 deletions(-)

diff --git a/fs/ext4/balloc.c b/fs/ext4/balloc.c
index 50a0e90e8af9b..a43167042b6b1 100644
--- a/fs/ext4/balloc.c
+++ b/fs/ext4/balloc.c
@@ -319,6 +319,22 @@ static ext4_fsblk_t ext4_valid_block_bitmap_padding(struct super_block *sb,
 	return (next_zero_bit < bitmap_size ? next_zero_bit : 0);
 }
 
+struct ext4_group_info *ext4_get_group_info(struct super_block *sb,
+					    ext4_group_t group)
+{
+	 struct ext4_group_info **grp_info;
+	 long indexv, indexh;
+
+	 if (unlikely(group >= EXT4_SB(sb)->s_groups_count)) {
+		 ext4_error(sb, "invalid group %u", group);
+		 return NULL;
+	 }
+	 indexv = group >> (EXT4_DESC_PER_BLOCK_BITS(sb));
+	 indexh = group & ((EXT4_DESC_PER_BLOCK(sb)) - 1);
+	 grp_info = sbi_array_rcu_deref(EXT4_SB(sb), s_group_info, indexv);
+	 return grp_info[indexh];
+}
+
 /*
  * Return the block number which was discovered to be invalid, or 0 if
  * the block bitmap is valid.
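Review bot: Swapping BUG_ON() for `ext4_error(sb, "invalid group %u", group)` only removes the crash when the filesystem's error policy allows continuing; on a mount with errors=panic the same on-disk tampering still takes the machine down, so the denial of service described in the commit message is narrowed rather than closed. The function also needs a comment saying it can now return NULL, since that is a contract change for every caller, and the body keeps the tab-plus-space indentation of the old inline version.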
@@ -393,7 +409,7 @@ static int ext4_validate_block_bitmap(struct super_block *sb,
 
 	if (buffer_verified(bh))
 		return 0;
-	if (EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
+	if (!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))
 		return -EFSCORRUPTED;
 
 	ext4_lock_group(sb, block_group);
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 1de55d8e0d354..84a240025aa46 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -2551,6 +2551,8 @@ extern void ext4_check_blocks_bitmap(struct super_block *);
 extern struct ext4_group_desc * ext4_get_group_desc(struct super_block * sb,
 						    ext4_group_t block_group,
 						    struct buffer_head ** bh);
+extern struct ext4_group_info *ext4_get_group_info(struct super_block *sb,
+						   ext4_group_t group);
 extern int ext4_should_retry_alloc(struct super_block *sb, int *retries);
 
 extern struct buffer_head *ext4_read_block_bitmap_nowait(struct super_block *sb,
@@ -3198,19 +3200,6 @@ static inline void ext4_isize_set(struct ext4_inode *raw_inode, loff_t i_size)
 	raw_inode->i_size_high = cpu_to_le32(i_size >> 32);
 }
 
-static inline
-struct ext4_group_info *ext4_get_group_info(struct super_block *sb,
-					    ext4_group_t group)
-{
-	 struct ext4_group_info **grp_info;
-	 long indexv, indexh;
-	 BUG_ON(group >= EXT4_SB(sb)->s_groups_count);
-	 indexv = group >> (EXT4_DESC_PER_BLOCK_BITS(sb));
-	 indexh = group & ((EXT4_DESC_PER_BLOCK(sb)) - 1);
-	 grp_info = sbi_array_rcu_deref(EXT4_SB(sb), s_group_info, indexv);
-	 return grp_info[indexh];
-}
-
 /*
  * Reading s_groups_count requires using smp_rmb() afterwards.  See
  * the locking protocol documented in the comments of ext4_group_add()
diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
index c53c9b1322049..d178543ca13f1 100644
--- a/fs/ext4/ialloc.c
+++ b/fs/ext4/ialloc.c
@@ -91,7 +91,7 @@ static int ext4_validate_inode_bitmap(struct super_block *sb,
 
 	if (buffer_verified(bh))
 		return 0;
-	if (EXT4_MB_GRP_IBITMAP_CORRUPT(grp))
+	if (!grp || EXT4_MB_GRP_IBITMAP_CORRUPT(grp))
 		return -EFSCORRUPTED;
 
 	ext4_lock_group(sb, block_group);
@@ -293,7 +293,7 @@ void ext4_free_inode(handle_t *handle, struct inode *inode)
 	}
 	if (!(sbi->s_mount_state & EXT4_FC_REPLAY)) {
 		grp = ext4_get_group_info(sb, block_group);
-		if (unlikely(EXT4_MB_GRP_IBITMAP_CORRUPT(grp))) {
+		if (!grp || unlikely(EXT4_MB_GRP_IBITMAP_CORRUPT(grp))) {
 			fatal = -EFSCORRUPTED;
 			goto error_return;
 		}
@@ -1045,7 +1045,7 @@ struct inode *__ext4_new_inode(handle_t *handle, struct inode *dir,
 			 * Skip groups with already-known suspicious inode
 			 * tables
 			 */
-			if (EXT4_MB_GRP_IBITMAP_CORRUPT(grp))
+			if (!grp || EXT4_MB_GRP_IBITMAP_CORRUPT(grp))
 				goto next_group;
 		}
 
@@ -1180,6 +1180,10 @@ struct inode *__ext4_new_inode(handle_t *handle, struct inode *dir,
 
 		if (!(sbi->s_mount_state & EXT4_FC_REPLAY)) {
 			grp = ext4_get_group_info(sb, group);
+			if (!grp) {
+				err = -EFSCORRUPTED;
+				goto out;
+			}
 			down_read(&grp->alloc_sem); /*
 						     * protect vs itable
 						     * lazyinit
@@ -1523,7 +1527,7 @@ int ext4_init_inode_table(struct super_block *sb, ext4_group_t group,
 	}
 
 	gdp = ext4_get_group_desc(sb, group, &group_desc_bh);
-	if (!gdp)
+	if (!gdp || !grp)
 		goto out;
 
 	/*
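Review bot: `if (!gdp || !grp) goto out;` in ext4_init_inode_table() sets no error code for the NULL `grp` case, while the __ext4_new_inode() hunk above assigns `err = -EFSCORRUPTED` before jumping. Unless the return variable already holds an error at this point, the caller is told the inode table was handled for a group that does not exist; set -EFSCORRUPTED here too.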
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 84d74ba02b378..f18aa35b82b04 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -684,6 +684,8 @@ static int __mb_check_buddy(struct ext4_buddy *e4b, char *file,
 	MB_CHECK_ASSERT(e4b->bd_info->bb_fragments == fragments);
 
 	grp = ext4_get_group_info(sb, e4b->bd_group);
+	if (!grp)
+		return NULL;
 	list_for_each(cur, &grp->bb_prealloc_list) {
 		ext4_group_t groupnr;
 		struct ext4_prealloc_space *pa;
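Review bot: `return NULL;` is added to __mb_check_buddy(), which the hunk header shows is declared `static int`. Returning a pointer constant from an int function is a type mismatch that compilers may warn about, and the resulting 0 does not tell the caller that the group info was missing; return an int value and decide whether a missing group should count as a failed check.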
@@ -767,9 +769,9 @@ mb_set_largest_free_order(struct super_block *sb, struct ext4_group_info *grp)
 
 static noinline_for_stack
 void ext4_mb_generate_buddy(struct super_block *sb,
-				void *buddy, void *bitmap, ext4_group_t group)
+			    void *buddy, void *bitmap, ext4_group_t group,
+			    struct ext4_group_info *grp)
 {
-	struct ext4_group_info *grp = ext4_get_group_info(sb, group);
 	struct ext4_sb_info *sbi = EXT4_SB(sb);
 	ext4_grpblk_t max = EXT4_CLUSTERS_PER_GROUP(sb);
 	ext4_grpblk_t i = 0;
@@ -889,6 +891,8 @@ static int ext4_mb_init_cache(struct page *page, char *incore, gfp_t gfp)
 			break;
 
 		grinfo = ext4_get_group_info(sb, group);
+		if (!grinfo)
+			continue;
 		/*
 		 * If page is uptodate then we came here after online resize
 		 * which added some new uninitialized group info structs, so
@@ -954,6 +958,10 @@ static int ext4_mb_init_cache(struct page *page, char *incore, gfp_t gfp)
 				group, page->index, i * blocksize);
 			trace_ext4_mb_buddy_bitmap_load(sb, group);
 			grinfo = ext4_get_group_info(sb, group);
+			if (!grinfo) {
+				err = -EFSCORRUPTED;
+				goto out;
+			}
 			grinfo->bb_fragments = 0;
 			memset(grinfo->bb_counters, 0,
 			       sizeof(*grinfo->bb_counters) *
@@ -964,7 +972,7 @@ static int ext4_mb_init_cache(struct page *page, char *incore, gfp_t gfp)
 			ext4_lock_group(sb, group);
 			/* init the buddy */
 			memset(data, 0xff, blocksize);
-			ext4_mb_generate_buddy(sb, data, incore, group);
+			ext4_mb_generate_buddy(sb, data, incore, group, grinfo);
 			ext4_unlock_group(sb, group);
 			incore = NULL;
 		} else {
@@ -1078,6 +1086,9 @@ int ext4_mb_init_group(struct super_block *sb, ext4_group_t group, gfp_t gfp)
 	might_sleep();
 	mb_debug(sb, "init group %u\n", group);
 	this_grp = ext4_get_group_info(sb, group);
+	if (!this_grp)
+		return -EFSCORRUPTED;
+
 	/*
 	 * This ensures that we don't reinit the buddy cache
 	 * page which map to the group from which we are already
@@ -1152,6 +1163,8 @@ ext4_mb_load_buddy_gfp(struct super_block *sb, ext4_group_t group,
 
 	blocks_per_page = PAGE_SIZE / sb->s_blocksize;
 	grp = ext4_get_group_info(sb, group);
+	if (!grp)
+		return -EFSCORRUPTED;
 
 	e4b->bd_blkbits = sb->s_blocksize_bits;
 	e4b->bd_info = grp;
@@ -1864,6 +1877,8 @@ int ext4_mb_find_by_goal(struct ext4_allocation_context *ac,
 	struct ext4_group_info *grp = ext4_get_group_info(ac->ac_sb, group);
 	struct ext4_free_extent ex;
 
+	if (!grp)
+		return -EFSCORRUPTED;
 	if (!(ac->ac_flags & (EXT4_MB_HINT_TRY_GOAL | EXT4_MB_HINT_GOAL_ONLY)))
 		return 0;
 	if (grp->bb_free == 0)
@@ -2088,7 +2103,7 @@ static bool ext4_mb_good_group(struct ext4_allocation_context *ac,
 
 	BUG_ON(cr < 0 || cr >= 4);
 
-	if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(grp)))
+	if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(grp) || !grp))
 		return false;
 
 	free = grp->bb_free;
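Review bot: in ext4_mb_good_group() the `!grp` test is placed after EXT4_MB_GRP_BBITMAP_CORRUPT(grp) inside the `||`, so the macro is evaluated on grp before the NULL check can short-circuit it. Every other hunk in this patch tests `!grp` first; reorder to `unlikely(!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp))` so a NULL group info never reaches the macro.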
@@ -2151,6 +2166,8 @@ static int ext4_mb_good_group_nolock(struct ext4_allocation_context *ac,
 	ext4_grpblk_t free;
 	int ret = 0;
 
+	if (!grp)
+		return -EFSCORRUPTED;
 	if (sbi->s_mb_stats)
 		atomic64_inc(&sbi->s_bal_cX_groups_considered[ac->ac_criteria]);
 	if (should_lock)
@@ -2223,7 +2240,7 @@ ext4_group_t ext4_mb_prefetch(struct super_block *sb, ext4_group_t group,
 		 * prefetch once, so we avoid getblk() call, which can
 		 * be expensive.
 		 */
-		if (!EXT4_MB_GRP_TEST_AND_SET_READ(grp) &&
+		if (gdp && grp && !EXT4_MB_GRP_TEST_AND_SET_READ(grp) &&
 		    EXT4_MB_GRP_NEED_INIT(grp) &&
 		    ext4_free_group_clusters(sb, gdp) > 0 &&
 		    !(ext4_has_group_desc_csum(sb) &&
@@ -2267,7 +2284,7 @@ void ext4_mb_prefetch_fini(struct super_block *sb, ext4_group_t group,
 		group--;
 		grp = ext4_get_group_info(sb, group);
 
-		if (EXT4_MB_GRP_NEED_INIT(grp) &&
+		if (grp && gdp && EXT4_MB_GRP_NEED_INIT(grp) &&
 		    ext4_free_group_clusters(sb, gdp) > 0 &&
 		    !(ext4_has_group_desc_csum(sb) &&
 		      (gdp->bg_flags & cpu_to_le16(EXT4_BG_BLOCK_UNINIT)))) {
@@ -2525,6 +2542,8 @@ static int ext4_mb_seq_groups_show(struct seq_file *seq, void *v)
 		sizeof(struct ext4_group_info);
 
 	grinfo = ext4_get_group_info(sb, group);
+	if (!grinfo)
+		return 0;
 	/* Load the group info in memory only if not already loaded. */
 	if (unlikely(EXT4_MB_GRP_NEED_INIT(grinfo))) {
 		err = ext4_mb_load_buddy(sb, group, &e4b);
@@ -2535,7 +2554,7 @@ static int ext4_mb_seq_groups_show(struct seq_file *seq, void *v)
 		buddy_loaded = 1;
 	}
 
-	memcpy(&sg, ext4_get_group_info(sb, group), i);
+	memcpy(&sg, grinfo, i);
 
 	if (buddy_loaded)
 		ext4_mb_unload_buddy(&e4b);
@@ -2812,8 +2831,12 @@ static int ext4_mb_init_backend(struct super_block *sb)
 
 err_freebuddy:
 	cachep = get_groupinfo_cache(sb->s_blocksize_bits);
-	while (i-- > 0)
-		kmem_cache_free(cachep, ext4_get_group_info(sb, i));
+	while (i-- > 0) {
+		struct ext4_group_info *grp = ext4_get_group_info(sb, i);
+
+		if (grp)
+			kmem_cache_free(cachep, grp);
+	}
 	i = sbi->s_group_info_size;
 	rcu_read_lock();
 	group_info = rcu_dereference(sbi->s_group_info);
@@ -3020,6 +3043,8 @@ int ext4_mb_release(struct super_block *sb)
 		for (i = 0; i < ngroups; i++) {
 			cond_resched();
 			grinfo = ext4_get_group_info(sb, i);
+			if (!grinfo)
+				continue;
 			mb_group_bb_bitmap_free(grinfo);
 			ext4_lock_group(sb, i);
 			count = ext4_mb_cleanup_pa(grinfo);
@@ -3933,6 +3958,8 @@ static void ext4_mb_generate_from_freelist(struct super_block *sb, void *bitmap,
 	struct ext4_free_data *entry;
 
 	grp = ext4_get_group_info(sb, group);
+	if (!grp)
+		return;
 	n = rb_first(&(grp->bb_free_root));
 
 	while (n) {
@@ -3960,6 +3987,9 @@ void ext4_mb_generate_from_pa(struct super_block *sb, void *bitmap,
 	int preallocated = 0;
 	int len;
 
+	if (!grp)
+		return;
+
 	/* all form of preallocation discards first load group,
 	 * so the only competing code is preallocation use.
 	 * we don't need any locking here
@@ -4151,6 +4181,8 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
 
 	ei = EXT4_I(ac->ac_inode);
 	grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
+	if (!grp)
+		return;
 
 	pa->pa_obj_lock = &ei->i_prealloc_lock;
 	pa->pa_inode = ac->ac_inode;
@@ -4204,6 +4236,8 @@ ext4_mb_new_group_pa(struct ext4_allocation_context *ac)
 	atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated);
 
 	grp = ext4_get_group_info(sb, ac->ac_b_ex.fe_group);
+	if (!grp)
+		return;
 	lg = ac->ac_lg;
 	BUG_ON(lg == NULL);
 
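Review bot: the early `return` for a NULL grp in ext4_mb_new_group_pa() comes after `atomic_add(pa->pa_free, &EXT4_SB(sb)->s_mb_preallocated)`, so the s_mb_preallocated counter has already been raised when the function bails out. Either move the ext4_get_group_info() lookup and check above the atomic_add() or undo the accounting on this path, and since the early return carries no value, say how the caller learns that the preallocation was not completed.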
@@ -4332,6 +4366,8 @@ ext4_mb_discard_group_preallocations(struct super_block *sb,
 	int err;
 	int free = 0;
 
+	if (!grp)
+		return 0;
 	mb_debug(sb, "discard preallocation for group %u\n", group);
 	if (list_empty(&grp->bb_prealloc_list))
 		goto out_dbg;
@@ -4569,6 +4605,9 @@ static inline void ext4_mb_show_pa(struct super_block *sb)
 		struct ext4_prealloc_space *pa;
 		ext4_grpblk_t start;
 		struct list_head *cur;
+
+		if (!grp)
+			continue;
 		ext4_lock_group(sb, i);
 		list_for_each(cur, &grp->bb_prealloc_list) {
 			pa = list_entry(cur, struct ext4_prealloc_space,
@@ -5372,6 +5411,7 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode,
 	struct buffer_head *bitmap_bh = NULL;
 	struct super_block *sb = inode->i_sb;
 	struct ext4_group_desc *gdp;
+	struct ext4_group_info *grp;
 	unsigned int overflow;
 	ext4_grpblk_t bit;
 	struct buffer_head *gd_bh;
@@ -5397,8 +5437,8 @@ static void ext4_mb_clear_bb(handle_t *handle, struct inode *inode,
 	overflow = 0;
 	ext4_get_group_no_and_offset(sb, block, &block_group, &bit);
 
-	if (unlikely(EXT4_MB_GRP_BBITMAP_CORRUPT(
-			ext4_get_group_info(sb, block_group))))
+	grp = ext4_get_group_info(sb, block_group);
+	if (unlikely(!grp || EXT4_MB_GRP_BBITMAP_CORRUPT(grp)))
 		return;
 
 	/*
@@ -5986,6 +6026,8 @@ int ext4_trim_fs(struct super_block *sb, struct fstrim_range *range)
 
 	for (group = first_group; group <= last_group; group++) {
 		grp = ext4_get_group_info(sb, group);
+		if (!grp)
+			continue;
 		/* We only do this if the grp has never been initialized */
 		if (unlikely(EXT4_MB_GRP_NEED_INIT(grp))) {
 			ret = ext4_mb_init_group(sb, group, GFP_NOFS);
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 681efff3af50f..d89750e90bc4b 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -1011,6 +1011,8 @@ void ext4_mark_group_bitmap_corrupted(struct super_block *sb,
 	struct ext4_group_desc *gdp = ext4_get_group_desc(sb, group, NULL);
 	int ret;
 
+	if (!grp || !gdp)
+		return;
 	if (flags & EXT4_GROUP_INFO_BBITMAP_CORRUPT) {
 		ret = ext4_test_and_set_bit(EXT4_GROUP_INFO_BBITMAP_CORRUPT_BIT,
 					    &grp->bb_state);
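Review bot: ext4_mark_group_bitmap_corrupted() now returns silently when grp or gdp is NULL, so a corruption report for a group whose info cannot be looked up leaves no trace. A warning message on this path, or a comment explaining why nothing needs recording here, would make the early return easier to audit.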
-- 
2.39.2





* [PATCH 5.10 030/211] refscale: Move shutdown from wait_event() to wait_event_idle()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (28 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 029/211] ext4: allow ext4_get_group_info() to fail Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 031/211] rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access Greg Kroah-Hartman
                   ` (186 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Paul E. McKenney, Boqun Feng, Sasha Levin

From: Paul E. McKenney <paulmck@kernel.org>

[ Upstream commit 6bc6e6b27524304aadb9c04611ddb1c84dd7617a ]

The ref_scale_shutdown() kthread/function uses wait_event() to wait for
the refscale test to complete.  However, although the read-side tests
are normally extremely fast, there is no law against specifying a very
large value for the refscale.loops module parameter or against having
a slow read-side primitive.  Either way, this might well trigger the
hung-task timeout.

This commit therefore replaces those wait_event() calls with calls to
wait_event_idle(), which do not trigger the hung-task timeout.

Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Boqun Feng <boqun.feng@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/rcu/refscale.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kernel/rcu/refscale.c b/kernel/rcu/refscale.c
index 952595c678b37..4e419ca6d6114 100644
--- a/kernel/rcu/refscale.c
+++ b/kernel/rcu/refscale.c
@@ -625,7 +625,7 @@ ref_scale_cleanup(void)
 static int
 ref_scale_shutdown(void *arg)
 {
-	wait_event(shutdown_wq, shutdown_start);
+	wait_event_idle(shutdown_wq, shutdown_start);
 
 	smp_mb(); // Wake before output.
 	ref_scale_cleanup();
-- 
2.39.2





* [PATCH 5.10 031/211] rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (29 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 030/211] refscale: Move shutdown from wait_event() to wait_event_idle() Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 032/211] fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() Greg Kroah-Hartman
                   ` (185 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Joel Fernandes (Google),
	Zqiang, Paul E. McKenney, Sasha Levin

From: Zqiang <qiang1.zhang@intel.com>

[ Upstream commit 3c1566bca3f8349f12b75d0a2d5e4a20ad6262ec ]

For kernels built with CONFIG_PREEMPT_RCU=y, the following scenario can
result in a NULL-pointer dereference:

           CPU1                                           CPU2
rcu_preempt_deferred_qs_irqrestore                rcu_print_task_exp_stall
  if (special.b.blocked)                            READ_ONCE(rnp->exp_tasks) != NULL
    raw_spin_lock_rcu_node
    np = rcu_next_node_entry(t, rnp)
    if (&t->rcu_node_entry == rnp->exp_tasks)
      WRITE_ONCE(rnp->exp_tasks, np)
      ....
      raw_spin_unlock_irqrestore_rcu_node
                                                    raw_spin_lock_irqsave_rcu_node
                                                    t = list_entry(rnp->exp_tasks->prev,
                                                        struct task_struct, rcu_node_entry)
                                                    (if rnp->exp_tasks is NULL, this
                                                       will dereference a NULL pointer)

The problem is that CPU2 accesses the rcu_node structure's ->exp_tasks
field without holding the rcu_node structure's ->lock and CPU2 did
not observe CPU1's change to rcu_node structure's ->exp_tasks in time.
Therefore, if CPU1 sets rcu_node structure's ->exp_tasks pointer to NULL,
then CPU2 might dereference that NULL pointer.

This commit therefore holds the rcu_node structure's ->lock while
accessing that structure's ->exp_tasks field.

[ paulmck: Apply Frederic Weisbecker feedback. ]

Acked-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Zqiang <qiang1.zhang@intel.com>
Signed-off-by: Paul E. McKenney <paulmck@kernel.org>
Signed-off-by: Joel Fernandes (Google) <joel@joelfernandes.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/rcu/tree_exp.h | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/kernel/rcu/tree_exp.h b/kernel/rcu/tree_exp.h
index ef6570137dcd5..401c1f331cafa 100644
--- a/kernel/rcu/tree_exp.h
+++ b/kernel/rcu/tree_exp.h
@@ -707,9 +707,11 @@ static int rcu_print_task_exp_stall(struct rcu_node *rnp)
 	int ndetected = 0;
 	struct task_struct *t;
 
-	if (!READ_ONCE(rnp->exp_tasks))
-		return 0;
 	raw_spin_lock_irqsave_rcu_node(rnp, flags);
+	if (!rnp->exp_tasks) {
+		raw_spin_unlock_irqrestore_rcu_node(rnp, flags);
+		return 0;
+	}
 	t = list_entry(rnp->exp_tasks->prev,
 		       struct task_struct, rcu_node_entry);
 	list_for_each_entry_continue(t, &rnp->blkd_tasks, rcu_node_entry) {
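Review bot: the NULL test on `rnp->exp_tasks` is only safe now because it runs under the rcu_node ->lock, but nothing in the code says so. A short comment above the test, stating that ->exp_tasks must be sampled with ->lock held because another CPU can set it to NULL, would stop a later cleanup from restoring the lockless READ_ONCE() early return that this patch removes.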
-- 
2.39.2





* [PATCH 5.10 032/211] fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (30 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 031/211] rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 033/211] drm/amd/display: Use DC_LOG_DC in the trasform pixel function Greg Kroah-Hartman
                   ` (184 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, syzbot, Tetsuo Handa,
	Viacheslav Dubeyko, Christian Brauner, Sasha Levin

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

[ Upstream commit 81b21c0f0138ff5a499eafc3eb0578ad2a99622c ]

syzbot is hitting WARN_ON() in hfsplus_cat_{read,write}_inode(), for a
crafted filesystem image can contain a bogus length. These conditions are
not kernel bugs that can justify a kernel panic.

Reported-by: syzbot <syzbot+e2787430e752a92b8750@syzkaller.appspotmail.com>
Link: https://syzkaller.appspot.com/bug?extid=e2787430e752a92b8750
Reported-by: syzbot <syzbot+4913dca2ea6e4d43f3f1@syzkaller.appspotmail.com>
Link: https://syzkaller.appspot.com/bug?extid=4913dca2ea6e4d43f3f1
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Reviewed-by: Viacheslav Dubeyko <slava@dubeyko.com>
Message-Id: <15308173-5252-d6a3-ae3b-e96d46cb6f41@I-love.SAKURA.ne.jp>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/hfsplus/inode.c | 28 +++++++++++++++++++++++-----
 1 file changed, 23 insertions(+), 5 deletions(-)

diff --git a/fs/hfsplus/inode.c b/fs/hfsplus/inode.c
index c60d5ceb0d31c..7e1d889dcc07a 100644
--- a/fs/hfsplus/inode.c
+++ b/fs/hfsplus/inode.c
@@ -497,7 +497,11 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd)
 	if (type == HFSPLUS_FOLDER) {
 		struct hfsplus_cat_folder *folder = &entry.folder;
 
-		WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_folder));
+		if (fd->entrylength < sizeof(struct hfsplus_cat_folder)) {
+			pr_err("bad catalog folder entry\n");
+			res = -EIO;
+			goto out;
+		}
 		hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
 					sizeof(struct hfsplus_cat_folder));
 		hfsplus_get_perms(inode, &folder->permissions, 1);
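Review bot: the new `pr_err("bad catalog folder entry\n")` can be reached from a crafted image on every affected lookup, and the same string is used in both hfsplus_cat_read_inode() and hfsplus_cat_write_inode(). Consider pr_err_ratelimited() so a bad image cannot flood the log, and include the function name or the offending entrylength in the message so the read and write paths can be told apart.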
@@ -517,7 +521,11 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd)
 	} else if (type == HFSPLUS_FILE) {
 		struct hfsplus_cat_file *file = &entry.file;
 
-		WARN_ON(fd->entrylength < sizeof(struct hfsplus_cat_file));
+		if (fd->entrylength < sizeof(struct hfsplus_cat_file)) {
+			pr_err("bad catalog file entry\n");
+			res = -EIO;
+			goto out;
+		}
 		hfs_bnode_read(fd->bnode, &entry, fd->entryoffset,
 					sizeof(struct hfsplus_cat_file));
 
@@ -548,6 +556,7 @@ int hfsplus_cat_read_inode(struct inode *inode, struct hfs_find_data *fd)
 		pr_err("bad catalog entry used to create inode\n");
 		res = -EIO;
 	}
+out:
 	return res;
 }
 
@@ -556,6 +565,7 @@ int hfsplus_cat_write_inode(struct inode *inode)
 	struct inode *main_inode = inode;
 	struct hfs_find_data fd;
 	hfsplus_cat_entry entry;
+	int res = 0;
 
 	if (HFSPLUS_IS_RSRC(inode))
 		main_inode = HFSPLUS_I(inode)->rsrc_inode;
@@ -574,7 +584,11 @@ int hfsplus_cat_write_inode(struct inode *inode)
 	if (S_ISDIR(main_inode->i_mode)) {
 		struct hfsplus_cat_folder *folder = &entry.folder;
 
-		WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_folder));
+		if (fd.entrylength < sizeof(struct hfsplus_cat_folder)) {
+			pr_err("bad catalog folder entry\n");
+			res = -EIO;
+			goto out;
+		}
 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
 					sizeof(struct hfsplus_cat_folder));
 		/* simple node checks? */
@@ -599,7 +613,11 @@ int hfsplus_cat_write_inode(struct inode *inode)
 	} else {
 		struct hfsplus_cat_file *file = &entry.file;
 
-		WARN_ON(fd.entrylength < sizeof(struct hfsplus_cat_file));
+		if (fd.entrylength < sizeof(struct hfsplus_cat_file)) {
+			pr_err("bad catalog file entry\n");
+			res = -EIO;
+			goto out;
+		}
 		hfs_bnode_read(fd.bnode, &entry, fd.entryoffset,
 					sizeof(struct hfsplus_cat_file));
 		hfsplus_inode_write_fork(inode, &file->data_fork);
@@ -620,5 +638,5 @@ int hfsplus_cat_write_inode(struct inode *inode)
 	set_bit(HFSPLUS_I_CAT_DIRTY, &HFSPLUS_I(inode)->flags);
 out:
 	hfs_find_exit(&fd);
-	return 0;
+	return res;
 }
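Review bot: hfsplus_cat_write_inode() previously ended in an unconditional `return 0;`, so existing callers may never have checked its result; with `return res;` they can now receive -EIO. It is worth confirming in the commit message or a comment that the callers propagate the error rather than dropping it.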
-- 
2.39.2





* [PATCH 5.10 033/211] drm/amd/display: Use DC_LOG_DC in the trasform pixel function
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (31 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 032/211] fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 034/211] regmap: cache: Return error in cache sync operations for REGCACHE_NONE Greg Kroah-Hartman
                   ` (183 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Harry Wentland, Qingqing Zhuo,
	Rodrigo Siqueira, Daniel Wheeler, Alex Deucher, Sasha Levin

From: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>

[ Upstream commit 7222f5841ff49709ca666b05ff336776e0664a20 ]

[Why & How]
DC now uses a new commit sequence which is more robust since it
addresses cases where we need to reorganize pipes based on planes and
other parameters. As a result, this new commit sequence resets the DC
state by cleaning plane states and re-creating them according to the
need. For this reason, the dce_transform_set_pixel_storage_depth can be
invoked after a plane state is destroyed and before its re-creation. In
this situation and on DCE devices, DC will hit a condition that will
trigger a dmesg log that looks like this:

Console: switching to colour frame buffer device 240x67
------------[ cut here ]------------
[..]
Hardware name: System manufacturer System Product Name/PRIME X370-PRO, BIOS 5603 07/28/2020
RIP: 0010:dce_transform_set_pixel_storage_depth+0x3f8/0x480 [amdgpu]
[..]
RSP: 0018:ffffc9000202b850 EFLAGS: 00010293
RAX: ffffffffa081d100 RBX: ffff888110790000 RCX: 000000000000000c
RDX: ffff888100bedbf8 RSI: 0000000000001a50 RDI: ffff88810463c900
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000007
R10: 0000000000000001 R11: 0000000000000f00 R12: ffff88810f500010
R13: ffff888100bedbf8 R14: ffff88810f515688 R15: 0000000000000000
FS:  00007ff0159249c0(0000) GS:ffff88840e940000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ff01528e550 CR3: 0000000002a10000 CR4: 00000000003506e0
Call Trace:
 <TASK>
 ? dm_write_reg_func+0x21/0x80 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8]
 dc_stream_set_dither_option+0xfb/0x130 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8]
 amdgpu_dm_crtc_configure_crc_source+0x10b/0x190 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8]
 amdgpu_dm_atomic_commit_tail+0x20a8/0x2a90 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8]
 ? free_unref_page_commit+0x98/0x170
 ? free_unref_page+0xcc/0x150
 commit_tail+0x94/0x120
 drm_atomic_helper_commit+0x10f/0x140
 drm_atomic_commit+0x94/0xc0
 ? drm_plane_get_damage_clips.cold+0x1c/0x1c
 drm_client_modeset_commit_atomic+0x203/0x250
 drm_client_modeset_commit_locked+0x56/0x150
 drm_client_modeset_commit+0x21/0x40
 drm_fb_helper_lastclose+0x42/0x70
 amdgpu_driver_lastclose_kms+0xa/0x10 [amdgpu 340dadd3f7c8cf4be11cf0bdc850245e99abe0e8]
 drm_release+0xda/0x110
 __fput+0x89/0x240
 task_work_run+0x5c/0x90
 do_exit+0x333/0xae0
 do_group_exit+0x2d/0x90
 __x64_sys_exit_group+0x14/0x20
 do_syscall_64+0x5b/0x80
 ? exit_to_user_mode_prepare+0x1e/0x140
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7ff016ceaca1
Code: Unable to access opcode bytes at RIP 0x7ff016ceac77.
RSP: 002b:00007ffe7a2357e8 EFLAGS: 00000246 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 00007ff016e15a00 RCX: 00007ff016ceaca1
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000000
RBP: 0000000000000000 R08: ffffffffffffff78 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00007ff016e15a00
R13: 0000000000000000 R14: 00007ff016e1aee8 R15: 00007ff016e1af00
 </TASK>

Since this issue only happens in a transition state on DC, this commit
replaces BREAK_TO_DEBUGGER with DC_LOG_DC.

Reviewed-by: Harry Wentland <Harry.Wentland@amd.com>
Acked-by: Qingqing Zhuo <qingqing.zhuo@amd.com>
Signed-off-by: Rodrigo Siqueira <Rodrigo.Siqueira@amd.com>
Tested-by: Daniel Wheeler <daniel.wheeler@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/dce/dce_transform.c | 5 ++---
 1 file changed, 2 insertions(+), 3 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c
index e2e79025825f8..a54a309879246 100644
--- a/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c
+++ b/drivers/gpu/drm/amd/display/dc/dce/dce_transform.c
@@ -1011,7 +1011,7 @@ static void dce_transform_set_pixel_storage_depth(
 		color_depth = COLOR_DEPTH_101010;
 		pixel_depth = 0;
 		expan_mode  = 1;
-		BREAK_TO_DEBUGGER();
+		DC_LOG_DC("The pixel depth %d is not valid, set COLOR_DEPTH_101010 instead.", depth);
 		break;
 	}
 
@@ -1025,8 +1025,7 @@ static void dce_transform_set_pixel_storage_depth(
 	if (!(xfm_dce->lb_pixel_depth_supported & depth)) {
 		/*we should use unsupported capabilities
 		 *  unless it is required by w/a*/
-		DC_LOG_WARNING("%s: Capability not supported",
-			__func__);
+		DC_LOG_DC("%s: Capability not supported", __func__);
 	}
 }
 
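Review bot: the commit message justifies replacing BREAK_TO_DEBUGGER() for the transition state, but says nothing about this second change, which lowers the `Capability not supported` message from DC_LOG_WARNING to DC_LOG_DC. That message fires whenever `xfm_dce->lb_pixel_depth_supported & depth` is zero, not only during the transition, so either explain the downgrade in the changelog or keep the warning level for this check.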
-- 
2.39.2





* [PATCH 5.10 034/211] regmap: cache: Return error in cache sync operations for REGCACHE_NONE
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (32 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 033/211] drm/amd/display: Use DC_LOG_DC in the trasform pixel function Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 035/211] arm64: dts: qcom: msm8996: Add missing DWC3 quirks Greg Kroah-Hartman
                   ` (182 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexander Stein, Mark Brown, Sasha Levin

From: Alexander Stein <alexander.stein@ew.tq-group.com>

[ Upstream commit fd883d79e4dcd2417c2b80756f22a2ff03b0f6e0 ]

There is no sense in doing a cache sync on REGCACHE_NONE regmaps.
Instead of panicking the kernel due to missing cache_ops, return an error
to the client driver.

Signed-off-by: Alexander Stein <alexander.stein@ew.tq-group.com>
Link: https://lore.kernel.org/r/20230313071812.13577-1-alexander.stein@ew.tq-group.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/base/regmap/regcache.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/drivers/base/regmap/regcache.c b/drivers/base/regmap/regcache.c
index 7f4b3b62492ca..7fdd702e564ae 100644
--- a/drivers/base/regmap/regcache.c
+++ b/drivers/base/regmap/regcache.c
@@ -343,6 +343,9 @@ int regcache_sync(struct regmap *map)
 	const char *name;
 	bool bypass;
 
+	if (WARN_ON(map->cache_type == REGCACHE_NONE))
+		return -EINVAL;
+
 	BUG_ON(!map->cache_ops);
 
 	map->lock(map->lock_arg);
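Review bot: the new REGCACHE_NONE check returns -EINVAL, but the `BUG_ON(!map->cache_ops)` directly below it is left in place, so any other map that reaches regcache_sync() without cache_ops still brings the kernel down. If the aim is to return an error instead of panicking, the BUG_ON could get the same `if (WARN_ON(...)) return -EINVAL;` treatment, here and in regcache_sync_region().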
@@ -412,6 +415,9 @@ int regcache_sync_region(struct regmap *map, unsigned int min,
 	const char *name;
 	bool bypass;
 
+	if (WARN_ON(map->cache_type == REGCACHE_NONE))
+		return -EINVAL;
+
 	BUG_ON(!map->cache_ops);
 
 	map->lock(map->lock_arg);
-- 
2.39.2





* [PATCH 5.10 035/211] arm64: dts: qcom: msm8996: Add missing DWC3 quirks
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (33 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 034/211] regmap: cache: Return error in cache sync operations for REGCACHE_NONE Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 036/211] memstick: r592: Fix UAF bug in r592_remove due to race condition Greg Kroah-Hartman
                   ` (181 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Konrad Dybcio, Bjorn Andersson, Sasha Levin

From: Konrad Dybcio <konrad.dybcio@linaro.org>

[ Upstream commit d0af0537e28f6eace02deed63b585396de939213 ]

Add missing dwc3 quirks from msm-3.18. Unfortunately, none of them
make `dwc3-qcom 6af8800.usb: HS-PHY not in L2` go away.

Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Signed-off-by: Bjorn Andersson <andersson@kernel.org>
Link: https://lore.kernel.org/r/20230302011849.1873056-1-konrad.dybcio@linaro.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 arch/arm64/boot/dts/qcom/msm8996.dtsi | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/arch/arm64/boot/dts/qcom/msm8996.dtsi b/arch/arm64/boot/dts/qcom/msm8996.dtsi
index 02b5f6f1d331e..159cdd03e7c01 100644
--- a/arch/arm64/boot/dts/qcom/msm8996.dtsi
+++ b/arch/arm64/boot/dts/qcom/msm8996.dtsi
@@ -1771,8 +1771,11 @@
 				interrupts = <0 131 IRQ_TYPE_LEVEL_HIGH>;
 				phys = <&hsusb_phy1>, <&ssusb_phy_0>;
 				phy-names = "usb2-phy", "usb3-phy";
+				snps,hird-threshold = /bits/ 8 <0>;
 				snps,dis_u2_susphy_quirk;
 				snps,dis_enblslpm_quirk;
+				snps,is-utmi-l1-suspend;
+				tx-fifo-resize;
 			};
 		};
 
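Review bot: `snps,hird-threshold = /bits/ 8 <0>;` and the two added flags are justified only as being carried over from msm-3.18, and the commit message itself says they do not remove the `HS-PHY not in L2` message. A sentence on what behaviour each property changes on msm8996 would help reviewers judge whether this belongs in a stable update.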
-- 
2.39.2





* [PATCH 5.10 036/211] memstick: r592: Fix UAF bug in r592_remove due to race condition
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (34 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 035/211] arm64: dts: qcom: msm8996: Add missing DWC3 quirks Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 037/211] firmware: arm_sdei: Fix sleep from invalid context BUG Greg Kroah-Hartman
                   ` (180 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Zheng Wang, Ulf Hansson, Sasha Levin

From: Zheng Wang <zyytlz.wz@163.com>

[ Upstream commit 63264422785021704c39b38f65a78ab9e4a186d7 ]

In r592_probe, dev->detect_timer was bound with r592_detect_timer.
In r592_irq function, the timer function will be invoked by mod_timer.

If we remove the module which will call hantro_release to make cleanup,
there may be an unfinished work. The possible sequence is as follows,
which will cause a typical UAF bug.

Fix it by canceling the work before cleanup in r592_remove.

CPU0                  CPU1

                    |r592_detect_timer
r592_remove         |
  memstick_free_host|
  put_device;       |
  kfree(host);      |
                    |
                    | queue_work
                    |   &host->media_checker //use

Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Link: https://lore.kernel.org/r/20230307164338.1246287-1-zyytlz.wz@163.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/memstick/host/r592.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/memstick/host/r592.c b/drivers/memstick/host/r592.c
index eaa2a94d18be4..dd06c18495eb6 100644
--- a/drivers/memstick/host/r592.c
+++ b/drivers/memstick/host/r592.c
@@ -828,7 +828,7 @@ static void r592_remove(struct pci_dev *pdev)
 	/* Stop the processing thread.
 	That ensures that we won't take any more requests */
 	kthread_stop(dev->io_thread);
-
+	del_timer_sync(&dev->detect_timer);
 	r592_enable_device(dev, false);
 
 	while (!error && dev->req) {
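Review bot: del_timer_sync(&dev->detect_timer) is called before r592_enable_device(dev, false), and the commit message says r592_irq arms this timer with mod_timer, so an interrupt arriving between the two calls can re-arm the timer after it was deleted. Deleting the timer once the device and its interrupt are shut off would close that window. The hunk also replaces the blank line that separated kthread_stop() from the following steps; keeping that blank line and adding the call on its own line would read better.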
-- 
2.39.2





* [PATCH 5.10 037/211] firmware: arm_sdei: Fix sleep from invalid context BUG
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (35 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 036/211] memstick: r592: Fix UAF bug in r592_remove due to race condition Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 038/211] ACPI: EC: Fix oops when removing custom query handlers Greg Kroah-Hartman
                   ` (179 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, James Morse, Pierre Gondois,
	Will Deacon, Sasha Levin

From: Pierre Gondois <pierre.gondois@arm.com>

[ Upstream commit d2c48b2387eb89e0bf2a2e06e30987cf410acad4 ]

Running a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra
triggers:

  BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46
  in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0
  preempt_count: 0, expected: 0
  RCU nest depth: 0, expected: 0
  3 locks held by cpuhp/0/24:
    #0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248
    #1: ffffda30217c7120 (cpuhp_state-up){+.+.}-{0:0}, at: cpuhp_thread_fun+0x5c/0x248
    #2: ffffda3021c711f0 (sdei_list_lock){....}-{3:3}, at: sdei_cpuhp_up+0x3c/0x130
  irq event stamp: 36
  hardirqs last  enabled at (35): [<ffffda301e85b7bc>] finish_task_switch+0xb4/0x2b0
  hardirqs last disabled at (36): [<ffffda301e812fec>] cpuhp_thread_fun+0x21c/0x248
  softirqs last  enabled at (0): [<ffffda301e80b184>] copy_process+0x63c/0x1ac0
  softirqs last disabled at (0): [<0000000000000000>] 0x0
  CPU: 0 PID: 24 Comm: cpuhp/0 Not tainted 5.19.0-rc3-rt5-[...]
  Hardware name: WIWYNN Mt.Jade Server [...]
  Call trace:
    dump_backtrace+0x114/0x120
    show_stack+0x20/0x70
    dump_stack_lvl+0x9c/0xd8
    dump_stack+0x18/0x34
    __might_resched+0x188/0x228
    rt_spin_lock+0x70/0x120
    sdei_cpuhp_up+0x3c/0x130
    cpuhp_invoke_callback+0x250/0xf08
    cpuhp_thread_fun+0x120/0x248
    smpboot_thread_fn+0x280/0x320
    kthread+0x130/0x140
    ret_from_fork+0x10/0x20

sdei_cpuhp_up() is called in the STARTING hotplug section,
which runs with interrupts disabled. Use a CPUHP_AP_ONLINE_DYN entry
instead to execute the cpuhp cb later, with preemption enabled.

SDEI originally got its own cpuhp slot to allow interacting
with perf. It got superseded by pNMI and this early slot is not
relevant anymore. [1]

Some SDEI calls (e.g. SDEI_1_0_FN_SDEI_PE_MASK) take actions on the
calling CPU. It is checked that preemption is disabled for them.
_ONLINE cpuhp cb are executed in the 'per CPU hotplug thread'.
Preemption is enabled in those threads, but their cpumask is limited
to 1 CPU.
Move 'WARN_ON_ONCE(preemptible())' statements so that SDEI cpuhp cb
don't trigger them.

Also add a check for the SDEI_1_0_FN_SDEI_PRIVATE_RESET SDEI call
which acts on the calling CPU.

[1]:
https://lore.kernel.org/all/5813b8c5-ae3e-87fd-fccc-94c9cd08816d@arm.com/

Suggested-by: James Morse <james.morse@arm.com>
Signed-off-by: Pierre Gondois <pierre.gondois@arm.com>
Reviewed-by: James Morse <james.morse@arm.com>
Link: https://lore.kernel.org/r/20230216084920.144064-1-pierre.gondois@arm.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/firmware/arm_sdei.c | 37 ++++++++++++++++++++-----------------
 include/linux/cpuhotplug.h  |  1 -
 2 files changed, 20 insertions(+), 18 deletions(-)

diff --git a/drivers/firmware/arm_sdei.c b/drivers/firmware/arm_sdei.c
index 840754dcc6ca4..5a877d76078f7 100644
--- a/drivers/firmware/arm_sdei.c
+++ b/drivers/firmware/arm_sdei.c
@@ -44,6 +44,8 @@ static asmlinkage void (*sdei_firmware_call)(unsigned long function_id,
 /* entry point from firmware to arch asm code */
 static unsigned long sdei_entry_point;
 
+static int sdei_hp_state;
+
 struct sdei_event {
 	/* These three are protected by the sdei_list_lock */
 	struct list_head	list;
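Review bot: sdei_hp_state is added without a comment, right next to sdei_entry_point, which has one. Since it holds the dynamically allocated hotplug state returned by cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, ...), a one-line comment saying so, and that it is only valid after a successful setup, would make the later cpuhp_remove_state() calls easier to check.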
@@ -302,8 +304,6 @@ int sdei_mask_local_cpu(void)
 {
 	int err;
 
-	WARN_ON_ONCE(preemptible());
-
 	err = invoke_sdei_fn(SDEI_1_0_FN_SDEI_PE_MASK, 0, 0, 0, 0, 0, NULL);
 	if (err && err != -EIO) {
 		pr_warn_once("failed to mask CPU[%u]: %d\n",
@@ -316,6 +316,7 @@ int sdei_mask_local_cpu(void)
 
 static void _ipi_mask_cpu(void *ignored)
 {
+	WARN_ON_ONCE(preemptible());
 	sdei_mask_local_cpu();
 }
 
@@ -323,8 +324,6 @@ int sdei_unmask_local_cpu(void)
 {
 	int err;
 
-	WARN_ON_ONCE(preemptible());
-
 	err = invoke_sdei_fn(SDEI_1_0_FN_SDEI_PE_UNMASK, 0, 0, 0, 0, 0, NULL);
 	if (err && err != -EIO) {
 		pr_warn_once("failed to unmask CPU[%u]: %d\n",
@@ -337,6 +336,7 @@ int sdei_unmask_local_cpu(void)
 
 static void _ipi_unmask_cpu(void *ignored)
 {
+	WARN_ON_ONCE(preemptible());
 	sdei_unmask_local_cpu();
 }
 
@@ -344,6 +344,8 @@ static void _ipi_private_reset(void *ignored)
 {
 	int err;
 
+	WARN_ON_ONCE(preemptible());
+
 	err = invoke_sdei_fn(SDEI_1_0_FN_SDEI_PRIVATE_RESET, 0, 0, 0, 0, 0,
 			     NULL);
 	if (err && err != -EIO)
@@ -390,8 +392,6 @@ static void _local_event_enable(void *data)
 	int err;
 	struct sdei_crosscall_args *arg = data;
 
-	WARN_ON_ONCE(preemptible());
-
 	err = sdei_api_event_enable(arg->event->event_num);
 
 	sdei_cross_call_return(arg, err);
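Review bot: in _local_event_enable() the WARN_ON_ONCE(preemptible()) is deleted rather than moved. The mask/unmask hunks re-add the check in the _ipi_* wrappers, but none of the visible hunks gives this cross-call path, or _local_event_unregister() and _local_event_register() below, a replacement. If these helpers must still run pinned to one CPU, keep the assertion at the callers that are not the cpuhp callbacks, or state in the changelog that it is dropped on purpose.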
@@ -480,8 +480,6 @@ static void _local_event_unregister(void *data)
 	int err;
 	struct sdei_crosscall_args *arg = data;
 
-	WARN_ON_ONCE(preemptible());
-
 	err = sdei_api_event_unregister(arg->event->event_num);
 
 	sdei_cross_call_return(arg, err);
@@ -562,8 +560,6 @@ static void _local_event_register(void *data)
 	struct sdei_registered_event *reg;
 	struct sdei_crosscall_args *arg = data;
 
-	WARN_ON(preemptible());
-
 	reg = per_cpu_ptr(arg->event->private_registered, smp_processor_id());
 	err = sdei_api_event_register(arg->event->event_num, sdei_entry_point,
 				      reg, 0, 0);
@@ -718,6 +714,8 @@ static int sdei_pm_notifier(struct notifier_block *nb, unsigned long action,
 {
 	int rv;
 
+	WARN_ON_ONCE(preemptible());
+
 	switch (action) {
 	case CPU_PM_ENTER:
 		rv = sdei_mask_local_cpu();
@@ -766,7 +764,7 @@ static int sdei_device_freeze(struct device *dev)
 	int err;
 
 	/* unregister private events */
-	cpuhp_remove_state(CPUHP_AP_ARM_SDEI_STARTING);
+	cpuhp_remove_state(sdei_entry_point);
 
 	err = sdei_unregister_shared();
 	if (err)
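Review bot: sdei_device_freeze() now calls cpuhp_remove_state(sdei_entry_point), but sdei_entry_point is the unsigned long firmware entry address, not a hotplug state. The reboot notifier hunk passes sdei_hp_state for the same purpose, and that is the value saved from cpuhp_setup_state(); this line should read cpuhp_remove_state(sdei_hp_state).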
@@ -787,12 +785,15 @@ static int sdei_device_thaw(struct device *dev)
 		return err;
 	}
 
-	err = cpuhp_setup_state(CPUHP_AP_ARM_SDEI_STARTING, "SDEI",
+	err = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "SDEI",
 				&sdei_cpuhp_up, &sdei_cpuhp_down);
-	if (err)
+	if (err < 0) {
 		pr_warn("Failed to re-register CPU hotplug notifier...\n");
+		return err;
+	}
 
-	return err;
+	sdei_hp_state = err;
+	return 0;
 }
 
 static int sdei_device_restore(struct device *dev)
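Review bot: on the err < 0 path in sdei_device_thaw(), sdei_hp_state keeps the number from the earlier successful setup, although the freeze path is meant to have removed that state already. A later cpuhp_remove_state(sdei_hp_state) from the reboot notifier would then act on a stale state number; consider invalidating sdei_hp_state when the state is removed or when re-registration fails.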
@@ -824,7 +825,7 @@ static int sdei_reboot_notifier(struct notifier_block *nb, unsigned long action,
 	 * We are going to reset the interface, after this there is no point
 	 * doing work when we take CPUs offline.
 	 */
-	cpuhp_remove_state(CPUHP_AP_ARM_SDEI_STARTING);
+	cpuhp_remove_state(sdei_hp_state);
 
 	sdei_platform_reset();
 
@@ -1004,13 +1005,15 @@ static int sdei_probe(struct platform_device *pdev)
 		goto remove_cpupm;
 	}
 
-	err = cpuhp_setup_state(CPUHP_AP_ARM_SDEI_STARTING, "SDEI",
+	err = cpuhp_setup_state(CPUHP_AP_ONLINE_DYN, "SDEI",
 				&sdei_cpuhp_up, &sdei_cpuhp_down);
-	if (err) {
+	if (err < 0) {
 		pr_warn("Failed to register CPU hotplug notifier...\n");
 		goto remove_reboot;
 	}
 
+	sdei_hp_state = err;
+
 	return 0;
 
 remove_reboot:
diff --git a/include/linux/cpuhotplug.h b/include/linux/cpuhotplug.h
index fc945f9df2c1d..cb87247da5ba1 100644
--- a/include/linux/cpuhotplug.h
+++ b/include/linux/cpuhotplug.h
@@ -115,7 +115,6 @@ enum cpuhp_state {
 	CPUHP_AP_PERF_X86_CSTATE_STARTING,
 	CPUHP_AP_PERF_XTENSA_STARTING,
 	CPUHP_AP_MIPS_OP_LOONGSON3_STARTING,
-	CPUHP_AP_ARM_SDEI_STARTING,
 	CPUHP_AP_ARM_VFP_STARTING,
 	CPUHP_AP_ARM64_DEBUG_MONITORS_STARTING,
 	CPUHP_AP_PERF_ARM_HW_BREAKPOINT_STARTING,
-- 
2.39.2





* [PATCH 5.10 038/211] ACPI: EC: Fix oops when removing custom query handlers
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (36 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 037/211] firmware: arm_sdei: Fix sleep from invalid context BUG Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 039/211] remoteproc: stm32_rproc: Add mutex protection for workqueue Greg Kroah-Hartman
                   ` (178 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Armin Wolf, Rafael J. Wysocki, Sasha Levin

From: Armin Wolf <W_Armin@gmx.de>

[ Upstream commit e5b492c6bb900fcf9722e05f4a10924410e170c1 ]

When removing custom query handlers, the handler might still
be used inside the EC query workqueue, causing a kernel oops
if the module holding the callback function was already unloaded.

Fix this by flushing the EC query workqueue when removing
custom query handlers.

Tested on an Acer Travelmate 4002WLMi

Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/ec.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/acpi/ec.c b/drivers/acpi/ec.c
index 4707d1808ca54..487884420fb0d 100644
--- a/drivers/acpi/ec.c
+++ b/drivers/acpi/ec.c
@@ -1114,6 +1114,7 @@ static void acpi_ec_remove_query_handlers(struct acpi_ec *ec,
 void acpi_ec_remove_query_handler(struct acpi_ec *ec, u8 query_bit)
 {
 	acpi_ec_remove_query_handlers(ec, false, query_bit);
+	flush_workqueue(ec_query_wq);
 }
 EXPORT_SYMBOL_GPL(acpi_ec_remove_query_handler);
 
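Review bot: flush_workqueue(ec_query_wq) can sleep, so acpi_ec_remove_query_handler() is now only safe from process context, and it must not be reached from work running on ec_query_wq itself. Neither constraint is documented on this exported function; a kernel-doc line or a might_sleep() at the top would make it explicit for module callers.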
-- 
2.39.2





* [PATCH 5.10 039/211] remoteproc: stm32_rproc: Add mutex protection for workqueue
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (37 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 038/211] ACPI: EC: Fix oops when removing custom query handlers Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 040/211] drm/tegra: Avoid potential 32-bit integer overflow Greg Kroah-Hartman
                   ` (177 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Mathieu Poirier, Arnaud Pouliquen,
	Sasha Levin

From: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>

[ Upstream commit 35bdafda40cc343ad2ba2cce105eba03a70241cc ]

The workqueue may execute late even after remoteproc is stopped or
stopping, some resources (rpmsg device and endpoint) have been
released in rproc_stop_subdevices(), then rproc_vq_interrupt()
accessing these resources will cause kernel dump.

Call trace:
virtqueue_add_inbuf
virtqueue_add_inbuf
rpmsg_recv_single
rpmsg_recv_done
vring_interrupt
stm32_rproc_mb_vq_work
process_one_work
worker_thread
kthread

Suggested-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Arnaud Pouliquen <arnaud.pouliquen@foss.st.com>
Link: https://lore.kernel.org/r/20230331160634.3113031-1-arnaud.pouliquen@foss.st.com
Signed-off-by: Mathieu Poirier <mathieu.poirier@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/remoteproc/stm32_rproc.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/drivers/remoteproc/stm32_rproc.c b/drivers/remoteproc/stm32_rproc.c
index 24760d8ea6374..df784fec124f6 100644
--- a/drivers/remoteproc/stm32_rproc.c
+++ b/drivers/remoteproc/stm32_rproc.c
@@ -301,8 +301,16 @@ static void stm32_rproc_mb_vq_work(struct work_struct *work)
 	struct stm32_mbox *mb = container_of(work, struct stm32_mbox, vq_work);
 	struct rproc *rproc = dev_get_drvdata(mb->client.dev);
 
+	mutex_lock(&rproc->lock);
+
+	if (rproc->state != RPROC_RUNNING)
+		goto unlock_mutex;
+
 	if (rproc_vq_interrupt(rproc, mb->vq_id) == IRQ_NONE)
 		dev_dbg(&rproc->dev, "no message found in vq%d\n", mb->vq_id);
+
+unlock_mutex:
+	mutex_unlock(&rproc->lock);
 }
 
 static void stm32_rproc_mb_callback(struct mbox_client *cl, void *data)
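Review bot: stm32_rproc_mb_vq_work() now takes rproc->lock, so any stop or shutdown path that waits for vq_work to finish (a flush or cancel_work_sync()) while holding the same mutex would deadlock. Please confirm no such caller exists, and add a comment at the rproc->state != RPROC_RUNNING check saying that a notification arriving outside the running state is dropped on purpose.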
-- 
2.39.2





* [PATCH 5.10 040/211] drm/tegra: Avoid potential 32-bit integer overflow
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (38 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 039/211] remoteproc: stm32_rproc: Add mutex protection for workqueue Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 041/211] ACPICA: Avoid undefined behavior: applying zero offset to null pointer Greg Kroah-Hartman
                   ` (176 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nur Hussein, Thierry Reding, Sasha Levin

From: Nur Hussein <hussein@unixcat.org>

[ Upstream commit 2429b3c529da29d4277d519bd66d034842dcd70c ]

In tegra_sor_compute_config(), the 32-bit value mode->clock is
multiplied by 1000, and assigned to the u64 variable pclk. We can avoid
a potential 32-bit integer overflow by casting mode->clock to u64 before
we do the arithmetic and assignment.

Signed-off-by: Nur Hussein <hussein@unixcat.org>
Signed-off-by: Thierry Reding <treding@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/tegra/sor.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/gpu/drm/tegra/sor.c b/drivers/gpu/drm/tegra/sor.c
index 32c83f2e386ca..9d60d1c4cfcea 100644
--- a/drivers/gpu/drm/tegra/sor.c
+++ b/drivers/gpu/drm/tegra/sor.c
@@ -1153,7 +1153,7 @@ static int tegra_sor_compute_config(struct tegra_sor *sor,
 				    struct drm_dp_link *link)
 {
 	const u64 f = 100000, link_rate = link->rate * 1000;
-	const u64 pclk = mode->clock * 1000;
+	const u64 pclk = (u64)mode->clock * 1000;
 	u64 input, output, watermark, num;
 	struct tegra_sor_params params;
 	u32 num_syms_per_line;
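Review bot: the cast fixes pclk, but the context line just above it, link_rate = link->rate * 1000, has the same multiply-then-widen shape and is left as is. If link->rate is also narrower than 64 bits it needs the same (u64) cast, or a note on why its range cannot overflow.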
-- 
2.39.2





* [PATCH 5.10 041/211] ACPICA: Avoid undefined behavior: applying zero offset to null pointer
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (39 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 040/211] drm/tegra: Avoid potential 32-bit integer overflow Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 042/211] ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects Greg Kroah-Hartman
                   ` (175 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bob Moore, Rafael J. Wysocki, Sasha Levin

From: Tamir Duberstein <tamird@google.com>

[ Upstream commit 05bb0167c80b8f93c6a4e0451b7da9b96db990c2 ]

ACPICA commit 770653e3ba67c30a629ca7d12e352d83c2541b1e

Before this change we see the following UBSAN stack trace in Fuchsia:

  #0    0x000021e4213b3302 in acpi_ds_init_aml_walk(struct acpi_walk_state*, union acpi_parse_object*, struct acpi_namespace_node*, u8*, u32, struct acpi_evaluate_info*, u8) ../../third_party/acpica/source/components/dispatcher/dswstate.c:682 <platform-bus-x86.so>+0x233302
  #1.2  0x000020d0f660777f in ubsan_get_stack_trace() compiler-rt/lib/ubsan/ubsan_diag.cpp:41 <libclang_rt.asan.so>+0x3d77f
  #1.1  0x000020d0f660777f in maybe_print_stack_trace() compiler-rt/lib/ubsan/ubsan_diag.cpp:51 <libclang_rt.asan.so>+0x3d77f
  #1    0x000020d0f660777f in ~scoped_report() compiler-rt/lib/ubsan/ubsan_diag.cpp:387 <libclang_rt.asan.so>+0x3d77f
  #2    0x000020d0f660b96d in handlepointer_overflow_impl() compiler-rt/lib/ubsan/ubsan_handlers.cpp:809 <libclang_rt.asan.so>+0x4196d
  #3    0x000020d0f660b50d in compiler-rt/lib/ubsan/ubsan_handlers.cpp:815 <libclang_rt.asan.so>+0x4150d
  #4    0x000021e4213b3302 in acpi_ds_init_aml_walk(struct acpi_walk_state*, union acpi_parse_object*, struct acpi_namespace_node*, u8*, u32, struct acpi_evaluate_info*, u8) ../../third_party/acpica/source/components/dispatcher/dswstate.c:682 <platform-bus-x86.so>+0x233302
  #5    0x000021e4213e2369 in acpi_ds_call_control_method(struct acpi_thread_state*, struct acpi_walk_state*, union acpi_parse_object*) ../../third_party/acpica/source/components/dispatcher/dsmethod.c:605 <platform-bus-x86.so>+0x262369
  #6    0x000021e421437fac in acpi_ps_parse_aml(struct acpi_walk_state*) ../../third_party/acpica/source/components/parser/psparse.c:550 <platform-bus-x86.so>+0x2b7fac
  #7    0x000021e4214464d2 in acpi_ps_execute_method(struct acpi_evaluate_info*) ../../third_party/acpica/source/components/parser/psxface.c:244 <platform-bus-x86.so>+0x2c64d2
  #8    0x000021e4213aa052 in acpi_ns_evaluate(struct acpi_evaluate_info*) ../../third_party/acpica/source/components/namespace/nseval.c:250 <platform-bus-x86.so>+0x22a052
  #9    0x000021e421413dd8 in acpi_ns_init_one_device(acpi_handle, u32, void*, void**) ../../third_party/acpica/source/components/namespace/nsinit.c:735 <platform-bus-x86.so>+0x293dd8
  #10   0x000021e421429e98 in acpi_ns_walk_namespace(acpi_object_type, acpi_handle, u32, u32, acpi_walk_callback, acpi_walk_callback, void*, void**) ../../third_party/acpica/source/components/namespace/nswalk.c:298 <platform-bus-x86.so>+0x2a9e98
  #11   0x000021e4214131ac in acpi_ns_initialize_devices(u32) ../../third_party/acpica/source/components/namespace/nsinit.c:268 <platform-bus-x86.so>+0x2931ac
  #12   0x000021e42147c40d in acpi_initialize_objects(u32) ../../third_party/acpica/source/components/utilities/utxfinit.c:304 <platform-bus-x86.so>+0x2fc40d
  #13   0x000021e42126d603 in acpi::acpi_impl::initialize_acpi(acpi::acpi_impl*) ../../src/devices/board/lib/acpi/acpi-impl.cc:224 <platform-bus-x86.so>+0xed603

Add a simple check that avoids incrementing a pointer by zero, but
otherwise behaves as before. Note that our findings are against ACPICA
20221020, but the same code exists on master.

Link: https://github.com/acpica/acpica/commit/770653e3
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/acpica/dswstate.c | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

diff --git a/drivers/acpi/acpica/dswstate.c b/drivers/acpi/acpica/dswstate.c
index 809a0c0536b59..f9ba7695be147 100644
--- a/drivers/acpi/acpica/dswstate.c
+++ b/drivers/acpi/acpica/dswstate.c
@@ -576,9 +576,14 @@ acpi_ds_init_aml_walk(struct acpi_walk_state *walk_state,
 	ACPI_FUNCTION_TRACE(ds_init_aml_walk);
 
 	walk_state->parser_state.aml =
-	    walk_state->parser_state.aml_start = aml_start;
-	walk_state->parser_state.aml_end =
-	    walk_state->parser_state.pkg_end = aml_start + aml_length;
+	    walk_state->parser_state.aml_start =
+	    walk_state->parser_state.aml_end =
+	    walk_state->parser_state.pkg_end = aml_start;
+	/* Avoid undefined behavior: applying zero offset to null pointer */
+	if (aml_length != 0) {
+		walk_state->parser_state.aml_end += aml_length;
+		walk_state->parser_state.pkg_end += aml_length;
+	}
 
 	/* The next_op of the next_walk will be the beginning of the method */
 
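Review bot: the guard tests aml_length != 0, while the undefined behaviour named in the comment is arithmetic on a null aml_start; a NULL aml_start with a non-zero aml_length still reaches the two += lines. If that combination cannot occur, say so in the comment. The four-way chained assignment is also hard to scan and would read better as separate statements.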
-- 
2.39.2





* [PATCH 5.10 042/211] ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (40 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 041/211] ACPICA: Avoid undefined behavior: applying zero offset to null pointer Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 043/211] drm/amd: Fix an out of bounds error in BIOS parser Greg Kroah-Hartman
                   ` (174 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bob Moore, Rafael J. Wysocki, Sasha Levin

From: void0red <30990023+void0red@users.noreply.github.com>

[ Upstream commit ae5a0eccc85fc960834dd66e3befc2728284b86c ]

ACPICA commit 0d5f467d6a0ba852ea3aad68663cbcbd43300fd4

ACPI_ALLOCATE_ZEROED may fail, object_info might be null and will cause
null pointer dereference later.

Link: https://github.com/acpica/acpica/commit/0d5f467d
Signed-off-by: Bob Moore <robert.moore@intel.com>
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/acpi/acpica/dbnames.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/acpi/acpica/dbnames.c b/drivers/acpi/acpica/dbnames.c
index 3615e1a6efd8a..b91155ea9c343 100644
--- a/drivers/acpi/acpica/dbnames.c
+++ b/drivers/acpi/acpica/dbnames.c
@@ -652,6 +652,9 @@ acpi_status acpi_db_display_objects(char *obj_type_arg, char *display_count_arg)
 		object_info =
 		    ACPI_ALLOCATE_ZEROED(sizeof(struct acpi_object_info));
 
+		if (!object_info)
+			return (AE_NO_MEMORY);
+
 		/* Walk the namespace from the root */
 
 		(void)acpi_walk_namespace(ACPI_TYPE_ANY, ACPI_ROOT_OBJECT,
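Review bot: the new return (AE_NO_MEMORY) leaves acpi_db_display_objects() from inside a nested block. Please confirm that nothing acquired earlier in the function needs to be released on this path; if something does, release it before returning.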
-- 
2.39.2





* [PATCH 5.10 043/211] drm/amd: Fix an out of bounds error in BIOS parser
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (41 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 042/211] ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 044/211] wifi: ath: Silence memcpy run-time false positive warning Greg Kroah-Hartman
                   ` (173 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, erhard_f, Mario Limonciello,
	Harry Wentland, Alex Deucher, Sasha Levin

From: Mario Limonciello <mario.limonciello@amd.com>

[ Upstream commit d116db180decec1b21bba31d2ff495ac4d8e1b83 ]

The array is hardcoded to 8 in atomfirmware.h, but firmware provides
a bigger one sometimes. Dereferencing the larger array causes an out
of bounds error.

commit 4fc1ba4aa589 ("drm/amd/display: fix array index out of bound error
in bios parser") fixed some of this, but there are two other cases
not covered by it.  Fix those as well.

Reported-by: erhard_f@mailbox.org
Link: https://bugzilla.kernel.org/show_bug.cgi?id=214853
Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2473
Signed-off-by: Mario Limonciello <mario.limonciello@amd.com>
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c | 7 ++-----
 1 file changed, 2 insertions(+), 5 deletions(-)

diff --git a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
index 930d2b7d34489..9dd41eaf32cb5 100644
--- a/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
+++ b/drivers/gpu/drm/amd/display/dc/bios/bios_parser2.c
@@ -406,11 +406,8 @@ static enum bp_result get_gpio_i2c_info(
 	info->i2c_slave_address = record->i2c_slave_addr;
 
 	/* TODO: check how to get register offset for en, Y, etc. */
-	info->gpio_info.clk_a_register_index =
-			le16_to_cpu(
-			header->gpio_pin[table_index].data_a_reg_index);
-	info->gpio_info.clk_a_shift =
-			header->gpio_pin[table_index].gpio_bitshift;
+	info->gpio_info.clk_a_register_index = le16_to_cpu(pin->data_a_reg_index);
+	info->gpio_info.clk_a_shift = pin->gpio_bitshift;
 
 	return BP_RESULT_OK;
 }
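Review bot: the replacement lines read pin->data_a_reg_index and pin->gpio_bitshift, but pin is neither declared nor assigned anywhere in this hunk. For the 5.10 backport, please confirm that get_gpio_i2c_info() in this tree already sets pin from a bounds-checked lookup (the changelog points to 4fc1ba4aa589 for that); otherwise this either fails to build or loses the range check the change depends on.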
-- 
2.39.2





* [PATCH 5.10 044/211] wifi: ath: Silence memcpy run-time false positive warning
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (42 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 043/211] drm/amd: Fix an out of bounds error in BIOS parser Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 045/211] bpf: Annotate data races in bpf_local_storage Greg Kroah-Hartman
                   ` (172 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kalle Valo, David S. Miller,
	Eric Dumazet, Jakub Kicinski, Paolo Abeni, linux-wireless,
	netdev, Kees Cook, Kalle Valo, Sasha Levin

From: Kees Cook <keescook@chromium.org>

[ Upstream commit bfcc8ba45eb87bfaaff900bbad2b87b204899d41 ]

The memcpy() in ath_key_config() was attempting to write across
neighboring struct members in struct ath_keyval. Introduce a wrapping
struct_group, kv_values, to be the addressable target of the memcpy
without overflowing an individual member. Silences the false positive
run-time warning:

  memcpy: detected field-spanning write (size 32) of single field "hk.kv_val" at drivers/net/wireless/ath/key.c:506 (size 16)

Link: https://bbs.archlinux.org/viewtopic.php?id=282254
Cc: Kalle Valo <kvalo@kernel.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: linux-wireless@vger.kernel.org
Cc: netdev@vger.kernel.org
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230210054310.never.554-kees@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath.h | 12 +++++++-----
 drivers/net/wireless/ath/key.c |  2 +-
 2 files changed, 8 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/ath/ath.h b/drivers/net/wireless/ath/ath.h
index f083fb9038c36..f02a308a9ffc5 100644
--- a/drivers/net/wireless/ath/ath.h
+++ b/drivers/net/wireless/ath/ath.h
@@ -96,11 +96,13 @@ struct ath_keyval {
 	u8 kv_type;
 	u8 kv_pad;
 	u16 kv_len;
-	u8 kv_val[16]; /* TK */
-	u8 kv_mic[8]; /* Michael MIC key */
-	u8 kv_txmic[8]; /* Michael MIC TX key (used only if the hardware
-			 * supports both MIC keys in the same key cache entry;
-			 * in that case, kv_mic is the RX key) */
+	struct_group(kv_values,
+		u8 kv_val[16]; /* TK */
+		u8 kv_mic[8]; /* Michael MIC key */
+		u8 kv_txmic[8]; /* Michael MIC TX key (used only if the hardware
+				 * supports both MIC keys in the same key cache entry;
+				 * in that case, kv_mic is the RX key) */
+	);
 };
 
 enum ath_cipher {
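Review bot: this hunk depends on the struct_group() macro being present in the 5.10.y tree; please confirm the prerequisite is queued ahead of this patch. A short comment on kv_values saying it exists as the memcpy() target in ath_key_config() would also help, since the group has no other visible user.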
diff --git a/drivers/net/wireless/ath/key.c b/drivers/net/wireless/ath/key.c
index 61b59a804e308..b7b61d4f02bae 100644
--- a/drivers/net/wireless/ath/key.c
+++ b/drivers/net/wireless/ath/key.c
@@ -503,7 +503,7 @@ int ath_key_config(struct ath_common *common,
 
 	hk.kv_len = key->keylen;
 	if (key->keylen)
-		memcpy(hk.kv_val, key->key, key->keylen);
+		memcpy(&hk.kv_values, key->key, key->keylen);
 
 	if (!(key->flags & IEEE80211_KEY_FLAG_PAIRWISE)) {
 		switch (vif->type) {
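Review bot: memcpy(&hk.kv_values, key->key, key->keylen) is still guarded only by if (key->keylen); nothing in the visible lines bounds keylen against sizeof(hk.kv_values), which is 32 bytes per the struct in ath.h. An explicit check that returns an error when key->keylen > sizeof(hk.kv_values) would turn the assumption into something a reader can see.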
-- 
2.39.2





* [PATCH 5.10 045/211] bpf: Annotate data races in bpf_local_storage
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (43 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 044/211] wifi: ath: Silence memcpy run-time false positive warning Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 046/211] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex Greg Kroah-Hartman
                   ` (171 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Martin KaFai Lau, KP Singh,
	Kumar Kartikeya Dwivedi, Alexei Starovoitov, Sasha Levin

From: Kumar Kartikeya Dwivedi <memxor@gmail.com>

[ Upstream commit 0a09a2f933c73dc76ab0b72da6855f44342a8903 ]

There are a few cases where hlist_node is checked to be unhashed without
holding the lock protecting its modification. In this case, one must use
hlist_unhashed_lockless to avoid load tearing and KCSAN reports. Fix
this by using lockless variant in places not protected by the lock.

Since this is not prompted by any actual KCSAN reports but only from
code review, I have not included a fixes tag.

Cc: Martin KaFai Lau <martin.lau@kernel.org>
Cc: KP Singh <kpsingh@kernel.org>
Signed-off-by: Kumar Kartikeya Dwivedi <memxor@gmail.com>
Link: https://lore.kernel.org/r/20230221200646.2500777-4-memxor@gmail.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/bpf/bpf_local_storage.c | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/kernel/bpf/bpf_local_storage.c b/kernel/bpf/bpf_local_storage.c
index 8aaaaef99f09f..f753965726205 100644
--- a/kernel/bpf/bpf_local_storage.c
+++ b/kernel/bpf/bpf_local_storage.c
@@ -48,11 +48,21 @@ owner_storage(struct bpf_local_storage_map *smap, void *owner)
 	return map->ops->map_owner_storage_ptr(owner);
 }
 
+static bool selem_linked_to_storage_lockless(const struct bpf_local_storage_elem *selem)
+{
+	return !hlist_unhashed_lockless(&selem->snode);
+}
+
 static bool selem_linked_to_storage(const struct bpf_local_storage_elem *selem)
 {
 	return !hlist_unhashed(&selem->snode);
 }
 
+static bool selem_linked_to_map_lockless(const struct bpf_local_storage_elem *selem)
+{
+	return !hlist_unhashed_lockless(&selem->map_node);
+}
+
 static bool selem_linked_to_map(const struct bpf_local_storage_elem *selem)
 {
 	return !hlist_unhashed(&selem->map_node);
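Review bot: the two *_lockless helpers are added beside the locked ones with no comment on which to use where. A line above each pair stating that the plain variant requires the lock protecting the hlist_node, and that the _lockless variant is for checks made without it, would keep future callers from picking the wrong one.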
@@ -140,7 +150,7 @@ static void __bpf_selem_unlink_storage(struct bpf_local_storage_elem *selem)
 	struct bpf_local_storage *local_storage;
 	bool free_local_storage = false;
 
-	if (unlikely(!selem_linked_to_storage(selem)))
+	if (unlikely(!selem_linked_to_storage_lockless(selem)))
 		/* selem has already been unlinked from sk */
 		return;
 
@@ -167,7 +177,7 @@ void bpf_selem_unlink_map(struct bpf_local_storage_elem *selem)
 	struct bpf_local_storage_map *smap;
 	struct bpf_local_storage_map_bucket *b;
 
-	if (unlikely(!selem_linked_to_map(selem)))
+	if (unlikely(!selem_linked_to_map_lockless(selem)))
 		/* selem has already be unlinked from smap */
 		return;
 
@@ -365,7 +375,7 @@ bpf_local_storage_update(void *owner, struct bpf_local_storage_map *smap,
 		err = check_flags(old_sdata, map_flags);
 		if (err)
 			return ERR_PTR(err);
-		if (old_sdata && selem_linked_to_storage(SELEM(old_sdata))) {
+		if (old_sdata && selem_linked_to_storage_lockless(SELEM(old_sdata))) {
 			copy_map_value_locked(&smap->map, old_sdata->data,
 					      value, false);
 			return old_sdata;
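Review bot: in bpf_local_storage_update() the lockless helper only makes the read itself safe; the element can still be unlinked between selem_linked_to_storage_lockless() and copy_map_value_locked(). If that window is tolerated by design, a comment here saying so would help, since the helper name alone suggests the check is sufficient.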
-- 
2.39.2





* [PATCH 5.10 046/211] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (44 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 045/211] bpf: Annotate data races in bpf_local_storage Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 047/211] ext2: Check block size validity during mount Greg Kroah-Hartman
                   ` (170 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Linus Walleij, Arend van Spriel,
	Hector Martin, Kalle Valo, Sasha Levin

From: Hector Martin <marcan@marcan.st>

[ Upstream commit 89b89e52153fda2733562776c7c9d9d3ebf8dd6d ]

Apparently the hex passphrase mechanism does not work on newer
chips/firmware (e.g. BCM4387). It seems there was a simple way of
passing it in binary all along, so use that and avoid the hexification.

OpenBSD has been doing it like this from the beginning, so this should
work on all chips.

Also clear the structure before setting the PMK. This was leaking
uninitialized stack contents to the device.

Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Reviewed-by: Arend van Spriel <arend.vanspriel@broadcom.com>
Signed-off-by: Hector Martin <marcan@marcan.st>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/20230214092423.15175-6-marcan@marcan.st
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../wireless/broadcom/brcm80211/brcmfmac/cfg80211.c | 13 +++++++------
 1 file changed, 7 insertions(+), 6 deletions(-)

diff --git a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
index df59706197124..baf5f0afe802e 100644
--- a/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
+++ b/drivers/net/wireless/broadcom/brcm80211/brcmfmac/cfg80211.c
@@ -1350,13 +1350,14 @@ static int brcmf_set_pmk(struct brcmf_if *ifp, const u8 *pmk_data, u16 pmk_len)
 {
 	struct brcmf_pub *drvr = ifp->drvr;
 	struct brcmf_wsec_pmk_le pmk;
-	int i, err;
+	int err;
+
+	memset(&pmk, 0, sizeof(pmk));
 
-	/* convert to firmware key format */
-	pmk.key_len = cpu_to_le16(pmk_len << 1);
-	pmk.flags = cpu_to_le16(BRCMF_WSEC_PASSPHRASE);
-	for (i = 0; i < pmk_len; i++)
-		snprintf(&pmk.key[2 * i], 3, "%02x", pmk_data[i]);
+	/* pass pmk directly */
+	pmk.key_len = cpu_to_le16(pmk_len);
+	pmk.flags = cpu_to_le16(0);
+	memcpy(pmk.key, pmk_data, pmk_len);
 
 	/* store psk in firmware */
 	err = brcmf_fil_cmd_data_set(ifp, BRCMF_C_SET_WSEC_PMK,
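Review bot: `memcpy(pmk.key, pmk_data, pmk_len)` copies a caller-supplied `u16` length into the fixed-size `pmk.key` field, and nothing in this function bounds `pmk_len` first, so a length larger than the array overruns the on-stack structure. Reject oversized input before the copy, for example `if (pmk_len > sizeof(pmk.key)) return -EINVAL;`, unless every caller is documented to guarantee the limit.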
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 047/211] ext2: Check block size validity during mount
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (45 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 046/211] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 048/211] scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow Greg Kroah-Hartman
                   ` (169 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+4fec412f59eba8c01b77,
	Jan Kara, Sasha Levin

From: Jan Kara <jack@suse.cz>

[ Upstream commit 62aeb94433fcec80241754b70d0d1836d5926b0a ]

Check that log of block size stored in the superblock has sensible
value. Otherwise the shift computing the block size can overflow leading
to undefined behavior.

Reported-by: syzbot+4fec412f59eba8c01b77@syzkaller.appspotmail.com
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext2/ext2.h  | 1 +
 fs/ext2/super.c | 7 +++++++
 2 files changed, 8 insertions(+)

diff --git a/fs/ext2/ext2.h b/fs/ext2/ext2.h
index 5136b7289e8da..f06367cfd7641 100644
--- a/fs/ext2/ext2.h
+++ b/fs/ext2/ext2.h
@@ -177,6 +177,7 @@ static inline struct ext2_sb_info *EXT2_SB(struct super_block *sb)
 #define EXT2_MIN_BLOCK_SIZE		1024
 #define	EXT2_MAX_BLOCK_SIZE		4096
 #define EXT2_MIN_BLOCK_LOG_SIZE		  10
+#define EXT2_MAX_BLOCK_LOG_SIZE		  16
 #define EXT2_BLOCK_SIZE(s)		((s)->s_blocksize)
 #define	EXT2_ADDR_PER_BLOCK(s)		(EXT2_BLOCK_SIZE(s) / sizeof (__u32))
 #define EXT2_BLOCK_SIZE_BITS(s)		((s)->s_blocksize_bits)
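Review bot: `EXT2_MAX_BLOCK_LOG_SIZE` is defined as 16 two lines below `EXT2_MAX_BLOCK_SIZE` 4096, whose log is 12, so the two maxima in this header disagree about the largest block size. Add a comment saying which of the two is the real limit and that the new constant exists to bound the shift, so later readers do not take 64 KiB as a supported ext2 block size.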
diff --git a/fs/ext2/super.c b/fs/ext2/super.c
index 9a6475b2ab28b..ab01ec7ac48c5 100644
--- a/fs/ext2/super.c
+++ b/fs/ext2/super.c
@@ -950,6 +950,13 @@ static int ext2_fill_super(struct super_block *sb, void *data, int silent)
 		goto failed_mount;
 	}
 
+	if (le32_to_cpu(es->s_log_block_size) >
+	    (EXT2_MAX_BLOCK_LOG_SIZE - BLOCK_SIZE_BITS)) {
+		ext2_msg(sb, KERN_ERR,
+			 "Invalid log block size: %u",
+			 le32_to_cpu(es->s_log_block_size));
+		goto failed_mount;
+	}
 	blocksize = BLOCK_SIZE << le32_to_cpu(sbi->s_es->s_log_block_size);
 
 	if (test_opt(sb, DAX)) {
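Review bot: the new check reads `es->s_log_block_size` while the shift on the line after it reads `sbi->s_es->s_log_block_size`; validate and shift the same expression. Converting once into a local and using that local in the comparison, the message and `BLOCK_SIZE << ...` makes it obvious the checked value is the one used and drops the repeated `le32_to_cpu()` calls.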
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 048/211] scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (46 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 047/211] ext2: Check block size validity during mount Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 049/211] net: pasemi: Fix return type of pasemi_mac_start_tx() Greg Kroah-Hartman
                   ` (168 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Justin Tee, Martin K. Petersen, Sasha Levin

From: Justin Tee <justin.tee@broadcom.com>

[ Upstream commit c6087b82a9146826564a55c5ca0164cac40348f5 ]

A static code analysis tool flagged the possibility of buffer overflow when
using copy_from_user() for a debugfs entry.

Currently, it is possible that copy_from_user() copies more bytes than what
would fit in the mybuf char array.  Add a min() restriction check between
sizeof(mybuf) - 1 and nbytes passed from the userspace buffer to protect
against buffer overflow.

Link: https://lore.kernel.org/r/20230301231626.9621-2-justintee8345@gmail.com
Signed-off-by: Justin Tee <justin.tee@broadcom.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/lpfc/lpfc_debugfs.c | 7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/drivers/scsi/lpfc/lpfc_debugfs.c b/drivers/scsi/lpfc/lpfc_debugfs.c
index fbc76d69ea0b4..2b77cbbcdccb6 100644
--- a/drivers/scsi/lpfc/lpfc_debugfs.c
+++ b/drivers/scsi/lpfc/lpfc_debugfs.c
@@ -2159,10 +2159,13 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf,
 	char mybuf[64];
 	char *pbuf;
 	int i;
+	size_t bsize;
 
 	memset(mybuf, 0, sizeof(mybuf));
 
-	if (copy_from_user(mybuf, buf, nbytes))
+	bsize = min(nbytes, (sizeof(mybuf) - 1));
+
+	if (copy_from_user(mybuf, buf, bsize))
 		return -EFAULT;
 	pbuf = &mybuf[0];
 
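Review bot: the `- 1` in `min(nbytes, (sizeof(mybuf) - 1))` is what keeps `mybuf` NUL-terminated, and it only works together with the `memset()` a few lines above; nothing in the hunk says so. Add a one-line comment to that effect so the pair is not separated later, and consider returning `-EINVAL` for input longer than the buffer instead of silently parsing a truncated prefix.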
@@ -2183,7 +2186,7 @@ lpfc_debugfs_lockstat_write(struct file *file, const char __user *buf,
 			qp->lock_conflict.wq_access = 0;
 		}
 	}
-	return nbytes;
+	return bsize;
 }
 #endif
 
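Review bot: `return bsize;` reports a short write whenever the input was clamped, so a caller that loops on write() until every byte is consumed will call this handler again with the leftover tail and have it parsed as a fresh command. If oversized input is meant to be discarded, return `nbytes` after the clamp or reject it up front with an error; if the short count is intended, say so in a comment.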
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 049/211] net: pasemi: Fix return type of pasemi_mac_start_tx()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (47 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 048/211] scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 050/211] net: Catch invalid index in XPS mapping Greg Kroah-Hartman
                   ` (167 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Horatiu Vultur,
	Paolo Abeni, Sasha Levin

From: Nathan Chancellor <nathan@kernel.org>

[ Upstream commit c8384d4a51e7cb0e6587f3143f29099f202c5de1 ]

With clang's kernel control flow integrity (kCFI, CONFIG_CFI_CLANG),
indirect call targets are validated against the expected function
pointer prototype to make sure the call target is valid to help mitigate
ROP attacks. If they are not identical, there is a failure at run time,
which manifests as either a kernel panic or thread getting killed. A
warning in clang aims to catch these at compile time, which reveals:

  drivers/net/ethernet/pasemi/pasemi_mac.c:1665:21: error: incompatible function pointer types initializing 'netdev_tx_t (*)(struct sk_buff *, struct net_device *)' (aka 'enum netdev_tx (*)(struct sk_buff *, struct net_device *)') with an expression of type 'int (struct sk_buff *, struct net_device *)' [-Werror,-Wincompatible-function-pointer-types-strict]
          .ndo_start_xmit         = pasemi_mac_start_tx,
                                    ^~~~~~~~~~~~~~~~~~~
  1 error generated.

->ndo_start_xmit() in 'struct net_device_ops' expects a return type of
'netdev_tx_t', not 'int'. Adjust the return type of
pasemi_mac_start_tx() to match the prototype's to resolve the warning.
While PowerPC does not currently implement support for kCFI, it could in
the future, which means this warning becomes a fatal CFI failure at run
time.

Link: https://github.com/ClangBuiltLinux/linux/issues/1750
Signed-off-by: Nathan Chancellor <nathan@kernel.org>
Reviewed-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Link: https://lore.kernel.org/r/20230319-pasemi-incompatible-pointer-types-strict-v1-1-1b9459d8aef0@kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/pasemi/pasemi_mac.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/pasemi/pasemi_mac.c b/drivers/net/ethernet/pasemi/pasemi_mac.c
index 040a15a828b41..c1d7bd168f1d1 100644
--- a/drivers/net/ethernet/pasemi/pasemi_mac.c
+++ b/drivers/net/ethernet/pasemi/pasemi_mac.c
@@ -1423,7 +1423,7 @@ static void pasemi_mac_queue_csdesc(const struct sk_buff *skb,
 	write_dma_reg(PAS_DMA_TXCHAN_INCR(txring->chan.chno), 2);
 }
 
-static int pasemi_mac_start_tx(struct sk_buff *skb, struct net_device *dev)
+static netdev_tx_t pasemi_mac_start_tx(struct sk_buff *skb, struct net_device *dev)
 {
 	struct pasemi_mac * const mac = netdev_priv(dev);
 	struct pasemi_mac_txring * const txring = tx_ring(mac);
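Review bot: only the declared return type changes here, and the new declaration runs past 80 columns; the `return` statements in the body are not part of the hunk. Wrap the parameter list, and confirm the body returns `NETDEV_TX_OK` / `NETDEV_TX_BUSY` rather than bare integers so the values match the `netdev_tx_t` type.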
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 050/211] net: Catch invalid index in XPS mapping
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (48 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 049/211] net: pasemi: Fix return type of pasemi_mac_start_tx() Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 051/211] scsi: target: iscsit: Free cmds before session free Greg Kroah-Hartman
                   ` (166 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nick Child, Piotr Raczynski,
	Jakub Kicinski, Sasha Levin

From: Nick Child <nnac123@linux.ibm.com>

[ Upstream commit 5dd0dfd55baec0742ba8f5625a0dd064aca7db16 ]

When setting the XPS value of a TX queue, warn the user once if the
index of the queue is greater than the number of allocated TX queues.

Previously, this scenario went uncaught. In the best case, it resulted
in unnecessary allocations. In the worst case, it resulted in
out-of-bounds memory references through calls to `netdev_get_tx_queue(
dev, index)`. Therefore, it is important to inform the user but not
worth returning an error and risk downing the netdevice.

Signed-off-by: Nick Child <nnac123@linux.ibm.com>
Reviewed-by: Piotr Raczynski <piotr.raczynski@intel.com>
Link: https://lore.kernel.org/r/20230321150725.127229-1-nnac123@linux.ibm.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/core/dev.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/core/dev.c b/net/core/dev.c
index 1eaf224a90ce5..29e6e11c481c6 100644
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -2628,6 +2628,8 @@ int __netif_set_xps_queue(struct net_device *dev, const unsigned long *mask,
 	bool active = false;
 	unsigned int nr_ids;
 
+	WARN_ON_ONCE(index >= dev->num_tx_queues);
+
 	if (dev->num_tc) {
 		/* Do not allow XPS on subordinate device directly */
 		num_tc = dev->num_tc;
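Review bot: `WARN_ON_ONCE(index >= dev->num_tx_queues)` reports the bad index but the function carries on with it, so the out-of-bounds reference described in the commit message can still happen after the warning. On systems running with panic_on_warn the warning itself stops the machine, which is harsher than the error return the message wants to avoid. Consider `if (WARN_ON_ONCE(index >= dev->num_tx_queues)) return -EINVAL;`, or at least a comment explaining why execution continues.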
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 051/211] scsi: target: iscsit: Free cmds before session free
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (49 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 050/211] net: Catch invalid index in XPS mapping Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 052/211] lib: cpu_rmap: Avoid use after free on rmap->obj array entries Greg Kroah-Hartman
                   ` (165 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Forza, Dmitry Bogdanov,
	Mike Christie, Maurizio Lombardi, Martin K. Petersen,
	Sasha Levin

From: Dmitry Bogdanov <d.bogdanov@yadro.com>

[ Upstream commit d8990b5a4d065f38f35d69bcd627ec5a7f8330ca ]

Commands from recovery entries are freed after session has been closed.
That leads to use-after-free at command free or NPE with such call trace:

Time2Retain timer expired for SID: 1, cleaning up iSCSI session.
BUG: kernel NULL pointer dereference, address: 0000000000000140
RIP: 0010:sbitmap_queue_clear+0x3a/0xa0
Call Trace:
 target_release_cmd_kref+0xd1/0x1f0 [target_core_mod]
 transport_generic_free_cmd+0xd1/0x180 [target_core_mod]
 iscsit_free_cmd+0x53/0xd0 [iscsi_target_mod]
 iscsit_free_connection_recovery_entries+0x29d/0x320 [iscsi_target_mod]
 iscsit_close_session+0x13a/0x140 [iscsi_target_mod]
 iscsit_check_post_dataout+0x440/0x440 [iscsi_target_mod]
 call_timer_fn+0x24/0x140

Move cleanup of recovery entries to before session freeing.


Reported-by: Forza <forza@tnonline.net>
Signed-off-by: Dmitry Bogdanov <d.bogdanov@yadro.com>
Signed-off-by: Mike Christie <michael.christie@oracle.com>
Link: https://lore.kernel.org/r/20230319015620.96006-7-michael.christie@oracle.com
Reviewed-by: Maurizio Lombardi <mlombard@redhat.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/target/iscsi/iscsi_target.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/drivers/target/iscsi/iscsi_target.c b/drivers/target/iscsi/iscsi_target.c
index 6bb8403580729..075e2a6fb474f 100644
--- a/drivers/target/iscsi/iscsi_target.c
+++ b/drivers/target/iscsi/iscsi_target.c
@@ -4385,6 +4385,9 @@ int iscsit_close_session(struct iscsi_session *sess)
 	iscsit_stop_time2retain_timer(sess);
 	spin_unlock_bh(&se_tpg->session_lock);
 
+	if (sess->sess_ops->ErrorRecoveryLevel == 2)
+		iscsit_free_connection_recovery_entries(sess);
+
 	/*
 	 * transport_deregister_session_configfs() will clear the
 	 * struct se_node_acl->nacl_sess pointer now as a iscsi_np process context
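Review bot: the recovery-entry cleanup now has to run before the session is deregistered further down, but nothing at the new call site records that ordering requirement. A short comment above the `ErrorRecoveryLevel == 2` check saying the commands must be freed while the session still exists would stop a later cleanup from moving the call back.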
@@ -4412,9 +4415,6 @@ int iscsit_close_session(struct iscsi_session *sess)
 
 	transport_deregister_session(sess->se_sess);
 
-	if (sess->sess_ops->ErrorRecoveryLevel == 2)
-		iscsit_free_connection_recovery_entries(sess);
-
 	iscsit_free_all_ooo_cmdsns(sess);
 
 	spin_lock_bh(&se_tpg->session_lock);
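Review bot: `iscsit_free_all_ooo_cmdsns(sess)` still runs after `transport_deregister_session(sess->se_sess)`, the same position the recovery-entry cleanup is being moved away from. Please confirm it does not release anything that references the deregistered session; if it can, it needs the same move.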
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 052/211] lib: cpu_rmap: Avoid use after free on rmap->obj array entries
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (50 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 051/211] scsi: target: iscsit: Free cmds before session free Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 053/211] scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition Greg Kroah-Hartman
                   ` (164 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Gleixner, Eli Cohen,
	Saeed Mahameed, Jacob Keller, Sasha Levin

From: Eli Cohen <elic@nvidia.com>

[ Upstream commit 4e0473f1060aa49621d40a113afde24818101d37 ]

When calling irq_set_affinity_notifier() with NULL at the notify
argument, it will cause freeing of the glue pointer in the
corresponding array entry but will leave the pointer in the array. A
subsequent call to free_irq_cpu_rmap() will try to free this entry again
leading to possible use after free.

Fix that by setting NULL to the array entry and checking that we have
non-zero at the array entry when iterating over the array in
free_irq_cpu_rmap().

The current code does not suffer from this since there are no cases
where irq_set_affinity_notifier(irq, NULL) (note the NULL passed for the
notify arg) is called, followed by a call to free_irq_cpu_rmap() so we
don't hit an issue. Subsequent patches in this series exercise this
flow, hence the required fix.

Cc: Thomas Gleixner <tglx@linutronix.de>
Signed-off-by: Eli Cohen <elic@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Reviewed-by: Jacob Keller <jacob.e.keller@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 lib/cpu_rmap.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/lib/cpu_rmap.c b/lib/cpu_rmap.c
index f08d9c56f712e..e77f12bb3c774 100644
--- a/lib/cpu_rmap.c
+++ b/lib/cpu_rmap.c
@@ -232,7 +232,8 @@ void free_irq_cpu_rmap(struct cpu_rmap *rmap)
 
 	for (index = 0; index < rmap->used; index++) {
 		glue = rmap->obj[index];
-		irq_set_affinity_notifier(glue->notify.irq, NULL);
+		if (glue)
+			irq_set_affinity_notifier(glue->notify.irq, NULL);
 	}
 
 	cpu_rmap_put(rmap);
@@ -268,6 +269,7 @@ static void irq_cpu_rmap_release(struct kref *ref)
 		container_of(ref, struct irq_glue, notify.kref);
 
 	cpu_rmap_put(glue->rmap);
+	glue->rmap->obj[glue->index] = NULL;
 	kfree(glue);
 }
 
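Review bot: `glue->rmap->obj[glue->index] = NULL;` is placed after `cpu_rmap_put(glue->rmap);`, so if that put drops the last reference the store writes into a freed rmap. Clear the array slot first and drop the reference afterwards.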
@@ -297,6 +299,7 @@ int irq_cpu_rmap_add(struct cpu_rmap *rmap, int irq)
 	rc = irq_set_affinity_notifier(irq, &glue->notify);
 	if (rc) {
 		cpu_rmap_put(glue->rmap);
+		rmap->obj[glue->index] = NULL;
 		kfree(glue);
 	}
 	return rc;
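Review bot: this error path has the same ordering as irq_cpu_rmap_release(): the slot is cleared after `cpu_rmap_put(glue->rmap)`. The caller passed `rmap` in and presumably still holds its own reference, so it is less likely to bite here, but clearing `rmap->obj[glue->index]` before the put keeps both paths consistent and safe regardless of who holds the last reference.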
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 053/211] scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (51 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 052/211] lib: cpu_rmap: Avoid use after free on rmap->obj array entries Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 054/211] gfs2: Fix inode height consistency check Greg Kroah-Hartman
                   ` (163 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zheng Wang, Martin K. Petersen, Sasha Levin

From: Zheng Wang <zyytlz.wz@163.com>

[ Upstream commit f486893288f3e9b171b836f43853a6426515d800 ]

mptlan_probe() calls mpt_register_lan_device() which initializes the
&priv->post_buckets_task workqueue. A call to
mpt_lan_wake_post_buckets_task() will subsequently start the work.

During driver unload in mptlan_remove() the following race may occur:

CPU0                  CPU1

                    |mpt_lan_post_receive_buckets_work()
mptlan_remove()     |
  free_netdev()     |
    kfree(dev);     |
                    |
                    | dev->mtu
                    |   //use

Fix this by finishing the work prior to cleaning up in mptlan_remove().

[mkp: we really should remove mptlan instead of attempting to fix it]

Signed-off-by: Zheng Wang <zyytlz.wz@163.com>
Link: https://lore.kernel.org/r/20230318081635.796479-1-zyytlz.wz@163.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/message/fusion/mptlan.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/message/fusion/mptlan.c b/drivers/message/fusion/mptlan.c
index 7d3784aa20e58..90cc3cd49a5ee 100644
--- a/drivers/message/fusion/mptlan.c
+++ b/drivers/message/fusion/mptlan.c
@@ -1430,7 +1430,9 @@ mptlan_remove(struct pci_dev *pdev)
 {
 	MPT_ADAPTER 		*ioc = pci_get_drvdata(pdev);
 	struct net_device	*dev = ioc->netdev;
+	struct mpt_lan_priv *priv = netdev_priv(dev);
 
+	cancel_delayed_work_sync(&priv->post_buckets_task);
 	if(dev != NULL) {
 		unregister_netdev(dev);
 		free_netdev(dev);
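Review bot: `netdev_priv(dev)` and `cancel_delayed_work_sync(&priv->post_buckets_task)` now run before the existing `if(dev != NULL)` test, so if `ioc->netdev` can be NULL here the cancel operates on a pointer derived from NULL before the check is reached. Move the `priv` lookup and the cancel inside the `dev != NULL` branch, ahead of `unregister_netdev(dev)`, or drop the NULL check if it can never be true.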
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 054/211] gfs2: Fix inode height consistency check
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (52 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 053/211] scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 055/211] ext4: set goal start correctly in ext4_mb_normalize_request Greg Kroah-Hartman
                   ` (162 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+45d4691b1ed3c48eba05,
	Andreas Gruenbacher, Sasha Levin

From: Andreas Gruenbacher <agruenba@redhat.com>

[ Upstream commit cfcdb5bad34f600aed7613c3c1a5e618111f77b7 ]

The maximum allowed height of an inode's metadata tree depends on the
filesystem block size; it is lower for bigger-block filesystems.  When
reading in an inode, make sure that the height doesn't exceed the
maximum allowed height.

Arrays like sd_heightsize are sized to be big enough for any filesystem
block size; they will often be slightly bigger than what's needed for a
specific filesystem.

Reported-by: syzbot+45d4691b1ed3c48eba05@syzkaller.appspotmail.com
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/gfs2/glops.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/fs/gfs2/glops.c b/fs/gfs2/glops.c
index db28c240dae35..87f8110884663 100644
--- a/fs/gfs2/glops.c
+++ b/fs/gfs2/glops.c
@@ -405,6 +405,7 @@ static int inode_go_demote_ok(const struct gfs2_glock *gl)
 
 static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
 {
+	struct gfs2_sbd *sdp = GFS2_SB(&ip->i_inode);
 	const struct gfs2_dinode *str = buf;
 	struct timespec64 atime;
 	u16 height, depth;
@@ -444,7 +445,7 @@ static int gfs2_dinode_in(struct gfs2_inode *ip, const void *buf)
 	/* i_diskflags and i_eattr must be set before gfs2_set_inode_flags() */
 	gfs2_set_inode_flags(&ip->i_inode);
 	height = be16_to_cpu(str->di_height);
-	if (unlikely(height > GFS2_MAX_META_HEIGHT))
+	if (unlikely(height > sdp->sd_max_height))
 		goto corrupt;
 	ip->i_height = (u8)height;
 
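Review bot: the bound changes from the compile-time `GFS2_MAX_META_HEIGHT` to the per-filesystem `sdp->sd_max_height`, which is only as good as that field's own initialisation. State, or assert where it is computed, that `sd_max_height` is set before the first dinode is read and never exceeds `GFS2_MAX_META_HEIGHT`, since the commit message notes that arrays such as `sd_heightsize` are sized for any block size rather than for this filesystem.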
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 055/211] ext4: set goal start correctly in ext4_mb_normalize_request
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (53 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 054/211] gfs2: Fix inode height consistency check Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 056/211] ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() Greg Kroah-Hartman
                   ` (161 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kemeng Shi, Ritesh Harjani (IBM),
	Theodore Tso, Sasha Levin

From: Kemeng Shi <shikemeng@huaweicloud.com>

[ Upstream commit b07ffe6927c75d99af534d685282ea188d9f71a6 ]

We need to set ac_g_ex to notify the goal start used in
ext4_mb_find_by_goal. Set ac_g_ex instead of ac_f_ex in
ext4_mb_normalize_request.
Besides we should assure goal start is in range [first_data_block,
blocks_count) as ext4_mb_initialize_context does.

[ Added a check to make sure size is less than ar->pright; otherwise
  we could end up passing an underflowed value of ar->pright - size to
  ext4_get_group_no_and_offset(), which will trigger a BUG_ON later on.
  - TYT ]

Signed-off-by: Kemeng Shi <shikemeng@huaweicloud.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Link: https://lore.kernel.org/r/20230303172120.3800725-2-shikemeng@huaweicloud.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/mballoc.c | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index f18aa35b82b04..63c01e068bcb3 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -3512,6 +3512,7 @@ ext4_mb_normalize_request(struct ext4_allocation_context *ac,
 				struct ext4_allocation_request *ar)
 {
 	struct ext4_sb_info *sbi = EXT4_SB(ac->ac_sb);
+	struct ext4_super_block *es = sbi->s_es;
 	int bsbits, max;
 	ext4_lblk_t end;
 	loff_t size, start_off;
@@ -3692,18 +3693,21 @@ ext4_mb_normalize_request(struct ext4_allocation_context *ac,
 	ac->ac_g_ex.fe_len = EXT4_NUM_B2C(sbi, size);
 
 	/* define goal start in order to merge */
-	if (ar->pright && (ar->lright == (start + size))) {
+	if (ar->pright && (ar->lright == (start + size)) &&
+	    ar->pright >= size &&
+	    ar->pright - size >= le32_to_cpu(es->s_first_data_block)) {
 		/* merge to the right */
 		ext4_get_group_no_and_offset(ac->ac_sb, ar->pright - size,
-						&ac->ac_f_ex.fe_group,
-						&ac->ac_f_ex.fe_start);
+						&ac->ac_g_ex.fe_group,
+						&ac->ac_g_ex.fe_start);
 		ac->ac_flags |= EXT4_MB_HINT_TRY_GOAL;
 	}
-	if (ar->pleft && (ar->lleft + 1 == start)) {
+	if (ar->pleft && (ar->lleft + 1 == start) &&
+	    ar->pleft + 1 < ext4_blocks_count(es)) {
 		/* merge to the left */
 		ext4_get_group_no_and_offset(ac->ac_sb, ar->pleft + 1,
-						&ac->ac_f_ex.fe_group,
-						&ac->ac_f_ex.fe_start);
+						&ac->ac_g_ex.fe_group,
+						&ac->ac_g_ex.fe_start);
 		ac->ac_flags |= EXT4_MB_HINT_TRY_GOAL;
 	}
 
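Review bot: the two merge branches validate different ends of the range: the right merge checks `ar->pright - size` against `s_first_data_block` only, the left merge checks `ar->pleft + 1` against `ext4_blocks_count(es)` only. If each omitted bound is implied, say why in the `/* define goal start in order to merge */` comment; otherwise check both bounds in both branches. `ar->pright >= size` also compares against `size`, which is declared as a signed `loff_t` in this function, so make sure the comparison is done in the intended type.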
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 056/211] ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (54 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 055/211] ext4: set goal start correctly in ext4_mb_normalize_request Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 057/211] f2fs: fix to drop all dirty pages during umount() if cp_error is set Greg Kroah-Hartman
                   ` (160 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jan Kara, Ojaswin Mujoo,
	Ritesh Harjani (IBM),
	Theodore Tso, Sasha Levin

From: Ojaswin Mujoo <ojaswin@linux.ibm.com>

[ Upstream commit 93cdf49f6eca5e23f6546b8f28457b2e6a6961d9 ]

When the length of best extent found is less than the length of goal extent
we need to make sure that the best extent at least covers the start of the
original request. This is done by adjusting the ac_b_ex.fe_logical (logical
start) of the extent.

While doing so, the current logic sometimes results in the best extent's
logical range overflowing the goal extent. Since this best extent is later
added to the inode preallocation list, we have a possibility of introducing
overlapping preallocations. This is discussed in detail here [1].

As per Jan's suggestion, to fix this, replace the existing logic with the
below logic for adjusting best extent as it keeps fragmentation in check
while ensuring logical range of best extent doesn't overflow out of goal
extent:

1. Check if best extent can be kept at end of goal range and still cover
   original start.
2. Else, check if best extent can be kept at start of goal range and still
   cover original start.
3. Else, keep the best extent at start of original request.

Also, add a few extra BUG_ONs that might help catch errors faster.

[1] https://lore.kernel.org/r/Y+OGkVvzPN0RMv0O@li-bb2b2a4c-3307-11b2-a85c-8fa5c3a69313.ibm.com

Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ojaswin Mujoo <ojaswin@linux.ibm.com>
Reviewed-by: Ritesh Harjani (IBM) <ritesh.list@gmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Link: https://lore.kernel.org/r/f96aca6d415b36d1f90db86c1a8cd7e2e9d7ab0e.1679731817.git.ojaswin@linux.ibm.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ext4/mballoc.c | 49 ++++++++++++++++++++++++++++++-----------------
 1 file changed, 31 insertions(+), 18 deletions(-)

diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index 63c01e068bcb3..8a51448b76700 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -3800,6 +3800,7 @@ static void ext4_mb_use_inode_pa(struct ext4_allocation_context *ac,
 	BUG_ON(start < pa->pa_pstart);
 	BUG_ON(end > pa->pa_pstart + EXT4_C2B(sbi, pa->pa_len));
 	BUG_ON(pa->pa_free < len);
+	BUG_ON(ac->ac_b_ex.fe_len <= 0);
 	pa->pa_free -= len;
 
 	mb_debug(ac->ac_sb, "use %llu/%d from inode pa %p\n", start, len, pa);
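Review bot: `BUG_ON(ac->ac_b_ex.fe_len <= 0)` takes the whole machine down for an allocator inconsistency. A `WARN_ON_ONCE()` with an error path would give the same diagnostic without a crash; if it stays a `BUG_ON`, note what `<= 0` is meant to catch given the type of `fe_len`.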
@@ -4129,10 +4130,8 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
 	pa = ac->ac_pa;
 
 	if (ac->ac_b_ex.fe_len < ac->ac_g_ex.fe_len) {
-		int winl;
-		int wins;
-		int win;
-		int offs;
+		int new_bex_start;
+		int new_bex_end;
 
 		/* we can't allocate as much as normalizer wants.
 		 * so, found space must get proper lstart
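Review bot: `new_bex_start` and `new_bex_end` are declared `int` but will hold a logical block number plus a block count. For files with large logical offsets that sum may not fit in a signed 32-bit value, and the comparisons against `fe_logical` would then be made on a wrapped number. Declare them with the same type as `fe_logical`, or a wider one such as `loff_t`.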
@@ -4140,26 +4139,40 @@ ext4_mb_new_inode_pa(struct ext4_allocation_context *ac)
 		BUG_ON(ac->ac_g_ex.fe_logical > ac->ac_o_ex.fe_logical);
 		BUG_ON(ac->ac_g_ex.fe_len < ac->ac_o_ex.fe_len);
 
-		/* we're limited by original request in that
-		 * logical block must be covered any way
-		 * winl is window we can move our chunk within */
-		winl = ac->ac_o_ex.fe_logical - ac->ac_g_ex.fe_logical;
+		/*
+		 * Use the below logic for adjusting best extent as it keeps
+		 * fragmentation in check while ensuring logical range of best
+		 * extent doesn't overflow out of goal extent:
+		 *
+		 * 1. Check if best ex can be kept at end of goal and still
+		 *    cover original start
+		 * 2. Else, check if best ex can be kept at start of goal and
+		 *    still cover original start
+		 * 3. Else, keep the best ex at start of original request.
+		 */
+		new_bex_end = ac->ac_g_ex.fe_logical +
+			EXT4_C2B(sbi, ac->ac_g_ex.fe_len);
+		new_bex_start = new_bex_end - EXT4_C2B(sbi, ac->ac_b_ex.fe_len);
+		if (ac->ac_o_ex.fe_logical >= new_bex_start)
+			goto adjust_bex;
 
-		/* also, we should cover whole original request */
-		wins = EXT4_C2B(sbi, ac->ac_b_ex.fe_len - ac->ac_o_ex.fe_len);
+		new_bex_start = ac->ac_g_ex.fe_logical;
+		new_bex_end =
+			new_bex_start + EXT4_C2B(sbi, ac->ac_b_ex.fe_len);
+		if (ac->ac_o_ex.fe_logical < new_bex_end)
+			goto adjust_bex;
 
-		/* the smallest one defines real window */
-		win = min(winl, wins);
+		new_bex_start = ac->ac_o_ex.fe_logical;
+		new_bex_end =
+			new_bex_start + EXT4_C2B(sbi, ac->ac_b_ex.fe_len);
 
-		offs = ac->ac_o_ex.fe_logical %
-			EXT4_C2B(sbi, ac->ac_b_ex.fe_len);
-		if (offs && offs < win)
-			win = offs;
+adjust_bex:
+		ac->ac_b_ex.fe_logical = new_bex_start;
 
-		ac->ac_b_ex.fe_logical = ac->ac_o_ex.fe_logical -
-			EXT4_NUM_B2C(sbi, win);
 		BUG_ON(ac->ac_o_ex.fe_logical < ac->ac_b_ex.fe_logical);
 		BUG_ON(ac->ac_o_ex.fe_len > ac->ac_b_ex.fe_len);
+		BUG_ON(new_bex_end > (ac->ac_g_ex.fe_logical +
+				      EXT4_C2B(sbi, ac->ac_g_ex.fe_len)));
 	}
 
 	/* preallocation can change ac_b_ex, thus we store actually
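Review bot: the closing `BUG_ON(new_bex_end > ...)` asserts only the upper edge of the goal range; that `new_bex_start` in step 1 cannot fall below `ac->ac_g_ex.fe_logical` follows from the enclosing `ac_b_ex.fe_len < ac_g_ex.fe_len` test but is stated nowhere. A sentence in the new comment block, or a matching lower-bound check, would document it. The `goto adjust_bex` chain could also be written as an if / else-if ladder, which avoids a label inside the block.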
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread
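The three-step placement described in the commit message of patch 056 above, as an added userspace model that is not part of the patch or of ext4. It assumes a cluster size of one block, half-open ranges, and an original request that lies inside the goal; `struct range`, `place_best_extent()` and `count_violations()` are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>

/* Half-open logical block range [start, start + len). Constructed model:
 * cluster size is one block, so the kernel's EXT4_C2B() is the identity. */
struct range {
	uint64_t start;
	uint64_t len;
};

/*
 * Place a best extent of best_len blocks inside the goal range so that it
 * covers the first block of the original request. Returns 0 and stores the
 * chosen logical start, or -1 if the inputs break the assumed preconditions.
 */
int place_best_extent(struct range goal, struct range orig,
		      uint64_t best_len, uint64_t *placed_start)
{
	uint64_t goal_end = goal.start + goal.len;
	uint64_t start;

	/* Assumed preconditions: the original request lies inside the goal,
	 * and the best extent is shorter than the goal but holds the request. */
	if (orig.len == 0 || orig.start < goal.start ||
	    orig.start + orig.len > goal_end)
		return -1;
	if (best_len < orig.len || best_len >= goal.len)
		return -1;

	/* 1. Best extent at the end of the goal range. */
	start = goal_end - best_len;
	if (orig.start >= start)
		goto done;

	/* 2. Best extent at the start of the goal range. */
	start = goal.start;
	if (orig.start < start + best_len)
		goto done;

	/* 3. Best extent at the start of the original request. */
	start = orig.start;
done:
	*placed_start = start;
	return 0;
}

/*
 * Try every small combination and count placements that miss the original
 * start or leave the goal range. Returns the number of violations found.
 */
unsigned int count_violations(uint64_t max_goal_len)
{
	unsigned int bad = 0;
	struct range goal, orig;
	uint64_t best_len, goal_end, s;

	goal.start = 100;	/* arbitrary non-zero base, constructed */
	for (goal.len = 2; goal.len <= max_goal_len; goal.len++) {
		goal_end = goal.start + goal.len;
		for (orig.start = goal.start; orig.start < goal_end; orig.start++) {
			for (orig.len = 1; orig.start + orig.len <= goal_end; orig.len++) {
				for (best_len = orig.len; best_len < goal.len; best_len++) {
					if (place_best_extent(goal, orig, best_len, &s)) {
						bad++;
						continue;
					}
					/* must cover the original start */
					if (s > orig.start || orig.start >= s + best_len)
						bad++;
					/* must stay inside the goal range */
					if (s < goal.start || s + best_len > goal_end)
						bad++;
				}
			}
		}
	}
	return bad;
}

int main(void)
{
	struct range goal = { 0, 32 }, orig = { 10, 2 };
	uint64_t s = 0;

	if (place_best_extent(goal, orig, 8, &s) == 0)
		printf("goal [0,32) orig start 10 best len 8 -> start %llu\n",
		       (unsigned long long)s);
	printf("violations for goal lengths up to 12: %u\n",
	       count_violations(12));
	return 0;
}
```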

* [PATCH 5.10 057/211] f2fs: fix to drop all dirty pages during umount() if cp_error is set
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (55 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 056/211] ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 058/211] samples/bpf: Fix fout leak in hbms run_bpf_prog Greg Kroah-Hartman
                   ` (159 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Chao Yu, Jaegeuk Kim, Sasha Levin

From: Chao Yu <chao@kernel.org>

[ Upstream commit c9b3649a934d131151111354bcbb638076f03a30 ]

xfstest generic/361 reports a bug as below:

f2fs_bug_on(sbi, sbi->fsync_node_num);

kernel BUG at fs/f2fs/super.c:1627!
RIP: 0010:f2fs_put_super+0x3a8/0x3b0
Call Trace:
 generic_shutdown_super+0x8c/0x1b0
 kill_block_super+0x2b/0x60
 kill_f2fs_super+0x87/0x110
 deactivate_locked_super+0x39/0x80
 deactivate_super+0x46/0x50
 cleanup_mnt+0x109/0x170
 __cleanup_mnt+0x16/0x20
 task_work_run+0x65/0xa0
 exit_to_user_mode_prepare+0x175/0x190
 syscall_exit_to_user_mode+0x25/0x50
 do_syscall_64+0x4c/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc

During umount(), if cp_error is set, f2fs_wait_on_all_pages() should
not stop waiting for all F2FS_WB_CP_DATA pages to be written back;
otherwise, fsync_node_num can be non-zero after f2fs_wait_on_all_pages(),
causing this bug.

In this case, to avoid a dead loop in f2fs_wait_on_all_pages(), it needs
to drop all dirty pages rather than redirtying them.

Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/f2fs/checkpoint.c | 12 ++++++++++--
 fs/f2fs/data.c       |  3 ++-
 2 files changed, 12 insertions(+), 3 deletions(-)

diff --git a/fs/f2fs/checkpoint.c b/fs/f2fs/checkpoint.c
index cd46a64ace1b3..8ca549cc975e4 100644
--- a/fs/f2fs/checkpoint.c
+++ b/fs/f2fs/checkpoint.c
@@ -309,8 +309,15 @@ static int __f2fs_write_meta_page(struct page *page,
 
 	trace_f2fs_writepage(page, META);
 
-	if (unlikely(f2fs_cp_error(sbi)))
+	if (unlikely(f2fs_cp_error(sbi))) {
+		if (is_sbi_flag_set(sbi, SBI_IS_CLOSE)) {
+			ClearPageUptodate(page);
+			dec_page_count(sbi, F2FS_DIRTY_META);
+			unlock_page(page);
+			return 0;
+		}
 		goto redirty_out;
+	}
 	if (unlikely(is_sbi_flag_set(sbi, SBI_POR_DOING)))
 		goto redirty_out;
 	if (wbc->for_reclaim && page->index < GET_SUM_BLOCK(sbi, 0))
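
Review bot: The new SBI_IS_CLOSE branch returns 0 after ClearPageUptodate(), dec_page_count() and unlock_page(), so the caller sees success for a meta page that was discarded, and nothing in the code says this is intentional. A short comment above the branch, saying that dirty meta pages are dropped at umount once cp_error is set instead of being redirtied, would keep a later reader from changing it back to goto redirty_out.
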
@@ -1283,7 +1290,8 @@ void f2fs_wait_on_all_pages(struct f2fs_sb_info *sbi, int type)
 		if (!get_pages(sbi, type))
 			break;
 
-		if (unlikely(f2fs_cp_error(sbi)))
+		if (unlikely(f2fs_cp_error(sbi) &&
+			!is_sbi_flag_set(sbi, SBI_IS_CLOSE)))
 			break;
 
 		if (type == F2FS_DIRTY_META)
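
Review bot: With the added !is_sbi_flag_set(sbi, SBI_IS_CLOSE) term, the cp_error exit from this loop is disabled during umount, so the only way out is get_pages(sbi, type) reaching zero. Termination now depends on every writeback path dropping its pages under cp_error rather than redirtying them; a comment at the condition naming that dependency would help, since any path that still redirties would make this loop spin.
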
diff --git a/fs/f2fs/data.c b/fs/f2fs/data.c
index e9481c940895c..e0533cffbb076 100644
--- a/fs/f2fs/data.c
+++ b/fs/f2fs/data.c
@@ -2814,7 +2814,8 @@ int f2fs_write_single_data_page(struct page *page, int *submitted,
 		 * don't drop any dirty dentry pages for keeping lastest
 		 * directory structure.
 		 */
-		if (S_ISDIR(inode->i_mode))
+		if (S_ISDIR(inode->i_mode) &&
+				!is_sbi_flag_set(sbi, SBI_IS_CLOSE))
 			goto redirty_out;
 		goto out;
 	}
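
Review bot: The comment directly above the changed condition still says dirty dentry pages are never dropped, which no longer holds once SBI_IS_CLOSE is set. Please update that comment in the same patch to mention the umount exception.
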
-- 
2.39.2





* [PATCH 5.10 058/211] samples/bpf: Fix fout leak in hbms run_bpf_prog
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hao Zeng, Daniel Borkmann, Sasha Levin

From: Hao Zeng <zenghao@kylinos.cn>

[ Upstream commit 23acb14af1914010dd0aae1bbb7fab28bf518b8e ]

Fix fout being fopen'ed but then not subsequently fclose'd. In the affected
branch, fout is otherwise going out of scope.

Signed-off-by: Hao Zeng <zenghao@kylinos.cn>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Link: https://lore.kernel.org/bpf/20230411084349.1999628-1-zenghao@kylinos.cn
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 samples/bpf/hbm.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/samples/bpf/hbm.c b/samples/bpf/hbm.c
index ff4c533dfac29..8e48489b96ae9 100644
--- a/samples/bpf/hbm.c
+++ b/samples/bpf/hbm.c
@@ -308,6 +308,7 @@ static int run_bpf_prog(char *prog, int cg_id)
 		fout = fopen(fname, "w");
 		fprintf(fout, "id:%d\n", cg_id);
 		fprintf(fout, "ERROR: Could not lookup queue_stats\n");
+		fclose(fout);
 	} else if (stats_flag && qstats.lastPacketTime >
 		   qstats.firstPacketTime) {
 		long long delta_us = (qstats.lastPacketTime -
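
Review bot: The fclose(fout) added here, like the two fprintf() calls before it, runs on an unchecked fopen() result; if fopen(fname, "w") fails, fout is NULL and this branch crashes instead of reporting the lookup error. Wrapping the three calls in if (fout), or returning early on NULL, would cover both the leak and the NULL case.
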
-- 
2.39.2





* [PATCH 5.10 059/211] wifi: iwlwifi: pcie: fix possible NULL pointer dereference
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Daniel Gabay, Gregory Greenman,
	Johannes Berg, Sasha Levin

From: Daniel Gabay <daniel.gabay@intel.com>

[ Upstream commit b655b9a9f8467684cfa8906713d33b71ea8c8f54 ]

It is possible that iwl_pci_probe() will fail and free the trans,
then afterwards iwl_pci_remove() will be called and crash by trying
to access trans, which is already freed. Fix it.

iwlwifi 0000:01:00.0: Detected crf-id 0xa5a5a5a2, cnv-id 0xa5a5a5a2
		      wfpm id 0xa5a5a5a2
iwlwifi 0000:01:00.0: Can't find a correct rfid for crf id 0x5a2
...
BUG: kernel NULL pointer dereference, address: 0000000000000028
...
RIP: 0010:iwl_pci_remove+0x12/0x30 [iwlwifi]
pci_device_remove+0x3e/0xb0
device_release_driver_internal+0x103/0x1f0
driver_detach+0x4c/0x90
bus_remove_driver+0x5c/0xd0
driver_unregister+0x31/0x50
pci_unregister_driver+0x40/0x90
iwl_pci_unregister_driver+0x15/0x20 [iwlwifi]
__exit_compat+0x9/0x98 [iwlwifi]
__x64_sys_delete_module+0x147/0x260

Signed-off-by: Daniel Gabay <daniel.gabay@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230413213309.082f6e21341b.I0db21d7fa9a828d571ca886713bd0b5d0b6e1e5c@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/pcie/drv.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
index 4e43efd5d1ea1..dc0a507213ca6 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/drv.c
@@ -1214,6 +1214,9 @@ static void iwl_pci_remove(struct pci_dev *pdev)
 {
 	struct iwl_trans *trans = pci_get_drvdata(pdev);
 
+	if (!trans)
+		return;
+
 	iwl_drv_stop(trans->drv);
 
 	iwl_trans_pcie_free(trans);
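
Review bot: The !trans check at the top of iwl_pci_remove() only helps if the failed probe leaves the driver data NULL. The commit message says probe frees trans, and a freed but non-NULL pointer returned by pci_get_drvdata() would pass this check and still be dereferenced in iwl_drv_stop(trans->drv). Please confirm that the probe error path clears drvdata, and add a one-line comment here saying that a NULL trans means probe failed.
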
-- 
2.39.2





* [PATCH 5.10 060/211] wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hyunwoo Kim, Gregory Greenman,
	Johannes Berg, Sasha Levin

From: Hyunwoo Kim <imv4bel@gmail.com>

[ Upstream commit 58d1b717879bfeabe09b35e41ad667c79933eb2e ]

An integer overflow occurs in the iwl_write_to_user_buf() function,
which is called by the iwl_dbgfs_monitor_data_read() function.

static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count,
				  void *buf, ssize_t *size,
				  ssize_t *bytes_copied)
{
	int buf_size_left = count - *bytes_copied;

	buf_size_left = buf_size_left - (buf_size_left % sizeof(u32));
	if (*size > buf_size_left)
		*size = buf_size_left;

If the user passes a SIZE_MAX value to the "ssize_t count" parameter,
the ssize_t count parameter is assigned to "int buf_size_left".
Then "*size" is compared with "buf_size_left". Here, "buf_size_left" is a
negative number, so "*size" is assigned "buf_size_left" and goes into
the third argument of the copy_to_user function, causing a heap overflow.

This is not a security vulnerability because iwl_dbgfs_monitor_data_read()
is a debugfs operation with 0400 privileges.

Signed-off-by: Hyunwoo Kim <imv4bel@gmail.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230414130637.2d80ace81532.Iecfba549e0e0be21bbb0324675392e42e75bd5ad@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/pcie/trans.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
index 7f8b7f7697cfd..fac7cc75bc31e 100644
--- a/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
+++ b/drivers/net/wireless/intel/iwlwifi/pcie/trans.c
@@ -2835,7 +2835,7 @@ static bool iwl_write_to_user_buf(char __user *user_buf, ssize_t count,
 				  void *buf, ssize_t *size,
 				  ssize_t *bytes_copied)
 {
-	int buf_size_left = count - *bytes_copied;
+	ssize_t buf_size_left = count - *bytes_copied;
 
 	buf_size_left = buf_size_left - (buf_size_left % sizeof(u32));
 	if (*size > buf_size_left)
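
Review bot: Widening buf_size_left to ssize_t stops the truncation, but the lines below it still never check that the value is positive. If count is ever smaller than *bytes_copied, buf_size_left is negative, *size > buf_size_left holds, and *size is set to a negative length. An explicit early return when buf_size_left <= 0, placed before the alignment step, would make the function safe without relying on its caller.
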
-- 
2.39.2





* [PATCH 5.10 061/211] null_blk: Always check queue mode setting from configfs
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Chaitanya Kulkarni, Damien Le Moal,
	Ming Lei, Nitesh Shetty, Jens Axboe, Sasha Levin

From: Chaitanya Kulkarni <kch@nvidia.com>

[ Upstream commit 63f8793ee60513a09f110ea460a6ff2c33811cdb ]

Make sure to check the device queue mode in null_validate_conf() and
return an error for NULL_Q_RQ, as we don't allow the legacy I/O path.
Without this patch we get an Oops when queue mode is set to 1 from
configfs. The following are the repro steps:

modprobe null_blk nr_devices=0
mkdir config/nullb/nullb0
echo 1 > config/nullb/nullb0/memory_backed
echo 4096 > config/nullb/nullb0/blocksize
echo 20480 > config/nullb/nullb0/size
echo 1 > config/nullb/nullb0/queue_mode
echo 1 > config/nullb/nullb0/power

Entering kdb (current=0xffff88810acdd080, pid 2372) on processor 42 Oops: (null)
due to oops @ 0xffffffffc041c329
CPU: 42 PID: 2372 Comm: sh Tainted: G           O     N 6.3.0-rc5lblk+ #5
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
RIP: 0010:null_add_dev.part.0+0xd9/0x720 [null_blk]
Code: 01 00 00 85 d2 0f 85 a1 03 00 00 48 83 bb 08 01 00 00 00 0f 85 f7 03 00 00 80 bb 62 01 00 00 00 48 8b 75 20 0f 85 6d 02 00 00 <48> 89 6e 60 48 8b 75 20 bf 06 00 00 00 e8 f5 37 2c c1 48 8b 75 20
RSP: 0018:ffffc900052cbde0 EFLAGS: 00010246
RAX: 0000000000000001 RBX: ffff88811084d800 RCX: 0000000000000001
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffff888100042e00
RBP: ffff8881053d8200 R08: ffffc900052cbd68 R09: ffff888105db2000
R10: 0000000000000001 R11: 0000000000000000 R12: 0000000000000002
R13: ffff888104765200 R14: ffff88810eec1748 R15: ffff88810eec1740
FS:  00007fd445fd1740(0000) GS:ffff8897dfc80000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000060 CR3: 0000000166a00000 CR4: 0000000000350ee0
DR0: ffffffff8437a488 DR1: ffffffff8437a489 DR2: ffffffff8437a48a
DR3: ffffffff8437a48b DR6: 00000000ffff0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 nullb_device_power_store+0xd1/0x120 [null_blk]
 configfs_write_iter+0xb4/0x120
 vfs_write+0x2ba/0x3c0
 ksys_write+0x5f/0xe0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x72/0xdc
RIP: 0033:0x7fd4460c57a7
Code: 0d 00 f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04 25 18 00 00 00 85 c0 75 10 b8 01 00 00 00 0f 05 <48> 3d 00 f0 ff ff 77 51 c3 48 83 ec 28 48 89 54 24 18 48 89 74 24
RSP: 002b:00007ffd3792a4a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 0000000000000002 RCX: 00007fd4460c57a7
RDX: 0000000000000002 RSI: 000055b43c02e4c0 RDI: 0000000000000001
RBP: 000055b43c02e4c0 R08: 000000000000000a R09: 00007fd44615b4e0
R10: 00007fd44615b3e0 R11: 0000000000000246 R12: 0000000000000002
R13: 00007fd446198520 R14: 0000000000000002 R15: 00007fd446198700
 </TASK>

Signed-off-by: Chaitanya Kulkarni <kch@nvidia.com>
Reviewed-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Nitesh Shetty <nj.shetty@samsung.com>
Link: https://lore.kernel.org/r/20230416220339.43845-1-kch@nvidia.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/block/null_blk/main.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/drivers/block/null_blk/main.c b/drivers/block/null_blk/main.c
index 25db095e943b7..35b390a785dd4 100644
--- a/drivers/block/null_blk/main.c
+++ b/drivers/block/null_blk/main.c
@@ -1738,6 +1738,11 @@ static int null_init_tag_set(struct nullb *nullb, struct blk_mq_tag_set *set)
 
 static int null_validate_conf(struct nullb_device *dev)
 {
+	if (dev->queue_mode == NULL_Q_RQ) {
+		pr_err("legacy IO path is no longer available\n");
+		return -EINVAL;
+	}
+
 	dev->blocksize = round_down(dev->blocksize, 512);
 	dev->blocksize = clamp_t(unsigned int, dev->blocksize, 512, 4096);
 
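
Review bot: The pr_err() text in the new check does not say which setting was rejected, so a user who wrote 1 to queue_mode through configfs sees only "legacy IO path is no longer available" next to -EINVAL. Naming queue_mode in the message would make the failure self-explanatory.
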
-- 
2.39.2





* [PATCH 5.10 062/211] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kees Cook, Johannes Berg,
	Hans de Goede, Johannes Berg, Sasha Levin

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit ef16799640865f937719f0771c93be5dca18adc6 ]

A received TKIP key may be up to 32 bytes because it may contain
MIC rx/tx keys too. These are not used by iwl and copying these
over overflows the iwl_keyinfo.key field.

Add a check to not copy more data to iwl_keyinfo.key than will fit.

This fixes backtraces like this one:

 memcpy: detected field-spanning write (size 32) of single field "sta_cmd.key.key" at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 (size 16)
 WARNING: CPU: 1 PID: 946 at drivers/net/wireless/intel/iwlwifi/dvm/sta.c:1103 iwlagn_send_sta_key+0x375/0x390 [iwldvm]
 <snip>
 Hardware name: Dell Inc. Latitude E6430/0H3MT5, BIOS A21 05/08/2017
 RIP: 0010:iwlagn_send_sta_key+0x375/0x390 [iwldvm]
 <snip>
 Call Trace:
  <TASK>
  iwl_set_dynamic_key+0x1f0/0x220 [iwldvm]
  iwlagn_mac_set_key+0x1e4/0x280 [iwldvm]
  drv_set_key+0xa4/0x1b0 [mac80211]
  ieee80211_key_enable_hw_accel+0xa8/0x2d0 [mac80211]
  ieee80211_key_replace+0x22d/0x8e0 [mac80211]
 <snip>

Link: https://www.alionet.org/index.php?topic=1469.0
Link: https://lore.kernel.org/linux-wireless/20230218191056.never.374-kees@kernel.org/
Link: https://lore.kernel.org/linux-wireless/68760035-7f75-1b23-e355-bfb758a87d83@redhat.com/
Cc: Kees Cook <keescook@chromium.org>
Suggested-by: Johannes Berg <johannes@sipsolutions.net>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/dvm/sta.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/wireless/intel/iwlwifi/dvm/sta.c b/drivers/net/wireless/intel/iwlwifi/dvm/sta.c
index e622948661fa8..b307f0e527779 100644
--- a/drivers/net/wireless/intel/iwlwifi/dvm/sta.c
+++ b/drivers/net/wireless/intel/iwlwifi/dvm/sta.c
@@ -1086,6 +1086,7 @@ static int iwlagn_send_sta_key(struct iwl_priv *priv,
 {
 	__le16 key_flags;
 	struct iwl_addsta_cmd sta_cmd;
+	size_t to_copy;
 	int i;
 
 	spin_lock_bh(&priv->sta_lock);
@@ -1105,7 +1106,9 @@ static int iwlagn_send_sta_key(struct iwl_priv *priv,
 		sta_cmd.key.tkip_rx_tsc_byte2 = tkip_iv32;
 		for (i = 0; i < 5; i++)
 			sta_cmd.key.tkip_rx_ttak[i] = cpu_to_le16(tkip_p1k[i]);
-		memcpy(sta_cmd.key.key, keyconf->key, keyconf->keylen);
+		/* keyconf may contain MIC rx/tx keys which iwl does not use */
+		to_copy = min_t(size_t, sizeof(sta_cmd.key.key), keyconf->keylen);
+		memcpy(sta_cmd.key.key, keyconf->key, to_copy);
 		break;
 	case WLAN_CIPHER_SUITE_WEP104:
 		key_flags |= STA_KEY_FLG_KEY_SIZE_MSK;
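
Review bot: The min_t() clamp before memcpy() truncates silently and keeps only the first sizeof(sta_cmd.key.key) bytes of keyconf->key, so it is correct only if the TKIP key precedes the MIC rx/tx keys in that buffer. The new comment says the MIC keys are unused but not that they come last. Stating the layout in the comment would make the truncation obviously right.
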
-- 
2.39.2





* [PATCH 5.10 063/211] wifi: ath11k: Fix SKB corruption in REO destination ring
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nagarajan Maran, Kalle Valo, Sasha Levin

From: Nagarajan Maran <quic_nmaran@quicinc.com>

[ Upstream commit f9fff67d2d7ca6fa8066132003a3deef654c55b1 ]

While running traffic for a long time, an RX descriptor filled with
value "0" is randomly received from the REO destination ring.
This invalid descriptor causes the wrong SKB (SKB stored in
the IDR lookup with buffer id "0") to be fetched, which in turn
causes an SKB memory corruption issue that leads to a crash
after some time.

Changed the start id for idr allocation to "1"; the buffer id "0"
is reserved for error validation. Introduced a sanity check to validate
the descriptor before processing the SKB.

Crash Signature :

Unable to handle kernel paging request at virtual address 3f004900
PC points to "b15_dma_inv_range+0x30/0x50"
LR points to "dma_cache_maint_page+0x8c/0x128".
The Backtrace obtained is as follows:
[<8031716c>] (b15_dma_inv_range) from [<80313a4c>] (dma_cache_maint_page+0x8c/0x128)
[<80313a4c>] (dma_cache_maint_page) from [<80313b90>] (__dma_page_dev_to_cpu+0x28/0xcc)
[<80313b90>] (__dma_page_dev_to_cpu) from [<7fb5dd68>] (ath11k_dp_process_rx+0x1e8/0x4a4 [ath11k])
[<7fb5dd68>] (ath11k_dp_process_rx [ath11k]) from [<7fb53c20>] (ath11k_dp_service_srng+0xb0/0x2ac [ath11k])
[<7fb53c20>] (ath11k_dp_service_srng [ath11k]) from [<7f67bba4>] (ath11k_pci_ext_grp_napi_poll+0x1c/0x78 [ath11k_pci])
[<7f67bba4>] (ath11k_pci_ext_grp_napi_poll [ath11k_pci]) from [<807d5cf4>] (__napi_poll+0x28/0xb8)
[<807d5cf4>] (__napi_poll) from [<807d5f28>] (net_rx_action+0xf0/0x280)
[<807d5f28>] (net_rx_action) from [<80302148>] (__do_softirq+0xd0/0x280)
[<80302148>] (__do_softirq) from [<80320408>] (irq_exit+0x74/0xd4)
[<80320408>] (irq_exit) from [<803638a4>] (__handle_domain_irq+0x90/0xb4)
[<803638a4>] (__handle_domain_irq) from [<805bedec>] (gic_handle_irq+0x58/0x90)
[<805bedec>] (gic_handle_irq) from [<80301a78>] (__irq_svc+0x58/0x8c)

Tested-on: IPQ8074 hw2.0 AHB WLAN.HK.2.7.0.1-01744-QCAHKSWPL_SILICONZ-1

Signed-off-by: Nagarajan Maran <quic_nmaran@quicinc.com>
Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com>
Link: https://lore.kernel.org/r/20230403191533.28114-1-quic_nmaran@quicinc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/ath/ath11k/dp_rx.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/drivers/net/wireless/ath/ath11k/dp_rx.c b/drivers/net/wireless/ath/ath11k/dp_rx.c
index 578fdc446bc03..583bcf148403b 100644
--- a/drivers/net/wireless/ath/ath11k/dp_rx.c
+++ b/drivers/net/wireless/ath/ath11k/dp_rx.c
@@ -324,10 +324,10 @@ int ath11k_dp_rxbufs_replenish(struct ath11k_base *ab, int mac_id,
 			goto fail_free_skb;
 
 		spin_lock_bh(&rx_ring->idr_lock);
-		buf_id = idr_alloc(&rx_ring->bufs_idr, skb, 0,
-				   rx_ring->bufs_max * 3, GFP_ATOMIC);
+		buf_id = idr_alloc(&rx_ring->bufs_idr, skb, 1,
+				   (rx_ring->bufs_max * 3) + 1, GFP_ATOMIC);
 		spin_unlock_bh(&rx_ring->idr_lock);
-		if (buf_id < 0)
+		if (buf_id <= 0)
 			goto fail_dma_unmap;
 
 		desc = ath11k_hal_srng_src_get_next_entry(ab, srng);
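
Review bot: The idr_alloc() range now starts at 1 and the error check became buf_id <= 0, but nothing at this site says that id 0 is reserved as an invalid marker, so a reader sees two unexplained adjustments (the 1 and the + 1 on the upper bound). A comment or a named constant for the reserved id, shared with the check in ath11k_dp_process_rx(), would document the contract.
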
@@ -2564,6 +2564,9 @@ int ath11k_dp_process_rx(struct ath11k_base *ab, int ring_id,
 				   cookie);
 		mac_id = FIELD_GET(DP_RXDMA_BUF_COOKIE_PDEV_ID, cookie);
 
+		if (unlikely(buf_id == 0))
+			continue;
+
 		ar = ab->pdevs[mac_id].ar;
 		rx_ring = &ar->dp.rx_refill_buf_ring;
 		spin_lock_bh(&rx_ring->idr_lock);
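
Review bot: The new buf_id == 0 check skips the descriptor with a bare continue, so the all-zero descriptors described in the commit message are dropped without any counter or rate-limited warning. Since a zero buffer id means the ring returned an invalid entry, consider accounting for it so the condition stays visible on deployed systems.
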
-- 
2.39.2





* [PATCH 5.10 064/211] ipvs: Update width of source for ip_vs_sync_conn_options
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Simon Horman, Horatiu Vultur,
	Pablo Neira Ayuso, Sasha Levin

From: Simon Horman <horms@kernel.org>

[ Upstream commit e3478c68f6704638d08f437cbc552ca5970c151a ]

In ip_vs_sync_conn_v0() a copy is made to struct ip_vs_sync_conn_options.
That structure looks like this:

struct ip_vs_sync_conn_options {
        struct ip_vs_seq        in_seq;
        struct ip_vs_seq        out_seq;
};

The source of the copy is the in_seq field of struct ip_vs_conn, whose
type is struct ip_vs_seq. Thus we can see that the source is not as
wide as the amount of data copied, which is the width of struct
ip_vs_sync_conn_options.

The copy is safe because the next field is another struct ip_vs_seq.
Make use of struct_group() to annotate this.

Flagged by gcc-13 as:

 In file included from ./include/linux/string.h:254,
                  from ./include/linux/bitmap.h:11,
                  from ./include/linux/cpumask.h:12,
                  from ./arch/x86/include/asm/paravirt.h:17,
                  from ./arch/x86/include/asm/cpuid.h:62,
                  from ./arch/x86/include/asm/processor.h:19,
                  from ./arch/x86/include/asm/timex.h:5,
                  from ./include/linux/timex.h:67,
                  from ./include/linux/time32.h:13,
                  from ./include/linux/time.h:60,
                  from ./include/linux/stat.h:19,
                  from ./include/linux/module.h:13,
                  from net/netfilter/ipvs/ip_vs_sync.c:38:
 In function 'fortify_memcpy_chk',
     inlined from 'ip_vs_sync_conn_v0' at net/netfilter/ipvs/ip_vs_sync.c:606:3:
 ./include/linux/fortify-string.h:529:25: error: call to '__read_overflow2_field' declared with attribute warning: detected read beyond size of field (2nd parameter); maybe use struct_group()? [-Werror=attribute-warning]
   529 |                         __read_overflow2_field(q_size_field, size);
       |

Compile tested only.

Signed-off-by: Simon Horman <horms@kernel.org>
Reviewed-by: Horatiu Vultur <horatiu.vultur@microchip.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/ip_vs.h             | 6 ++++--
 net/netfilter/ipvs/ip_vs_sync.c | 2 +-
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/include/net/ip_vs.h b/include/net/ip_vs.h
index d609e957a3ec0..c02c3bb0fe091 100644
--- a/include/net/ip_vs.h
+++ b/include/net/ip_vs.h
@@ -549,8 +549,10 @@ struct ip_vs_conn {
 	 */
 	struct ip_vs_app        *app;           /* bound ip_vs_app object */
 	void                    *app_data;      /* Application private data */
-	struct ip_vs_seq        in_seq;         /* incoming seq. struct */
-	struct ip_vs_seq        out_seq;        /* outgoing seq. struct */
+	struct_group(sync_conn_opt,
+		struct ip_vs_seq  in_seq;       /* incoming seq. struct */
+		struct ip_vs_seq  out_seq;      /* outgoing seq. struct */
+	);
 
 	const struct ip_vs_pe	*pe;
 	char			*pe_data;
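
Review bot: The struct_group(sync_conn_opt, ...) added here has to stay layout-compatible with struct ip_vs_sync_conn_options, yet nothing at the definition says so. A comment on the group naming the structure it mirrors would stop someone from adding or reordering members inside it.
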
diff --git a/net/netfilter/ipvs/ip_vs_sync.c b/net/netfilter/ipvs/ip_vs_sync.c
index daab857c52a80..fc8db03d3efca 100644
--- a/net/netfilter/ipvs/ip_vs_sync.c
+++ b/net/netfilter/ipvs/ip_vs_sync.c
@@ -603,7 +603,7 @@ static void ip_vs_sync_conn_v0(struct netns_ipvs *ipvs, struct ip_vs_conn *cp,
 	if (cp->flags & IP_VS_CONN_F_SEQ_MASK) {
 		struct ip_vs_sync_conn_options *opt =
 			(struct ip_vs_sync_conn_options *)&s[1];
-		memcpy(opt, &cp->in_seq, sizeof(*opt));
+		memcpy(opt, &cp->sync_conn_opt, sizeof(*opt));
 	}
 
 	m->nr_conns++;
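
Review bot: The memcpy() still takes its length from the destination, sizeof(*opt), while the source is now cp->sync_conn_opt, and nothing ties the two sizes together. A BUILD_BUG_ON(sizeof(cp->sync_conn_opt) != sizeof(*opt)) next to the copy would turn any future mismatch into a compile error.
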
-- 
2.39.2





* [PATCH 5.10 065/211] Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hans de Goede,
	Luiz Augusto von Dentz, Sasha Levin

From: Hans de Goede <hdegoede@redhat.com>

[ Upstream commit 0d218c3642b9ccf71f44987cd03c19320f3bd918 ]

On some devices the BCM Bluetooth adapter does not have a valid bdaddr set.

btbcm.c currently sets HCI_QUIRK_INVALID_BDADDR to indicate when this is
the case. But this requires users to manually set up a bdaddr, by doing e.g.:

btmgmt -i hci0 public-addr 'B0:F1:EC:82:1D:B3'

Which means that Bluetooth will not work out of the box on such devices.
To avoid this (where possible) hci_bcm sets: HCI_QUIRK_USE_BDADDR_PROPERTY
which tries to get the bdaddr from devicetree.

But this only works on devicetree platforms. On UEFI based platforms
there is a special Broadcom UEFI variable which when present contains
the device's bdaddr, just like how there is another UEFI variable which
contains wifi nvram contents including the wifi MAC address.

Add support for getting the bdaddr from this Broadcom UEFI variable,
so that Bluetooth will work OOTB for users on devices where this
UEFI variable is present.

This fixes Bluetooth not working on for example Asus T100HA 2-in-1s.

Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/bluetooth/btbcm.c | 47 ++++++++++++++++++++++++++++++++++++---
 1 file changed, 44 insertions(+), 3 deletions(-)

diff --git a/drivers/bluetooth/btbcm.c b/drivers/bluetooth/btbcm.c
index d263eac784daa..636db3b7e470b 100644
--- a/drivers/bluetooth/btbcm.c
+++ b/drivers/bluetooth/btbcm.c
@@ -6,6 +6,7 @@
  *  Copyright (C) 2015  Intel Corporation
  */
 
+#include <linux/efi.h>
 #include <linux/module.h>
 #include <linux/firmware.h>
 #include <asm/unaligned.h>
@@ -32,6 +33,43 @@
 /* For kmalloc-ing the fw-name array instead of putting it on the stack */
 typedef char bcm_fw_name[BCM_FW_NAME_LEN];
 
+#ifdef CONFIG_EFI
+static int btbcm_set_bdaddr_from_efi(struct hci_dev *hdev)
+{
+	efi_guid_t guid = EFI_GUID(0x74b00bd9, 0x805a, 0x4d61, 0xb5, 0x1f,
+				   0x43, 0x26, 0x81, 0x23, 0xd1, 0x13);
+	bdaddr_t efi_bdaddr, bdaddr;
+	efi_status_t status;
+	unsigned long len;
+	int ret;
+
+	if (!efi_rt_services_supported(EFI_RT_SUPPORTED_GET_VARIABLE))
+		return -EOPNOTSUPP;
+
+	len = sizeof(efi_bdaddr);
+	status = efi.get_variable(L"BDADDR", &guid, NULL, &len, &efi_bdaddr);
+	if (status != EFI_SUCCESS)
+		return -ENXIO;
+
+	if (len != sizeof(efi_bdaddr))
+		return -EIO;
+
+	baswap(&bdaddr, &efi_bdaddr);
+
+	ret = btbcm_set_bdaddr(hdev, &bdaddr);
+	if (ret)
+		return ret;
+
+	bt_dev_info(hdev, "BCM: Using EFI device address (%pMR)", &bdaddr);
+	return 0;
+}
+#else
+static int btbcm_set_bdaddr_from_efi(struct hci_dev *hdev)
+{
+	return -EOPNOTSUPP;
+}
+#endif
+
 int btbcm_check_bdaddr(struct hci_dev *hdev)
 {
 	struct hci_rp_read_bd_addr *bda;
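
Review bot: btbcm_set_bdaddr_from_efi() checks the status and the length of the BDADDR variable but not its content, so an all-zero or otherwise unusable address stored in firmware would be programmed into the controller. Consider rejecting obviously invalid values, for example with bacmp() against BDADDR_ANY, before calling btbcm_set_bdaddr(). The GUID literal would also benefit from a comment naming where it comes from.
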
@@ -85,9 +123,12 @@ int btbcm_check_bdaddr(struct hci_dev *hdev)
 	    !bacmp(&bda->bdaddr, BDADDR_BCM4345C5) ||
 	    !bacmp(&bda->bdaddr, BDADDR_BCM43430A0) ||
 	    !bacmp(&bda->bdaddr, BDADDR_BCM43341B)) {
-		bt_dev_info(hdev, "BCM: Using default device address (%pMR)",
-			    &bda->bdaddr);
-		set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
+		/* Try falling back to BDADDR EFI variable */
+		if (btbcm_set_bdaddr_from_efi(hdev) != 0) {
+			bt_dev_info(hdev, "BCM: Using default device address (%pMR)",
+				    &bda->bdaddr);
+			set_bit(HCI_QUIRK_INVALID_BDADDR, &hdev->quirks);
+		}
 	}
 
 	kfree_skb(skb);
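
Review bot: The call site tests btbcm_set_bdaddr_from_efi(hdev) != 0 and discards the error code, so a missing variable (-ENXIO), a wrong length (-EIO) and a failed btbcm_set_bdaddr() all end in the same "Using default device address" message. Logging the unexpected cases separately would help when debugging firmware that carries a malformed variable.
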
-- 
2.39.2





* [PATCH 5.10 066/211] Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+9519d6b5b79cf7787cf3, Min Li,
	Luiz Augusto von Dentz, Sasha Levin

From: Min Li <lm0963hack@gmail.com>

[ Upstream commit 25e97f7b1866e6b8503be349eeea44bb52d661ce ]

conn->chan_lock isn't acquired before l2cap_get_chan_by_scid, so
if l2cap_get_chan_by_scid returns NULL, 'bad unlock balance'
is triggered.

Reported-by: syzbot+9519d6b5b79cf7787cf3@syzkaller.appspotmail.com
Link: https://lore.kernel.org/all/000000000000894f5f05f95e9f4d@google.com/
Signed-off-by: Min Li <lm0963hack@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bluetooth/l2cap_core.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/net/bluetooth/l2cap_core.c b/net/bluetooth/l2cap_core.c
index f9d2ce9cee369..b85ce276e2a3c 100644
--- a/net/bluetooth/l2cap_core.c
+++ b/net/bluetooth/l2cap_core.c
@@ -4689,7 +4689,6 @@ static inline int l2cap_disconnect_rsp(struct l2cap_conn *conn,
 
 	chan = l2cap_get_chan_by_scid(conn, scid);
 	if (!chan) {
-		mutex_unlock(&conn->chan_lock);
 		return 0;
 	}
 
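Review bot: The context above `chan = l2cap_get_chan_by_scid(conn, scid);` does not show whether l2cap_disconnect_rsp() in 5.10 still takes conn->chan_lock before the lookup; if it does, removing the unlock here leaves the mutex held on the NULL path, so confirm against the 5.10 source that no mutex_lock(&conn->chan_lock) precedes this call. With the unlock gone, the braces around the lone `return 0;` are no longer needed under kernel coding style.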
-- 
2.39.2





* [PATCH 5.10 067/211] staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (65 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 066/211] Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 068/211] HID: logitech-hidpp: Dont use the USB serial for USB devices Greg Kroah-Hartman
                   ` (149 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Philipp Hortmann, Sasha Levin

From: Philipp Hortmann <philipp.g.hortmann@gmail.com>

[ Upstream commit fda2093860df4812d69052a8cf4997e53853a340 ]

Replace macro RTL_PCI_DEVICE with PCI_DEVICE to get rid of rtl819xp_ops
which is empty.

Signed-off-by: Philipp Hortmann <philipp.g.hortmann@gmail.com>
Link: https://lore.kernel.org/r/8b45ee783fa91196b7c9d6fc840a189496afd2f4.1677133271.git.philipp.g.hortmann@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/staging/rtl8192e/rtl8192e/rtl_core.c | 6 +++---
 drivers/staging/rtl8192e/rtl8192e/rtl_core.h | 5 -----
 2 files changed, 3 insertions(+), 8 deletions(-)

diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
index 291f98251f7f7..4c201679fc081 100644
--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
+++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.c
@@ -50,9 +50,9 @@ static const struct rtl819x_ops rtl819xp_ops = {
 };
 
 static struct pci_device_id rtl8192_pci_id_tbl[] = {
-	{RTL_PCI_DEVICE(0x10ec, 0x8192, rtl819xp_ops)},
-	{RTL_PCI_DEVICE(0x07aa, 0x0044, rtl819xp_ops)},
-	{RTL_PCI_DEVICE(0x07aa, 0x0047, rtl819xp_ops)},
+	{PCI_DEVICE(0x10ec, 0x8192)},
+	{PCI_DEVICE(0x07aa, 0x0044)},
+	{PCI_DEVICE(0x07aa, 0x0047)},
 	{}
 };
 
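Review bot: The hunk header shows that rtl819xp_ops is still defined just above rtl8192_pci_id_tbl, while the commit message says the point of the change is to get rid of it; with driver_data no longer pointing at it, this table leaves the struct unreferenced. Either drop the definition in the same patch or say in the commit message that a follow-up removes it, and confirm the probe path no longer reads id->driver_data, which is now 0 for all three entries.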
diff --git a/drivers/staging/rtl8192e/rtl8192e/rtl_core.h b/drivers/staging/rtl8192e/rtl8192e/rtl_core.h
index 736f1a824cd2e..7bbd884aa5f13 100644
--- a/drivers/staging/rtl8192e/rtl8192e/rtl_core.h
+++ b/drivers/staging/rtl8192e/rtl8192e/rtl_core.h
@@ -55,11 +55,6 @@
 #define IS_HARDWARE_TYPE_8192SE(_priv)		\
 	(((struct r8192_priv *)rtllib_priv(dev))->card_8192 == NIC_8192SE)
 
-#define RTL_PCI_DEVICE(vend, dev, cfg) \
-	.vendor = (vend), .device = (dev), \
-	.subvendor = PCI_ANY_ID, .subdevice = PCI_ANY_ID, \
-	.driver_data = (kernel_ulong_t)&(cfg)
-
 #define TOTAL_CAM_ENTRY		32
 #define CAM_CONTENT_COUNT	8
 
-- 
2.39.2





* [PATCH 5.10 068/211] HID: logitech-hidpp: Dont use the USB serial for USB devices
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (66 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 067/211] staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 069/211] HID: logitech-hidpp: Reconcile USB and Unifying serials Greg Kroah-Hartman
                   ` (148 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bastien Nocera, Benjamin Tissoires,
	Sasha Levin

From: Bastien Nocera <hadess@hadess.net>

[ Upstream commit 7ad1fe0da0fa91bf920b79ab05ae97bfabecc4f4 ]

For devices that support the 0x0003 feature (Device Information) version 4,
set the serial based on the output of that feature, rather than relying
on the usbhid code setting the USB serial.

This should allow the serial when connected through USB to (nearly)
match the one when connected through a unifying receiver.

For example, on the serials on a G903 wired/wireless mouse:
- Unifying: 4067-e8-ce-cd-45
- USB before patch: 017C385C3837
- USB after patch: c086-e8-ce-cd-45

Signed-off-by: Bastien Nocera <hadess@hadess.net>
Link: https://lore.kernel.org/r/20230302130117.3975-1-hadess@hadess.net
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-logitech-hidpp.c | 51 ++++++++++++++++++++++++++++++++
 1 file changed, 51 insertions(+)

diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index f5ea8e1d84452..4921000d8b092 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -922,6 +922,55 @@ static int hidpp_root_get_protocol_version(struct hidpp_device *hidpp)
 	return 0;
 }
 
+/* -------------------------------------------------------------------------- */
+/* 0x0003: Device Information                                                 */
+/* -------------------------------------------------------------------------- */
+
+#define HIDPP_PAGE_DEVICE_INFORMATION			0x0003
+
+#define CMD_GET_DEVICE_INFO				0x00
+
+static int hidpp_get_serial(struct hidpp_device *hidpp, u32 *serial)
+{
+	struct hidpp_report response;
+	u8 feature_type;
+	u8 feature_index;
+	int ret;
+
+	ret = hidpp_root_get_feature(hidpp, HIDPP_PAGE_DEVICE_INFORMATION,
+				     &feature_index,
+				     &feature_type);
+	if (ret)
+		return ret;
+
+	ret = hidpp_send_fap_command_sync(hidpp, feature_index,
+					  CMD_GET_DEVICE_INFO,
+					  NULL, 0, &response);
+	if (ret)
+		return ret;
+
+	/* See hidpp_unifying_get_serial() */
+	*serial = *((u32 *)&response.rap.params[1]);
+	return 0;
+}
+
+static int hidpp_serial_init(struct hidpp_device *hidpp)
+{
+	struct hid_device *hdev = hidpp->hid_dev;
+	u32 serial;
+	int ret;
+
+	ret = hidpp_get_serial(hidpp, &serial);
+	if (ret)
+		return ret;
+
+	snprintf(hdev->uniq, sizeof(hdev->uniq), "%04x-%4phD",
+		 hdev->product, &serial);
+	dbg_hid("HID++ DeviceInformation: Got serial: %s\n", hdev->uniq);
+
+	return 0;
+}
+
 /* -------------------------------------------------------------------------- */
 /* 0x0005: GetDeviceNameType                                                  */
 /* -------------------------------------------------------------------------- */
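Review bot: In hidpp_get_serial() the reply to a FAP command is read through the RAP view of the report and reinterpreted with a pointer cast, `*serial = *((u32 *)&response.rap.params[1]);`, which is not guaranteed to be 4-byte aligned and leaves the reader to work out why `rap` is used after hidpp_send_fap_command_sync(). Since the value is only ever printed byte by byte with %4phD, copy the four bytes with memcpy() or get_unaligned() and read them through the FAP view, keeping the pointer to hidpp_unifying_get_serial() in the comment. The commit message also limits this to version 4 of feature 0x0003, but nothing here checks the feature version before trusting the bytes starting at params[1].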
@@ -3855,6 +3904,8 @@ static int hidpp_probe(struct hid_device *hdev, const struct hid_device_id *id)
 
 	if (hidpp->quirks & HIDPP_QUIRK_UNIFYING)
 		hidpp_unifying_init(hidpp);
+	else if (hid_is_usb(hidpp->hid_dev))
+		hidpp_serial_init(hidpp);
 
 	connected = hidpp_root_get_protocol_version(hidpp) == 0;
 	atomic_set(&hidpp->connected, connected);
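Review bot: The return value of hidpp_serial_init() is dropped in hidpp_probe(), so when the Device Information query fails hdev->uniq silently keeps whatever was there before and the same device can show two different serial formats. Check the result and at least log the failure. The call is also made before hidpp_root_get_protocol_version() has established that the device answers HID++ at all; a short comment on why that ordering is safe would help.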
-- 
2.39.2





* [PATCH 5.10 069/211] HID: logitech-hidpp: Reconcile USB and Unifying serials
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (67 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 068/211] HID: logitech-hidpp: Dont use the USB serial for USB devices Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 070/211] spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3 Greg Kroah-Hartman
                   ` (147 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Bastien Nocera, Benjamin Tissoires,
	Sasha Levin

From: Bastien Nocera <hadess@hadess.net>

[ Upstream commit 5b3691d15e04b6d5a32c915577b8dbc5cfb56382 ]

Now that USB HID++ devices can gather a serial number that matches the
one that would be gathered when connected through a Unifying receiver,
remove the last difference by dropping the product ID as devices
usually have different product IDs when connected through USB or
Unifying.

For example, on the serials on a G903 wired/wireless mouse:
- Unifying before patch: 4067-e8-ce-cd-45
- USB before patch: c086-e8-ce-cd-45
- Unifying and USB after patch: e8-ce-cd-45

Signed-off-by: Bastien Nocera <hadess@hadess.net>
Link: https://lore.kernel.org/r/20230302130117.3975-2-hadess@hadess.net
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/hid-logitech-hidpp.c | 6 ++----
 1 file changed, 2 insertions(+), 4 deletions(-)

diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index 4921000d8b092..2e32a21bbcbfc 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -828,8 +828,7 @@ static int hidpp_unifying_init(struct hidpp_device *hidpp)
 	if (ret)
 		return ret;
 
-	snprintf(hdev->uniq, sizeof(hdev->uniq), "%04x-%4phD",
-		 hdev->product, &serial);
+	snprintf(hdev->uniq, sizeof(hdev->uniq), "%4phD", &serial);
 	dbg_hid("HID++ Unifying: Got serial: %s\n", hdev->uniq);
 
 	name = hidpp_unifying_get_name(hidpp);
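Review bot: Changing the format passed to snprintf() in hidpp_unifying_init() from "%04x-%4phD" to "%4phD" changes the uniq string user space sees for every Unifying device, and the commit message gives the before and after values but does not say what happens to consumers that stored the old one. For a stable backport, name the user-space components that key on uniq and confirm they cope with the identifier changing across a kernel update. Without hdev->product the string is also only as unique as the 4-byte serial, which deserves a sentence in the commit message.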
@@ -964,8 +963,7 @@ static int hidpp_serial_init(struct hidpp_device *hidpp)
 	if (ret)
 		return ret;
 
-	snprintf(hdev->uniq, sizeof(hdev->uniq), "%04x-%4phD",
-		 hdev->product, &serial);
+	snprintf(hdev->uniq, sizeof(hdev->uniq), "%4phD", &serial);
 	dbg_hid("HID++ DeviceInformation: Got serial: %s\n", hdev->uniq);
 
 	return 0;
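Review bot: hidpp_serial_init() now carries the same `snprintf(hdev->uniq, sizeof(hdev->uniq), "%4phD", &serial);` line as hidpp_unifying_init() in the previous hunk, and the whole point of the patch is that the two must stay identical. Move the formatting into one small helper that both call, so a later change cannot make the USB and Unifying strings diverge again.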
-- 
2.39.2





* [PATCH 5.10 070/211] spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (68 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 069/211] HID: logitech-hidpp: Reconcile USB and Unifying serials Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 071/211] HID: wacom: generic: Set battery quirk only when we see battery data Greg Kroah-Hartman
                   ` (146 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kevin Groeneveld, Mark Brown, Sasha Levin

From: Kevin Groeneveld <kgroeneveld@lenbrook.com>

[ Upstream commit 87c614175bbf28d3fd076dc2d166bac759e41427 ]

When using gpio based chip select the cs value can go outside the range
0 – 3. The various MX51_ECSPI_* macros did not take this into consideration
resulting in possible corruption of the configuration.

For example for any cs value over 3 the SCLKPHA bits would not be set and
other values in the register possibly corrupted.

One way to fix this is to just mask the cs bits to 2 bits. This still
allows all 4 native chip selects to work as well as gpio chip selects
(which can use any of the 4 chip select configurations).

Signed-off-by: Kevin Groeneveld <kgroeneveld@lenbrook.com>
Link: https://lore.kernel.org/r/20230318222132.3373-1-kgroeneveld@lenbrook.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/spi/spi-imx.c | 24 ++++++++++++++++++------
 1 file changed, 18 insertions(+), 6 deletions(-)

diff --git a/drivers/spi/spi-imx.c b/drivers/spi/spi-imx.c
index bbc420865f0fd..21297cc62571a 100644
--- a/drivers/spi/spi-imx.c
+++ b/drivers/spi/spi-imx.c
@@ -242,6 +242,18 @@ static bool spi_imx_can_dma(struct spi_master *master, struct spi_device *spi,
 	return true;
 }
 
+/*
+ * Note the number of natively supported chip selects for MX51 is 4. Some
+ * devices may have less actual SS pins but the register map supports 4. When
+ * using gpio chip selects the cs values passed into the macros below can go
+ * outside the range 0 - 3. We therefore need to limit the cs value to avoid
+ * corrupting bits outside the allocated locations.
+ *
+ * The simplest way to do this is to just mask the cs bits to 2 bits. This
+ * still allows all 4 native chip selects to work as well as gpio chip selects
+ * (which can use any of the 4 chip select configurations).
+ */
+
 #define MX51_ECSPI_CTRL		0x08
 #define MX51_ECSPI_CTRL_ENABLE		(1 <<  0)
 #define MX51_ECSPI_CTRL_XCH		(1 <<  2)
@@ -250,16 +262,16 @@ static bool spi_imx_can_dma(struct spi_master *master, struct spi_device *spi,
 #define MX51_ECSPI_CTRL_DRCTL(drctl)	((drctl) << 16)
 #define MX51_ECSPI_CTRL_POSTDIV_OFFSET	8
 #define MX51_ECSPI_CTRL_PREDIV_OFFSET	12
-#define MX51_ECSPI_CTRL_CS(cs)		((cs) << 18)
+#define MX51_ECSPI_CTRL_CS(cs)		((cs & 3) << 18)
 #define MX51_ECSPI_CTRL_BL_OFFSET	20
 #define MX51_ECSPI_CTRL_BL_MASK		(0xfff << 20)
 
 #define MX51_ECSPI_CONFIG	0x0c
-#define MX51_ECSPI_CONFIG_SCLKPHA(cs)	(1 << ((cs) +  0))
-#define MX51_ECSPI_CONFIG_SCLKPOL(cs)	(1 << ((cs) +  4))
-#define MX51_ECSPI_CONFIG_SBBCTRL(cs)	(1 << ((cs) +  8))
-#define MX51_ECSPI_CONFIG_SSBPOL(cs)	(1 << ((cs) + 12))
-#define MX51_ECSPI_CONFIG_SCLKCTL(cs)	(1 << ((cs) + 20))
+#define MX51_ECSPI_CONFIG_SCLKPHA(cs)	(1 << ((cs & 3) +  0))
+#define MX51_ECSPI_CONFIG_SCLKPOL(cs)	(1 << ((cs & 3) +  4))
+#define MX51_ECSPI_CONFIG_SBBCTRL(cs)	(1 << ((cs & 3) +  8))
+#define MX51_ECSPI_CONFIG_SSBPOL(cs)	(1 << ((cs & 3) + 12))
+#define MX51_ECSPI_CONFIG_SCLKCTL(cs)	(1 << ((cs & 3) + 20))
 
 #define MX51_ECSPI_INT		0x10
 #define MX51_ECSPI_INT_TEEN		(1 <<  0)
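Review bot: The new masks drop the parentheses around the macro argument: `((cs & 3) << 18)` and `(1 << ((cs & 3) +  0))` replace forms that used `(cs)`. Because & binds tighter than |, ^ and ?:, a caller passing an expression would have only part of it masked; write `(((cs) & 3) << 18)` and `(1 << (((cs) & 3) +  0))` throughout. The comment added in the previous hunk could also say outright that a cs of 4 or more now uses the register bits of cs & 3.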
-- 
2.39.2





* [PATCH 5.10 071/211] HID: wacom: generic: Set battery quirk only when we see battery data
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (69 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 070/211] spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3 Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 072/211] usb: typec: tcpm: fix multiple times discover svids error Greg Kroah-Hartman
                   ` (145 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jason Gerecke, Mario Limonciello,
	Jiri Kosina, Sasha Levin

From: Jason Gerecke <killertofu@gmail.com>

[ Upstream commit bea407a427baa019758f29f4d31b26f008bb8cc6 ]

Some devices will include battery status usages in the HID descriptor
but we won't see that battery data for one reason or another. For example,
AES sensors won't send battery data unless an AES pen is in proximity.
If a user does not have an AES pen but instead only interacts with the
AES touchscreen with their fingers then there is no need for us to create
a battery object. Similarly, if a family of peripherals shares the same
HID descriptor between wired-only and wireless-capable SKUs, users of the
former may never see a battery event and will not want a power_supply
object created.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=217062
Link: https://gitlab.gnome.org/GNOME/gnome-control-center/-/issues/2354
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Tested-by: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/hid/wacom_wac.c | 33 +++++++++++----------------------
 1 file changed, 11 insertions(+), 22 deletions(-)

diff --git a/drivers/hid/wacom_wac.c b/drivers/hid/wacom_wac.c
index 6c64165fae13e..d82df2393d20c 100644
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -1927,18 +1927,7 @@ static void wacom_map_usage(struct input_dev *input, struct hid_usage *usage,
 static void wacom_wac_battery_usage_mapping(struct hid_device *hdev,
 		struct hid_field *field, struct hid_usage *usage)
 {
-	struct wacom *wacom = hid_get_drvdata(hdev);
-	struct wacom_wac *wacom_wac = &wacom->wacom_wac;
-	struct wacom_features *features = &wacom_wac->features;
-	unsigned equivalent_usage = wacom_equivalent_usage(usage->hid);
-
-	switch (equivalent_usage) {
-	case HID_DG_BATTERYSTRENGTH:
-	case WACOM_HID_WD_BATTERY_LEVEL:
-	case WACOM_HID_WD_BATTERY_CHARGING:
-		features->quirks |= WACOM_QUIRK_BATTERY;
-		break;
-	}
+	return;
 }
 
 static void wacom_wac_battery_event(struct hid_device *hdev, struct hid_field *field,
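Review bot: wacom_wac_battery_usage_mapping() is reduced to a body containing only `return;`, which leaves a function that takes three parameters and does nothing, and a bare return at the end of a void function is something checkpatch flags. Either remove the function together with its caller, or leave the body empty with a one-line comment saying the quirk is now set from wacom_wac_battery_event().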
@@ -1959,18 +1948,21 @@ static void wacom_wac_battery_event(struct hid_device *hdev, struct hid_field *f
 			wacom_wac->hid_data.bat_connected = 1;
 			wacom_wac->hid_data.bat_status = WACOM_POWER_SUPPLY_STATUS_AUTO;
 		}
+		wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY;
 		break;
 	case WACOM_HID_WD_BATTERY_LEVEL:
 		value = value * 100 / (field->logical_maximum - field->logical_minimum);
 		wacom_wac->hid_data.battery_capacity = value;
 		wacom_wac->hid_data.bat_connected = 1;
 		wacom_wac->hid_data.bat_status = WACOM_POWER_SUPPLY_STATUS_AUTO;
+		wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY;
 		break;
 	case WACOM_HID_WD_BATTERY_CHARGING:
 		wacom_wac->hid_data.bat_charging = value;
 		wacom_wac->hid_data.ps_connected = value;
 		wacom_wac->hid_data.bat_connected = 1;
 		wacom_wac->hid_data.bat_status = WACOM_POWER_SUPPLY_STATUS_AUTO;
+		wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY;
 		break;
 	}
 }
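Review bot: The same `wacom_wac->features.quirks |= WACOM_QUIRK_BATTERY;` is added to each of the three cases in wacom_wac_battery_event(), and in the first case it sits after the closing brace of the conditional, so it runs whichever branch was taken. Setting the quirk in one place for the handled usages would be shorter and harder to miss when a fourth battery usage is added. Since quirks was previously written only while usages were mapped and is now written from the event path, also say what orders this write against the code that reads WACOM_QUIRK_BATTERY to create the battery.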
@@ -1986,18 +1978,15 @@ static void wacom_wac_battery_report(struct hid_device *hdev,
 {
 	struct wacom *wacom = hid_get_drvdata(hdev);
 	struct wacom_wac *wacom_wac = &wacom->wacom_wac;
-	struct wacom_features *features = &wacom_wac->features;
 
-	if (features->quirks & WACOM_QUIRK_BATTERY) {
-		int status = wacom_wac->hid_data.bat_status;
-		int capacity = wacom_wac->hid_data.battery_capacity;
-		bool charging = wacom_wac->hid_data.bat_charging;
-		bool connected = wacom_wac->hid_data.bat_connected;
-		bool powered = wacom_wac->hid_data.ps_connected;
+	int status = wacom_wac->hid_data.bat_status;
+	int capacity = wacom_wac->hid_data.battery_capacity;
+	bool charging = wacom_wac->hid_data.bat_charging;
+	bool connected = wacom_wac->hid_data.bat_connected;
+	bool powered = wacom_wac->hid_data.ps_connected;
 
-		wacom_notify_battery(wacom_wac, status, capacity, charging,
-				     connected, powered);
-	}
+	wacom_notify_battery(wacom_wac, status, capacity, charging,
+			     connected, powered);
 }
 
 static void wacom_wac_pad_usage_mapping(struct hid_device *hdev,
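Review bot: With the `if (features->quirks & WACOM_QUIRK_BATTERY)` guard removed, wacom_wac_battery_report() calls wacom_notify_battery() for every report, including ones from devices that have never sent battery data, and passes whatever hid_data holds at that point. The commit message is about not creating a battery for such devices, so state where the quirk is now checked (presumably inside wacom_notify_battery(), which is not part of this diff) or keep the guard. Minor: the blank line left between the wacom_wac declaration and `int status` splits the declaration block.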
-- 
2.39.2





* [PATCH 5.10 072/211] usb: typec: tcpm: fix multiple times discover svids error
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (70 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 071/211] HID: wacom: generic: Set battery quirk only when we see battery data Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 073/211] serial: 8250: Reinit port->pm on port specific driver unbind Greg Kroah-Hartman
                   ` (144 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heikki Krogerus, Frank Wang, Sasha Levin

From: Frank Wang <frank.wang@rock-chips.com>

[ Upstream commit dac3b192107b978198e89ec0f77375738352e0c8 ]

PD3.0 Spec 6.4.4.3.2 says that only Responder supports 12 or more SVIDs,
the Discover SVIDs Command Shall be executed multiple times until a
Discover SVIDs VDO is returned ending either with a SVID value of
0x0000 in the last part of the last VDO or with a VDO containing two
SVIDs with values of 0x0000.

In the current implementation, if the last VDO does not find that the
Discover SVIDs Command would be executed multiple times even if the
Responder SVIDs are less than 12, and we found some odd dockers just
meet this case. So fix it.

Acked-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Signed-off-by: Frank Wang <frank.wang@rock-chips.com>
Link: https://lore.kernel.org/r/20230316081149.24519-1-frank.wang@rock-chips.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/usb/typec/tcpm/tcpm.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/usb/typec/tcpm/tcpm.c b/drivers/usb/typec/tcpm/tcpm.c
index 8333c80b5f7c1..cf0e6a80815ae 100644
--- a/drivers/usb/typec/tcpm/tcpm.c
+++ b/drivers/usb/typec/tcpm/tcpm.c
@@ -1126,7 +1126,21 @@ static bool svdm_consume_svids(struct tcpm_port *port, const u32 *p, int cnt)
 		pmdata->svids[pmdata->nsvids++] = svid;
 		tcpm_log(port, "SVID %d: 0x%x", pmdata->nsvids, svid);
 	}
-	return true;
+
+	/*
+	 * PD3.0 Spec 6.4.4.3.2: The SVIDs are returned 2 per VDO (see Table
+	 * 6-43), and can be returned maximum 6 VDOs per response (see Figure
+	 * 6-19). If the Respondersupports 12 or more SVID then the Discover
+	 * SVIDs Command Shall be executed multiple times until a Discover
+	 * SVIDs VDO is returned ending either with a SVID value of 0x0000 in
+	 * the last part of the last VDO or with a VDO containing two SVIDs
+	 * with values of 0x0000.
+	 *
+	 * However, some odd dockers support SVIDs less than 12 but without
+	 * 0x0000 in the last VDO, so we need to break the Discover SVIDs
+	 * request and return false here.
+	 */
+	return cnt == 7;
 abort:
 	tcpm_log(port, "SVID_DISCOVERY_MAX(%d) too low!", SVID_DISCOVERY_MAX);
 	return false;
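Review bot: `return cnt == 7;` in svdm_consume_svids() encodes "a full response" as a bare number, and the comment above it explains 6 VDOs per response but never says what the seventh counted object is (presumably the VDM header). Use a named constant for the maximum number of objects in a message, or write the expression so the 1 + 6 is visible, and fix the "Respondersupports" typo in the comment.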
-- 
2.39.2





* [PATCH 5.10 073/211] serial: 8250: Reinit port->pm on port specific driver unbind
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (71 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 072/211] usb: typec: tcpm: fix multiple times discover svids error Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 074/211] mcb-pci: Reallocate memory region to avoid memory overlapping Greg Kroah-Hartman
                   ` (143 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Tony Lindgren, Sasha Levin

From: Tony Lindgren <tony@atomide.com>

[ Upstream commit 04e82793f068d2f0ffe62fcea03d007a8cdc16a7 ]

When we unbind a serial port hardware specific 8250 driver, the generic
serial8250 driver takes over the port. After that we see an oops about 10
seconds later. This can produce the following at least on some TI SoCs:

Unhandled fault: imprecise external abort (0x1406)
Internal error: : 1406 [#1] SMP ARM

Turns out that we may still have the serial port hardware specific driver
port->pm in use, and serial8250_pm() tries to call it after the port
specific driver is gone:

serial8250_pm [8250_base] from uart_change_pm+0x54/0x8c [serial_base]
uart_change_pm [serial_base] from uart_hangup+0x154/0x198 [serial_base]
uart_hangup [serial_base] from __tty_hangup.part.0+0x328/0x37c
__tty_hangup.part.0 from disassociate_ctty+0x154/0x20c
disassociate_ctty from do_exit+0x744/0xaac
do_exit from do_group_exit+0x40/0x8c
do_group_exit from __wake_up_parent+0x0/0x1c

Let's fix the issue by calling serial8250_set_defaults() in
serial8250_unregister_port(). This will set the port back to using
the serial8250 default functions, and sets the port->pm to point to
serial8250_pm.

Signed-off-by: Tony Lindgren <tony@atomide.com>
Link: https://lore.kernel.org/r/20230418101407.12403-1-tony@atomide.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/8250/8250_core.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/tty/serial/8250/8250_core.c b/drivers/tty/serial/8250/8250_core.c
index 0a7e9491b4d14..43f2eed6df78e 100644
--- a/drivers/tty/serial/8250/8250_core.c
+++ b/drivers/tty/serial/8250/8250_core.c
@@ -1165,6 +1165,7 @@ void serial8250_unregister_port(int line)
 		uart->port.type = PORT_UNKNOWN;
 		uart->port.dev = &serial8250_isa_devs->dev;
 		uart->capabilities = 0;
+		serial8250_init_port(uart);
 		serial8250_apply_quirks(uart);
 		uart_add_one_port(&serial8250_reg, &uart->port);
 	} else {
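Review bot: The commit message says the fix is to call serial8250_set_defaults() in serial8250_unregister_port(), but the line added is `serial8250_init_port(uart);`. Make the message and the code agree, and state which function actually resets port->pm, since that pointer is what the reported oops goes through. Also confirm that re-initialising the port at this point does not undo the type, dev and capabilities assignments made on the three lines above it.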
-- 
2.39.2





* [PATCH 5.10 074/211] mcb-pci: Reallocate memory region to avoid memory overlapping
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (72 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 073/211] serial: 8250: Reinit port->pm on port specific driver unbind Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 075/211] sched: Fix KCSAN noinstr violation Greg Kroah-Hartman
                   ` (142 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jorge Sanjuan Garcia,
	Javier Rodriguez, Johannes Thumshirn, Sasha Levin

From: Rodríguez Barbarin, José Javier <JoseJavier.Rodriguez@duagon.com>

[ Upstream commit 9be24faadd085c284890c3afcec7a0184642315a ]

mcb-pci requests a fixed-size memory region to parse the chameleon
table, however, if the chameleon table is smaller than the allocated
region, it could overlap with the IP Cores' memory regions.

After parsing the chameleon table, drop/reallocate the memory region
with the actual chameleon table size.

Co-developed-by: Jorge Sanjuan Garcia <jorge.sanjuangarcia@duagon.com>
Signed-off-by: Jorge Sanjuan Garcia <jorge.sanjuangarcia@duagon.com>
Signed-off-by: Javier Rodriguez <josejavier.rodriguez@duagon.com>
Signed-off-by: Johannes Thumshirn <jth@kernel.org>
Link: https://lore.kernel.org/r/20230411083329.4506-3-jth@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mcb/mcb-pci.c | 27 +++++++++++++++++++++++++--
 1 file changed, 25 insertions(+), 2 deletions(-)

diff --git a/drivers/mcb/mcb-pci.c b/drivers/mcb/mcb-pci.c
index dc88232d9af83..53d9202ff9a7c 100644
--- a/drivers/mcb/mcb-pci.c
+++ b/drivers/mcb/mcb-pci.c
@@ -31,7 +31,7 @@ static int mcb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 {
 	struct resource *res;
 	struct priv *priv;
-	int ret;
+	int ret, table_size;
 	unsigned long flags;
 
 	priv = devm_kzalloc(&pdev->dev, sizeof(struct priv), GFP_KERNEL);
@@ -90,7 +90,30 @@ static int mcb_pci_probe(struct pci_dev *pdev, const struct pci_device_id *id)
 	if (ret < 0)
 		goto out_mcb_bus;
 
-	dev_dbg(&pdev->dev, "Found %d cells\n", ret);
+	table_size = ret;
+
+	if (table_size < CHAM_HEADER_SIZE) {
+		/* Release the previous resources */
+		devm_iounmap(&pdev->dev, priv->base);
+		devm_release_mem_region(&pdev->dev, priv->mapbase, CHAM_HEADER_SIZE);
+
+		/* Then, allocate it again with the actual chameleon table size */
+		res = devm_request_mem_region(&pdev->dev, priv->mapbase,
+						table_size,
+						KBUILD_MODNAME);
+		if (!res) {
+			dev_err(&pdev->dev, "Failed to request PCI memory\n");
+			ret = -EBUSY;
+			goto out_mcb_bus;
+		}
+
+		priv->base = devm_ioremap(&pdev->dev, priv->mapbase, table_size);
+		if (!priv->base) {
+			dev_err(&pdev->dev, "Cannot ioremap\n");
+			ret = -ENOMEM;
+			goto out_mcb_bus;
+		}
+	}
 
 	mcb_bus_add_devices(priv->bus);
 
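Review bot: The removed dev_dbg() printed ret as a number of cells ("Found %d cells"), while the added code stores the same return value in table_size and compares it with CHAM_HEADER_SIZE as a byte count, so this hunk is only correct if the parse call above it has been changed to return the table size. The Link tag suggests this is patch 3 of a series; confirm the patch that changes the return value is also queued for 5.10. In the reallocation itself, priv->base is stale between devm_iounmap() and the new devm_ioremap(), and both failure paths jump to out_mcb_bus with it unmapped or NULL, so check that nothing on that path touches priv->base; a ret of 0 would also request a zero-length region.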
-- 
2.39.2





* [PATCH 5.10 075/211] sched: Fix KCSAN noinstr violation
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (73 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 074/211] mcb-pci: Reallocate memory region to avoid memory overlapping Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 076/211] recordmcount: Fix memory leaks in the uwrite function Greg Kroah-Hartman
                   ` (141 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Josh Poimboeuf,
	Peter Zijlstra (Intel),
	Sasha Levin

From: Josh Poimboeuf <jpoimboe@kernel.org>

[ Upstream commit e0b081d17a9f4e5c0cbb0e5fbeb1abe3de0f7e4e ]

With KCSAN enabled, end_of_stack() can get out-of-lined.  Force it
inline.

Fixes the following warnings:

  vmlinux.o: warning: objtool: check_stackleak_irqoff+0x2b: call to end_of_stack() leaves .noinstr.text section

Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/r/cc1b4d73d3a428a00d206242a68fdf99a934ca7b.1681320026.git.jpoimboe@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/linux/sched/task_stack.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/linux/sched/task_stack.h b/include/linux/sched/task_stack.h
index d10150587d819..f24575942dabe 100644
--- a/include/linux/sched/task_stack.h
+++ b/include/linux/sched/task_stack.h
@@ -23,7 +23,7 @@ static inline void *task_stack_page(const struct task_struct *task)
 
 #define setup_thread_stack(new,old)	do { } while(0)
 
-static inline unsigned long *end_of_stack(const struct task_struct *task)
+static __always_inline unsigned long *end_of_stack(const struct task_struct *task)
 {
 #ifdef CONFIG_STACK_GROWSUP
 	return (unsigned long *)((unsigned long)task->stack + THREAD_SIZE) - 1;
-- 
2.39.2





* [PATCH 5.10 076/211] recordmcount: Fix memory leaks in the uwrite function
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (74 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 075/211] sched: Fix KCSAN noinstr violation Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 077/211] RDMA/core: Fix multiple -Warray-bounds warnings Greg Kroah-Hartman
                   ` (140 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hao Zeng, Steven Rostedt, Sasha Levin

From: Hao Zeng <zenghao@kylinos.cn>

[ Upstream commit fa359d068574d29e7d2f0fdd0ebe4c6a12b5cfb9 ]

Common realloc mistake: 'file_append' nulled but not freed upon failure

Link: https://lkml.kernel.org/r/20230426010527.703093-1-zenghao@kylinos.cn

Signed-off-by: Hao Zeng <zenghao@kylinos.cn>
Suggested-by: Steven Rostedt <rostedt@goodmis.org>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 scripts/recordmcount.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/scripts/recordmcount.c b/scripts/recordmcount.c
index cce12e1971d85..ec692af8ce9eb 100644
--- a/scripts/recordmcount.c
+++ b/scripts/recordmcount.c
@@ -102,6 +102,7 @@ static ssize_t uwrite(void const *const buf, size_t const count)
 {
 	size_t cnt = count;
 	off_t idx = 0;
+	void *p = NULL;
 
 	file_updated = 1;
 
@@ -109,7 +110,10 @@ static ssize_t uwrite(void const *const buf, size_t const count)
 		off_t aoffset = (file_ptr + count) - file_end;
 
 		if (aoffset > file_append_size) {
-			file_append = realloc(file_append, aoffset);
+			p = realloc(file_append, aoffset);
+			if (!p)
+				free(file_append);
+			file_append = p;
 			file_append_size = aoffset;
 		}
 		if (!file_append) {
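Review bot: When realloc() fails the new code frees the old buffer and sets file_append to NULL, but `file_append_size = aoffset;` on the next line still runs, leaving a non-zero size recorded for a buffer that no longer exists. Update file_append_size only when p is non-NULL, or reset it to 0 in the failure branch, so the pair stays consistent whatever the `if (!file_append)` path below does. `p` is used only inside this block and can be declared there instead of at function scope.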
-- 
2.39.2





* [PATCH 5.10 077/211] RDMA/core: Fix multiple -Warray-bounds warnings
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (75 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 076/211] recordmcount: Fix memory leaks in the uwrite function Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:09 ` [PATCH 5.10 078/211] iommu/arm-smmu-qcom: Limit the SMR groups to 128 Greg Kroah-Hartman
                   ` (139 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gustavo A. R. Silva,
	Leon Romanovsky, Sasha Levin

From: Gustavo A. R. Silva <gustavoars@kernel.org>

[ Upstream commit aa4d540b4150052ae3b36d286b9c833a961ce291 ]

GCC-13 (and Clang)[1] does not like to access a partially allocated
object, since it cannot reason about it for bounds checking.

In this case 140 bytes are allocated for an object of type struct
ib_umad_packet:

        packet = kzalloc(sizeof(*packet) + IB_MGMT_RMPP_HDR, GFP_KERNEL);

However, notice that sizeof(*packet) is only 104 bytes:

struct ib_umad_packet {
        struct ib_mad_send_buf *   msg;                  /*     0     8 */
        struct ib_mad_recv_wc *    recv_wc;              /*     8     8 */
        struct list_head           list;                 /*    16    16 */
        int                        length;               /*    32     4 */

        /* XXX 4 bytes hole, try to pack */

        struct ib_user_mad         mad __attribute__((__aligned__(8))); /*    40    64 */

        /* size: 104, cachelines: 2, members: 5 */
        /* sum members: 100, holes: 1, sum holes: 4 */
        /* forced alignments: 1, forced holes: 1, sum forced holes: 4 */
        /* last cacheline: 40 bytes */
} __attribute__((__aligned__(8)));

and 36 extra bytes are allocated for a flexible-array member in
struct ib_user_mad:

include/rdma/ib_mad.h:
120 enum {
...
123         IB_MGMT_RMPP_HDR = 36,
... }

struct ib_user_mad {
        struct ib_user_mad_hdr     hdr;                  /*     0    64 */
        /* --- cacheline 1 boundary (64 bytes) --- */
        __u64                      data[] __attribute__((__aligned__(8))); /*    64     0 */

        /* size: 64, cachelines: 1, members: 2 */
        /* forced alignments: 1 */
} __attribute__((__aligned__(8)));

So we have sizeof(*packet) + IB_MGMT_RMPP_HDR == 140 bytes

Then the address of the flex-array member (for which only 36 bytes were
allocated) is casted and copied into a pointer to struct ib_rmpp_mad,
which, in turn, is of size 256 bytes:

        rmpp_mad = (struct ib_rmpp_mad *) packet->mad.data;

struct ib_rmpp_mad {
        struct ib_mad_hdr          mad_hdr;              /*     0    24 */
        struct ib_rmpp_hdr         rmpp_hdr;             /*    24    12 */
        u8                         data[220];            /*    36   220 */

        /* size: 256, cachelines: 4, members: 3 */
};

The thing is that those 36 bytes allocated for flex-array member data
in struct ib_user_mad only account for the size of both struct ib_mad_hdr
and struct ib_rmpp_hdr, but nothing is left for array u8 data[220].
So, the compiler is legitimately complaining about accessing an object
for which not enough memory was allocated.

Apparently, the only members of struct ib_rmpp_mad that are relevant
(that are actually being used) in function ib_umad_write() are mad_hdr
and rmpp_hdr. So, instead of casting packet->mad.data to
(struct ib_rmpp_mad *) create a new structure

struct ib_rmpp_mad_hdr {
        struct ib_mad_hdr       mad_hdr;
        struct ib_rmpp_hdr      rmpp_hdr;
} __packed;

and cast packet->mad.data to (struct ib_rmpp_mad_hdr *).

Notice that

        IB_MGMT_RMPP_HDR == sizeof(struct ib_rmpp_mad_hdr) == 36 bytes

Refactor the rest of the code, accordingly.

Fix the following warnings seen under GCC-13 and -Warray-bounds:
drivers/infiniband/core/user_mad.c:564:50: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=]
drivers/infiniband/core/user_mad.c:566:42: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=]
drivers/infiniband/core/user_mad.c:618:25: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=]
drivers/infiniband/core/user_mad.c:622:44: warning: array subscript ‘struct ib_rmpp_mad[0]’ is partly outside array bounds of ‘unsigned char[140]’ [-Warray-bounds=]

Link: https://github.com/KSPP/linux/issues/273
Link: https://godbolt.org/z/oYWaGM4Yb [1]
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Link: https://lore.kernel.org/r/ZBpB91qQcB10m3Fw@work
Signed-off-by: Leon Romanovsky <leon@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/infiniband/core/user_mad.c | 23 ++++++++++++++---------
 1 file changed, 14 insertions(+), 9 deletions(-)

diff --git a/drivers/infiniband/core/user_mad.c b/drivers/infiniband/core/user_mad.c
index 4688a6657c875..3bd0dcde8576d 100644
--- a/drivers/infiniband/core/user_mad.c
+++ b/drivers/infiniband/core/user_mad.c
@@ -131,6 +131,11 @@ struct ib_umad_packet {
 	struct ib_user_mad mad;
 };
 
+struct ib_rmpp_mad_hdr {
+	struct ib_mad_hdr	mad_hdr;
+	struct ib_rmpp_hdr      rmpp_hdr;
+} __packed;
+
 #define CREATE_TRACE_POINTS
 #include <trace/events/ib_umad.h>
 
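Review bot: Nothing in the code enforces the equality the commit message relies on, IB_MGMT_RMPP_HDR == sizeof(struct ib_rmpp_mad_hdr). A static_assert() next to the new struct would make the build fail if the enum value or either header struct changes, instead of silently reintroducing an access past the 36 extra bytes allocated in ib_umad_write(). Minor: `mad_hdr` is aligned with a tab and `rmpp_hdr` with spaces.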
@@ -494,11 +499,11 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
 			     size_t count, loff_t *pos)
 {
 	struct ib_umad_file *file = filp->private_data;
+	struct ib_rmpp_mad_hdr *rmpp_mad_hdr;
 	struct ib_umad_packet *packet;
 	struct ib_mad_agent *agent;
 	struct rdma_ah_attr ah_attr;
 	struct ib_ah *ah;
-	struct ib_rmpp_mad *rmpp_mad;
 	__be64 *tid;
 	int ret, data_len, hdr_len, copy_offset, rmpp_active;
 	u8 base_version;
@@ -506,7 +511,7 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
 	if (count < hdr_size(file) + IB_MGMT_RMPP_HDR)
 		return -EINVAL;
 
-	packet = kzalloc(sizeof *packet + IB_MGMT_RMPP_HDR, GFP_KERNEL);
+	packet = kzalloc(sizeof(*packet) + IB_MGMT_RMPP_HDR, GFP_KERNEL);
 	if (!packet)
 		return -ENOMEM;
 
@@ -560,13 +565,13 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
 		goto err_up;
 	}
 
-	rmpp_mad = (struct ib_rmpp_mad *) packet->mad.data;
-	hdr_len = ib_get_mad_data_offset(rmpp_mad->mad_hdr.mgmt_class);
+	rmpp_mad_hdr = (struct ib_rmpp_mad_hdr *)packet->mad.data;
+	hdr_len = ib_get_mad_data_offset(rmpp_mad_hdr->mad_hdr.mgmt_class);
 
-	if (ib_is_mad_class_rmpp(rmpp_mad->mad_hdr.mgmt_class)
+	if (ib_is_mad_class_rmpp(rmpp_mad_hdr->mad_hdr.mgmt_class)
 	    && ib_mad_kernel_rmpp_agent(agent)) {
 		copy_offset = IB_MGMT_RMPP_HDR;
-		rmpp_active = ib_get_rmpp_flags(&rmpp_mad->rmpp_hdr) &
+		rmpp_active = ib_get_rmpp_flags(&rmpp_mad_hdr->rmpp_hdr) &
 						IB_MGMT_RMPP_FLAG_ACTIVE;
 	} else {
 		copy_offset = IB_MGMT_MAD_HDR;
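Review bot: `&rmpp_mad_hdr->rmpp_hdr` takes the address of a member of a struct that the first hunk declares `__packed`, and passes it to ib_get_rmpp_flags() as an ordinary struct ib_rmpp_hdr pointer. According to the layout quoted in the commit message, the two members are 24 and 12 bytes with no padding between them, so please say why `__packed` is needed; if it is not, dropping it avoids handing out pointers into a packed object.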
@@ -615,12 +620,12 @@ static ssize_t ib_umad_write(struct file *filp, const char __user *buf,
 		tid = &((struct ib_mad_hdr *) packet->msg->mad)->tid;
 		*tid = cpu_to_be64(((u64) agent->hi_tid) << 32 |
 				   (be64_to_cpup(tid) & 0xffffffff));
-		rmpp_mad->mad_hdr.tid = *tid;
+		rmpp_mad_hdr->mad_hdr.tid = *tid;
 	}
 
 	if (!ib_mad_kernel_rmpp_agent(agent)
-	   && ib_is_mad_class_rmpp(rmpp_mad->mad_hdr.mgmt_class)
-	   && (ib_get_rmpp_flags(&rmpp_mad->rmpp_hdr) & IB_MGMT_RMPP_FLAG_ACTIVE)) {
+	    && ib_is_mad_class_rmpp(rmpp_mad_hdr->mad_hdr.mgmt_class)
+	    && (ib_get_rmpp_flags(&rmpp_mad_hdr->rmpp_hdr) & IB_MGMT_RMPP_FLAG_ACTIVE)) {
 		spin_lock_irq(&file->send_lock);
 		list_add_tail(&packet->list, &file->send_list);
 		spin_unlock_irq(&file->send_lock);
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 078/211] iommu/arm-smmu-qcom: Limit the SMR groups to 128
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (76 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 077/211] RDMA/core: Fix multiple -Warray-bounds warnings Greg Kroah-Hartman
@ 2023-05-28 19:09 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 079/211] clk: tegra20: fix gcc-7 constant overflow warning Greg Kroah-Hartman
                   ` (138 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:09 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Johan Hovold, Manivannan Sadhasivam,
	Will Deacon, Sasha Levin

From: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>

[ Upstream commit 12261134732689b7e30c59db9978f81230965181 ]

Some platforms support more than 128 stream matching groups than what is
defined by the ARM SMMU architecture specification. But due to some unknown
reasons, those additional groups don't exhibit the same behavior as the
architecture supported ones.

For instance, the additional groups will not detect the quirky behavior of
some firmware versions intercepting writes to S2CR register, thus skipping
the quirk implemented in the driver and causing boot crash.

So let's limit the groups to 128 for now until the issue with those groups
are fixed and issue a notice to users in that case.

Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Signed-off-by: Manivannan Sadhasivam <manivannan.sadhasivam@linaro.org>
Link: https://lore.kernel.org/r/20230327080029.11584-1-manivannan.sadhasivam@linaro.org
[will: Reworded the comment slightly]
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
index 63f7173b241f0..1598a1ddbf694 100644
--- a/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
+++ b/drivers/iommu/arm/arm-smmu/arm-smmu-qcom.c
@@ -32,12 +32,26 @@ static const struct of_device_id qcom_smmu_client_of_match[] __maybe_unused = {
 
 static int qcom_smmu_cfg_probe(struct arm_smmu_device *smmu)
 {
-	unsigned int last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1);
 	struct qcom_smmu *qsmmu = to_qcom_smmu(smmu);
+	unsigned int last_s2cr;
 	u32 reg;
 	u32 smr;
 	int i;
 
+	/*
+	 * Some platforms support more than the Arm SMMU architected maximum of
+	 * 128 stream matching groups. For unknown reasons, the additional
+	 * groups don't exhibit the same behavior as the architected registers,
+	 * so limit the groups to 128 until the behavior is fixed for the other
+	 * groups.
+	 */
+	if (smmu->num_mapping_groups > 128) {
+		dev_notice(smmu->dev, "\tLimiting the stream matching groups to 128\n");
+		smmu->num_mapping_groups = 128;
+	}
+
+	last_s2cr = ARM_SMMU_GR0_S2CR(smmu->num_mapping_groups - 1);
+
 	/*
 	 * With some firmware versions writes to S2CR of type FAULT are
 	 * ignored, and writing BYPASS will end up written as FAULT in the
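Review bot: The limit 128 appears as a bare literal in the comparison, in the assignment and in the dev_notice() string. A named constant (a driver-local #define, name to be chosen by the author) used in all three places would keep them from drifting apart when the limit is revisited. The notice string also starts with "\t"; as a stand-alone message it would read better without the tab, and printing the original `smmu->num_mapping_groups` value before clamping would help when triaging reports from affected platforms.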
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 079/211] clk: tegra20: fix gcc-7 constant overflow warning
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (77 preceding siblings ...)
  2023-05-28 19:09 ` [PATCH 5.10 078/211] iommu/arm-smmu-qcom: Limit the SMR groups to 128 Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 080/211] iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any Greg Kroah-Hartman
                   ` (137 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Stephen Boyd, Sasha Levin

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit b4a2adbf3586efa12fe78b9dec047423e01f3010 ]

Older gcc versions get confused by comparing a u32 value to a negative
constant in a switch()/case block:

drivers/clk/tegra/clk-tegra20.c: In function 'tegra20_clk_measure_input_freq':
drivers/clk/tegra/clk-tegra20.c:581:2: error: case label does not reduce to an integer constant
  case OSC_CTRL_OSC_FREQ_12MHZ:
  ^~~~
drivers/clk/tegra/clk-tegra20.c:593:2: error: case label does not reduce to an integer constant
  case OSC_CTRL_OSC_FREQ_26MHZ:

Make the constants unsigned instead.

Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Link: https://lore.kernel.org/r/20230227085914.2560984-1-arnd@kernel.org
Signed-off-by: Stephen Boyd <sboyd@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/clk/tegra/clk-tegra20.c | 28 ++++++++++++++--------------
 1 file changed, 14 insertions(+), 14 deletions(-)

diff --git a/drivers/clk/tegra/clk-tegra20.c b/drivers/clk/tegra/clk-tegra20.c
index d60ee6e318a55..fb1da5d63f4b2 100644
--- a/drivers/clk/tegra/clk-tegra20.c
+++ b/drivers/clk/tegra/clk-tegra20.c
@@ -18,24 +18,24 @@
 #define MISC_CLK_ENB 0x48
 
 #define OSC_CTRL 0x50
-#define OSC_CTRL_OSC_FREQ_MASK (3<<30)
-#define OSC_CTRL_OSC_FREQ_13MHZ (0<<30)
-#define OSC_CTRL_OSC_FREQ_19_2MHZ (1<<30)
-#define OSC_CTRL_OSC_FREQ_12MHZ (2<<30)
-#define OSC_CTRL_OSC_FREQ_26MHZ (3<<30)
-#define OSC_CTRL_MASK (0x3f2 | OSC_CTRL_OSC_FREQ_MASK)
-
-#define OSC_CTRL_PLL_REF_DIV_MASK (3<<28)
-#define OSC_CTRL_PLL_REF_DIV_1		(0<<28)
-#define OSC_CTRL_PLL_REF_DIV_2		(1<<28)
-#define OSC_CTRL_PLL_REF_DIV_4		(2<<28)
+#define OSC_CTRL_OSC_FREQ_MASK (3u<<30)
+#define OSC_CTRL_OSC_FREQ_13MHZ (0u<<30)
+#define OSC_CTRL_OSC_FREQ_19_2MHZ (1u<<30)
+#define OSC_CTRL_OSC_FREQ_12MHZ (2u<<30)
+#define OSC_CTRL_OSC_FREQ_26MHZ (3u<<30)
+#define OSC_CTRL_MASK (0x3f2u | OSC_CTRL_OSC_FREQ_MASK)
+
+#define OSC_CTRL_PLL_REF_DIV_MASK	(3u<<28)
+#define OSC_CTRL_PLL_REF_DIV_1		(0u<<28)
+#define OSC_CTRL_PLL_REF_DIV_2		(1u<<28)
+#define OSC_CTRL_PLL_REF_DIV_4		(2u<<28)
 
 #define OSC_FREQ_DET 0x58
-#define OSC_FREQ_DET_TRIG (1<<31)
+#define OSC_FREQ_DET_TRIG (1u<<31)
 
 #define OSC_FREQ_DET_STATUS 0x5c
-#define OSC_FREQ_DET_BUSY (1<<31)
-#define OSC_FREQ_DET_CNT_MASK 0xFFFF
+#define OSC_FREQ_DET_BUSYu (1<<31)
+#define OSC_FREQ_DET_CNT_MASK 0xFFFFu
 
 #define TEGRA20_CLK_PERIPH_BANKS	3
 
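Review bot: In `+#define OSC_FREQ_DET_BUSYu (1<<31)` the `u` suffix was added to the macro name instead of the constant. This renames the macro to OSC_FREQ_DET_BUSYu, so any user of OSC_FREQ_DET_BUSY is left without a definition, and the value stays the signed `(1<<31)` that the commit sets out to remove. It should read `#define OSC_FREQ_DET_BUSY (1u<<31)`, matching OSC_FREQ_DET_TRIG earlier in this hunk.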
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 080/211] iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (78 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 079/211] clk: tegra20: fix gcc-7 constant overflow warning Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 081/211] Input: xpad - add constants for GIP interface numbers Greg Kroah-Hartman
                   ` (136 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Tomas Krcka, Will Deacon, Sasha Levin

From: Tomas Krcka <krckatom@amazon.de>

[ Upstream commit 67ea0b7ce41844eae7c10bb04dfe66a23318c224 ]

When an overflow occurs in the PRI queue, the SMMU toggles the overflow
flag in the PROD register. To exit the overflow condition, the PRI thread
is supposed to acknowledge it by toggling this flag in the CONS register.
Unacknowledged overflow causes the queue to stop adding anything new.

Currently, the priq thread always writes the CONS register back to the
SMMU after clearing the queue.

The writeback is not necessary if the OVFLG in the PROD register has not
been changed, no overflow has occurred.

This commit checks the difference of the overflow flag between CONS and
PROD register. If it's different, toggles the OVACKFLG flag in the CONS
register and write it to the SMMU.

The situation is similar for the event queue.
The acknowledge register is also toggled after clearing the event
queue but never propagated to the hardware. This would only be done the
next time when executing evtq thread.

Unacknowledged event queue overflow doesn't affect the event
queue, because the SMMU still adds elements to that queue when the
overflow condition is active.
But it feels nicer to keep SMMU in sync when possible, so use the same
way here as well.

Signed-off-by: Tomas Krcka <krckatom@amazon.de>
Link: https://lore.kernel.org/r/20230329123420.34641-1-tomas.krcka@gmail.com
Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c | 19 ++++++++++++++-----
 1 file changed, 14 insertions(+), 5 deletions(-)

diff --git a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
index bc4cbc7542ce2..982c42c873102 100644
--- a/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
+++ b/drivers/iommu/arm/arm-smmu-v3/arm-smmu-v3.c
@@ -162,6 +162,18 @@ static void queue_inc_cons(struct arm_smmu_ll_queue *q)
 	q->cons = Q_OVF(q->cons) | Q_WRP(q, cons) | Q_IDX(q, cons);
 }
 
+static void queue_sync_cons_ovf(struct arm_smmu_queue *q)
+{
+	struct arm_smmu_ll_queue *llq = &q->llq;
+
+	if (likely(Q_OVF(llq->prod) == Q_OVF(llq->cons)))
+		return;
+
+	llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) |
+		      Q_IDX(llq, llq->cons);
+	queue_sync_cons_out(q);
+}
+
 static int queue_sync_prod_in(struct arm_smmu_queue *q)
 {
 	u32 prod;
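Review bot: queue_sync_cons_ovf() has no comment, yet it is now the one place where the decision to skip the register write lives. A line above the function saying that it acknowledges a queue overflow by copying the OVF flag from PROD into CONS and writing CONS to the SMMU, and that it does nothing when the flags already match, would save readers from reconstructing that from the commit message.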
@@ -1380,8 +1392,7 @@ static irqreturn_t arm_smmu_evtq_thread(int irq, void *dev)
 	} while (!queue_empty(llq));
 
 	/* Sync our overflow flag, as we believe we're up to speed */
-	llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) |
-		    Q_IDX(llq, llq->cons);
+	queue_sync_cons_ovf(q);
 	return IRQ_HANDLED;
 }
 
@@ -1439,9 +1450,7 @@ static irqreturn_t arm_smmu_priq_thread(int irq, void *dev)
 	} while (!queue_empty(llq));
 
 	/* Sync our overflow flag, as we believe we're up to speed */
-	llq->cons = Q_OVF(llq->prod) | Q_WRP(llq, llq->cons) |
-		      Q_IDX(llq, llq->cons);
-	queue_sync_cons_out(q);
+	queue_sync_cons_ovf(q);
 	return IRQ_HANDLED;
 }
 
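Review bot: Before this change the PRI thread wrote CONS back to the SMMU on every pass through `queue_sync_cons_out(q)`; after it, the write happens only when the overflow flags differ. CONS carries the consumer index as well as the overflow acknowledgement, so please confirm, and say in the commit message, where the updated index reaches the hardware on the no-overflow path. Nothing in the visible hunks shows it.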
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 081/211] Input: xpad - add constants for GIP interface numbers
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (79 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 080/211] iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 082/211] phy: st: miphy28lp: use _poll_timeout functions for waits Greg Kroah-Hartman
                   ` (135 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vicki Pfau, Dmitry Torokhov, Sasha Levin

From: Vicki Pfau <vi@endrift.com>

[ Upstream commit f9b2e603c6216824e34dc9a67205d98ccc9a41ca ]

Wired GIP devices present multiple interfaces with the same USB identification
other than the interface number. This adds constants for differentiating two of
them and uses them where appropriate

Signed-off-by: Vicki Pfau <vi@endrift.com>
Link: https://lore.kernel.org/r/20230411031650.960322-2-vi@endrift.com
Signed-off-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/input/joystick/xpad.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/input/joystick/xpad.c b/drivers/input/joystick/xpad.c
index 70dedc0f7827c..0bd55e1fca372 100644
--- a/drivers/input/joystick/xpad.c
+++ b/drivers/input/joystick/xpad.c
@@ -489,6 +489,9 @@ struct xboxone_init_packet {
 	}
 
 
+#define GIP_WIRED_INTF_DATA 0
+#define GIP_WIRED_INTF_AUDIO 1
+
 /*
  * This packet is required for all Xbox One pads with 2015
  * or later firmware installed (or present from the factory).
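Review bot: The two new constants have no comment saying that they are bInterfaceNumber values of a wired GIP device, and GIP_WIRED_INTF_AUDIO is not used in either hunk of this patch. A one-line comment above the defines would do, and if the audio constant is only needed by a later patch in the series it would be better introduced there. The context comment in xpad_probe() in the next hunk speaks of three interfaces while only two are named here; worth naming the third or noting why it is left out.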
@@ -1813,7 +1816,7 @@ static int xpad_probe(struct usb_interface *intf, const struct usb_device_id *id
 	}
 
 	if (xpad->xtype == XTYPE_XBOXONE &&
-	    intf->cur_altsetting->desc.bInterfaceNumber != 0) {
+	    intf->cur_altsetting->desc.bInterfaceNumber != GIP_WIRED_INTF_DATA) {
 		/*
 		 * The Xbox One controller lists three interfaces all with the
 		 * same interface class, subclass and protocol. Differentiate by
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 082/211] phy: st: miphy28lp: use _poll_timeout functions for waits
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (80 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 081/211] Input: xpad - add constants for GIP interface numbers Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 083/211] mfd: dln2: Fix memory leak in dln2_probe() Greg Kroah-Hartman
                   ` (134 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alain Volmat, Patrice Chotard,
	Vinod Koul, Sasha Levin

From: Alain Volmat <avolmat@me.com>

[ Upstream commit e3be4dd2c8d8aabfd2c3127d0e2e5754d3ae82d6 ]

This commit introduces _poll_timeout functions usage instead of
wait loops waiting for a status bit.

Signed-off-by: Alain Volmat <avolmat@me.com>
Reviewed-by: Patrice Chotard <patrice.chotard@foss.st.com>
Link: https://lore.kernel.org/r/20230210224309.98452-1-avolmat@me.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/phy/st/phy-miphy28lp.c | 42 ++++++++--------------------------
 1 file changed, 10 insertions(+), 32 deletions(-)

diff --git a/drivers/phy/st/phy-miphy28lp.c b/drivers/phy/st/phy-miphy28lp.c
index 068160a34f5cc..e30305b77f0d1 100644
--- a/drivers/phy/st/phy-miphy28lp.c
+++ b/drivers/phy/st/phy-miphy28lp.c
@@ -9,6 +9,7 @@
 
 #include <linux/platform_device.h>
 #include <linux/io.h>
+#include <linux/iopoll.h>
 #include <linux/kernel.h>
 #include <linux/module.h>
 #include <linux/of.h>
@@ -484,19 +485,11 @@ static inline void miphy28lp_pcie_config_gen(struct miphy28lp_phy *miphy_phy)
 
 static inline int miphy28lp_wait_compensation(struct miphy28lp_phy *miphy_phy)
 {
-	unsigned long finish = jiffies + 5 * HZ;
 	u8 val;
 
 	/* Waiting for Compensation to complete */
-	do {
-		val = readb_relaxed(miphy_phy->base + MIPHY_COMP_FSM_6);
-
-		if (time_after_eq(jiffies, finish))
-			return -EBUSY;
-		cpu_relax();
-	} while (!(val & COMP_DONE));
-
-	return 0;
+	return readb_relaxed_poll_timeout(miphy_phy->base + MIPHY_COMP_FSM_6,
+					  val, val & COMP_DONE, 1, 5 * USEC_PER_SEC);
 }
 
 
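Review bot: The return value on timeout changes here. The open-coded loop returned -EBUSY, while readb_relaxed_poll_timeout() returns -ETIMEDOUT, so any caller that tests for -EBUSY specifically needs checking; the same applies to miphy_is_ready() and miphy_osc_is_ready() below. With a non-zero sleep_us of 1 the helper also sleeps between reads where the old loop spun with cpu_relax(), so these functions may now only be called from a context that can sleep. Neither change is mentioned in the commit message.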
@@ -805,7 +798,6 @@ static inline void miphy28lp_configure_usb3(struct miphy28lp_phy *miphy_phy)
 
 static inline int miphy_is_ready(struct miphy28lp_phy *miphy_phy)
 {
-	unsigned long finish = jiffies + 5 * HZ;
 	u8 mask = HFC_PLL | HFC_RDY;
 	u8 val;
 
@@ -816,21 +808,14 @@ static inline int miphy_is_ready(struct miphy28lp_phy *miphy_phy)
 	if (miphy_phy->type == PHY_TYPE_SATA)
 		mask |= PHY_RDY;
 
-	do {
-		val = readb_relaxed(miphy_phy->base + MIPHY_STATUS_1);
-		if ((val & mask) != mask)
-			cpu_relax();
-		else
-			return 0;
-	} while (!time_after_eq(jiffies, finish));
-
-	return -EBUSY;
+	return readb_relaxed_poll_timeout(miphy_phy->base + MIPHY_STATUS_1,
+					  val, (val & mask) == mask, 1,
+					  5 * USEC_PER_SEC);
 }
 
 static int miphy_osc_is_ready(struct miphy28lp_phy *miphy_phy)
 {
 	struct miphy28lp_dev *miphy_dev = miphy_phy->phydev;
-	unsigned long finish = jiffies + 5 * HZ;
 	u32 val;
 
 	if (!miphy_phy->osc_rdy)
@@ -839,17 +824,10 @@ static int miphy_osc_is_ready(struct miphy28lp_phy *miphy_phy)
 	if (!miphy_phy->syscfg_reg[SYSCFG_STATUS])
 		return -EINVAL;
 
-	do {
-		regmap_read(miphy_dev->regmap,
-				miphy_phy->syscfg_reg[SYSCFG_STATUS], &val);
-
-		if ((val & MIPHY_OSC_RDY) != MIPHY_OSC_RDY)
-			cpu_relax();
-		else
-			return 0;
-	} while (!time_after_eq(jiffies, finish));
-
-	return -EBUSY;
+	return regmap_read_poll_timeout(miphy_dev->regmap,
+					miphy_phy->syscfg_reg[SYSCFG_STATUS],
+					val, val & MIPHY_OSC_RDY, 1,
+					5 * USEC_PER_SEC);
 }
 
 static int miphy28lp_get_resource_byname(struct device_node *child,
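Review bot: The exit condition is weakened from `(val & MIPHY_OSC_RDY) != MIPHY_OSC_RDY` (keep looping until every bit of the mask is set) to `val & MIPHY_OSC_RDY` (stop as soon as any bit is set). The two agree only if MIPHY_OSC_RDY is a single bit; the miphy_is_ready() conversion in the previous hunk kept the `(val & mask) == mask` form, and using it here too would preserve the old behaviour without depending on the mask's value. Also note that regmap_read_poll_timeout() returns a regmap_read() error, which the old loop ignored.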
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 083/211] mfd: dln2: Fix memory leak in dln2_probe()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (81 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 082/211] phy: st: miphy28lp: use _poll_timeout functions for waits Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 084/211] btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c Greg Kroah-Hartman
                   ` (133 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Qiang Ning, Lee Jones, Sasha Levin

From: Qiang Ning <qning0106@126.com>

[ Upstream commit 96da8f148396329ba769246cb8ceaa35f1ddfc48 ]

When dln2_setup_rx_urbs() in dln2_probe() fails, error out_free forgets
to call usb_put_dev() to decrease the refcount of dln2->usb_dev.

Fix this by adding usb_put_dev() in the error handling code of
dln2_probe().

Signed-off-by: Qiang Ning <qning0106@126.com>
Signed-off-by: Lee Jones <lee@kernel.org>
Link: https://lore.kernel.org/r/20230330024353.4503-1-qning0106@126.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/mfd/dln2.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/drivers/mfd/dln2.c b/drivers/mfd/dln2.c
index 852129ea07666..fc65f9e25fda8 100644
--- a/drivers/mfd/dln2.c
+++ b/drivers/mfd/dln2.c
@@ -836,6 +836,7 @@ static int dln2_probe(struct usb_interface *interface,
 	dln2_stop_rx_urbs(dln2);
 
 out_free:
+	usb_put_dev(dln2->usb_dev);
 	dln2_free(dln2);
 
 	return ret;
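Review bot: `usb_put_dev(dln2->usb_dev)` is placed at `out_free`, so it runs for every `goto out_free`, not just the dln2_setup_rx_urbs() failure named in the commit message. Please confirm that every jump to this label happens after the reference on dln2->usb_dev has been taken and that dln2_free() does not drop it as well; otherwise the fix trades the leak for an unbalanced put.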
-- 
2.39.2




^ permalink raw reply related	[flat|nested] 218+ messages in thread

* [PATCH 5.10 084/211] btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (82 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 083/211] mfd: dln2: Fix memory leak in dln2_probe() Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 085/211] btrfs: replace calls to btrfs_find_free_ino with btrfs_find_free_objectid Greg Kroah-Hartman
                   ` (132 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Borisov, David Sterba, Sasha Levin

From: Nikolay Borisov <nborisov@suse.com>

[ Upstream commit ec7d6dfd73b2de1c6bc36f832542061b0ca0e0ff ]

Those functions are going to be used even after inode cache is removed
so moved them to a more appropriate place.

Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 0004ff15ea26 ("btrfs: fix space cache inconsistency after error loading it from disk")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/disk-io.c   | 55 ++++++++++++++++++++++++++++++++++++++++++++
 fs/btrfs/disk-io.h   |  2 ++
 fs/btrfs/inode-map.c | 55 --------------------------------------------
 fs/btrfs/inode-map.h |  3 ---
 4 files changed, 57 insertions(+), 58 deletions(-)

diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
index 2a7778a88f03b..095c9e4f92248 100644
--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -4780,3 +4780,58 @@ static int btrfs_cleanup_transaction(struct btrfs_fs_info *fs_info)
 
 	return 0;
 }
+
+int btrfs_find_highest_objectid(struct btrfs_root *root, u64 *objectid)
+{
+	struct btrfs_path *path;
+	int ret;
+	struct extent_buffer *l;
+	struct btrfs_key search_key;
+	struct btrfs_key found_key;
+	int slot;
+
+	path = btrfs_alloc_path();
+	if (!path)
+		return -ENOMEM;
+
+	search_key.objectid = BTRFS_LAST_FREE_OBJECTID;
+	search_key.type = -1;
+	search_key.offset = (u64)-1;
+	ret = btrfs_search_slot(NULL, root, &search_key, path, 0, 0);
+	if (ret < 0)
+		goto error;
+	BUG_ON(ret == 0); /* Corruption */
+	if (path->slots[0] > 0) {
+		slot = path->slots[0] - 1;
+		l = path->nodes[0];
+		btrfs_item_key_to_cpu(l, &found_key, slot);
+		*objectid = max_t(u64, found_key.objectid,
+				  BTRFS_FIRST_FREE_OBJECTID - 1);
+	} else {
+		*objectid = BTRFS_FIRST_FREE_OBJECTID - 1;
+	}
+	ret = 0;
+error:
+	btrfs_free_path(path);
+	return ret;
+}
+
+int btrfs_find_free_objectid(struct btrfs_root *root, u64 *objectid)
+{
+	int ret;
+	mutex_lock(&root->objectid_mutex);
+
+	if (unlikely(root->highest_objectid >= BTRFS_LAST_FREE_OBJECTID)) {
+		btrfs_warn(root->fs_info,
+			   "the objectid of root %llu reaches its highest value",
+			   root->root_key.objectid);
+		ret = -ENOSPC;
+		goto out;
+	}
+
+	*objectid = ++root->highest_objectid;
+	ret = 0;
+out:
+	mutex_unlock(&root->objectid_mutex);
+	return ret;
+}
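Review bot: The moved btrfs_find_highest_objectid() keeps `BUG_ON(ret == 0); /* Corruption */`, which triggers a kernel BUG when the search finds an exact match, a condition the comment itself attributes to corruption. For a move-only dependency patch the code should stay identical to the removed copy, but it is worth a follow-up that returns an error through `goto error`, so the path is still freed, instead of crashing on a damaged filesystem. Style nit in btrfs_find_free_objectid(): there is no blank line between `int ret;` and `mutex_lock()`.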
diff --git a/fs/btrfs/disk-io.h b/fs/btrfs/disk-io.h
index 182540bdcea0f..e3b96944ce10c 100644
--- a/fs/btrfs/disk-io.h
+++ b/fs/btrfs/disk-io.h
@@ -131,6 +131,8 @@ struct btrfs_root *btrfs_create_tree(struct btrfs_trans_handle *trans,
 int btree_lock_page_hook(struct page *page, void *data,
 				void (*flush_fn)(void *));
 int btrfs_get_num_tolerated_disk_barrier_failures(u64 flags);
+int btrfs_find_free_objectid(struct btrfs_root *root, u64 *objectid);
+int btrfs_find_highest_objectid(struct btrfs_root *root, u64 *objectid);
 int __init btrfs_end_io_wq_init(void);
 void __cold btrfs_end_io_wq_exit(void);
 
diff --git a/fs/btrfs/inode-map.c b/fs/btrfs/inode-map.c
index 76d2e43817eae..c74340d22624e 100644
--- a/fs/btrfs/inode-map.c
+++ b/fs/btrfs/inode-map.c
@@ -525,58 +525,3 @@ int btrfs_save_ino_cache(struct btrfs_root *root,
 	extent_changeset_free(data_reserved);
 	return ret;
 }
-
-int btrfs_find_highest_objectid(struct btrfs_root *root, u64 *objectid)
-{
-	struct btrfs_path *path;
-	int ret;
-	struct extent_buffer *l;
-	struct btrfs_key search_key;
-	struct btrfs_key found_key;
-	int slot;
-
-	path = btrfs_alloc_path();
-	if (!path)
-		return -ENOMEM;
-
-	search_key.objectid = BTRFS_LAST_FREE_OBJECTID;
-	search_key.type = -1;
-	search_key.offset = (u64)-1;
-	ret = btrfs_search_slot(NULL, root, &search_key, path, 0, 0);
-	if (ret < 0)
-		goto error;
-	BUG_ON(ret == 0); /* Corruption */
-	if (path->slots[0] > 0) {
-		slot = path->slots[0] - 1;
-		l = path->nodes[0];
-		btrfs_item_key_to_cpu(l, &found_key, slot);
-		*objectid = max_t(u64, found_key.objectid,
-				  BTRFS_FIRST_FREE_OBJECTID - 1);
-	} else {
-		*objectid = BTRFS_FIRST_FREE_OBJECTID - 1;
-	}
-	ret = 0;
-error:
-	btrfs_free_path(path);
-	return ret;
-}
-
-int btrfs_find_free_objectid(struct btrfs_root *root, u64 *objectid)
-{
-	int ret;
-	mutex_lock(&root->objectid_mutex);
-
-	if (unlikely(root->highest_objectid >= BTRFS_LAST_FREE_OBJECTID)) {
-		btrfs_warn(root->fs_info,
-			   "the objectid of root %llu reaches its highest value",
-			   root->root_key.objectid);
-		ret = -ENOSPC;
-		goto out;
-	}
-
-	*objectid = ++root->highest_objectid;
-	ret = 0;
-out:
-	mutex_unlock(&root->objectid_mutex);
-	return ret;
-}
diff --git a/fs/btrfs/inode-map.h b/fs/btrfs/inode-map.h
index 7a962811dffe0..629baf9aefb15 100644
--- a/fs/btrfs/inode-map.h
+++ b/fs/btrfs/inode-map.h
@@ -10,7 +10,4 @@ int btrfs_find_free_ino(struct btrfs_root *root, u64 *objectid);
 int btrfs_save_ino_cache(struct btrfs_root *root,
 			 struct btrfs_trans_handle *trans);
 
-int btrfs_find_free_objectid(struct btrfs_root *root, u64 *objectid);
-int btrfs_find_highest_objectid(struct btrfs_root *root, u64 *objectid);
-
 #endif
-- 
2.39.2





* [PATCH 5.10 085/211] btrfs: replace calls to btrfs_find_free_ino with btrfs_find_free_objectid
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (83 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 084/211] btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 086/211] btrfs: fix space cache inconsistency after error loading it from disk Greg Kroah-Hartman
                   ` (131 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Nikolay Borisov, David Sterba, Sasha Levin

From: Nikolay Borisov <nborisov@suse.com>

[ Upstream commit abadc1fcd72e887a8f875dabe4a07aa8c28ac8af ]

The former is going away as part of the inode map removal so switch
callers to btrfs_find_free_objectid. No functional changes since with
INODE_MAP disabled (default) find_free_objectid was called anyway.

Signed-off-by: Nikolay Borisov <nborisov@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Stable-dep-of: 0004ff15ea26 ("btrfs: fix space cache inconsistency after error loading it from disk")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/inode.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/fs/btrfs/inode.c b/fs/btrfs/inode.c
index 779b7745cdc48..c900a39666e38 100644
--- a/fs/btrfs/inode.c
+++ b/fs/btrfs/inode.c
@@ -6273,7 +6273,7 @@ static int btrfs_mknod(struct inode *dir, struct dentry *dentry,
 	if (IS_ERR(trans))
 		return PTR_ERR(trans);
 
-	err = btrfs_find_free_ino(root, &objectid);
+	err = btrfs_find_free_objectid(root, &objectid);
 	if (err)
 		goto out_unlock;
 
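Review bot: The changelog's "No functional changes" holds only with INODE_MAP disabled, so at this call site and the five identical replacements below, a filesystem running with INODE_MAP enabled now takes its new inode number from btrfs_find_free_objectid() instead of btrfs_find_free_ino(). For a stable backport that is a behaviour change for those users, and since the patch is carried only as a Stable-dep-of prerequisite, the changelog should say so explicitly.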
@@ -6337,7 +6337,7 @@ static int btrfs_create(struct inode *dir, struct dentry *dentry,
 	if (IS_ERR(trans))
 		return PTR_ERR(trans);
 
-	err = btrfs_find_free_ino(root, &objectid);
+	err = btrfs_find_free_objectid(root, &objectid);
 	if (err)
 		goto out_unlock;
 
@@ -6481,7 +6481,7 @@ static int btrfs_mkdir(struct inode *dir, struct dentry *dentry, umode_t mode)
 	if (IS_ERR(trans))
 		return PTR_ERR(trans);
 
-	err = btrfs_find_free_ino(root, &objectid);
+	err = btrfs_find_free_objectid(root, &objectid);
 	if (err)
 		goto out_fail;
 
@@ -9135,7 +9135,7 @@ static int btrfs_whiteout_for_rename(struct btrfs_trans_handle *trans,
 	u64 objectid;
 	u64 index;
 
-	ret = btrfs_find_free_ino(root, &objectid);
+	ret = btrfs_find_free_objectid(root, &objectid);
 	if (ret)
 		return ret;
 
@@ -9631,7 +9631,7 @@ static int btrfs_symlink(struct inode *dir, struct dentry *dentry,
 	if (IS_ERR(trans))
 		return PTR_ERR(trans);
 
-	err = btrfs_find_free_ino(root, &objectid);
+	err = btrfs_find_free_objectid(root, &objectid);
 	if (err)
 		goto out_unlock;
 
@@ -9962,7 +9962,7 @@ static int btrfs_tmpfile(struct inode *dir, struct dentry *dentry, umode_t mode)
 	if (IS_ERR(trans))
 		return PTR_ERR(trans);
 
-	ret = btrfs_find_free_ino(root, &objectid);
+	ret = btrfs_find_free_objectid(root, &objectid);
 	if (ret)
 		goto out;
 
-- 
2.39.2





* [PATCH 5.10 086/211] btrfs: fix space cache inconsistency after error loading it from disk
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (84 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 085/211] btrfs: replace calls to btrfs_find_free_ino with btrfs_find_free_objectid Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 087/211] xfrm: dont check the default policy if the policy allows the packet Greg Kroah-Hartman
                   ` (130 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Anand Jain, Filipe Manana,
	David Sterba, Sasha Levin

From: Filipe Manana <fdmanana@suse.com>

[ Upstream commit 0004ff15ea26015a0a3a6182dca3b9d1df32e2b7 ]

When loading a free space cache from disk, at __load_free_space_cache(),
if we fail to insert a bitmap entry, we still increment the number of
total bitmaps in the btrfs_free_space_ctl structure, which is incorrect
since we failed to add the bitmap entry. On error we then empty the
cache by calling __btrfs_remove_free_space_cache(), which will result
in getting the total bitmaps counter set to 1.

A failure to load a free space cache is not critical, so if a failure
happens we just rebuild the cache by scanning the extent tree, which
happens at block-group.c:caching_thread(). Yet the failure will result
in having the total bitmaps of the btrfs_free_space_ctl always bigger
by 1 than the number of bitmap entries we have. So fix this by having
the total bitmaps counter be incremented only if we successfully added
the bitmap entry.

Fixes: a67509c30079 ("Btrfs: add a io_ctl struct and helpers for dealing with the space cache")
Reviewed-by: Anand Jain <anand.jain@oracle.com>
CC: stable@vger.kernel.org # 4.4+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/btrfs/free-space-cache.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/btrfs/free-space-cache.c b/fs/btrfs/free-space-cache.c
index ba280707d5ec2..4989c60b1df9c 100644
--- a/fs/btrfs/free-space-cache.c
+++ b/fs/btrfs/free-space-cache.c
@@ -794,15 +794,16 @@ static int __load_free_space_cache(struct btrfs_root *root, struct inode *inode,
 			}
 			spin_lock(&ctl->tree_lock);
 			ret = link_free_space(ctl, e);
-			ctl->total_bitmaps++;
-			ctl->op->recalc_thresholds(ctl);
-			spin_unlock(&ctl->tree_lock);
 			if (ret) {
+				spin_unlock(&ctl->tree_lock);
 				btrfs_err(fs_info,
 					"Duplicate entries in free space cache, dumping");
 				kmem_cache_free(btrfs_free_space_cachep, e);
 				goto free_cache;
 			}
+			ctl->total_bitmaps++;
+			ctl->op->recalc_thresholds(ctl);
+			spin_unlock(&ctl->tree_lock);
 			list_add_tail(&e->list, &bitmaps);
 		}
 
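Review bot: The error branch still logs "Duplicate entries in free space cache, dumping" for any non-zero return from link_free_space() without printing ret; including the error code would help triage. A one-line comment above `ctl->total_bitmaps++` stating that the counter must only count bitmap entries that were actually linked would also keep a later refactor from moving the increment back above the `if (ret)` check.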
-- 
2.39.2





* [PATCH 5.10 087/211] xfrm: dont check the default policy if the policy allows the packet
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (85 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 086/211] btrfs: fix space cache inconsistency after error loading it from disk Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 088/211] Revert "Fix XFRM-I support for nested ESP tunnels" Greg Kroah-Hartman
                   ` (129 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sabrina Dubroca, Steffen Klassert,
	Sasha Levin

From: Sabrina Dubroca <sd@queasysnail.net>

[ Upstream commit 430cac487400494c19a8b85299e979bb07b4671f ]

The current code doesn't let a simple "allow" policy counteract a
default policy blocking all incoming packets:

    ip x p setdefault in block
    ip x p a src 192.168.2.1/32 dst 192.168.2.2/32 dir in action allow

At this stage, we have an allow policy (with or without transforms)
for this packet. It doesn't matter what the default policy says, since
the policy we looked up lets the packet through. The case of a
blocking policy is already handled separately, so we can remove this
check.

Fixes: 2d151d39073a ("xfrm: Add possibility to set the default to block if we have no policy")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_policy.c | 6 ------
 1 file changed, 6 deletions(-)

diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index d15aa62887de0..8ebe305f6ddd7 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -3677,12 +3677,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 		}
 		xfrm_nr = ti;
 
-		if (net->xfrm.policy_default[dir] == XFRM_USERPOLICY_BLOCK &&
-		    !xfrm_nr) {
-			XFRM_INC_STATS(net, LINUX_MIB_XFRMINNOSTATES);
-			goto reject;
-		}
-
 		if (npols > 1) {
 			xfrm_tmpl_sort(stp, tpp, xfrm_nr, family);
 			tpp = stp;
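Review bot: With this block gone, a matched allow policy with no templates (xfrm_nr == 0) is accepted even when policy_default[dir] is XFRM_USERPOLICY_BLOCK, and LINUX_MIB_XFRMINNOSTATES is no longer incremented on this path. The changelog says the blocking case is "already handled separately" but does not name where; pointing at that check, and adding a selftest built from the two `ip x p` commands in the changelog, would let a reviewer confirm that default-block still drops packets that match no policy.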
-- 
2.39.2





* [PATCH 5.10 088/211] Revert "Fix XFRM-I support for nested ESP tunnels"
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (86 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 087/211] xfrm: dont check the default policy if the policy allows the packet Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 089/211] drm/msm/dp: unregister audio driver during unbind Greg Kroah-Hartman
                   ` (128 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Martin Willi, Steffen Klassert, Sasha Levin

From: Martin Willi <martin@strongswan.org>

[ Upstream commit 5fc46f94219d1d103ffb5f0832be9da674d85a73 ]

This reverts commit b0355dbbf13c0052931dd14c38c789efed64d3de.

The reverted commit clears the secpath on packets received via xfrm interfaces
to support nested IPsec tunnels. This breaks Netfilter policy matching using
xt_policy in the FORWARD chain, as the secpath is missing during forwarding.
Additionally, Benedict Wong reports that it breaks Transport-in-Tunnel mode.

Fix this regression by reverting the commit until we have a better approach
for nested IPsec tunnels.

Fixes: b0355dbbf13c ("Fix XFRM-I support for nested ESP tunnels")
Link: https://lore.kernel.org/netdev/20230412085615.124791-1-martin@strongswan.org/
Signed-off-by: Martin Willi <martin@strongswan.org>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/xfrm/xfrm_interface.c | 54 +++------------------------------------
 net/xfrm/xfrm_policy.c    |  3 ---
 2 files changed, 4 insertions(+), 53 deletions(-)

diff --git a/net/xfrm/xfrm_interface.c b/net/xfrm/xfrm_interface.c
index e4f21a6924153..da518b4ca84c6 100644
--- a/net/xfrm/xfrm_interface.c
+++ b/net/xfrm/xfrm_interface.c
@@ -207,52 +207,6 @@ static void xfrmi_scrub_packet(struct sk_buff *skb, bool xnet)
 	skb->mark = 0;
 }
 
-static int xfrmi_input(struct sk_buff *skb, int nexthdr, __be32 spi,
-		       int encap_type, unsigned short family)
-{
-	struct sec_path *sp;
-
-	sp = skb_sec_path(skb);
-	if (sp && (sp->len || sp->olen) &&
-	    !xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family))
-		goto discard;
-
-	XFRM_SPI_SKB_CB(skb)->family = family;
-	if (family == AF_INET) {
-		XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct iphdr, daddr);
-		XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip4 = NULL;
-	} else {
-		XFRM_SPI_SKB_CB(skb)->daddroff = offsetof(struct ipv6hdr, daddr);
-		XFRM_TUNNEL_SKB_CB(skb)->tunnel.ip6 = NULL;
-	}
-
-	return xfrm_input(skb, nexthdr, spi, encap_type);
-discard:
-	kfree_skb(skb);
-	return 0;
-}
-
-static int xfrmi4_rcv(struct sk_buff *skb)
-{
-	return xfrmi_input(skb, ip_hdr(skb)->protocol, 0, 0, AF_INET);
-}
-
-static int xfrmi6_rcv(struct sk_buff *skb)
-{
-	return xfrmi_input(skb, skb_network_header(skb)[IP6CB(skb)->nhoff],
-			   0, 0, AF_INET6);
-}
-
-static int xfrmi4_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
-{
-	return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET);
-}
-
-static int xfrmi6_input(struct sk_buff *skb, int nexthdr, __be32 spi, int encap_type)
-{
-	return xfrmi_input(skb, nexthdr, spi, encap_type, AF_INET6);
-}
-
 static int xfrmi_rcv_cb(struct sk_buff *skb, int err)
 {
 	const struct xfrm_mode *inner_mode;
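Review bot: Dropping xfrmi_input() also drops the `xfrm_policy_check(NULL, XFRM_POLICY_IN, skb, family)` that was applied to packets arriving with a non-empty secpath, so the inbound policy check for the outer layer of a nested tunnel is no longer made in this file. The changelog should state outright that nested ESP over xfrm interfaces stops working in 5.10.y after this revert, so that anyone who deployed on top of b0355dbbf13c knows before upgrading.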
@@ -826,8 +780,8 @@ static struct pernet_operations xfrmi_net_ops = {
 };
 
 static struct xfrm6_protocol xfrmi_esp6_protocol __read_mostly = {
-	.handler	=	xfrmi6_rcv,
-	.input_handler	=	xfrmi6_input,
+	.handler	=	xfrm6_rcv,
+	.input_handler	=	xfrm_input,
 	.cb_handler	=	xfrmi_rcv_cb,
 	.err_handler	=	xfrmi6_err,
 	.priority	=	10,
@@ -877,8 +831,8 @@ static struct xfrm6_tunnel xfrmi_ip6ip_handler __read_mostly = {
 #endif
 
 static struct xfrm4_protocol xfrmi_esp4_protocol __read_mostly = {
-	.handler	=	xfrmi4_rcv,
-	.input_handler	=	xfrmi4_input,
+	.handler	=	xfrm4_rcv,
+	.input_handler	=	xfrm_input,
 	.cb_handler	=	xfrmi_rcv_cb,
 	.err_handler	=	xfrmi4_err,
 	.priority	=	10,
diff --git a/net/xfrm/xfrm_policy.c b/net/xfrm/xfrm_policy.c
index 8ebe305f6ddd7..2956854928537 100644
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -3704,9 +3704,6 @@ int __xfrm_policy_check(struct sock *sk, int dir, struct sk_buff *skb,
 			goto reject;
 		}
 
-		if (if_id)
-			secpath_reset(skb);
-
 		xfrm_pols_put(pols, npols);
 		return 1;
 	}
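Review bot: This hunk's base blob 8ebe305f6ddd7 is the result blob of patch 087 in this series, so the revert applies cleanly only on top of 087; if 087 is dropped during review, this patch has to be regenerated. On the change itself, removing `if (if_id) secpath_reset(skb);` is what keeps the secpath available for xt_policy matching in FORWARD, and a comment at this spot saying the secpath must survive a successful check would guard against the reset being reintroduced.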
-- 
2.39.2





* [PATCH 5.10 089/211] drm/msm/dp: unregister audio driver during unbind
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (87 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 088/211] Revert "Fix XFRM-I support for nested ESP tunnels" Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 090/211] drm/msm/dpu: Remove duplicate register defines from INTF Greg Kroah-Hartman
                   ` (127 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Abhinav Kumar,
	Sasha Levin

From: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>

[ Upstream commit 85c636284cb63b7740b4ae98881ace92158068d3 ]

While binding, the code always registers an audio driver; however, there
is no corresponding unregistration done in unbind. This leads to multiple
redundant audio platform devices if dp_display_bind and dp_display_unbind
happen multiple times during startup. On the X13s platform this resulted in
6 to 9 audio codec devices instead of just 3 codec devices for 3 dp ports.

Fix this by unregistering codecs on unbind.

Signed-off-by: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Fixes: d13e36d7d222 ("drm/msm/dp: add audio support for Display Port on MSM")
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Patchwork: https://patchwork.freedesktop.org/patch/533324/
Link: https://lore.kernel.org/r/20230421145657.12186-1-srinivas.kandagatla@linaro.org
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/msm/dp/dp_audio.c   | 12 ++++++++++++
 drivers/gpu/drm/msm/dp/dp_audio.h   |  2 ++
 drivers/gpu/drm/msm/dp/dp_display.c |  1 +
 3 files changed, 15 insertions(+)

diff --git a/drivers/gpu/drm/msm/dp/dp_audio.c b/drivers/gpu/drm/msm/dp/dp_audio.c
index d7e4a39a904e2..0eaaaa94563a3 100644
--- a/drivers/gpu/drm/msm/dp/dp_audio.c
+++ b/drivers/gpu/drm/msm/dp/dp_audio.c
@@ -577,6 +577,18 @@ static struct hdmi_codec_pdata codec_data = {
 	.i2s = 1,
 };
 
+void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio)
+{
+	struct dp_audio_private *audio_priv;
+
+	audio_priv = container_of(dp_audio, struct dp_audio_private, dp_audio);
+
+	if (audio_priv->audio_pdev) {
+		platform_device_unregister(audio_priv->audio_pdev);
+		audio_priv->audio_pdev = NULL;
+	}
+}
+
 int dp_register_audio_driver(struct device *dev,
 		struct dp_audio *dp_audio)
 {
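Review bot: The guard `if (audio_priv->audio_pdev)` only catches NULL, so the new function is safe only if dp_register_audio_driver() leaves audio_pdev NULL when registration fails; if it can store an ERR_PTR there, platform_device_unregister() would be called on an error pointer and the test should be `!IS_ERR_OR_NULL(audio_priv->audio_pdev)`. The `dev` parameter is also unused in the new function and could be dropped.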
diff --git a/drivers/gpu/drm/msm/dp/dp_audio.h b/drivers/gpu/drm/msm/dp/dp_audio.h
index 84e5f4a5d26ba..4ab78880af829 100644
--- a/drivers/gpu/drm/msm/dp/dp_audio.h
+++ b/drivers/gpu/drm/msm/dp/dp_audio.h
@@ -53,6 +53,8 @@ struct dp_audio *dp_audio_get(struct platform_device *pdev,
 int dp_register_audio_driver(struct device *dev,
 		struct dp_audio *dp_audio);
 
+void dp_unregister_audio_driver(struct device *dev, struct dp_audio *dp_audio);
+
 /**
  * dp_audio_put()
  *
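Review bot: The new prototype has no kernel-doc, while the dp_audio_put() declaration directly below it has a `/** ... */` block. A short comment saying that it undoes dp_register_audio_driver() and may be called when nothing was registered would match the header's style.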
diff --git a/drivers/gpu/drm/msm/dp/dp_display.c b/drivers/gpu/drm/msm/dp/dp_display.c
index 1c3dcbc6cce8c..0bcccf422192c 100644
--- a/drivers/gpu/drm/msm/dp/dp_display.c
+++ b/drivers/gpu/drm/msm/dp/dp_display.c
@@ -276,6 +276,7 @@ static void dp_display_unbind(struct device *dev, struct device *master,
 	kthread_stop(dp->ev_tsk);
 
 	dp_power_client_deinit(dp->power);
+	dp_unregister_audio_driver(dev, dp->audio);
 	dp_aux_unregister(dp->aux);
 	priv->dp = NULL;
 }
-- 
2.39.2





* [PATCH 5.10 090/211] drm/msm/dpu: Remove duplicate register defines from INTF
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (88 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 089/211] drm/msm/dp: unregister audio driver during unbind Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 091/211] cpupower: Make TSC read per CPU for Mperf monitor Greg Kroah-Hartman
                   ` (126 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Marijn Suijten, Konrad Dybcio,
	Dmitry Baryshkov, Abhinav Kumar, Sasha Levin

From: Marijn Suijten <marijn.suijten@somainline.org>

[ Upstream commit 202c044203ac5860e3025169105368d99f9bc6a2 ]

The INTF_FRAME_LINE_COUNT_EN, INTF_FRAME_COUNT and INTF_LINE_COUNT
registers are already defined higher up, in the right place when sorted
numerically.

Fixes: 25fdd5933e4c ("drm/msm: Add SDM845 DPU support")
Signed-off-by: Marijn Suijten <marijn.suijten@somainline.org>
Reviewed-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Reviewed-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Patchwork: https://patchwork.freedesktop.org/patch/534231/
Link: https://lore.kernel.org/r/20230411-dpu-intf-te-v4-8-27ce1a5ab5c6@somainline.org
Signed-off-by: Abhinav Kumar <quic_abhinavk@quicinc.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c | 5 -----
 1 file changed, 5 deletions(-)

diff --git a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c
index 108882bbd2b8b..7aa6accb74ad3 100644
--- a/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c
+++ b/drivers/gpu/drm/msm/disp/dpu1/dpu_hw_intf.c
@@ -51,11 +51,6 @@
 #define   INTF_TPG_RGB_MAPPING          0x11C
 #define   INTF_PROG_FETCH_START         0x170
 #define   INTF_PROG_ROT_START           0x174
-
-#define   INTF_FRAME_LINE_COUNT_EN      0x0A8
-#define   INTF_FRAME_COUNT              0x0AC
-#define   INTF_LINE_COUNT               0x0B0
-
 #define   INTF_MUX                      0x25C
 
 static const struct dpu_intf_cfg *_intf_offset(enum dpu_intf intf,
-- 
2.39.2





* [PATCH 5.10 091/211] cpupower: Make TSC read per CPU for Mperf monitor
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (89 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 090/211] drm/msm/dpu: Remove duplicate register defines from INTF Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 092/211] af_key: Reject optional tunnel/BEET mode templates in outbound policies Greg Kroah-Hartman
                   ` (125 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Thomas Renninger, Shuah Khan,
	Dominik Brodowski, Wyes Karny, Shuah Khan, Sasha Levin

From: Wyes Karny <wyes.karny@amd.com>

[ Upstream commit c2adb1877b76fc81ae041e1db1a6ed2078c6746b ]

System-wide TSC read could cause a drift in C0 percentage calculation,
because if the TSC is read first and then mperf is read one by one for all
CPUs, this introduces drift between the mperf reading of later CPUs and the
TSC reading.  To lower this drift, read TSC per CPU and also just after mperf
read.  This technique improves C0 percentage calculation in Mperf monitor.

Before fix: (System 100% busy)

              | Mperf              || RAPL        || Idle_Stats
 PKG|CORE| CPU| C0   | Cx   | Freq  || pack | core  || POLL | C1   | C2
   0|   0|   0| 87.15| 12.85|  2695||168659003|3970468||  0.00|  0.00| 0.00
   0|   0| 256| 84.62| 15.38|  2695||168659003|3970468||  0.00|  0.00| 0.00
   0|   1|   1| 87.15| 12.85|  2695||168659003|3970468||  0.00|  0.00| 0.00
   0|   1| 257| 84.08| 15.92|  2695||168659003|3970468||  0.00|  0.00| 0.00
   0|   2|   2| 86.61| 13.39|  2695||168659003|3970468||  0.00|  0.00| 0.00
   0|   2| 258| 83.26| 16.74|  2695||168659003|3970468||  0.00|  0.00| 0.00
   0|   3|   3| 86.61| 13.39|  2695||168659003|3970468||  0.00|  0.00| 0.00
   0|   3| 259| 83.60| 16.40|  2695||168659003|3970468||  0.00|  0.00| 0.00
   0|   4|   4| 86.33| 13.67|  2695||168659003|3970468||  0.00|  0.00| 0.00
   0|   4| 260| 83.33| 16.67|  2695||168659003|3970468||  0.00|  0.00| 0.00
   0|   5|   5| 86.06| 13.94|  2695||168659003|3970468||  0.00|  0.00| 0.00
   0|   5| 261| 83.05| 16.95|  2695||168659003|3970468||  0.00|  0.00| 0.00
   0|   6|   6| 85.51| 14.49|  2695||168659003|3970468||  0.00|  0.00| 0.00

After fix: (System 100% busy)

             | Mperf              || RAPL        || Idle_Stats
 PKG|CORE| CPU| C0   | Cx   | Freq  || pack | core  || POLL | C1   | C2
   0|   0|   0| 98.03|  1.97|  2415||163295480|3811189||  0.00|  0.00| 0.00
   0|   0| 256| 98.50|  1.50|  2394||163295480|3811189||  0.00|  0.00| 0.00
   0|   1|   1| 99.99|  0.01|  2401||163295480|3811189||  0.00|  0.00| 0.00
   0|   1| 257| 99.99|  0.01|  2375||163295480|3811189||  0.00|  0.00| 0.00
   0|   2|   2| 99.99|  0.01|  2401||163295480|3811189||  0.00|  0.00| 0.00
   0|   2| 258|100.00|  0.00|  2401||163295480|3811189||  0.00|  0.00| 0.00
   0|   3|   3|100.00|  0.00|  2401||163295480|3811189||  0.00|  0.00| 0.00
   0|   3| 259| 99.99|  0.01|  2435||163295480|3811189||  0.00|  0.00| 0.00
   0|   4|   4|100.00|  0.00|  2401||163295480|3811189||  0.00|  0.00| 0.00
   0|   4| 260|100.00|  0.00|  2435||163295480|3811189||  0.00|  0.00| 0.00
   0|   5|   5| 99.99|  0.01|  2401||163295480|3811189||  0.00|  0.00| 0.00
   0|   5| 261|100.00|  0.00|  2435||163295480|3811189||  0.00|  0.00| 0.00
   0|   6|   6|100.00|  0.00|  2401||163295480|3811189||  0.00|  0.00| 0.00
   0|   6| 262|100.00|  0.00|  2435||163295480|3811189||  0.00|  0.00| 0.00

Cc: Thomas Renninger <trenn@suse.com>
Cc: Shuah Khan <shuah@kernel.org>
Cc: Dominik Brodowski <linux@dominikbrodowski.net>

Fixes: 7fe2f6399a84 ("cpupowerutils - cpufrequtils extended with quite some features")
Signed-off-by: Wyes Karny <wyes.karny@amd.com>
Signed-off-by: Shuah Khan <skhan@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../utils/idle_monitor/mperf_monitor.c        | 31 +++++++++----------
 1 file changed, 14 insertions(+), 17 deletions(-)

diff --git a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
index e7d48cb563c0e..ae6af354a81db 100644
--- a/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
+++ b/tools/power/cpupower/utils/idle_monitor/mperf_monitor.c
@@ -70,8 +70,8 @@ static int max_freq_mode;
  */
 static unsigned long max_frequency;
 
-static unsigned long long tsc_at_measure_start;
-static unsigned long long tsc_at_measure_end;
+static unsigned long long *tsc_at_measure_start;
+static unsigned long long *tsc_at_measure_end;
 static unsigned long long *mperf_previous_count;
 static unsigned long long *aperf_previous_count;
 static unsigned long long *mperf_current_count;
@@ -169,7 +169,7 @@ static int mperf_get_count_percent(unsigned int id, double *percent,
 	aperf_diff = aperf_current_count[cpu] - aperf_previous_count[cpu];
 
 	if (max_freq_mode == MAX_FREQ_TSC_REF) {
-		tsc_diff = tsc_at_measure_end - tsc_at_measure_start;
+		tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu];
 		*percent = 100.0 * mperf_diff / tsc_diff;
 		dprint("%s: TSC Ref - mperf_diff: %llu, tsc_diff: %llu\n",
 		       mperf_cstates[id].name, mperf_diff, tsc_diff);
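Review bot: tsc_diff is now the difference of two per-CPU slots that start out zeroed by calloc(), so if either TSC read for this cpu did not store a value, `100.0 * mperf_diff / tsc_diff` divides by zero or by a meaningless interval. Check for `tsc_diff == 0` (or track per-CPU validity) and return an error instead of a percentage.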
@@ -206,7 +206,7 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count,
 
 	if (max_freq_mode == MAX_FREQ_TSC_REF) {
 		/* Calculate max_freq from TSC count */
-		tsc_diff = tsc_at_measure_end - tsc_at_measure_start;
+		tsc_diff = tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu];
 		time_diff = timespec_diff_us(time_start, time_end);
 		max_frequency = tsc_diff / time_diff;
 	}
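Review bot: max_frequency stays a single static variable but is now derived from `tsc_at_measure_end[cpu] - tsc_at_measure_start[cpu]`, while time_diff still comes from the one global time_start/time_end pair taken outside the per-CPU loops. The TSC window for a given cpu is therefore shorter than the wall-clock window it is divided by, and the skew grows with cpu_count; either take per-CPU timestamps as well or document why the error is acceptable.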
@@ -225,33 +225,27 @@ static int mperf_get_count_freq(unsigned int id, unsigned long long *count,
 static int mperf_start(void)
 {
 	int cpu;
-	unsigned long long dbg;
 
 	clock_gettime(CLOCK_REALTIME, &time_start);
-	mperf_get_tsc(&tsc_at_measure_start);
 
-	for (cpu = 0; cpu < cpu_count; cpu++)
+	for (cpu = 0; cpu < cpu_count; cpu++) {
+		mperf_get_tsc(&tsc_at_measure_start[cpu]);
 		mperf_init_stats(cpu);
+	}
 
-	mperf_get_tsc(&dbg);
-	dprint("TSC diff: %llu\n", dbg - tsc_at_measure_start);
 	return 0;
 }
 
 static int mperf_stop(void)
 {
-	unsigned long long dbg;
 	int cpu;
 
-	for (cpu = 0; cpu < cpu_count; cpu++)
+	for (cpu = 0; cpu < cpu_count; cpu++) {
 		mperf_measure_stats(cpu);
+		mperf_get_tsc(&tsc_at_measure_end[cpu]);
+	}
 
-	mperf_get_tsc(&tsc_at_measure_end);
 	clock_gettime(CLOCK_REALTIME, &time_end);
-
-	mperf_get_tsc(&dbg);
-	dprint("TSC diff: %llu\n", dbg - tsc_at_measure_end);
-
 	return 0;
 }
 
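Review bot: In mperf_start() the TSC is read before mperf_init_stats(cpu), whereas the changelog says it is read "just after mperf read"; only mperf_stop() follows that order. Bracketing the mperf interval this way may be intended, but then a comment should say so, and any failure of mperf_get_tsc() should be handled in both loops, since nothing here checks it.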
@@ -353,7 +347,8 @@ struct cpuidle_monitor *mperf_register(void)
 	aperf_previous_count = calloc(cpu_count, sizeof(unsigned long long));
 	mperf_current_count = calloc(cpu_count, sizeof(unsigned long long));
 	aperf_current_count = calloc(cpu_count, sizeof(unsigned long long));
-
+	tsc_at_measure_start = calloc(cpu_count, sizeof(unsigned long long));
+	tsc_at_measure_end = calloc(cpu_count, sizeof(unsigned long long));
 	mperf_monitor.name_len = strlen(mperf_monitor.name);
 	return &mperf_monitor;
 }
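Review bot: The two new calloc() results are not checked, and mperf_start() writes through `&tsc_at_measure_start[cpu]` unconditionally, so an allocation failure becomes a NULL dereference. The neighbouring allocations have the same gap; one check after the block that frees what was allocated and returns NULL would cover all of them. The hunk also drops the blank line before `mperf_monitor.name_len = ...`, which looks unintentional.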
@@ -364,6 +359,8 @@ void mperf_unregister(void)
 	free(aperf_previous_count);
 	free(mperf_current_count);
 	free(aperf_current_count);
+	free(tsc_at_measure_start);
+	free(tsc_at_measure_end);
 	free(is_valid);
 }
 
-- 
2.39.2





* [PATCH 5.10 092/211] af_key: Reject optional tunnel/BEET mode templates in outbound policies
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (90 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 091/211] cpupower: Make TSC read per CPU for Mperf monitor Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 093/211] net: fec: Better handle pm_runtime_get() failing in .remove() Greg Kroah-Hartman
                   ` (124 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tobias Brunner, Herbert Xu,
	Steffen Klassert, Sasha Levin

From: Tobias Brunner <tobias@strongswan.org>

[ Upstream commit cf3128a7aca55b2eefb68281d44749c683bdc96f ]

xfrm_state_find() uses `encap_family` of the current template with
the passed local and remote addresses to find a matching state.
If an optional tunnel or BEET mode template is skipped in a mixed-family
scenario, there could be a mismatch causing an out-of-bounds read as
the addresses were not replaced to match the family of the next template.

While there are theoretical use cases for optional templates in outbound
policies, the only practical one is to skip IPComp states in inbound
policies if uncompressed packets are received that are handled by an
implicitly created IPIP state instead.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Signed-off-by: Tobias Brunner <tobias@strongswan.org>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/key/af_key.c | 12 ++++++++----
 1 file changed, 8 insertions(+), 4 deletions(-)

diff --git a/net/key/af_key.c b/net/key/af_key.c
index 8bc7d399987b2..fff2bd5f03e37 100644
--- a/net/key/af_key.c
+++ b/net/key/af_key.c
@@ -1944,7 +1944,8 @@ static u32 gen_reqid(struct net *net)
 }
 
 static int
-parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
+parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_policy *pol,
+		   struct sadb_x_ipsecrequest *rq)
 {
 	struct net *net = xp_net(xp);
 	struct xfrm_tmpl *t = xp->xfrm_vec + xp->xfrm_nr;
@@ -1962,9 +1963,12 @@ parse_ipsecrequest(struct xfrm_policy *xp, struct sadb_x_ipsecrequest *rq)
 	if ((mode = pfkey_mode_to_xfrm(rq->sadb_x_ipsecrequest_mode)) < 0)
 		return -EINVAL;
 	t->mode = mode;
-	if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE)
+	if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_USE) {
+		if ((mode == XFRM_MODE_TUNNEL || mode == XFRM_MODE_BEET) &&
+		    pol->sadb_x_policy_dir == IPSEC_DIR_OUTBOUND)
+			return -EINVAL;
 		t->optional = 1;
-	else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) {
+	} else if (rq->sadb_x_ipsecrequest_level == IPSEC_LEVEL_UNIQUE) {
 		t->reqid = rq->sadb_x_ipsecrequest_reqid;
 		if (t->reqid > IPSEC_MANUAL_REQID_MAX)
 			t->reqid = 0;
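Review bot: The new `return -EINVAL` carries no comment explaining why optional tunnel/BEET templates are refused for IPSEC_DIR_OUTBOUND; one line pointing at the address-family mismatch in xfrm_state_find() described in the changelog would stop the check from being relaxed later. The rejection also happens after `t->mode = mode;` has been written into the template slot, which is harmless only if the caller discards xp on error, and it covers the PF_KEY interface alone, so whether the netlink policy path has an equivalent check needs confirming separately.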
@@ -2006,7 +2010,7 @@ parse_ipsecrequests(struct xfrm_policy *xp, struct sadb_x_policy *pol)
 		    rq->sadb_x_ipsecrequest_len < sizeof(*rq))
 			return -EINVAL;
 
-		if ((err = parse_ipsecrequest(xp, rq)) < 0)
+		if ((err = parse_ipsecrequest(xp, pol, rq)) < 0)
 			return err;
 		len -= rq->sadb_x_ipsecrequest_len;
 		rq = (void*)((u8*)rq + rq->sadb_x_ipsecrequest_len);
-- 
2.39.2





* [PATCH 5.10 093/211] net: fec: Better handle pm_runtime_get() failing in .remove()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (91 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 092/211] af_key: Reject optional tunnel/BEET mode templates in outbound policies Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 094/211] net: phy: dp83867: add w/a for packet errors seen with short cables Greg Kroah-Hartman
                   ` (123 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Uwe Kleine-König, Andrew Lunn,
	Jakub Kicinski, Sasha Levin

From: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>

[ Upstream commit f816b9829b19394d318e01953aa3b2721bca040d ]

In the (unlikely) event that pm_runtime_get() (disguised as
pm_runtime_resume_and_get()) fails, the remove callback returned an
error early. The problem with this is that the driver core ignores the
error value and continues removing the device. This results in a
resource leak. Worse, the devm allocated resources are freed, and so if a
callback of the driver is called later, the register mapping is already
gone, which probably results in a crash.

Fixes: a31eda65ba21 ("net: fec: fix clock count mis-match")
Signed-off-by: Uwe Kleine-König <u.kleine-koenig@pengutronix.de>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/20230510200020.1534610-1-u.kleine-koenig@pengutronix.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/freescale/fec_main.c | 15 +++++++++++----
 1 file changed, 11 insertions(+), 4 deletions(-)

diff --git a/drivers/net/ethernet/freescale/fec_main.c b/drivers/net/ethernet/freescale/fec_main.c
index 686bb873125cc..e18b3b72fc0df 100644
--- a/drivers/net/ethernet/freescale/fec_main.c
+++ b/drivers/net/ethernet/freescale/fec_main.c
@@ -3850,9 +3850,11 @@ fec_drv_remove(struct platform_device *pdev)
 	struct device_node *np = pdev->dev.of_node;
 	int ret;
 
-	ret = pm_runtime_resume_and_get(&pdev->dev);
+	ret = pm_runtime_get_sync(&pdev->dev);
 	if (ret < 0)
-		return ret;
+		dev_err(&pdev->dev,
+			"Failed to resume device in remove callback (%pe)\n",
+			ERR_PTR(ret));
 
 	cancel_work_sync(&fep->tx_timeout_work);
 	fec_ptp_stop(pdev);
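Review bot: the switch from pm_runtime_resume_and_get() to pm_runtime_get_sync() at the top of fec_drv_remove() is load-bearing but is explained neither in the commit message nor in a comment. pm_runtime_get_sync() leaves the usage counter incremented when it fails, which is what keeps the unconditional pm_runtime_put_noidle() later in the function balanced; a one-line comment saying so would stop a later cleanup from converting the call back. With the early return gone, cancel_work_sync() and fec_ptp_stop() now also run when the device could not be resumed, so it is worth confirming that neither touches device registers in that state.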
@@ -3865,8 +3867,13 @@ fec_drv_remove(struct platform_device *pdev)
 		of_phy_deregister_fixed_link(np);
 	of_node_put(fep->phy_node);
 
-	clk_disable_unprepare(fep->clk_ahb);
-	clk_disable_unprepare(fep->clk_ipg);
+	/* After pm_runtime_get_sync() failed, the clks are still off, so skip
+	 * disabling them again.
+	 */
+	if (ret >= 0) {
+		clk_disable_unprepare(fep->clk_ahb);
+		clk_disable_unprepare(fep->clk_ipg);
+	}
 	pm_runtime_put_noidle(&pdev->dev);
 	pm_runtime_disable(&pdev->dev);
 
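Review bot: in the `if (ret >= 0)` guard, `ret` is reused as a "device was resumed" flag many lines after it was set, so the guard stays correct only as long as nothing in between reassigns it. A dedicated local (for example a bool set right after the pm_runtime_get_sync() call) would make that explicit. Because pm_runtime_get_sync() can return 1 as well as 0, the function's final return, which is outside this hunk, should be a literal 0 and not `ret`.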
-- 
2.39.2





* [PATCH 5.10 094/211] net: phy: dp83867: add w/a for packet errors seen with short cables
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (92 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 093/211] net: fec: Better handle pm_runtime_get() failing in .remove() Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 095/211] ALSA: firewire-digi00x: prevent potential use after free Greg Kroah-Hartman
                   ` (122 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Grygorii Strashko,
	Siddharth Vadapalli, Simon Horman, David S. Miller, Sasha Levin

From: Grygorii Strashko <grygorii.strashko@ti.com>

[ Upstream commit 0b01db274028f5acd207332686ffc92ac77491ac ]

Introduce the W/A for packet errors seen with short cables (<1m) between
two DP83867 PHYs.

The W/A recommended by DM requires FFE Equalizer Configuration tuning by
writing value 0x0E81 to DSP_FFE_CFG register (0x012C), surrounded by hard
and soft resets as follows:

write_reg(0x001F, 0x8000); //hard reset
write_reg(DSP_FFE_CFG, 0x0E81);
write_reg(0x001F, 0x4000); //soft reset

Since DP83867 PHY DM says "Changing this register to 0x0E81, will not
affect Long Cable performance.", enable the W/A by default.

Fixes: 2a10154abcb7 ("net: phy: dp83867: Add TI dp83867 phy")
Signed-off-by: Grygorii Strashko <grygorii.strashko@ti.com>
Signed-off-by: Siddharth Vadapalli <s-vadapalli@ti.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/phy/dp83867.c | 22 +++++++++++++++++++++-
 1 file changed, 21 insertions(+), 1 deletion(-)

diff --git a/drivers/net/phy/dp83867.c b/drivers/net/phy/dp83867.c
index c8031e297faf4..5fabcd15ef77a 100644
--- a/drivers/net/phy/dp83867.c
+++ b/drivers/net/phy/dp83867.c
@@ -41,6 +41,7 @@
 #define DP83867_STRAP_STS1	0x006E
 #define DP83867_STRAP_STS2	0x006f
 #define DP83867_RGMIIDCTL	0x0086
+#define DP83867_DSP_FFE_CFG	0x012c
 #define DP83867_RXFCFG		0x0134
 #define DP83867_RXFPMD1	0x0136
 #define DP83867_RXFPMD2	0x0137
@@ -807,8 +808,27 @@ static int dp83867_phy_reset(struct phy_device *phydev)
 
 	usleep_range(10, 20);
 
-	return phy_modify(phydev, MII_DP83867_PHYCTRL,
+	err = phy_modify(phydev, MII_DP83867_PHYCTRL,
 			 DP83867_PHYCR_FORCE_LINK_GOOD, 0);
+	if (err < 0)
+		return err;
+
+	/* Configure the DSP Feedforward Equalizer Configuration register to
+	 * improve short cable (< 1 meter) performance. This will not affect
+	 * long cable performance.
+	 */
+	err = phy_write_mmd(phydev, DP83867_DEVADDR, DP83867_DSP_FFE_CFG,
+			    0x0e81);
+	if (err < 0)
+		return err;
+
+	err = phy_write(phydev, DP83867_CTRL, DP83867_SW_RESTART);
+	if (err < 0)
+		return err;
+
+	usleep_range(10, 20);
+
+	return 0;
 }
 
 static void dp83867_link_change_notify(struct phy_device *phydev)
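Review bot: the value 0x0e81 passed to phy_write_mmd() is a bare magic number, while the register it goes into received a #define in the same patch; a named constant next to DP83867_DSP_FFE_CFG would keep the datasheet reference in one place. The commit message describes the sequence as hard reset, register write, soft reset, but only the write and the DP83867_SW_RESTART step are visible here, so the new comment should say which earlier reset in dp83867_phy_reset() it relies on. The trailing usleep_range(10, 20) repeats the delay used above without stating which timing requirement it satisfies after a software restart.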
-- 
2.39.2





* [PATCH 5.10 095/211] ALSA: firewire-digi00x: prevent potential use after free
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (93 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 094/211] net: phy: dp83867: add w/a for packet errors seen with short cables Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 096/211] ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15 Greg Kroah-Hartman
                   ` (121 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Takashi Iwai, Sasha Levin

From: Dan Carpenter <dan.carpenter@linaro.org>

[ Upstream commit c0e72058d5e21982e61a29de6b098f7c1f0db498 ]

This code was supposed to return an error code if init_stream()
failed, but it instead freed dg00x->rx_stream and returned success.
This potentially leads to a use after free.

Fixes: 9a08067ec318 ("ALSA: firewire-digi00x: support AMDTP domain")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/c224cbd5-d9e2-4cd4-9bcf-2138eb1d35c6@kili.mountain
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/firewire/digi00x/digi00x-stream.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/sound/firewire/digi00x/digi00x-stream.c b/sound/firewire/digi00x/digi00x-stream.c
index 405d6903bfbc3..62a54f5ab84d7 100644
--- a/sound/firewire/digi00x/digi00x-stream.c
+++ b/sound/firewire/digi00x/digi00x-stream.c
@@ -259,8 +259,10 @@ int snd_dg00x_stream_init_duplex(struct snd_dg00x *dg00x)
 		return err;
 
 	err = init_stream(dg00x, &dg00x->tx_stream);
-	if (err < 0)
+	if (err < 0) {
 		destroy_stream(dg00x, &dg00x->rx_stream);
+		return err;
+	}
 
 	err = amdtp_domain_init(&dg00x->domain);
 	if (err < 0) {
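Review bot: the missing `return err;` after destroy_stream(dg00x, &dg00x->rx_stream) is the kind of slip that a brace-less, single-statement error path invites, and the fix leaves the function with a different hand-written cleanup in each failure branch. With three init steps in a row (rx stream, tx stream, amdtp_domain_init()), a goto-based unwind ladder would make the teardown order explicit and prevent the same use-after-free pattern from coming back when another step is added. Nothing in the hunk needs to change for correctness.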
-- 
2.39.2





* [PATCH 5.10 096/211] ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (94 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 095/211] ALSA: firewire-digi00x: prevent potential use after free Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 097/211] vsock: avoid to close connected socket after the timeout Greg Kroah-Hartman
                   ` (120 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ryan Underwood, Takashi Iwai, Sasha Levin

From: Ryan C. Underwood <nemesis@icequake.net>

[ Upstream commit 92553ee03166ef8fa978e7683f9f4af30c9c4e6b ]

The Pavilion 15 line has B&O top speakers similar to the x360 and
applying the same profile produces good sound.  Without this, the
sound would be tinny and underpowered without either applying
model=alc295-hp-x360 or booting another OS first.

Signed-off-by: Ryan Underwood <nemesis@icequake.net>
Fixes: 563785edfcef ("ALSA: hda/realtek - Add quirk entry for HP Pavilion 15")
Link: https://lore.kernel.org/r/ZF0mpcMz3ezP9KQw@icequake.net
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 sound/pci/hda/patch_realtek.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/sound/pci/hda/patch_realtek.c b/sound/pci/hda/patch_realtek.c
index 18309fa17fb87..c7e25d19c9d92 100644
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -8944,7 +8944,7 @@ static const struct snd_pci_quirk alc269_fixup_tbl[] = {
 	SND_PCI_QUIRK(0x103c, 0x802f, "HP Z240", ALC221_FIXUP_HP_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x103c, 0x8077, "HP", ALC256_FIXUP_HP_HEADSET_MIC),
 	SND_PCI_QUIRK(0x103c, 0x8158, "HP", ALC256_FIXUP_HP_HEADSET_MIC),
-	SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC269_FIXUP_HP_MUTE_LED_MIC3),
+	SND_PCI_QUIRK(0x103c, 0x820d, "HP Pavilion 15", ALC295_FIXUP_HP_X360),
 	SND_PCI_QUIRK(0x103c, 0x8256, "HP", ALC221_FIXUP_HP_FRONT_MIC),
 	SND_PCI_QUIRK(0x103c, 0x827e, "HP x360", ALC295_FIXUP_HP_X360),
 	SND_PCI_QUIRK(0x103c, 0x827f, "HP x360", ALC269_FIXUP_HP_MUTE_LED_MIC3),
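Review bot: the 0x103c:0x820d entry swaps ALC269_FIXUP_HP_MUTE_LED_MIC3 for ALC295_FIXUP_HP_X360 outright, and neither the hunk nor the commit message says whether the mute LED handling of the old fixup is preserved, for instance through the new fixup's chain. The neighbouring 0x827e and 0x827f entries show both fixups in use on x360 machines, so the two are not obviously equivalent. The changelog should state that the mute LED was checked on the Pavilion 15 after the change.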
-- 
2.39.2





* [PATCH 5.10 097/211] vsock: avoid to close connected socket after the timeout
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (95 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 096/211] ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15 Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 098/211] ipv4/tcp: do not use per netns ctl sockets Greg Kroah-Hartman
                   ` (119 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zhuang Shengen, Stefano Garzarella,
	David S. Miller, Sasha Levin

From: Zhuang Shengen <zhuangshengen@huawei.com>

[ Upstream commit 6d4486efe9c69626cab423456169e250a5cd3af5 ]

When a client and server establish a connection through vsock,
the client sends a request to the server to initiate the connection,
then starts a timer to wait for the server's response. When the server's
RESPONSE message arrives, the timer also times out and exits. The
server's RESPONSE message is processed first, and the connection is
established. However, the client's timer also times out, and the original
processing logic of the client is to directly set the state of this vsock
to CLOSE and return ETIMEDOUT. It will not notify the server when the port
is released, causing the server port to remain.
When the client's vsock_connect times out, it should check whether the sk
state is ESTABLISHED. If the sk state is ESTABLISHED, it means the connection
is established, and the client should not set the sk state to CLOSE.

Note: I encountered this issue on kernel-4.18, which can be fixed by
this patch. Then I checked the latest code in the community
and found similar issue.

Fixes: d021c344051a ("VSOCK: Introduce VM Sockets")
Signed-off-by: Zhuang Shengen <zhuangshengen@huawei.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/vmw_vsock/af_vsock.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/vmw_vsock/af_vsock.c b/net/vmw_vsock/af_vsock.c
index 7829a5018ef9f..ce14374bbacad 100644
--- a/net/vmw_vsock/af_vsock.c
+++ b/net/vmw_vsock/af_vsock.c
@@ -1372,7 +1372,7 @@ static int vsock_stream_connect(struct socket *sock, struct sockaddr *addr,
 			vsock_transport_cancel_pkt(vsk);
 			vsock_remove_connected(vsk);
 			goto out_wait;
-		} else if (timeout == 0) {
+		} else if ((sk->sk_state != TCP_ESTABLISHED) && (timeout == 0)) {
 			err = -ETIMEDOUT;
 			sk->sk_state = TCP_CLOSE;
 			sock->state = SS_UNCONNECTED;
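Review bot: the new `sk->sk_state != TCP_ESTABLISHED` test in the `else if` has no comment, and the race it covers (the RESPONSE being processed at the moment the connect timer expires) is described only in the commit message; a short comment above the condition would keep it from being simplified away. When the state is ESTABLISHED and timeout is 0, none of the branches fires, so the code after this chain, which is not visible here, runs with a zero timeout; please confirm the wait loop then exits on the state check and does not sleep again. The extra parentheses around each comparison are not needed in kernel style.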
-- 
2.39.2





* [PATCH 5.10 098/211] ipv4/tcp: do not use per netns ctl sockets
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (96 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 097/211] vsock: avoid to close connected socket after the timeout Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 099/211] net: Find dst with sks xfrm policy not ctl_sk Greg Kroah-Hartman
                   ` (118 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 37ba017dcc3b1123206808979834655ddcf93251 ]

TCP ipv4 uses per-cpu/per-netns ctl sockets in order to send
RST and some ACK packets (on behalf of TIMEWAIT sockets).

This adds memory and cpu costs, which do not seem needed.
Now that typical servers have 256 or more cores, this adds considerable
tax to netns users.

tcp sockets are used from BH context, are not receiving packets,
and do not store any persistent state but the 'struct net' pointer
in order to be able to use IPv4 output functions.

Note that I attempted a related change in the past, that had
to be hot-fixed in commit bdbbb8527b6f ("ipv4: tcp: get rid of ugly unicast_sock")

This patch could very well surface old bugs, on layers not
taking care of sk->sk_kern_sock properly.

Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 1e306ec49a1f ("tcp: fix possible sk_priority leak in tcp_v4_send_reset()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/netns/ipv4.h |  1 -
 net/ipv4/tcp_ipv4.c      | 61 ++++++++++++++++++----------------------
 2 files changed, 27 insertions(+), 35 deletions(-)

diff --git a/include/net/netns/ipv4.h b/include/net/netns/ipv4.h
index d8b320cf54ba0..4a4a5270ff6f2 100644
--- a/include/net/netns/ipv4.h
+++ b/include/net/netns/ipv4.h
@@ -71,7 +71,6 @@ struct netns_ipv4 {
 	struct sock		*mc_autojoin_sk;
 
 	struct inet_peer_base	*peers;
-	struct sock  * __percpu	*tcp_sk;
 	struct fqdir		*fqdir;
 #ifdef CONFIG_NETFILTER
 	struct xt_table		*iptable_filter;
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 8bd7b1ec3b6a3..275ae42be99e0 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -91,6 +91,8 @@ static int tcp_v4_md5_hash_hdr(char *md5_hash, const struct tcp_md5sig_key *key,
 struct inet_hashinfo tcp_hashinfo;
 EXPORT_SYMBOL(tcp_hashinfo);
 
+static DEFINE_PER_CPU(struct sock *, ipv4_tcp_sk);
+
 static u32 tcp_v4_init_seq(const struct sk_buff *skb)
 {
 	return secure_tcp_seq(ip_hdr(skb)->daddr,
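Review bot: `static DEFINE_PER_CPU(struct sock *, ipv4_tcp_sk);` is introduced without a comment, although its lifetime rules differ from the per-netns field it replaces. The sockets are created once in init_net and temporarily re-pointed at other namespaces with sock_net_set(), and they are only safe to use between local_bh_disable() and local_bh_enable(). Stating both facts at the definition would help anyone auditing namespace isolation in this path.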
@@ -794,7 +796,8 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
 	arg.tos = ip_hdr(skb)->tos;
 	arg.uid = sock_net_uid(net, sk && sk_fullsock(sk) ? sk : NULL);
 	local_bh_disable();
-	ctl_sk = this_cpu_read(*net->ipv4.tcp_sk);
+	ctl_sk = this_cpu_read(ipv4_tcp_sk);
+	sock_net_set(ctl_sk, net);
 	if (sk) {
 		ctl_sk->sk_mark = (sk->sk_state == TCP_TIME_WAIT) ?
 				   inet_twsk(sk)->tw_mark : sk->sk_mark;
@@ -809,6 +812,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
 			      transmit_time);
 
 	ctl_sk->sk_mark = 0;
+	sock_net_set(ctl_sk, &init_net);
 	__TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
 	__TCP_INC_STATS(net, TCP_MIB_OUTRSTS);
 	local_bh_enable();
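Review bot: `sock_net_set(ctl_sk, &init_net);` is the only thing undoing the sock_net_set(ctl_sk, net) done before the send, and no reference on `net` is held in between. Any early exit added later between the two calls would leave the shared per-CPU socket pointing at a namespace that can be torn down. The same set and restore pair is open-coded again in tcp_v4_send_ack(); a small pair of helpers, or at least a comment at the restore, would make the invariant harder to break.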
@@ -892,7 +896,8 @@ static void tcp_v4_send_ack(const struct sock *sk,
 	arg.tos = tos;
 	arg.uid = sock_net_uid(net, sk_fullsock(sk) ? sk : NULL);
 	local_bh_disable();
-	ctl_sk = this_cpu_read(*net->ipv4.tcp_sk);
+	ctl_sk = this_cpu_read(ipv4_tcp_sk);
+	sock_net_set(ctl_sk, net);
 	ctl_sk->sk_mark = (sk->sk_state == TCP_TIME_WAIT) ?
 			   inet_twsk(sk)->tw_mark : sk->sk_mark;
 	ctl_sk->sk_priority = (sk->sk_state == TCP_TIME_WAIT) ?
@@ -905,6 +910,7 @@ static void tcp_v4_send_ack(const struct sock *sk,
 			      transmit_time);
 
 	ctl_sk->sk_mark = 0;
+	sock_net_set(ctl_sk, &init_net);
 	__TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
 	local_bh_enable();
 }
@@ -2828,41 +2834,14 @@ EXPORT_SYMBOL(tcp_prot);
 
 static void __net_exit tcp_sk_exit(struct net *net)
 {
-	int cpu;
-
 	if (net->ipv4.tcp_congestion_control)
 		bpf_module_put(net->ipv4.tcp_congestion_control,
 			       net->ipv4.tcp_congestion_control->owner);
-
-	for_each_possible_cpu(cpu)
-		inet_ctl_sock_destroy(*per_cpu_ptr(net->ipv4.tcp_sk, cpu));
-	free_percpu(net->ipv4.tcp_sk);
 }
 
 static int __net_init tcp_sk_init(struct net *net)
 {
-	int res, cpu, cnt;
-
-	net->ipv4.tcp_sk = alloc_percpu(struct sock *);
-	if (!net->ipv4.tcp_sk)
-		return -ENOMEM;
-
-	for_each_possible_cpu(cpu) {
-		struct sock *sk;
-
-		res = inet_ctl_sock_create(&sk, PF_INET, SOCK_RAW,
-					   IPPROTO_TCP, net);
-		if (res)
-			goto fail;
-		sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);
-
-		/* Please enforce IP_DF and IPID==0 for RST and
-		 * ACK sent in SYN-RECV and TIME-WAIT state.
-		 */
-		inet_sk(sk)->pmtudisc = IP_PMTUDISC_DO;
-
-		*per_cpu_ptr(net->ipv4.tcp_sk, cpu) = sk;
-	}
+	int cnt;
 
 	net->ipv4.sysctl_tcp_ecn = 2;
 	net->ipv4.sysctl_tcp_ecn_fallback = 1;
@@ -2947,10 +2926,6 @@ static int __net_init tcp_sk_init(struct net *net)
 		net->ipv4.tcp_congestion_control = &tcp_reno;
 
 	return 0;
-fail:
-	tcp_sk_exit(net);
-
-	return res;
 }
 
 static void __net_exit tcp_sk_exit_batch(struct list_head *net_exit_list)
@@ -3027,6 +3002,24 @@ static void __init bpf_iter_register(void)
 
 void __init tcp_v4_init(void)
 {
+	int cpu, res;
+
+	for_each_possible_cpu(cpu) {
+		struct sock *sk;
+
+		res = inet_ctl_sock_create(&sk, PF_INET, SOCK_RAW,
+					   IPPROTO_TCP, &init_net);
+		if (res)
+			panic("Failed to create the TCP control socket.\n");
+		sock_set_flag(sk, SOCK_USE_WRITE_QUEUE);
+
+		/* Please enforce IP_DF and IPID==0 for RST and
+		 * ACK sent in SYN-RECV and TIME-WAIT state.
+		 */
+		inet_sk(sk)->pmtudisc = IP_PMTUDISC_DO;
+
+		per_cpu(ipv4_tcp_sk, cpu) = sk;
+	}
 	if (register_pernet_subsys(&tcp_sk_ops))
 		panic("Failed to create the TCP control socket.\n");
 
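Review bot: the panic() added inside the for_each_possible_cpu() loop uses exactly the same string as the existing register_pernet_subsys() panic right below it, so a boot failure log cannot tell socket creation from pernet registration. Neither message includes `res` or the CPU number. Distinct messages that print the error code would make an early-boot failure diagnosable.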
-- 
2.39.2





* [PATCH 5.10 099/211] net: Find dst with sks xfrm policy not ctl_sk
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (97 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 098/211] ipv4/tcp: do not use per netns ctl sockets Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 100/211] tcp: fix possible sk_priority leak in tcp_v4_send_reset() Greg Kroah-Hartman
                   ` (117 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maciej Żenczykowski,
	Eric Dumazet, Steffen Klassert, Sehee Lee, Sewook Seo,
	David S. Miller, Sasha Levin

From: sewookseo <sewookseo@google.com>

[ Upstream commit e22aa14866684f77b4f6b6cae98539e520ddb731 ]

If we set XFRM security policy by calling setsockopt with option
IPV6_XFRM_POLICY, the policy will be stored in 'sock_policy' in 'sock'
struct. However tcp_v6_send_response doesn't look up dst_entry with the
actual socket but looks up with tcp control socket. This may cause a
problem that a RST packet is sent without ESP encryption & peer's TCP
socket can't receive it.
This patch will make the function look up dest_entry with the actual socket,
if the socket has an XFRM policy (sock_policy), so that the TCP response
packet via this function can be encrypted, & aligned on the encrypted
TCP socket.

Tested: We encountered this problem when a TCP socket which is encrypted
in ESP transport mode encryption, receives challenge ACK at SYN_SENT
state. After receiving challenge ACK, TCP needs to send RST to
establish the socket at next SYN try. But the RST was not encrypted &
peer TCP socket still remains on ESTABLISHED state.
So we verified this with test step as below.
[Test step]
1. Making a TCP state mismatch between client(IDLE) & server(ESTABLISHED).
2. Client tries a new connection on the same TCP ports(src & dst).
3. Server will return challenge ACK instead of SYN,ACK.
4. Client will send RST to server to clear the SOCKET.
5. Client will retransmit SYN to server on the same TCP ports.
[Expected result]
The TCP connection should be established.

Cc: Maciej Żenczykowski <maze@google.com>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Sehee Lee <seheele@google.com>
Signed-off-by: Sewook Seo <sewookseo@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 1e306ec49a1f ("tcp: fix possible sk_priority leak in tcp_v4_send_reset()")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 include/net/xfrm.h   | 2 ++
 net/ipv4/ip_output.c | 2 +-
 net/ipv4/tcp_ipv4.c  | 2 ++
 net/ipv6/tcp_ipv6.c  | 5 ++++-
 4 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/include/net/xfrm.h b/include/net/xfrm.h
index 8a9943d935f14..726a2dbb407f1 100644
--- a/include/net/xfrm.h
+++ b/include/net/xfrm.h
@@ -1198,6 +1198,8 @@ int __xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk);
 
 static inline int xfrm_sk_clone_policy(struct sock *sk, const struct sock *osk)
 {
+	if (!sk_fullsock(osk))
+		return 0;
 	sk->sk_policy[0] = NULL;
 	sk->sk_policy[1] = NULL;
 	if (unlikely(osk->sk_policy[0] || osk->sk_policy[1]))
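Review bot: the new early return for `!sk_fullsock(osk)` sits above the two `sk->sk_policy[...] = NULL` assignments, so for a non-full osk the destination's policy pointers are left exactly as they were. That is safe only if every caller passes an `sk` whose sk_policy[] entries are already clear. Either document that precondition here or move the check below the two assignments, after confirming that clearing without freeing cannot leak a policy on the shared control socket.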
diff --git a/net/ipv4/ip_output.c b/net/ipv4/ip_output.c
index 1e07df2821773..6fd04f2f8b40c 100644
--- a/net/ipv4/ip_output.c
+++ b/net/ipv4/ip_output.c
@@ -1723,7 +1723,7 @@ void ip_send_unicast_reply(struct sock *sk, struct sk_buff *skb,
 			   tcp_hdr(skb)->source, tcp_hdr(skb)->dest,
 			   arg->uid);
 	security_skb_classify_flow(skb, flowi4_to_flowi_common(&fl4));
-	rt = ip_route_output_key(net, &fl4);
+	rt = ip_route_output_flow(net, &fl4, sk);
 	if (IS_ERR(rt))
 		return;
 
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 275ae42be99e0..1995d46afb214 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -804,6 +804,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
 		ctl_sk->sk_priority = (sk->sk_state == TCP_TIME_WAIT) ?
 				   inet_twsk(sk)->tw_priority : sk->sk_priority;
 		transmit_time = tcp_transmit_time(sk);
+		xfrm_sk_clone_policy(ctl_sk, sk);
 	}
 	ip_send_unicast_reply(ctl_sk,
 			      skb, &TCP_SKB_CB(skb)->header.h4.opt,
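Review bot: the return value of `xfrm_sk_clone_policy(ctl_sk, sk);` is discarded, although the helper returns int. If the clone fails, the RST is still sent through ctl_sk with no policy attached, which is the unencrypted-RST case the commit message sets out to fix. Consider checking the result and skipping the reply on failure, or add a comment explaining why sending without the policy is acceptable.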
@@ -812,6 +813,7 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
 			      transmit_time);
 
 	ctl_sk->sk_mark = 0;
+	xfrm_sk_free_policy(ctl_sk);
 	sock_net_set(ctl_sk, &init_net);
 	__TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
 	__TCP_INC_STATS(net, TCP_MIB_OUTRSTS);
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 2347740d3cc7c..fe29bc66aeac7 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -984,7 +984,10 @@ static void tcp_v6_send_response(const struct sock *sk, struct sk_buff *skb, u32
 	 * Underlying function will use this to retrieve the network
 	 * namespace
 	 */
-	dst = ip6_dst_lookup_flow(sock_net(ctl_sk), ctl_sk, &fl6, NULL);
+	if (sk && sk->sk_state != TCP_TIME_WAIT)
+		dst = ip6_dst_lookup_flow(net, sk, &fl6, NULL); /*sk's xfrm_policy can be referred*/
+	else
+		dst = ip6_dst_lookup_flow(net, ctl_sk, &fl6, NULL);
 	if (!IS_ERR(dst)) {
 		skb_dst_set(buff, dst);
 		ip6_xmit(ctl_sk, buff, &fl6, fl6.flowi6_mark, NULL,
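Review bot: the IPv6 path selects the socket with `sk && sk->sk_state != TCP_TIME_WAIT`, while the helper changed in include/net/xfrm.h in this same patch uses sk_fullsock(). If tcp_v6_send_response() can be handed a request socket, the state test lets it through to ip6_dst_lookup_flow() as if it were a full socket; using sk_fullsock(sk) here would keep the two checks consistent. The trailing comment `/*sk's xfrm_policy can be referred*/` lacks spaces inside the delimiters and pushes the line well past 80 columns; it reads better on its own line above the call.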
-- 
2.39.2





* [PATCH 5.10 100/211] tcp: fix possible sk_priority leak in tcp_v4_send_reset()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (98 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 099/211] net: Find dst with sks xfrm policy not ctl_sk Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 101/211] serial: arc_uart: fix of_iomap leak in `arc_serial_probe` Greg Kroah-Hartman
                   ` (116 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Antoine Tenart,
	David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit 1e306ec49a1f206fd2cc89a42fac6e6f592a8cc1 ]

When tcp_v4_send_reset() is called with @sk == NULL,
we do not change ctl_sk->sk_priority, which could have been
set from a prior invocation.

Change tcp_v4_send_reset() to set sk_priority and sk_mark
fields before calling ip_send_unicast_reply().

This means tcp_v4_send_reset() and tcp_v4_send_ack()
no longer have to clear ctl_sk->sk_mark after
their call to ip_send_unicast_reply().

Fixes: f6c0f5d209fa ("tcp: honor SO_PRIORITY in TIME_WAIT state")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Antoine Tenart <atenart@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp_ipv4.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 1995d46afb214..270b20e0907c2 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -805,6 +805,9 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
 				   inet_twsk(sk)->tw_priority : sk->sk_priority;
 		transmit_time = tcp_transmit_time(sk);
 		xfrm_sk_clone_policy(ctl_sk, sk);
+	} else {
+		ctl_sk->sk_mark = 0;
+		ctl_sk->sk_priority = 0;
 	}
 	ip_send_unicast_reply(ctl_sk,
 			      skb, &TCP_SKB_CB(skb)->header.h4.opt,
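Review bot: with the new `else` branch, ctl_sk->sk_mark and ctl_sk->sk_priority are initialised in two separate arms of `if (sk)`, so a third per-packet field added later has to be remembered in both. Zeroing the two fields unconditionally before the `if (sk)` and letting the branch override them would be shorter and harder to get wrong. Note that transmit_time and the xfrm policy follow a different reset scheme in the same function, which is worth a sentence in a comment.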
@@ -812,7 +815,6 @@ static void tcp_v4_send_reset(const struct sock *sk, struct sk_buff *skb)
 			      &arg, arg.iov[0].iov_len,
 			      transmit_time);
 
-	ctl_sk->sk_mark = 0;
 	xfrm_sk_free_policy(ctl_sk);
 	sock_net_set(ctl_sk, &init_net);
 	__TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
@@ -911,7 +913,6 @@ static void tcp_v4_send_ack(const struct sock *sk,
 			      &arg, arg.iov[0].iov_len,
 			      transmit_time);
 
-	ctl_sk->sk_mark = 0;
 	sock_net_set(ctl_sk, &init_net);
 	__TCP_INC_STATS(net, TCP_MIB_OUTSEGS);
 	local_bh_enable();
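Review bot: dropping `ctl_sk->sk_mark = 0;` from tcp_v4_send_ack() is correct only because every user of the shared control socket now writes sk_mark and sk_priority before each send. That holds for the two functions touched by this series, but nothing enforces it for a future third user, which would silently inherit the mark and priority of an unrelated flow. A comment stating this invariant next to the per-CPU socket definition would make the dependency visible.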
-- 
2.39.2





* [PATCH 5.10 101/211] serial: arc_uart: fix of_iomap leak in `arc_serial_probe`
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (99 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 100/211] tcp: fix possible sk_priority leak in tcp_v4_send_reset() Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 102/211] erspan: get the proto with the md version for collect_md Greg Kroah-Hartman
                   ` (115 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ke Zhang, Dongliang Mu, Sasha Levin

From: Ke Zhang <m202171830@hust.edu.cn>

[ Upstream commit 8ab5fc55d7f65d58a3c3aeadf11bdf60267cd2bd ]

Smatch reports:

drivers/tty/serial/arc_uart.c:631 arc_serial_probe() warn:
'port->membase' from of_iomap() not released on lines: 631.

In arc_serial_probe(), if uart_add_one_port() fails,
port->membase is not released, which would cause a resource leak.

To fix this, I replace of_iomap with devm_platform_ioremap_resource.

Fixes: 8dbe1d5e09a7 ("serial/arc: inline the probe helper")
Signed-off-by: Ke Zhang <m202171830@hust.edu.cn>
Reviewed-by: Dongliang Mu <dzm91@hust.edu.cn>
Link: https://lore.kernel.org/r/20230428031636.44642-1-m202171830@hust.edu.cn
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/arc_uart.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/drivers/tty/serial/arc_uart.c b/drivers/tty/serial/arc_uart.c
index 17c3fc398fc65..6f7a7d2dcf3aa 100644
--- a/drivers/tty/serial/arc_uart.c
+++ b/drivers/tty/serial/arc_uart.c
@@ -609,10 +609,11 @@ static int arc_serial_probe(struct platform_device *pdev)
 	}
 	uart->baud = val;
 
-	port->membase = of_iomap(np, 0);
-	if (!port->membase)
+	port->membase = devm_platform_ioremap_resource(pdev, 0);
+	if (IS_ERR(port->membase)) {
 		/* No point of dev_err since UART itself is hosed here */
-		return -ENXIO;
+		return PTR_ERR(port->membase);
+	}
 
 	port->irq = irq_of_parse_and_map(np, 0);
 
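Review bot: devm_platform_ioremap_resource() is not a drop-in replacement for the of_iomap() call it replaces, since it also requests the memory region before mapping it. Probe can therefore fail now in cases where it used to succeed, if the region is already claimed by something else, and the commit message mentions only the leak. The error code returned to the caller also changes from -ENXIO to PTR_ERR(port->membase). Both behaviour changes deserve a line in the changelog, along with a note on whether the patch was run on hardware or only checked with Smatch.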
-- 
2.39.2





* [PATCH 5.10 102/211] erspan: get the proto with the md version for collect_md
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (100 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 101/211] serial: arc_uart: fix of_iomap leak in `arc_serial_probe` Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 103/211] net: hns3: fix sending pfc frames after reset issue Greg Kroah-Hartman
                   ` (114 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Kevin Traynor, Xin Long,
	Simon Horman, William Tu, David S. Miller, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit d80fc101d2eb9b3188c228d61223890aeea480a4 ]

In commit 20704bd1633d ("erspan: build the header with the right proto
according to erspan_ver"), it gets the proto with t->parms.erspan_ver,
but t->parms.erspan_ver is not used by collect_md branch, and instead
it should get the proto with md->version for collect_md.

Thanks to Kevin for pointing this out.

Fixes: 20704bd1633d ("erspan: build the header with the right proto according to erspan_ver")
Fixes: 94d7d8f29287 ("ip6_gre: add erspan v2 support")
Reported-by: Kevin Traynor <ktraynor@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Reviewed-by: William Tu <u9012063@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv6/ip6_gre.c | 13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

diff --git a/net/ipv6/ip6_gre.c b/net/ipv6/ip6_gre.c
index 2332b5b81c551..7b50e1811678e 100644
--- a/net/ipv6/ip6_gre.c
+++ b/net/ipv6/ip6_gre.c
@@ -1015,12 +1015,14 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
 					    ntohl(tun_id),
 					    ntohl(md->u.index), truncate,
 					    false);
+			proto = htons(ETH_P_ERSPAN);
 		} else if (md->version == 2) {
 			erspan_build_header_v2(skb,
 					       ntohl(tun_id),
 					       md->u.md2.dir,
 					       get_hwid(&md->u.md2),
 					       truncate, false);
+			proto = htons(ETH_P_ERSPAN2);
 		} else {
 			goto tx_err;
 		}
@@ -1043,24 +1045,25 @@ static netdev_tx_t ip6erspan_tunnel_xmit(struct sk_buff *skb,
 			break;
 		}
 
-		if (t->parms.erspan_ver == 1)
+		if (t->parms.erspan_ver == 1) {
 			erspan_build_header(skb, ntohl(t->parms.o_key),
 					    t->parms.index,
 					    truncate, false);
-		else if (t->parms.erspan_ver == 2)
+			proto = htons(ETH_P_ERSPAN);
+		} else if (t->parms.erspan_ver == 2) {
 			erspan_build_header_v2(skb, ntohl(t->parms.o_key),
 					       t->parms.dir,
 					       t->parms.hwid,
 					       truncate, false);
-		else
+			proto = htons(ETH_P_ERSPAN2);
+		} else {
 			goto tx_err;
+		}
 
 		fl6.daddr = t->parms.raddr;
 	}
 
 	/* Push GRE header. */
-	proto = (t->parms.erspan_ver == 1) ? htons(ETH_P_ERSPAN)
-					   : htons(ETH_P_ERSPAN2);
 	gre_build_header(skb, 8, TUNNEL_SEQ, proto, 0, htonl(atomic_fetch_inc(&t->o_seqno)));
 
 	/* TooBig packet may have updated dst->dev's mtu */
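Review bot: `proto` is now assigned in four separate branches, two in the collect_md path and two here, each one paired by hand with the matching erspan_build_header() or erspan_build_header_v2() call. Every path that reaches gre_build_header() either sets it or jumps to tx_err, so the result is correct, but the version-to-ethertype mapping is duplicated and the original bug came from exactly that mapping reading the wrong version field. A small helper that takes the version and returns the protocol, called once per path with md->version or t->parms.erspan_ver, would keep the header builder and the GRE protocol from drifting apart again.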
-- 
2.39.2





* [PATCH 5.10 103/211] net: hns3: fix sending pfc frames after reset issue
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jijie Shao, Hao Lan,
	David S. Miller, Sasha Levin

From: Jijie Shao <shaojijie@huawei.com>

[ Upstream commit f14db07064727dd3bc0906c77a6d2759c1bbb395 ]

To prevent the system from abnormally sending PFC frames after an
abnormal reset, the hns3 driver notifies the firmware to disable PFC
before reset.

Fixes: 35d93a30040c ("net: hns3: adjust the process of PF reset")
Signed-off-by: Jijie Shao <shaojijie@huawei.com>
Signed-off-by: Hao Lan <lanhao@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 .../ethernet/hisilicon/hns3/hns3pf/hclge_main.c   | 15 +++++++++------
 .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c |  4 ++--
 .../net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h |  5 +++++
 3 files changed, 16 insertions(+), 8 deletions(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
index 2070e26a3a358..1ec1709446bab 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_main.c
@@ -7023,12 +7023,15 @@ static void hclge_ae_stop(struct hnae3_handle *handle)
 	/* If it is not PF reset or FLR, the firmware will disable the MAC,
 	 * so it only need to stop phy here.
 	 */
-	if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state) &&
-	    hdev->reset_type != HNAE3_FUNC_RESET &&
-	    hdev->reset_type != HNAE3_FLR_RESET) {
-		hclge_mac_stop_phy(hdev);
-		hclge_update_link_status(hdev);
-		return;
+	if (test_bit(HCLGE_STATE_RST_HANDLING, &hdev->state)) {
+		hclge_pfc_pause_en_cfg(hdev, HCLGE_PFC_TX_RX_DISABLE,
+				       HCLGE_PFC_DISABLE);
+		if (hdev->reset_type != HNAE3_FUNC_RESET &&
+		    hdev->reset_type != HNAE3_FLR_RESET) {
+			hclge_mac_stop_phy(hdev);
+			hclge_update_link_status(hdev);
+			return;
+		}
 	}
 
 	for (i = 0; i < handle->kinfo.num_tqps; i++)
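
Review bot: the return value of hclge_pfc_pause_en_cfg() is dropped in hclge_ae_stop(), although the function is declared as returning int. If the command fails, PFC stays enabled across the reset, which is the condition this patch is meant to prevent, and nothing is logged. Since the caller is void, at least a warning on a non-zero return would make the failure visible. The comment above the block also still describes only the MAC/PHY case and should say that PFC is now disabled for every reset type.
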
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
index 9168e39b63641..b3ceaaaeacaeb 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.c
@@ -169,8 +169,8 @@ int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx)
 	return hclge_cmd_send(&hdev->hw, &desc, 1);
 }
 
-static int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap,
-				  u8 pfc_bitmap)
+int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap,
+			   u8 pfc_bitmap)
 {
 	struct hclge_desc desc;
 	struct hclge_pfc_en_cmd *pfc = (struct hclge_pfc_en_cmd *)desc.data;
diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h
index bb2a2d8e92591..42932c879b360 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3pf/hclge_tm.h
@@ -117,6 +117,9 @@ struct hclge_bp_to_qs_map_cmd {
 	u32 rsvd1;
 };
 
+#define HCLGE_PFC_DISABLE	0
+#define HCLGE_PFC_TX_RX_DISABLE	0
+
 struct hclge_pfc_en_cmd {
 	u8 tx_rx_en_bitmap;
 	u8 pri_en_bitmap;
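
Review bot: HCLGE_PFC_DISABLE and HCLGE_PFC_TX_RX_DISABLE are both defined as 0 with no comment saying which argument each belongs to. At the call site they are passed as tx_rx_bitmap and pfc_bitmap respectively; a one-line comment tying them to tx_rx_en_bitmap and pri_en_bitmap in struct hclge_pfc_en_cmd would stop them being swapped or reused for the wrong field unnoticed, since both are plain zeros.
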
@@ -164,6 +167,8 @@ void hclge_tm_schd_info_update(struct hclge_dev *hdev, u8 num_tc);
 void hclge_tm_pfc_info_update(struct hclge_dev *hdev);
 int hclge_tm_dwrr_cfg(struct hclge_dev *hdev);
 int hclge_tm_init_hw(struct hclge_dev *hdev, bool init);
+int hclge_pfc_pause_en_cfg(struct hclge_dev *hdev, u8 tx_rx_bitmap,
+			   u8 pfc_bitmap);
 int hclge_mac_pause_en_cfg(struct hclge_dev *hdev, bool tx, bool rx);
 int hclge_pause_addr_cfg(struct hclge_dev *hdev, const u8 *mac_addr);
 int hclge_pfc_rx_stats_get(struct hclge_dev *hdev, u64 *stats);
-- 
2.39.2





* [PATCH 5.10 104/211] net: hns3: fix reset delay time to avoid configuration timeout
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jie Wang, Hao Lan, David S. Miller,
	Sasha Levin

From: Jie Wang <wangjie125@huawei.com>

[ Upstream commit 814d0c786068e858d889ada3153bff82f64223ad ]

Currently the hns3 vf function reset delays 5000ms before vf rebuild
process. In product applications, this delay is too long for application
configurations and causes configuration timeout.

According to the tests, 500ms delay is enough for reset process except PF
FLR. So this patch modifies delay to 500ms in these scenarios.

Fixes: 6988eb2a9b77 ("net: hns3: Add support to reset the enet/ring mgmt layer")
Signed-off-by: Jie Wang <wangjie125@huawei.com>
Signed-off-by: Hao Lan <lanhao@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
index f7f3e4bbc4770..7d05915c35e38 100644
--- a/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
+++ b/drivers/net/ethernet/hisilicon/hns3/hns3vf/hclgevf_main.c
@@ -1772,7 +1772,10 @@ static int hclgevf_reset_wait(struct hclgevf_dev *hdev)
 	 * might happen in case reset assertion was made by PF. Yes, this also
 	 * means we might end up waiting bit more even for VF reset.
 	 */
-	msleep(5000);
+	if (hdev->reset_type == HNAE3_VF_FULL_RESET)
+		msleep(5000);
+	else
+		msleep(500);
 
 	return 0;
 }
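
Review bot: the condition tests HNAE3_VF_FULL_RESET while the commit message describes the exception as "PF FLR", and nothing in the hunk connects the two. The comment kept above the sleep still explains a single fixed wait, so it should be extended to say which reset types keep the 5000 ms delay and why 500 ms is safe for the rest. Named constants for the two delays would also read better than the bare 5000 and 500.
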
-- 
2.39.2





* [PATCH 5.10 105/211] media: netup_unidvb: fix use-after-free at del_timer()
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Duoming Zhou, Mauro Carvalho Chehab,
	Sasha Levin

From: Duoming Zhou <duoming@zju.edu.cn>

[ Upstream commit 0f5bb36bf9b39a2a96e730bf4455095b50713f63 ]

When Universal DVB card is detaching, netup_unidvb_dma_fini()
uses del_timer() to stop dma->timeout timer. But when timer
handler netup_unidvb_dma_timeout() is running, del_timer()
could not stop it. As a result, the use-after-free bug could
happen. The process is shown below:

    (cleanup routine)          |        (timer routine)
                               | mod_timer(&dev->tx_sim_timer, ..)
netup_unidvb_finidev()         | (wait a time)
  netup_unidvb_dma_fini()      | netup_unidvb_dma_timeout()
    del_timer(&dma->timeout);  |
                               |   ndev->pci_dev->dev //USE

Fix by changing del_timer() to del_timer_sync().

Link: https://lore.kernel.org/linux-media/20230308125514.4208-1-duoming@zju.edu.cn
Fixes: 52b1eaf4c59a ("[media] netup_unidvb: NetUP Universal DVB-S/S2/T/T2/C PCI-E card driver")
Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
Signed-off-by: Mauro Carvalho Chehab <mchehab@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/media/pci/netup_unidvb/netup_unidvb_core.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
index 77bae14685513..a71814e2772d1 100644
--- a/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
+++ b/drivers/media/pci/netup_unidvb/netup_unidvb_core.c
@@ -697,7 +697,7 @@ static void netup_unidvb_dma_fini(struct netup_unidvb_dev *ndev, int num)
 	netup_unidvb_dma_enable(dma, 0);
 	msleep(50);
 	cancel_work_sync(&dma->work);
-	del_timer(&dma->timeout);
+	del_timer_sync(&dma->timeout);
 }
 
 static int netup_unidvb_dma_setup(struct netup_unidvb_dev *ndev)
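
Review bot: del_timer_sync() only closes the race if nothing can re-arm dma->timeout afterwards and if the handler cannot queue dma->work, which has already been cancelled on the line above. If netup_unidvb_dma_timeout() or the work item can schedule the other, the order of cancel_work_sync() and del_timer_sync() matters and should be justified in the commit message. del_timer_sync() also waits for a running handler, so it must not be called with a lock held that the handler takes; the msleep(50) above shows this path may sleep, but the locking is not visible here and is worth confirming.
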
-- 
2.39.2





* [PATCH 5.10 106/211] SUNRPC: Fix trace_svc_register() call site
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Chuck Lever, Sasha Levin

From: Chuck Lever <chuck.lever@oracle.com>

[ Upstream commit 07a27305938559fb35f7a46fb90a5e37728bdee6 ]

The trace event recorded incorrect values for the registered family,
protocol, and port because the arguments are in the wrong order.

Fixes: b4af59328c25 ("SUNRPC: Trace server-side rpcbind registration events")
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/sunrpc/svc.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index af657a482ad2d..495ebe7fad6dd 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -995,7 +995,7 @@ static int __svc_register(struct net *net, const char *progname,
 #endif
 	}
 
-	trace_svc_register(progname, version, protocol, port, family, error);
+	trace_svc_register(progname, version, family, protocol, port, error);
 	return error;
 }
 
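
Review bot: the new argument order cannot be checked from this hunk alone, because the expected order lives in the svc_register tracepoint definition, which the patch neither touches nor quotes. The swapped call was accepted before this fix, so the compiler will not catch a future mix-up of these arguments either; citing the TP_PROTO order in the commit message would let a reviewer confirm that family, protocol, port is right.
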
-- 
2.39.2





* [PATCH 5.10 107/211] drm/exynos: fix g2d_open/close helper function definitions
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Andi Shyti, Inki Dae,
	Sasha Levin

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit 2ef0785b30bd6549ddbc124979f1b6596e065ae2 ]

The empty stub functions are defined as global functions, which
causes a warning because of missing prototypes:

drivers/gpu/drm/exynos/exynos_drm_g2d.h:37:5: error: no previous prototype for 'g2d_open'
drivers/gpu/drm/exynos/exynos_drm_g2d.h:42:5: error: no previous prototype for 'g2d_close'

Mark them as 'static inline' to avoid the warning and to make
them behave as intended.

Fixes: eb4d9796fa34 ("drm/exynos: g2d: Convert to driver component API")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Andi Shyti <andi.shyti@kernel.org>
Signed-off-by: Inki Dae <inki.dae@samsung.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/gpu/drm/exynos/exynos_drm_g2d.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/gpu/drm/exynos/exynos_drm_g2d.h b/drivers/gpu/drm/exynos/exynos_drm_g2d.h
index 74ea3c26deadc..1a5ae781b56c6 100644
--- a/drivers/gpu/drm/exynos/exynos_drm_g2d.h
+++ b/drivers/gpu/drm/exynos/exynos_drm_g2d.h
@@ -34,11 +34,11 @@ static inline int exynos_g2d_exec_ioctl(struct drm_device *dev, void *data,
 	return -ENODEV;
 }
 
-int g2d_open(struct drm_device *drm_dev, struct drm_file *file)
+static inline int g2d_open(struct drm_device *drm_dev, struct drm_file *file)
 {
 	return 0;
 }
 
-void g2d_close(struct drm_device *drm_dev, struct drm_file *file)
+static inline void g2d_close(struct drm_device *drm_dev, struct drm_file *file)
 { }
 #endif
-- 
2.39.2





* [PATCH 5.10 108/211] net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment()
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+632b5d9964208bfef8c0,
	Eric Dumazet, Dong Chenchen, David S. Miller, Sasha Levin

From: Dong Chenchen <dongchenchen2@huawei.com>

[ Upstream commit c83b49383b595be50647f0c764a48c78b5f3c4f8 ]

As the call trace shows, skb_panic was caused by wrong skb->mac_header
in nsh_gso_segment():

invalid opcode: 0000 [#1] PREEMPT SMP KASAN PTI
CPU: 3 PID: 2737 Comm: syz Not tainted 6.3.0-next-20230505 #1
RIP: 0010:skb_panic+0xda/0xe0
call Trace:
 skb_push+0x91/0xa0
 nsh_gso_segment+0x4f3/0x570
 skb_mac_gso_segment+0x19e/0x270
 __skb_gso_segment+0x1e8/0x3c0
 validate_xmit_skb+0x452/0x890
 validate_xmit_skb_list+0x99/0xd0
 sch_direct_xmit+0x294/0x7c0
 __dev_queue_xmit+0x16f0/0x1d70
 packet_xmit+0x185/0x210
 packet_snd+0xc15/0x1170
 packet_sendmsg+0x7b/0xa0
 sock_sendmsg+0x14f/0x160

The root cause is:
nsh_gso_segment() uses skb->network_header - nhoff to reset mac_header
in skb_gso_error_unwind() if inner-layer protocol gso fails.
However, skb->network_header may be reset by inner-layer protocol
gso function e.g. mpls_gso_segment. skb->mac_header reset by the
inaccurate network_header will be larger than skb headroom.

nsh_gso_segment
    nhoff = skb->network_header - skb->mac_header;
    __skb_pull(skb,nsh_len)
    skb_mac_gso_segment
        mpls_gso_segment
            skb_reset_network_header(skb);//skb->network_header+=nsh_len
            return -EINVAL;
    skb_gso_error_unwind
        skb_push(skb, nsh_len);
        skb->mac_header = skb->network_header - nhoff;
        // skb->mac_header > skb->headroom, cause skb_push panic

Use correct mac_offset to restore mac_header and get rid of nhoff.

Fixes: c411ed854584 ("nsh: add GSO support")
Reported-by: syzbot+632b5d9964208bfef8c0@syzkaller.appspotmail.com
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/nsh/nsh.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/net/nsh/nsh.c b/net/nsh/nsh.c
index e9ca007718b7e..0f23e5e8e03eb 100644
--- a/net/nsh/nsh.c
+++ b/net/nsh/nsh.c
@@ -77,13 +77,12 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
 				       netdev_features_t features)
 {
 	struct sk_buff *segs = ERR_PTR(-EINVAL);
+	u16 mac_offset = skb->mac_header;
 	unsigned int nsh_len, mac_len;
 	__be16 proto;
-	int nhoff;
 
 	skb_reset_network_header(skb);
 
-	nhoff = skb->network_header - skb->mac_header;
 	mac_len = skb->mac_len;
 
 	if (unlikely(!pskb_may_pull(skb, NSH_BASE_HDR_LEN)))
@@ -108,15 +107,14 @@ static struct sk_buff *nsh_gso_segment(struct sk_buff *skb,
 	segs = skb_mac_gso_segment(skb, features);
 	if (IS_ERR_OR_NULL(segs)) {
 		skb_gso_error_unwind(skb, htons(ETH_P_NSH), nsh_len,
-				     skb->network_header - nhoff,
-				     mac_len);
+				     mac_offset, mac_len);
 		goto out;
 	}
 
 	for (skb = segs; skb; skb = skb->next) {
 		skb->protocol = htons(ETH_P_NSH);
 		__skb_push(skb, nsh_len);
-		skb_set_mac_header(skb, -nhoff);
+		skb->mac_header = mac_offset;
 		skb->network_header = skb->mac_header + mac_len;
 		skb->mac_len = mac_len;
 	}
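
Review bot: in the per-segment loop, skb->mac_header = mac_offset applies an offset saved from the original skb to each skb in segs, where the old skb_set_mac_header(skb, -nhoff) was relative to the segment's own data pointer. That is only equivalent if every segment returned by skb_mac_gso_segment() has the same head-to-data layout as the input skb once __skb_push(skb, nsh_len) has run. The commit message only argues the error-unwind case, so it should state why the absolute offset is also valid on the success path.
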
-- 
2.39.2





* [PATCH 5.10 109/211] net/tipc: fix tipc header files for kernel-doc
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Randy Dunlap, Jakub Kicinski, Sasha Levin

From: Randy Dunlap <rdunlap@infradead.org>

[ Upstream commit ff10527e89826aaf76480ee47e6fd05213189963 ]

Fix tipc header files for adding to the networking docbook.

Remove some uses of "/**" that were not kernel-doc notation.

Fix some source formatting to eliminate Sphinx warnings.

Add missing struct member and function argument kernel-doc descriptions.

Correct the description of a couple of struct members that were
marked as "(FIXME)".

Documentation/networking/tipc:18: ../net/tipc/name_table.h:65: WARNING: Unexpected indentation.
Documentation/networking/tipc:18: ../net/tipc/name_table.h:66: WARNING: Block quote ends without a blank line; unexpected unindent.

../net/tipc/bearer.h:128: warning: Function parameter or member 'min_win' not described in 'tipc_media'
../net/tipc/bearer.h:128: warning: Function parameter or member 'max_win' not described in 'tipc_media'

../net/tipc/bearer.h:171: warning: Function parameter or member 'min_win' not described in 'tipc_bearer'
../net/tipc/bearer.h:171: warning: Function parameter or member 'max_win' not described in 'tipc_bearer'
../net/tipc/bearer.h:171: warning: Function parameter or member 'disc' not described in 'tipc_bearer'
../net/tipc/bearer.h:171: warning: Function parameter or member 'up' not described in 'tipc_bearer'
../net/tipc/bearer.h:171: warning: Function parameter or member 'refcnt' not described in 'tipc_bearer'

../net/tipc/name_distr.h:68: warning: Function parameter or member 'port' not described in 'distr_item'

../net/tipc/name_table.h:111: warning: Function parameter or member 'services' not described in 'name_table'
../net/tipc/name_table.h:111: warning: Function parameter or member 'cluster_scope_lock' not described in 'name_table'
../net/tipc/name_table.h:111: warning: Function parameter or member 'rc_dests' not described in 'name_table'
../net/tipc/name_table.h:111: warning: Function parameter or member 'snd_nxt' not described in 'name_table'

../net/tipc/subscr.h:67: warning: Function parameter or member 'kref' not described in 'tipc_subscription'
../net/tipc/subscr.h:67: warning: Function parameter or member 'net' not described in 'tipc_subscription'
../net/tipc/subscr.h:67: warning: Function parameter or member 'service_list' not described in 'tipc_subscription'
../net/tipc/subscr.h:67: warning: Function parameter or member 'conid' not described in 'tipc_subscription'
../net/tipc/subscr.h:67: warning: Function parameter or member 'inactive' not described in 'tipc_subscription'
../net/tipc/subscr.h:67: warning: Function parameter or member 'lock' not described in 'tipc_subscription'

Signed-off-by: Randy Dunlap <rdunlap@infradead.org>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 56077b56cd3f ("tipc: do not update mtu if msg_max is too small in mtu negotiation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tipc/bearer.h     | 10 +++++++---
 net/tipc/crypto.h     |  6 +++---
 net/tipc/name_distr.h |  2 +-
 net/tipc/name_table.h |  9 ++++++---
 net/tipc/subscr.h     | 11 +++++++----
 5 files changed, 24 insertions(+), 14 deletions(-)

diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
index bc0023119da2f..6bf4550aa1ac1 100644
--- a/net/tipc/bearer.h
+++ b/net/tipc/bearer.h
@@ -93,7 +93,8 @@ struct tipc_bearer;
  * @raw2addr: convert from raw addr format to media addr format
  * @priority: default link (and bearer) priority
  * @tolerance: default time (in ms) before declaring link failure
- * @window: default window (in packets) before declaring link congestion
+ * @min_win: minimum window (in packets) before declaring link congestion
+ * @max_win: maximum window (in packets) before declaring link congestion
  * @mtu: max packet size bearer can support for media type not dependent on
  * underlying device MTU
  * @type_id: TIPC media identifier
@@ -138,12 +139,15 @@ struct tipc_media {
  * @pt: packet type for bearer
  * @rcu: rcu struct for tipc_bearer
  * @priority: default link priority for bearer
- * @window: default window size for bearer
+ * @min_win: minimum window (in packets) before declaring link congestion
+ * @max_win: maximum window (in packets) before declaring link congestion
  * @tolerance: default link tolerance for bearer
  * @domain: network domain to which links can be established
  * @identity: array index of this bearer within TIPC bearer array
- * @link_req: ptr to (optional) structure making periodic link setup requests
+ * @disc: ptr to link setup request
  * @net_plane: network plane ('A' through 'H') currently associated with bearer
+ * @up: bearer up flag (bit 0)
+ * @refcnt: tipc_bearer reference counter
  *
  * Note: media-specific code is responsible for initialization of the fields
  * indicated below when a bearer is enabled; TIPC's generic bearer code takes
diff --git a/net/tipc/crypto.h b/net/tipc/crypto.h
index e71193bd5e369..ce7d4cc8a9e0c 100644
--- a/net/tipc/crypto.h
+++ b/net/tipc/crypto.h
@@ -1,5 +1,5 @@
 /* SPDX-License-Identifier: GPL-2.0 */
-/**
+/*
  * net/tipc/crypto.h: Include file for TIPC crypto
  *
  * Copyright (c) 2019, Ericsson AB
@@ -53,7 +53,7 @@
 #define TIPC_AES_GCM_IV_SIZE		12
 #define TIPC_AES_GCM_TAG_SIZE		16
 
-/**
+/*
  * TIPC crypto modes:
  * - CLUSTER_KEY:
  *	One single key is used for both TX & RX in all nodes in the cluster.
@@ -69,7 +69,7 @@ enum {
 extern int sysctl_tipc_max_tfms __read_mostly;
 extern int sysctl_tipc_key_exchange_enabled __read_mostly;
 
-/**
+/*
  * TIPC encryption message format:
  *
  *     3 3 2 2 2 2 2 2 2 2 2 2 1 1 1 1 1 1 1 1 1 1 0 0 0 0 0 0 0 0 0 0
diff --git a/net/tipc/name_distr.h b/net/tipc/name_distr.h
index 092323158f060..e231e6964d611 100644
--- a/net/tipc/name_distr.h
+++ b/net/tipc/name_distr.h
@@ -46,7 +46,7 @@
  * @type: name sequence type
  * @lower: name sequence lower bound
  * @upper: name sequence upper bound
- * @ref: publishing port reference
+ * @port: publishing port reference
  * @key: publication key
  *
  * ===> All fields are stored in network byte order. <===
diff --git a/net/tipc/name_table.h b/net/tipc/name_table.h
index 8064e1986e2c8..5a82a01369d67 100644
--- a/net/tipc/name_table.h
+++ b/net/tipc/name_table.h
@@ -60,8 +60,8 @@ struct tipc_group;
  * @key: publication key, unique across the cluster
  * @id: publication id
  * @binding_node: all publications from the same node which bound this one
- * - Remote publications: in node->publ_list
- *   Used by node/name distr to withdraw publications when node is lost
+ * - Remote publications: in node->publ_list;
+ * Used by node/name distr to withdraw publications when node is lost
  * - Local/node scope publications: in name_table->node_scope list
  * - Local/cluster scope publications: in name_table->cluster_scope list
  * @binding_sock: all publications from the same socket which bound this one
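
Review bot: moving "Used by node/name distr ..." flush left and ending the bullet with a semicolon changes the indentation that was warned about, but the line no longer reads as part of the "Remote publications" item and now sits between two bullets. Folding it into the bullet's own line would preserve the meaning without reintroducing the indentation; please check the rendered output.
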
@@ -92,13 +92,16 @@ struct publication {
 
 /**
  * struct name_table - table containing all existing port name publications
- * @seq_hlist: name sequence hash lists
+ * @services: name sequence hash lists
  * @node_scope: all local publications with node scope
  *               - used by name_distr during re-init of name table
  * @cluster_scope: all local publications with cluster scope
  *               - used by name_distr to send bulk updates to new nodes
  *               - used by name_distr during re-init of name table
+ * @cluster_scope_lock: lock for accessing @cluster_scope
  * @local_publ_count: number of publications issued by this node
+ * @rc_dests: destination node counter
+ * @snd_nxt: next sequence number to be used
  */
 struct name_table {
 	struct hlist_head services[TIPC_NAMETBL_SIZE];
diff --git a/net/tipc/subscr.h b/net/tipc/subscr.h
index 6ebbec1bedd1a..63bdce9358fe6 100644
--- a/net/tipc/subscr.h
+++ b/net/tipc/subscr.h
@@ -47,12 +47,15 @@ struct tipc_conn;
 
 /**
  * struct tipc_subscription - TIPC network topology subscription object
- * @subscriber: pointer to its subscriber
- * @seq: name sequence associated with subscription
+ * @kref: reference count for this subscription
+ * @net: network namespace associated with subscription
  * @timer: timer governing subscription duration (optional)
- * @nameseq_list: adjacent subscriptions in name sequence's subscription list
+ * @service_list: adjacent subscriptions in name sequence's subscription list
  * @sub_list: adjacent subscriptions in subscriber's subscription list
  * @evt: template for events generated by subscription
+ * @conid: connection identifier of topology server
+ * @inactive: true if this subscription is inactive
+ * @lock: serialize up/down and timer events
  */
 struct tipc_subscription {
 	struct kref kref;
@@ -63,7 +66,7 @@ struct tipc_subscription {
 	struct tipc_event evt;
 	int conid;
 	bool inactive;
-	spinlock_t lock; /* serialize up/down and timer events */
+	spinlock_t lock;
 };
 
 struct tipc_subscription *tipc_sub_subscribe(struct net *net,
-- 
2.39.2





* [PATCH 5.10 110/211] tipc: add tipc_bearer_min_mtu to calculate min mtu
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xin Long, Jon Maloy,
	David S. Miller, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 3ae6d66b605be604644d4bb5708a7ffd9cf1abe8 ]

As different media may require different min mtu, and even the
same media with different net family requires different min mtu,
add tipc_bearer_min_mtu() to calculate min mtu accordingly.

This API will be used to check the new mtu when doing the link
mtu negotiation in the next patch.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: 56077b56cd3f ("tipc: do not update mtu if msg_max is too small in mtu negotiation")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tipc/bearer.c    | 13 +++++++++++++
 net/tipc/bearer.h    |  3 +++
 net/tipc/udp_media.c |  5 +++--
 3 files changed, 19 insertions(+), 2 deletions(-)

diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index 72c31ef985eb3..c6a9b3446ff89 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -525,6 +525,19 @@ int tipc_bearer_mtu(struct net *net, u32 bearer_id)
 	return mtu;
 }
 
+int tipc_bearer_min_mtu(struct net *net, u32 bearer_id)
+{
+	int mtu = TIPC_MIN_BEARER_MTU;
+	struct tipc_bearer *b;
+
+	rcu_read_lock();
+	b = bearer_get(net, bearer_id);
+	if (b)
+		mtu += b->encap_hlen;
+	rcu_read_unlock();
+	return mtu;
+}
+
 /* tipc_bearer_xmit_skb - sends buffer to destination over bearer
  */
 void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id,
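
Review bot: tipc_bearer_min_mtu() has no comment, and when bearer_get() returns NULL it silently returns TIPC_MIN_BEARER_MTU with no encapsulation overhead, so the caller cannot tell a missing bearer from one without encapsulation. The result is also only as good as b->encap_hlen, which this patch sets only in tipc_udp_enable(). A short kernel-doc stating that other media rely on the field being zero, and what the return value means for an unknown bearer_id, would make the minimum safe to use as the bound in the mtu negotiation check the commit message announces.
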
diff --git a/net/tipc/bearer.h b/net/tipc/bearer.h
index 6bf4550aa1ac1..711a50f449934 100644
--- a/net/tipc/bearer.h
+++ b/net/tipc/bearer.h
@@ -146,6 +146,7 @@ struct tipc_media {
  * @identity: array index of this bearer within TIPC bearer array
  * @disc: ptr to link setup request
  * @net_plane: network plane ('A' through 'H') currently associated with bearer
+ * @encap_hlen: encap headers length
  * @up: bearer up flag (bit 0)
  * @refcnt: tipc_bearer reference counter
  *
@@ -170,6 +171,7 @@ struct tipc_bearer {
 	u32 identity;
 	struct tipc_discoverer *disc;
 	char net_plane;
+	u16 encap_hlen;
 	unsigned long up;
 	refcount_t refcnt;
 };
@@ -232,6 +234,7 @@ int tipc_bearer_setup(void);
 void tipc_bearer_cleanup(void);
 void tipc_bearer_stop(struct net *net);
 int tipc_bearer_mtu(struct net *net, u32 bearer_id);
+int tipc_bearer_min_mtu(struct net *net, u32 bearer_id);
 bool tipc_bearer_bcast_support(struct net *net, u32 bearer_id);
 void tipc_bearer_xmit_skb(struct net *net, u32 bearer_id,
 			  struct sk_buff *skb,
diff --git a/net/tipc/udp_media.c b/net/tipc/udp_media.c
index a236281082726..3e47501f024fd 100644
--- a/net/tipc/udp_media.c
+++ b/net/tipc/udp_media.c
@@ -730,8 +730,8 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
 			udp_conf.local_ip.s_addr = local.ipv4.s_addr;
 		udp_conf.use_udp_checksums = false;
 		ub->ifindex = dev->ifindex;
-		if (tipc_mtu_bad(dev, sizeof(struct iphdr) +
-				      sizeof(struct udphdr))) {
+		b->encap_hlen = sizeof(struct iphdr) + sizeof(struct udphdr);
+		if (tipc_mtu_bad(dev, b->encap_hlen)) {
 			err = -EINVAL;
 			goto err;
 		}
@@ -752,6 +752,7 @@ static int tipc_udp_enable(struct net *net, struct tipc_bearer *b,
 		else
 			udp_conf.local_ip6 = local.ipv6;
 		ub->ifindex = dev->ifindex;
+		b->encap_hlen = sizeof(struct ipv6hdr) + sizeof(struct udphdr);
 		b->mtu = 1280;
 #endif
 	} else {
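
Review bot: the IPv6 branch records b->encap_hlen but, unlike the IPv4 branch in the previous hunk, does not run tipc_mtu_bad(dev, b->encap_hlen); it only sets b->mtu = 1280. If that asymmetry is intentional it deserves a comment, otherwise the device MTU goes unchecked for IPv6 bearers.
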
-- 
2.39.2





* [PATCH 5.10 111/211] tipc: do not update mtu if msg_max is too small in mtu negotiation
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Shuang Li, Xin Long, Jon Maloy,
	David S. Miller, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 56077b56cd3fb78e1c8619e29581ba25a5c55e86 ]

When doing link mtu negotiation, a malicious peer may send Activate msg
with a very small mtu, e.g. 4 in Shuang's testing, without checking for
the minimum mtu, l->mtu will be set to 4 in tipc_link_proto_rcv(), then
n->links[bearer_id].mtu is set to 4294967228, which is an overflow of
'4 - INT_H_SIZE - EMSG_OVERHEAD' in tipc_link_mss().

With tipc_link.mtu = 4, tipc_link_xmit() kept printing the warning:

 tipc: Too large msg, purging xmit list 1 5 0 40 4!
 tipc: Too large msg, purging xmit list 1 15 0 60 4!

And with tipc_link_entry.mtu 4294967228, a huge skb was allocated in
named_distribute(), and when purging it in tipc_link_xmit(), a crash
was even caused:

  general protection fault, probably for non-canonical address 0x2100001011000dd: 0000 [#1] PREEMPT SMP PTI
  CPU: 0 PID: 0 Comm: swapper/0 Kdump: loaded Not tainted 6.3.0.neta #19
  RIP: 0010:kfree_skb_list_reason+0x7e/0x1f0
  Call Trace:
   <IRQ>
   skb_release_data+0xf9/0x1d0
   kfree_skb_reason+0x40/0x100
   tipc_link_xmit+0x57a/0x740 [tipc]
   tipc_node_xmit+0x16c/0x5c0 [tipc]
   tipc_named_node_up+0x27f/0x2c0 [tipc]
   tipc_node_write_unlock+0x149/0x170 [tipc]
   tipc_rcv+0x608/0x740 [tipc]
   tipc_udp_recv+0xdc/0x1f0 [tipc]
   udp_queue_rcv_one_skb+0x33e/0x620
   udp_unicast_rcv_skb.isra.72+0x75/0x90
   __udp4_lib_rcv+0x56d/0xc20
   ip_protocol_deliver_rcu+0x100/0x2d0

This patch fixes it by checking the new mtu against tipc_bearer_min_mtu(),
and not updating mtu if it is too small.

Fixes: ed193ece2649 ("tipc: simplify link mtu negotiation")
Reported-by: Shuang Li <shuali@redhat.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tipc/link.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/tipc/link.c b/net/tipc/link.c
index c1e56d1f21b38..dbb1bc722ba9b 100644
--- a/net/tipc/link.c
+++ b/net/tipc/link.c
@@ -2164,7 +2164,7 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 	struct tipc_msg *hdr = buf_msg(skb);
 	struct tipc_gap_ack_blks *ga = NULL;
 	bool reply = msg_probe(hdr), retransmitted = false;
-	u32 dlen = msg_data_sz(hdr), glen = 0;
+	u32 dlen = msg_data_sz(hdr), glen = 0, msg_max;
 	u16 peers_snd_nxt =  msg_next_sent(hdr);
 	u16 peers_tol = msg_link_tolerance(hdr);
 	u16 peers_prio = msg_linkprio(hdr);
@@ -2203,6 +2203,9 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 	switch (mtyp) {
 	case RESET_MSG:
 	case ACTIVATE_MSG:
+		msg_max = msg_max_pkt(hdr);
+		if (msg_max < tipc_bearer_min_mtu(l->net, l->bearer_id))
+			break;
 		/* Complete own link name with peer's interface name */
 		if_name =  strrchr(l->name, ':') + 1;
 		if (sizeof(l->name) - (if_name - l->name) <= TIPC_MAX_IF_NAME)
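Review bot: the break taken when msg_max < tipc_bearer_min_mtu(l->net, l->bearer_id) skips the whole RESET_MSG/ACTIVATE_MSG case, not only the mtu update that the commit message describes, and it does so silently. A short comment stating that the entire message is ignored would match the code to the description, and a rate-limited warning or counter recording the rejected value would let an operator tell a peer advertising a bogus mtu from a link that simply never comes up.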
@@ -2247,8 +2250,8 @@ static int tipc_link_proto_rcv(struct tipc_link *l, struct sk_buff *skb,
 		l->peer_session = msg_session(hdr);
 		l->in_session = true;
 		l->peer_bearer_id = msg_bearer_id(hdr);
-		if (l->mtu > msg_max_pkt(hdr))
-			l->mtu = msg_max_pkt(hdr);
+		if (l->mtu > msg_max)
+			l->mtu = msg_max;
 		break;
 
 	case STATE_MSG:
-- 
2.39.2





* [PATCH 5.10 112/211] tipc: check the bearer min mtu properly when setting it by netlink
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (110 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 111/211] tipc: do not update mtu if msg_max is too small in mtu negotiation Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 113/211] net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop() Greg Kroah-Hartman
                   ` (104 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Xin Long, Jon Maloy,
	David S. Miller, Sasha Levin

From: Xin Long <lucien.xin@gmail.com>

[ Upstream commit 35a089b5d793d2bfd2cc7cfa6104545184de2ce7 ]

Checking the bearer min mtu with tipc_udp_mtu_bad() only works for
IPv4 UDP bearer, and IPv6 UDP bearer has a different value for the
min mtu. This patch checks with encap_hlen + TIPC_MIN_BEARER_MTU
for min mtu, which works for both IPv4 and IPv6 UDP bearer.

Note that tipc_udp_mtu_bad() is still used to check media min mtu
in __tipc_nl_media_set(), as m->mtu currently is only used by the
IPv4 UDP bearer as its default mtu value.

Fixes: 682cd3cf946b ("tipc: confgiure and apply UDP bearer MTU on running links")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Jon Maloy <jmaloy@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/tipc/bearer.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/tipc/bearer.c b/net/tipc/bearer.c
index c6a9b3446ff89..91e678fa3feb5 100644
--- a/net/tipc/bearer.c
+++ b/net/tipc/bearer.c
@@ -1135,8 +1135,8 @@ int __tipc_nl_bearer_set(struct sk_buff *skb, struct genl_info *info)
 				return -EINVAL;
 			}
 #ifdef CONFIG_TIPC_MEDIA_UDP
-			if (tipc_udp_mtu_bad(nla_get_u32
-					     (props[TIPC_NLA_PROP_MTU]))) {
+			if (nla_get_u32(props[TIPC_NLA_PROP_MTU]) <
+			    b->encap_hlen + TIPC_MIN_BEARER_MTU) {
 				NL_SET_ERR_MSG(info->extack,
 					       "MTU value is out-of-range");
 				return -EINVAL;
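Review bot: the lower bound b->encap_hlen + TIPC_MIN_BEARER_MTU is open-coded here, while patch 111 of this series obtains the bearer minimum through tipc_bearer_min_mtu(l->net, l->bearer_id). If both are meant to be the same quantity, deriving them from one helper or macro would stop the netlink path and the negotiation path from drifting apart; if they differ on purpose, a comment at this check should say why.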
-- 
2.39.2





* [PATCH 5.10 113/211] net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (111 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 112/211] tipc: check the bearer min mtu properly when setting it by netlink Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 114/211] net: bcmgenet: Restore phy_stop() depending upon suspend/close Greg Kroah-Hartman
                   ` (103 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Fainelli, David S. Miller,
	Sasha Levin

From: Florian Fainelli <f.fainelli@gmail.com>

[ Upstream commit 93e0401e0fc0c54b0ac05b687cd135c2ac38187c ]

The call to phy_stop() races with the later call to phy_disconnect(),
resulting in concurrent phy_suspend() calls being run from different
CPUs. The final call to phy_disconnect() ensures that the PHY is
stopped and suspended, too.

Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 7667cbb5adfd6..20b161620fee9 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -3412,7 +3412,6 @@ static void bcmgenet_netif_stop(struct net_device *dev)
 	/* Disable MAC transmit. TX DMA disabled must be done before this */
 	umac_enable_set(priv, CMD_TX_EN, false);
 
-	phy_stop(dev->phydev);
 	bcmgenet_disable_rx_napi(priv);
 	bcmgenet_intr_disable(priv);
 
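Review bot: removing phy_stop(dev->phydev) unconditionally is only safe for callers of bcmgenet_netif_stop() that go on to call phy_disconnect(), which is the case the commit message argues. Any other caller now leaves the PHY state machine running; patch 114 of this series shows bcmgenet_suspend() is one, so this change should not be applied without that follow-up.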
-- 
2.39.2





* [PATCH 5.10 114/211] net: bcmgenet: Restore phy_stop() depending upon suspend/close
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (112 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 113/211] net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop() Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 115/211] wifi: mac80211: fix min center freq offset tracing Greg Kroah-Hartman
                   ` (102 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Florian Fainelli, Pavan Chebbi,
	Paolo Abeni, Sasha Levin

From: Florian Fainelli <f.fainelli@gmail.com>

[ Upstream commit 225c657945c4a6307741cb3cc89467eadcc26e9b ]

Removing the phy_stop() from bcmgenet_netif_stop() ended up causing
warnings from the PHY library that phy_start() is called from the
RUNNING state since we are no longer stopping the PHY state machine
during bcmgenet_suspend().

Restore the call to phy_stop() but make it conditional on being called
from the close or suspend path.

Fixes: c96e731c93ff ("net: bcmgenet: connect and disconnect from the PHY state machine")
Fixes: 93e0401e0fc0 ("net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop()")
Signed-off-by: Florian Fainelli <f.fainelli@gmail.com>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Link: https://lore.kernel.org/r/20230515025608.2587012-1-f.fainelli@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/broadcom/genet/bcmgenet.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/drivers/net/ethernet/broadcom/genet/bcmgenet.c b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
index 20b161620fee9..145488449f133 100644
--- a/drivers/net/ethernet/broadcom/genet/bcmgenet.c
+++ b/drivers/net/ethernet/broadcom/genet/bcmgenet.c
@@ -3397,7 +3397,7 @@ static int bcmgenet_open(struct net_device *dev)
 	return ret;
 }
 
-static void bcmgenet_netif_stop(struct net_device *dev)
+static void bcmgenet_netif_stop(struct net_device *dev, bool stop_phy)
 {
 	struct bcmgenet_priv *priv = netdev_priv(dev);
 
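Review bot: the new stop_phy parameter of bcmgenet_netif_stop() is undocumented, and a bare true/false at the call sites does not say what it controls. A comment above the function stating when the PHY must be stopped here and when the caller's later phy_disconnect() takes care of it would make the contract clear.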
@@ -3412,6 +3412,8 @@ static void bcmgenet_netif_stop(struct net_device *dev)
 	/* Disable MAC transmit. TX DMA disabled must be done before this */
 	umac_enable_set(priv, CMD_TX_EN, false);
 
+	if (stop_phy)
+		phy_stop(dev->phydev);
 	bcmgenet_disable_rx_napi(priv);
 	bcmgenet_intr_disable(priv);
 
@@ -3437,7 +3439,7 @@ static int bcmgenet_close(struct net_device *dev)
 
 	netif_dbg(priv, ifdown, dev, "bcmgenet_close\n");
 
-	bcmgenet_netif_stop(dev);
+	bcmgenet_netif_stop(dev, false);
 
 	/* Really kill the PHY state machine and disconnect from it */
 	phy_disconnect(dev->phydev);
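Review bot: bcmgenet_close() passes false, yet the commit message says phy_stop() is restored "conditional on being called from the close or suspend path". The code is consistent with patch 113 (close relies on the phy_disconnect() that follows), so the commit message or a comment at this call should state that close deliberately skips phy_stop().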
@@ -4239,7 +4241,7 @@ static int bcmgenet_suspend(struct device *d)
 
 	netif_device_detach(dev);
 
-	bcmgenet_netif_stop(dev);
+	bcmgenet_netif_stop(dev, true);
 
 	if (!device_may_wakeup(d))
 		phy_suspend(dev->phydev);
-- 
2.39.2





* [PATCH 5.10 115/211] wifi: mac80211: fix min center freq offset tracing
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (113 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 114/211] net: bcmgenet: Restore phy_stop() depending upon suspend/close Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 116/211] wifi: iwlwifi: mvm: dont trust firmware n_channels Greg Kroah-Hartman
                   ` (101 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Johannes Berg, Gregory Greenman,
	Sasha Levin

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit 248e4776514bf70236e6b1a54c65aa5324c8b1eb ]

We need to set the correct trace variable, otherwise we're
overwriting something else instead and the right one that
we print later is not initialized.

Fixes: b6011960f392 ("mac80211: handle channel frequency offset")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230504134511.828474-2-gregory.greenman@intel.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/mac80211/trace.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/mac80211/trace.h b/net/mac80211/trace.h
index 89723907a0945..5ddaa7c824773 100644
--- a/net/mac80211/trace.h
+++ b/net/mac80211/trace.h
@@ -67,7 +67,7 @@
 			__entry->min_freq_offset = (c)->chan ? (c)->chan->freq_offset : 0;	\
 			__entry->min_chan_width = (c)->width;				\
 			__entry->min_center_freq1 = (c)->center_freq1;			\
-			__entry->freq1_offset = (c)->freq1_offset;			\
+			__entry->min_freq1_offset = (c)->freq1_offset;			\
 			__entry->min_center_freq2 = (c)->center_freq2;
 #define MIN_CHANDEF_PR_FMT	" min_control:%d.%03d MHz min_width:%d min_center: %d.%03d/%d MHz"
 #define MIN_CHANDEF_PR_ARG	__entry->min_control_freq, __entry->min_freq_offset,	\
-- 
2.39.2





* [PATCH 5.10 116/211] wifi: iwlwifi: mvm: dont trust firmware n_channels
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (114 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 115/211] wifi: mac80211: fix min center freq offset tracing Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 117/211] scsi: storvsc: Dont pass unused PFNs to Hyper-V host Greg Kroah-Hartman
                   ` (100 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Johannes Berg, Gregory Greenman,
	Sasha Levin

From: Johannes Berg <johannes.berg@intel.com>

[ Upstream commit 682b6dc29d98e857e6ca4bbc077c7dc2899b7473 ]

If the firmware sends us a corrupted MCC response with
n_channels much larger than the command response can be,
we might copy far too much (uninitialized) memory and
even crash if the n_channels is large enough to make it
run out of the one page allocated for the FW response.

Fix that by checking the lengths. Doing a < comparison
would be sufficient, but the firmware should be doing
it correctly, so check more strictly.

Fixes: dcaf9f5ecb6f ("iwlwifi: mvm: add MCC update FW API")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230514120631.d7b233139eb4.I51fd319df8e9d41881fc8450e83d78049518a79a@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/wireless/intel/iwlwifi/mvm/nvm.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
index 60296a754af26..34be3f75c2e96 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/nvm.c
@@ -502,6 +502,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2,
 		struct iwl_mcc_update_resp *mcc_resp = (void *)pkt->data;
 
 		n_channels =  __le32_to_cpu(mcc_resp->n_channels);
+		if (iwl_rx_packet_payload_len(pkt) !=
+		    struct_size(mcc_resp, channels, n_channels)) {
+			resp_cp = ERR_PTR(-EINVAL);
+			goto exit;
+		}
 		resp_len = sizeof(struct iwl_mcc_update_resp) +
 			   n_channels * sizeof(__le32);
 		resp_cp = kmemdup(mcc_resp, resp_len, GFP_KERNEL);
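Review bot: the length check uses struct_size(mcc_resp, channels, n_channels), but resp_len just below is still computed with the open-coded sizeof(struct iwl_mcc_update_resp) + n_channels * sizeof(__le32). Reusing the struct_size() result for resp_len would keep the validated length and the copied length provably identical and avoid a second multiplication on a firmware-supplied count.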
@@ -513,6 +518,11 @@ iwl_mvm_update_mcc(struct iwl_mvm *mvm, const char *alpha2,
 		struct iwl_mcc_update_resp_v3 *mcc_resp_v3 = (void *)pkt->data;
 
 		n_channels =  __le32_to_cpu(mcc_resp_v3->n_channels);
+		if (iwl_rx_packet_payload_len(pkt) !=
+		    struct_size(mcc_resp_v3, channels, n_channels)) {
+			resp_cp = ERR_PTR(-EINVAL);
+			goto exit;
+		}
 		resp_len = sizeof(struct iwl_mcc_update_resp) +
 			   n_channels * sizeof(__le32);
 		resp_cp = kzalloc(resp_len, GFP_KERNEL);
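Review bot: in the v3 branch the payload is validated against struct_size(mcc_resp_v3, channels, n_channels), while resp_len is sized from sizeof(struct iwl_mcc_update_resp), a different struct. That is presumably intended because the v3 data is converted into the newer layout, but a comment saying the two sizes differ on purpose would help, and resp_len could use struct_size() on the destination type instead of the open-coded sum.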
-- 
2.39.2





* [PATCH 5.10 117/211] scsi: storvsc: Dont pass unused PFNs to Hyper-V host
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (115 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 116/211] wifi: iwlwifi: mvm: dont trust firmware n_channels Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 118/211] cassini: Fix a memory leak in the error handling path of cas_init_one() Greg Kroah-Hartman
                   ` (99 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, John Starks, Michael Kelley,
	Martin K. Petersen, Sasha Levin

From: Michael Kelley <mikelley@microsoft.com>

[ Upstream commit 4e81a6cba517cb33584308a331f14f5e3fec369b ]

In a SCSI request, storvsc pre-allocates space for up to
MAX_PAGE_BUFFER_COUNT physical frame numbers to be passed to Hyper-V.  If
the size of the I/O request requires more PFNs, a separate memory area of
exactly the correct size is dynamically allocated.

But when the pre-allocated area is used, current code always passes
MAX_PAGE_BUFFER_COUNT PFNs to Hyper-V, even if fewer are needed.  While
this doesn't break anything because the additional PFNs are always zero,
more bytes than necessary are copied into the VMBus channel ring buffer.
This takes CPU cycles and wastes space in the ring buffer. For a typical 4
Kbyte I/O that requires only a single PFN, 248 unnecessary bytes are
copied.

Fix this by setting the payload_sz based on the actual number of PFNs
required, not the size of the pre-allocated space.

Reported-by: John Starks <jostarks@microsoft.com>
Fixes: 8f43710543ef ("scsi: storvsc: Support PAGE_SIZE larger than 4K")
Signed-off-by: Michael Kelley <mikelley@microsoft.com>
Link: https://lore.kernel.org/r/1684171241-16209-1-git-send-email-mikelley@microsoft.com
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/scsi/storvsc_drv.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/drivers/scsi/storvsc_drv.c b/drivers/scsi/storvsc_drv.c
index e38aebcabb26f..70b4868fe2f7d 100644
--- a/drivers/scsi/storvsc_drv.c
+++ b/drivers/scsi/storvsc_drv.c
@@ -1756,7 +1756,7 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
 
 	length = scsi_bufflen(scmnd);
 	payload = (struct vmbus_packet_mpb_array *)&cmd_request->mpb;
-	payload_sz = sizeof(cmd_request->mpb);
+	payload_sz = 0;
 
 	if (sg_count) {
 		unsigned int hvpgoff = 0;
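Review bot: with payload_sz = 0 as the initial value, a request with sg_count == 0 now reaches the send path with payload still pointing at cmd_request->mpb but a zero size, where it previously carried sizeof(cmd_request->mpb). The visible lines do not show how the sender treats a zero payload_sz, so the commit message or a comment here should confirm that the no-data case is handled and was tested.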
@@ -1764,10 +1764,10 @@ static int storvsc_queuecommand(struct Scsi_Host *host, struct scsi_cmnd *scmnd)
 		unsigned int hvpg_count = HVPFN_UP(offset_in_hvpg + length);
 		u64 hvpfn;
 
-		if (hvpg_count > MAX_PAGE_BUFFER_COUNT) {
+		payload_sz = (hvpg_count * sizeof(u64) +
+			      sizeof(struct vmbus_packet_mpb_array));
 
-			payload_sz = (hvpg_count * sizeof(u64) +
-				      sizeof(struct vmbus_packet_mpb_array));
+		if (hvpg_count > MAX_PAGE_BUFFER_COUNT) {
 			payload = kzalloc(payload_sz, GFP_ATOMIC);
 			if (!payload)
 				return SCSI_MLQUEUE_DEVICE_BUSY;
-- 
2.39.2





* [PATCH 5.10 118/211] cassini: Fix a memory leak in the error handling path of cas_init_one()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (116 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 117/211] scsi: storvsc: Dont pass unused PFNs to Hyper-V host Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 119/211] igb: fix bit_shift to be in [1..8] range Greg Kroah-Hartman
                   ` (98 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Pavan Chebbi,
	Simon Horman, David S. Miller, Sasha Levin

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

[ Upstream commit 412cd77a2c24b191c65ea53025222418db09817c ]

cas_saturn_firmware_init() allocates some memory using vmalloc(). This
memory is freed in the .remove() function but not in the error handling
path of the probe.

Add the missing vfree() to avoid a memory leak, should an error occur.

Fixes: fcaa40669cd7 ("cassini: use request_firmware")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Pavan Chebbi <pavan.chebbi@broadcom.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/sun/cassini.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/drivers/net/ethernet/sun/cassini.c b/drivers/net/ethernet/sun/cassini.c
index 9ff894ba8d3ea..d245f6e21e8ca 100644
--- a/drivers/net/ethernet/sun/cassini.c
+++ b/drivers/net/ethernet/sun/cassini.c
@@ -5122,6 +5122,8 @@ static int cas_init_one(struct pci_dev *pdev, const struct pci_device_id *ent)
 		cas_shutdown(cp);
 	mutex_unlock(&cp->pm_mutex);
 
+	vfree(cp->fw_data);
+
 	pci_iounmap(pdev, cp->regs);
 
 
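Review bot: the added vfree(cp->fw_data) sits on a shared unwind path, so it also runs for failures that occur before the firmware buffer was allocated. That is fine as long as cp->fw_data is guaranteed to be NULL at that point, since vfree(NULL) is a no-op; a brief comment or a note in the commit message confirming that the field starts out zeroed would close the question.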
-- 
2.39.2





* [PATCH 5.10 119/211] igb: fix bit_shift to be in [1..8] range
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (117 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 118/211] cassini: Fix a memory leak in the error handling path of cas_init_one() Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 120/211] vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() Greg Kroah-Hartman
                   ` (97 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Aleksandr Loktionov, Tony Nguyen,
	David S. Miller, Sasha Levin, Pucha Himasekhar Reddy

From: Aleksandr Loktionov <aleksandr.loktionov@intel.com>

[ Upstream commit 60d758659f1fb49e0d5b6ac2691ede8c0958795b ]

In igb_hash_mc_addr() the expression:
        "mc_addr[4] >> 8 - bit_shift", right shifting "mc_addr[4]"
shift by more than 7 bits always yields zero, so hash becomes not so different.
Add initialization with bit_shift = 1 and add a loop condition to ensure
bit_shift will be always in [1..8] range.

Fixes: 9d5c824399de ("igb: PCI-Express 82575 Gigabit Ethernet driver")
Signed-off-by: Aleksandr Loktionov <aleksandr.loktionov@intel.com>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Tony Nguyen <anthony.l.nguyen@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/net/ethernet/intel/igb/e1000_mac.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/drivers/net/ethernet/intel/igb/e1000_mac.c b/drivers/net/ethernet/intel/igb/e1000_mac.c
index fd8eb2f9ab9dc..57e813405b311 100644
--- a/drivers/net/ethernet/intel/igb/e1000_mac.c
+++ b/drivers/net/ethernet/intel/igb/e1000_mac.c
@@ -426,7 +426,7 @@ void igb_mta_set(struct e1000_hw *hw, u32 hash_value)
 static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr)
 {
 	u32 hash_value, hash_mask;
-	u8 bit_shift = 0;
+	u8 bit_shift = 1;
 
 	/* Register count multiplied by bits per register */
 	hash_mask = (hw->mac.mta_reg_count * 32) - 1;
@@ -434,7 +434,7 @@ static u32 igb_hash_mc_addr(struct e1000_hw *hw, u8 *mc_addr)
 	/* For a mc_filter_type of 0, bit_shift is the number of left-shifts
 	 * where 0xFF would still fall within the hash mask.
 	 */
-	while (hash_mask >> bit_shift != 0xFF)
+	while (hash_mask >> bit_shift != 0xFF && bit_shift < 4)
 		bit_shift++;
 
 	/* The portion of the address that is used for the hash table
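Review bot: the loop is capped with bit_shift < 4, but the subject and commit message promise a [1..8] range. If 4 is the real upper bound for the supported mta_reg_count values, say so in the commit message and in the comment above the loop, which still describes only the 0xFF condition; if 8 was intended, the constant is wrong.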
-- 
2.39.2





* [PATCH 5.10 120/211] vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (118 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 119/211] igb: fix bit_shift to be in [1..8] range Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 121/211] netfilter: nft_set_rbtree: fix null deref on element insertion Greg Kroah-Hartman
                   ` (96 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
	David S. Miller, Sasha Levin

From: Eric Dumazet <edumazet@google.com>

[ Upstream commit dacab578c7c6cd06c50c89dfa36b0e0f10decd4e ]

syzbot triggered the following splat [1], sending an empty message
through pppoe_sendmsg().

When VLAN_FLAG_REORDER_HDR flag is set, vlan_dev_hard_header()
does not push extra bytes for the VLAN header, because vlan is offloaded.

Unfortunately vlan_dev_hard_start_xmit() first reads veth->h_vlan_proto
before testing (vlan->flags & VLAN_FLAG_REORDER_HDR).

We need to swap the two conditions.

[1]
BUG: KMSAN: uninit-value in vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
vlan_dev_hard_start_xmit+0x171/0x7f0 net/8021q/vlan_dev.c:111
__netdev_start_xmit include/linux/netdevice.h:4883 [inline]
netdev_start_xmit include/linux/netdevice.h:4897 [inline]
xmit_one net/core/dev.c:3580 [inline]
dev_hard_start_xmit+0x253/0xa20 net/core/dev.c:3596
__dev_queue_xmit+0x3c7f/0x5ac0 net/core/dev.c:4246
dev_queue_xmit include/linux/netdevice.h:3053 [inline]
pppoe_sendmsg+0xa93/0xb80 drivers/net/ppp/pppoe.c:900
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
__do_sys_sendmmsg net/socket.c:2670 [inline]
__se_sys_sendmmsg net/socket.c:2667 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Uninit was created at:
slab_post_alloc_hook+0x12d/0xb60 mm/slab.h:774
slab_alloc_node mm/slub.c:3452 [inline]
kmem_cache_alloc_node+0x543/0xab0 mm/slub.c:3497
kmalloc_reserve+0x148/0x470 net/core/skbuff.c:520
__alloc_skb+0x3a7/0x850 net/core/skbuff.c:606
alloc_skb include/linux/skbuff.h:1277 [inline]
sock_wmalloc+0xfe/0x1a0 net/core/sock.c:2583
pppoe_sendmsg+0x3af/0xb80 drivers/net/ppp/pppoe.c:867
sock_sendmsg_nosec net/socket.c:724 [inline]
sock_sendmsg net/socket.c:747 [inline]
____sys_sendmsg+0xa24/0xe40 net/socket.c:2501
___sys_sendmsg+0x2a1/0x3f0 net/socket.c:2555
__sys_sendmmsg+0x411/0xa50 net/socket.c:2641
__do_sys_sendmmsg net/socket.c:2670 [inline]
__se_sys_sendmmsg net/socket.c:2667 [inline]
__x64_sys_sendmmsg+0xbc/0x120 net/socket.c:2667
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

CPU: 0 PID: 29770 Comm: syz-executor.0 Not tainted 6.3.0-rc6-syzkaller-gc478e5b17829 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/30/2023

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/8021q/vlan_dev.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/8021q/vlan_dev.c b/net/8021q/vlan_dev.c
index 929f85c6cf112..8edac9307868a 100644
--- a/net/8021q/vlan_dev.c
+++ b/net/8021q/vlan_dev.c
@@ -108,8 +108,8 @@ static netdev_tx_t vlan_dev_hard_start_xmit(struct sk_buff *skb,
 	 * NOTE: THIS ASSUMES DIX ETHERNET, SPECIFICALLY NOT SUPPORTING
 	 * OTHER THINGS LIKE FDDI/TokenRing/802.3 SNAPs...
 	 */
-	if (veth->h_vlan_proto != vlan->vlan_proto ||
-	    vlan->flags & VLAN_FLAG_REORDER_HDR) {
+	if (vlan->flags & VLAN_FLAG_REORDER_HDR ||
+	    veth->h_vlan_proto != vlan->vlan_proto) {
 		u16 vlan_tci;
 		vlan_tci = vlan->vlan_id;
 		vlan_tci |= vlan_dev_get_egress_qos_mask(dev, skb->priority);
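Review bot: the correctness of the swapped condition now depends on short-circuit order, with the vlan->flags & VLAN_FLAG_REORDER_HDR test guarding the read of veth->h_vlan_proto, and nothing in the code says so. A comment on the if explaining that veth may not point at initialised header bytes when REORDER_HDR is set would prevent a later cleanup from reordering the operands again.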
-- 
2.39.2





* [PATCH 5.10 121/211] netfilter: nft_set_rbtree: fix null deref on element insertion
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (119 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 120/211] vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 122/211] bridge: always declare tunnel functions Greg Kroah-Hartman
                   ` (95 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Florian Westphal, Sasha Levin

From: Florian Westphal <fw@strlen.de>

[ Upstream commit 61ae320a29b0540c16931816299eb86bf2b66c08 ]

There is no guarantee that rb_prev() will not return NULL in nft_rbtree_gc_elem():

general protection fault, probably for non-canonical address 0xdffffc0000000003: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000018-0x000000000000001f]
 nft_add_set_elem+0x14b0/0x2990
  nf_tables_newsetelem+0x528/0xb30

Furthermore, there is a possible use-after-free while iterating,
'node' can be free'd so we need to cache the next value to use.

Fixes: c9e6978e2725 ("netfilter: nft_set_rbtree: Switch to node list walk for overlap detection")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/nft_set_rbtree.c | 20 +++++++++++++-------
 1 file changed, 13 insertions(+), 7 deletions(-)

diff --git a/net/netfilter/nft_set_rbtree.c b/net/netfilter/nft_set_rbtree.c
index 4b9a499fe8f4d..1ffb24f4c74ca 100644
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -220,7 +220,7 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
 {
 	struct nft_set *set = (struct nft_set *)__set;
 	struct rb_node *prev = rb_prev(&rbe->node);
-	struct nft_rbtree_elem *rbe_prev;
+	struct nft_rbtree_elem *rbe_prev = NULL;
 	struct nft_set_gc_batch *gcb;
 
 	gcb = nft_set_gc_batch_check(set, NULL, GFP_ATOMIC);
@@ -228,17 +228,21 @@ static int nft_rbtree_gc_elem(const struct nft_set *__set,
 		return -ENOMEM;
 
 	/* search for expired end interval coming before this element. */
-	do {
+	while (prev) {
 		rbe_prev = rb_entry(prev, struct nft_rbtree_elem, node);
 		if (nft_rbtree_interval_end(rbe_prev))
 			break;
 
 		prev = rb_prev(prev);
-	} while (prev != NULL);
+	}
+
+	if (rbe_prev) {
+		rb_erase(&rbe_prev->node, &priv->root);
+		atomic_dec(&set->nelems);
+	}
 
-	rb_erase(&rbe_prev->node, &priv->root);
 	rb_erase(&rbe->node, &priv->root);
-	atomic_sub(2, &set->nelems);
+	atomic_dec(&set->nelems);
 
 	nft_set_gc_batch_add(gcb, rbe);
 	nft_set_gc_batch_complete(gcb);
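Review bot: in the rewritten walk in nft_rbtree_gc_elem(), rbe_prev is assigned on every iteration, so when the while (prev) loop ends because prev became NULL rather than via the break, rbe_prev still points at the last visited element, which is not an end interval. The following if (rbe_prev) then erases that unrelated element and decrements set->nelems. Testing prev instead of rbe_prev, or resetting rbe_prev to NULL when no end interval is found, would limit the erase to the case the comment describes.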
@@ -267,7 +271,7 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
 			       struct nft_set_ext **ext)
 {
 	struct nft_rbtree_elem *rbe, *rbe_le = NULL, *rbe_ge = NULL;
-	struct rb_node *node, *parent, **p, *first = NULL;
+	struct rb_node *node, *next, *parent, **p, *first = NULL;
 	struct nft_rbtree *priv = nft_set_priv(set);
 	u8 genmask = nft_genmask_next(net);
 	int d, err;
@@ -306,7 +310,9 @@ static int __nft_rbtree_insert(const struct net *net, const struct nft_set *set,
 	 * Values stored in the tree are in reversed order, starting from
 	 * highest to lowest value.
 	 */
-	for (node = first; node != NULL; node = rb_next(node)) {
+	for (node = first; node != NULL; node = next) {
+		next = rb_next(node);
+
 		rbe = rb_entry(node, struct nft_rbtree_elem, node);
 
 		if (!nft_set_elem_active(&rbe->ext, genmask))
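Review bot: nothing at the loop head says why `next = rb_next(node)` is read before the body runs. The earlier hunks show nft_rbtree_gc_elem() calling rb_erase() on the element it is handed, so presumably the body can unlink `node`. A one-line comment to that effect would keep a later cleanup from folding rb_next() back into the for statement.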
-- 
2.39.2





* [PATCH 5.10 122/211] bridge: always declare tunnel functions
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (120 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 121/211] netfilter: nft_set_rbtree: fix null deref on element insertion Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 123/211] ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go Greg Kroah-Hartman
                   ` (94 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Arnd Bergmann, Nikolay Aleksandrov,
	Jakub Kicinski, Sasha Levin

From: Arnd Bergmann <arnd@arndb.de>

[ Upstream commit 89dcd87ce534a3a7f267cfd58505803006f51301 ]

When CONFIG_BRIDGE_VLAN_FILTERING is disabled, two functions are still
defined but have no prototype or caller. This causes a W=1 warning for
the missing prototypes:

net/bridge/br_netlink_tunnel.c:29:6: error: no previous prototype for 'vlan_tunid_inrange' [-Werror=missing-prototypes]
net/bridge/br_netlink_tunnel.c:199:5: error: no previous prototype for 'br_vlan_tunnel_info' [-Werror=missing-prototypes]

The functions are already conditional on CONFIG_BRIDGE_VLAN_FILTERING,
and I couldn't easily figure out the right set of #ifdefs, so just
move the declarations out of the #ifdef to avoid the warning,
at a small cost in code size over a more elaborate fix.

Fixes: 188c67dd1906 ("net: bridge: vlan options: add support for tunnel id dumping")
Fixes: 569da0822808 ("net: bridge: vlan options: add support for tunnel mapping set/del")
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Acked-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://lore.kernel.org/r/20230516194625.549249-3-arnd@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/bridge/br_private_tunnel.h | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/net/bridge/br_private_tunnel.h b/net/bridge/br_private_tunnel.h
index c54cc26211d7c..f6c65dc088d60 100644
--- a/net/bridge/br_private_tunnel.h
+++ b/net/bridge/br_private_tunnel.h
@@ -27,6 +27,10 @@ int br_process_vlan_tunnel_info(const struct net_bridge *br,
 int br_get_vlan_tunnel_info_size(struct net_bridge_vlan_group *vg);
 int br_fill_vlan_tunnel_info(struct sk_buff *skb,
 			     struct net_bridge_vlan_group *vg);
+bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr,
+			const struct net_bridge_vlan *v_last);
+int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd,
+			u16 vid, u32 tun_id, bool *changed);
 
 #ifdef CONFIG_BRIDGE_VLAN_FILTERING
 /* br_vlan_tunnel.c */
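Review bot: the two added prototypes now sit directly above `#ifdef CONFIG_BRIDGE_VLAN_FILTERING` with nothing marking the placement as deliberate. A short comment that vlan_tunid_inrange() and br_vlan_tunnel_info() are declared unconditionally to satisfy -Wmissing-prototypes would stop a later tidy-up from moving them back inside the #ifdef and reintroducing the W=1 warning.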
@@ -43,10 +47,6 @@ int br_handle_ingress_vlan_tunnel(struct sk_buff *skb,
 				  struct net_bridge_vlan_group *vg);
 int br_handle_egress_vlan_tunnel(struct sk_buff *skb,
 				 struct net_bridge_vlan *vlan);
-bool vlan_tunid_inrange(const struct net_bridge_vlan *v_curr,
-			const struct net_bridge_vlan *v_last);
-int br_vlan_tunnel_info(const struct net_bridge_port *p, int cmd,
-			u16 vid, u32 tun_id, bool *changed);
 #else
 static inline int vlan_tunnel_init(struct net_bridge_vlan_group *vg)
 {
-- 
2.39.2





* [PATCH 5.10 123/211] ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (121 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 122/211] bridge: always declare tunnel functions Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 124/211] USB: usbtmc: Fix direction for 0-length ioctl control messages Greg Kroah-Hartman
                   ` (93 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, John Humlick, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 359b4315471181f108723c61612d96e383e56179 upstream.

Line6 Pod Go (0e41:424b) requires the similar workaround for the fixed
48k sample rate like other Line6 models.  This patch adds the
corresponding entry to line6_parse_audio_format_rate_quirk().

Reported-by: John Humlick <john@humlick.org>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20230512075858.22813-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/usb/format.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/usb/format.c
+++ b/sound/usb/format.c
@@ -419,6 +419,7 @@ static int line6_parse_audio_format_rate
 	case USB_ID(0x0e41, 0x4248): /* Line6 Helix >= fw 2.82 */
 	case USB_ID(0x0e41, 0x4249): /* Line6 Helix Rack >= fw 2.82 */
 	case USB_ID(0x0e41, 0x424a): /* Line6 Helix LT >= fw 2.82 */
+	case USB_ID(0x0e41, 0x424b): /* Line6 Pod Go */
 	case USB_ID(0x19f7, 0x0011): /* Rode Rodecaster Pro */
 		return set_fixed_rate(fp, 48000, SNDRV_PCM_RATE_48000);
 	}
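Review bot: the new `case USB_ID(0x0e41, 0x424b)` comment carries no firmware qualifier, while the three Helix entries above it are marked `>= fw 2.82`. If the fixed 48k rate applies to every Pod Go firmware, fine; if it was only confirmed on the reporter's unit, noting the tested firmware in the comment would match the neighbouring entries.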




* [PATCH 5.10 124/211] USB: usbtmc: Fix direction for 0-length ioctl control messages
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (122 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 123/211] ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 125/211] usb-storage: fix deadlock when a scsi command timeouts more than once Greg Kroah-Hartman
                   ` (92 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alan Stern, syzbot+ce77725b89b7bd52425c

From: Alan Stern <stern@rowland.harvard.edu>

commit 94d25e9128988c6a1fc9070f6e98215a95795bd8 upstream.

The syzbot fuzzer found a problem in the usbtmc driver: When a user
submits an ioctl for a 0-length control transfer, the driver does not
check that the direction is set to OUT:

------------[ cut here ]------------
usb 3-1: BOGUS control dir, pipe 80000b80 doesn't match bRequestType fd
WARNING: CPU: 0 PID: 5100 at drivers/usb/core/urb.c:411 usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
Modules linked in:
CPU: 0 PID: 5100 Comm: syz-executor428 Not tainted 6.3.0-syzkaller-12049-g58390c8ce1bd #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
RIP: 0010:usb_submit_urb+0x14a7/0x1880 drivers/usb/core/urb.c:411
Code: 7c 24 40 e8 1b 13 5c fb 48 8b 7c 24 40 e8 21 1d f0 fe 45 89 e8 44 89 f1 4c 89 e2 48 89 c6 48 c7 c7 e0 b5 fc 8a e8 19 c8 23 fb <0f> 0b e9 9f ee ff ff e8 ed 12 5c fb 0f b6 1d 12 8a 3c 08 31 ff 41
RSP: 0018:ffffc90003d2fb00 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffff8880789e9058 RCX: 0000000000000000
RDX: ffff888029593b80 RSI: ffffffff814c1447 RDI: 0000000000000001
RBP: ffff88801ea742f8 R08: 0000000000000001 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000001 R12: ffff88802915e528
R13: 00000000000000fd R14: 0000000080000b80 R15: ffff8880222b3100
FS:  0000555556ca63c0(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f9ef4d18150 CR3: 0000000073e5b000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
 usb_internal_control_msg drivers/usb/core/message.c:102 [inline]
 usb_control_msg+0x320/0x4a0 drivers/usb/core/message.c:153
 usbtmc_ioctl_request drivers/usb/class/usbtmc.c:1954 [inline]
 usbtmc_ioctl+0x1b3d/0x2840 drivers/usb/class/usbtmc.c:2097

To fix this, we must override the direction in the bRequestType field
of the control request structure when the length is 0.

Reported-and-tested-by: syzbot+ce77725b89b7bd52425c@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/linux-usb/000000000000716a3705f9adb8ee@google.com/
CC: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/ede1ee02-b718-49e7-a44c-51339fec706b@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/class/usbtmc.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/usb/class/usbtmc.c
+++ b/drivers/usb/class/usbtmc.c
@@ -1898,6 +1898,8 @@ static int usbtmc_ioctl_request(struct u
 
 	if (request.req.wLength > USBTMC_BUFSIZE)
 		return -EMSGSIZE;
+	if (request.req.wLength == 0)	/* Length-0 requests are never IN */
+		request.req.bRequestType &= ~USB_DIR_IN;
 
 	is_in = request.req.bRequestType & USB_DIR_IN;
 
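Review bot: on the added `wLength == 0` branch the user-supplied bRequestType is rewritten silently, so a caller that passed USB_DIR_IN with no data stage gets an OUT transfer and no indication that its request was altered. The one-line comment says what is done but not why the bit is cleared rather than the ioctl rejected. Mentioning the "BOGUS control dir" check in usb_submit_urb() would make the reason clear, and the placement before `is_in` is computed deserves a note as well, since the fix depends on that ordering.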




* [PATCH 5.10 125/211] usb-storage: fix deadlock when a scsi command timeouts more than once
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (123 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 124/211] USB: usbtmc: Fix direction for 0-length ioctl control messages Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 126/211] USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value Greg Kroah-Hartman
                   ` (91 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Maxime Bizon, linux-usb, stable, Alan Stern

From: Maxime Bizon <mbizon@freebox.fr>

commit a398d5eac6984316e71474e25b975688f282379b upstream.

With faulty usb-storage devices, read/write can timeout, in that case
the SCSI layer will abort and re-issue the command. USB storage has no
internal timeout, it relies on SCSI layer aborting commands via
.eh_abort_handler() for those non-responsive devices.

After two consecutive timeouts of the same command, SCSI layer calls
.eh_device_reset_handler(), without calling .eh_abort_handler() first.

With usb-storage, this causes a deadlock:

  -> .eh_device_reset_handler
    -> device_reset
      -> mutex_lock(&(us->dev_mutex));

mutex already taken by usb_stor_control_thread(), which is waiting for
command completion:

  -> usb_stor_control_thread (mutex taken here)
    -> usb_stor_invoke_transport
      -> usb_stor_Bulk_transport
        -> usb_stor_bulk_srb
	  -> usb_stor_bulk_transfer_sglist
	    -> usb_sg_wait

Make sure we cancel any pending command in .eh_device_reset_handler()
to avoid this.

Signed-off-by: Maxime Bizon <mbizon@freebox.fr>
Cc: linux-usb@vger.kernel.org
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/all/ZEllnjMKT8ulZbJh@sakura/
Reviewed-by: Alan Stern <stern@rowland.harvard.edu>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20230505114759.1189741-1-mbizon@freebox.fr
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/storage/scsiglue.c |   28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

--- a/drivers/usb/storage/scsiglue.c
+++ b/drivers/usb/storage/scsiglue.c
@@ -407,22 +407,25 @@ static DEF_SCSI_QCMD(queuecommand)
  ***********************************************************************/
 
 /* Command timeout and abort */
-static int command_abort(struct scsi_cmnd *srb)
+static int command_abort_matching(struct us_data *us, struct scsi_cmnd *srb_match)
 {
-	struct us_data *us = host_to_us(srb->device->host);
-
-	usb_stor_dbg(us, "%s called\n", __func__);
-
 	/*
 	 * us->srb together with the TIMED_OUT, RESETTING, and ABORTING
 	 * bits are protected by the host lock.
 	 */
 	scsi_lock(us_to_host(us));
 
-	/* Is this command still active? */
-	if (us->srb != srb) {
+	/* is there any active pending command to abort ? */
+	if (!us->srb) {
 		scsi_unlock(us_to_host(us));
 		usb_stor_dbg(us, "-- nothing to abort\n");
+		return SUCCESS;
+	}
+
+	/* Does the command match the passed srb if any ? */
+	if (srb_match && us->srb != srb_match) {
+		scsi_unlock(us_to_host(us));
+		usb_stor_dbg(us, "-- pending command mismatch\n");
 		return FAILED;
 	}
 
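Review bot: the new `if (!us->srb)` branch returns SUCCESS, and that also changes the result on the ordinary abort path. Before this hunk, command_abort() with no active command failed the `us->srb != srb` test and returned FAILED; now it reports SUCCESS for a command the driver never aborted. If that is intended, the commit message should say so; otherwise return SUCCESS here only when srb_match is NULL.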
@@ -445,6 +448,14 @@ static int command_abort(struct scsi_cmn
 	return SUCCESS;
 }
 
+static int command_abort(struct scsi_cmnd *srb)
+{
+	struct us_data *us = host_to_us(srb->device->host);
+
+	usb_stor_dbg(us, "%s called\n", __func__);
+	return command_abort_matching(us, srb);
+}
+
 /*
  * This invokes the transport reset mechanism to reset the state of the
  * device
@@ -456,6 +467,9 @@ static int device_reset(struct scsi_cmnd
 
 	usb_stor_dbg(us, "%s called\n", __func__);
 
+	/* abort any pending command before reset */
+	command_abort_matching(us, NULL);
+
 	/* lock the device pointers and do the reset */
 	mutex_lock(&(us->dev_mutex));
 	result = us->transport_reset(us);
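Review bot: the return value of `command_abort_matching(us, NULL)` is dropped in device_reset(). With a NULL srb_match the mismatch branch that returns FAILED cannot be taken, so ignoring it looks safe, but the comment should say that. It should also say that the abort has to run before `mutex_lock(&(us->dev_mutex))`, because the control thread holds that mutex while it waits for the command to complete.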




* [PATCH 5.10 126/211] USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (124 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 125/211] usb-storage: fix deadlock when a scsi command timeouts more than once Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 127/211] usb: dwc3: debugfs: Resume dwc3 before accessing registers Greg Kroah-Hartman
                   ` (90 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern, Weitao Wang

From: Weitao Wang <WeitaoWang-oc@zhaoxin.com>

commit dddb342b5b9e482bb213aecc08cbdb201ea4f8da upstream.

OverCurrent condition is not standardized in the UHCI spec.
Zhaoxin UHCI controllers report OverCurrent bit active off.
In order to handle OverCurrent condition correctly, the uhci-hcd
driver needs to be told to expect the active-off behavior.

Suggested-by: Alan Stern <stern@rowland.harvard.edu>
Cc: stable@vger.kernel.org
Signed-off-by: Weitao Wang <WeitaoWang-oc@zhaoxin.com>
Acked-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/20230423105952.4526-1-WeitaoWang-oc@zhaoxin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/host/uhci-pci.c |   10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

--- a/drivers/usb/host/uhci-pci.c
+++ b/drivers/usb/host/uhci-pci.c
@@ -119,11 +119,13 @@ static int uhci_pci_init(struct usb_hcd
 
 	uhci->rh_numports = uhci_count_ports(hcd);
 
-	/* Intel controllers report the OverCurrent bit active on.
-	 * VIA controllers report it active off, so we'll adjust the
-	 * bit value.  (It's not standardized in the UHCI spec.)
+	/*
+	 * Intel controllers report the OverCurrent bit active on.  VIA
+	 * and ZHAOXIN controllers report it active off, so we'll adjust
+	 * the bit value.  (It's not standardized in the UHCI spec.)
 	 */
-	if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA)
+	if (to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_VIA ||
+			to_pci_dev(uhci_dev(uhci))->vendor == PCI_VENDOR_ID_ZHAOXIN)
 		uhci->oc_low = 1;
 
 	/* HP's server management chip requires a longer port reset delay. */
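Review bot: style point on the extended condition: `to_pci_dev(uhci_dev(uhci))->vendor` is now evaluated twice, and the continuation line is indented past the `if` instead of being aligned with the opening parenthesis. A local variable for the vendor ID, or a switch on it, would read better and make the next active-off vendor a one-line addition.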




* [PATCH 5.10 127/211] usb: dwc3: debugfs: Resume dwc3 before accessing registers
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (125 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 126/211] USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 128/211] usb: gadget: u_ether: Fix host MAC address case Greg Kroah-Hartman
                   ` (89 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Udipto Goswami, Johan Hovold, Thinh Nguyen

From: Udipto Goswami <quic_ugoswami@quicinc.com>

commit 614ce6a2ea50068b45339257891e51e639ac9001 upstream.

When the dwc3 device is runtime suspended, various required clocks are in
disabled state and it is not guaranteed that access to any registers would
work. Depending on the SoC glue, a register read could be as benign as
returning 0 or be fatal enough to hang the system.

In order to prevent such scenarios of fatal errors, make sure to resume
dwc3 then allow the function to proceed.

Fixes: 72246da40f37 ("usb: Introduce DesignWare USB3 DRD Driver")
Cc: stable@vger.kernel.org #3.2: 30332eeefec8: debugfs: regset32: Add Runtime PM support
Signed-off-by: Udipto Goswami <quic_ugoswami@quicinc.com>
Reviewed-by: Johan Hovold <johan+linaro@kernel.org>
Tested-by: Johan Hovold <johan+linaro@kernel.org>
Acked-by: Thinh Nguyen <Thinh.Nguyen@synopsys.com>
Link: https://lore.kernel.org/r/20230509144836.6803-1-quic_ugoswami@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/dwc3/debugfs.c |  109 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 109 insertions(+)

--- a/drivers/usb/dwc3/debugfs.c
+++ b/drivers/usb/dwc3/debugfs.c
@@ -327,6 +327,11 @@ static int dwc3_lsp_show(struct seq_file
 	unsigned int		current_mode;
 	unsigned long		flags;
 	u32			reg;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	reg = dwc3_readl(dwc->regs, DWC3_GSTS);
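Review bot: the block `ret = pm_runtime_resume_and_get(dwc->dev); if (ret < 0) return ret;` added at the top of dwc3_lsp_show() is repeated verbatim in every show and write handler this patch touches, each paired by hand with a pm_runtime_put_sync() before the return. A small pair of helpers, or a common wrapper around the seq_file show callbacks, would keep the get/put balance in one place instead of relying on each handler to get it right.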
@@ -345,6 +350,8 @@ static int dwc3_lsp_show(struct seq_file
 	}
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -390,6 +397,11 @@ static int dwc3_mode_show(struct seq_fil
 	struct dwc3		*dwc = s->private;
 	unsigned long		flags;
 	u32			reg;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	reg = dwc3_readl(dwc->regs, DWC3_GCTL);
@@ -409,6 +421,8 @@ static int dwc3_mode_show(struct seq_fil
 		seq_printf(s, "UNKNOWN %08x\n", DWC3_GCTL_PRTCAP(reg));
 	}
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -458,6 +472,11 @@ static int dwc3_testmode_show(struct seq
 	struct dwc3		*dwc = s->private;
 	unsigned long		flags;
 	u32			reg;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	reg = dwc3_readl(dwc->regs, DWC3_DCTL);
@@ -488,6 +507,8 @@ static int dwc3_testmode_show(struct seq
 		seq_printf(s, "UNKNOWN %d\n", reg);
 	}
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -504,6 +525,7 @@ static ssize_t dwc3_testmode_write(struc
 	unsigned long		flags;
 	u32			testmode = 0;
 	char			buf[32];
+	int			ret;
 
 	if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
 		return -EFAULT;
@@ -521,10 +543,16 @@ static ssize_t dwc3_testmode_write(struc
 	else
 		testmode = 0;
 
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
+
 	spin_lock_irqsave(&dwc->lock, flags);
 	dwc3_gadget_set_test_mode(dwc, testmode);
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return count;
 }
 
@@ -543,12 +571,18 @@ static int dwc3_link_state_show(struct s
 	enum dwc3_link_state	state;
 	u32			reg;
 	u8			speed;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	reg = dwc3_readl(dwc->regs, DWC3_GSTS);
 	if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) {
 		seq_puts(s, "Not available\n");
 		spin_unlock_irqrestore(&dwc->lock, flags);
+		pm_runtime_put_sync(dwc->dev);
 		return 0;
 	}
 
@@ -561,6 +595,8 @@ static int dwc3_link_state_show(struct s
 		   dwc3_gadget_hs_link_string(state));
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -579,6 +615,7 @@ static ssize_t dwc3_link_state_write(str
 	char			buf[32];
 	u32			reg;
 	u8			speed;
+	int			ret;
 
 	if (copy_from_user(&buf, ubuf, min_t(size_t, sizeof(buf) - 1, count)))
 		return -EFAULT;
@@ -598,10 +635,15 @@ static ssize_t dwc3_link_state_write(str
 	else
 		return -EINVAL;
 
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
+
 	spin_lock_irqsave(&dwc->lock, flags);
 	reg = dwc3_readl(dwc->regs, DWC3_GSTS);
 	if (DWC3_GSTS_CURMOD(reg) != DWC3_GSTS_CURMOD_DEVICE) {
 		spin_unlock_irqrestore(&dwc->lock, flags);
+		pm_runtime_put_sync(dwc->dev);
 		return -EINVAL;
 	}
 
@@ -611,12 +653,15 @@ static ssize_t dwc3_link_state_write(str
 	if (speed < DWC3_DSTS_SUPERSPEED &&
 	    state != DWC3_LINK_STATE_RECOV) {
 		spin_unlock_irqrestore(&dwc->lock, flags);
+		pm_runtime_put_sync(dwc->dev);
 		return -EINVAL;
 	}
 
 	dwc3_gadget_set_link_state(dwc, state);
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return count;
 }
 
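Review bot: dwc3_link_state_write() now has three exits that each repeat `spin_unlock_irqrestore()` followed by `pm_runtime_put_sync()`: the two -EINVAL returns and the success path. A single `out:` label that unlocks and drops the PM reference, with `ret` carrying -EINVAL or count, would make it harder for a later early return to leak the usage count.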
@@ -640,6 +685,11 @@ static int dwc3_tx_fifo_size_show(struct
 	unsigned long		flags;
 	int			mdwidth;
 	u32			val;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	val = dwc3_core_fifo_space(dep, DWC3_TXFIFO);
@@ -654,6 +704,8 @@ static int dwc3_tx_fifo_size_show(struct
 	seq_printf(s, "%u\n", val);
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -664,6 +716,11 @@ static int dwc3_rx_fifo_size_show(struct
 	unsigned long		flags;
 	int			mdwidth;
 	u32			val;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	val = dwc3_core_fifo_space(dep, DWC3_RXFIFO);
@@ -678,6 +735,8 @@ static int dwc3_rx_fifo_size_show(struct
 	seq_printf(s, "%u\n", val);
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -687,12 +746,19 @@ static int dwc3_tx_request_queue_show(st
 	struct dwc3		*dwc = dep->dwc;
 	unsigned long		flags;
 	u32			val;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	val = dwc3_core_fifo_space(dep, DWC3_TXREQQ);
 	seq_printf(s, "%u\n", val);
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -702,12 +768,19 @@ static int dwc3_rx_request_queue_show(st
 	struct dwc3		*dwc = dep->dwc;
 	unsigned long		flags;
 	u32			val;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	val = dwc3_core_fifo_space(dep, DWC3_RXREQQ);
 	seq_printf(s, "%u\n", val);
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -717,12 +790,19 @@ static int dwc3_rx_info_queue_show(struc
 	struct dwc3		*dwc = dep->dwc;
 	unsigned long		flags;
 	u32			val;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	val = dwc3_core_fifo_space(dep, DWC3_RXINFOQ);
 	seq_printf(s, "%u\n", val);
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -732,12 +812,19 @@ static int dwc3_descriptor_fetch_queue_s
 	struct dwc3		*dwc = dep->dwc;
 	unsigned long		flags;
 	u32			val;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	val = dwc3_core_fifo_space(dep, DWC3_DESCFETCHQ);
 	seq_printf(s, "%u\n", val);
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -747,12 +834,19 @@ static int dwc3_event_queue_show(struct
 	struct dwc3		*dwc = dep->dwc;
 	unsigned long		flags;
 	u32			val;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	val = dwc3_core_fifo_space(dep, DWC3_EVENTQ);
 	seq_printf(s, "%u\n", val);
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -797,6 +891,11 @@ static int dwc3_trb_ring_show(struct seq
 	struct dwc3		*dwc = dep->dwc;
 	unsigned long		flags;
 	int			i;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	if (dep->number <= 1) {
@@ -826,6 +925,8 @@ static int dwc3_trb_ring_show(struct seq
 out:
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -838,6 +939,11 @@ static int dwc3_ep_info_register_show(st
 	u32			lower_32_bits;
 	u32			upper_32_bits;
 	u32			reg;
+	int			ret;
+
+	ret = pm_runtime_resume_and_get(dwc->dev);
+	if (ret < 0)
+		return ret;
 
 	spin_lock_irqsave(&dwc->lock, flags);
 	reg = DWC3_GDBGLSPMUX_EPSELECT(dep->number);
@@ -850,6 +956,8 @@ static int dwc3_ep_info_register_show(st
 	seq_printf(s, "0x%016llx\n", ep_info);
 	spin_unlock_irqrestore(&dwc->lock, flags);
 
+	pm_runtime_put_sync(dwc->dev);
+
 	return 0;
 }
 
@@ -911,6 +1019,7 @@ void dwc3_debugfs_init(struct dwc3 *dwc)
 	dwc->regset->regs = dwc3_regs;
 	dwc->regset->nregs = ARRAY_SIZE(dwc3_regs);
 	dwc->regset->base = dwc->regs - DWC3_GLOBALS_REGS_START;
+	dwc->regset->dev = dwc->dev;
 
 	root = debugfs_create_dir(dev_name(dwc->dev), usb_debug_root);
 	dwc->root = root;
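Review bot: `dwc->regset->dev = dwc->dev;` depends on struct debugfs_regset32 having a `dev` member, which the Cc: stable line ties to the prerequisite 30332eeefec8 ("debugfs: regset32: Add Runtime PM support"). For this 5.10 backport, confirm that the prerequisite is already in the tree, since this line does not build without it.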




* [PATCH 5.10 128/211] usb: gadget: u_ether: Fix host MAC address case
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (126 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 127/211] usb: dwc3: debugfs: Resume dwc3 before accessing registers Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 129/211] usb: typec: altmodes/displayport: fix pin_assignment_show Greg Kroah-Hartman
                   ` (88 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Konrad Gräfe

From: Konrad Gräfe <k.graefe@gateware.de>

commit 3c0f4f09c063e143822393d99cb2b19a85451c07 upstream.

The CDC-ECM specification [1] requires to send the host MAC address as
an uppercase hexadecimal string in chapter "5.4 Ethernet Networking
Functional Descriptor":
    The Unicode character is chosen from the set of values 30h through
    39h and 41h through 46h (0-9 and A-F).

However, snprintf(.., "%pm", ..) generates a lowercase MAC address
string. While most host drivers are tolerant to this, UsbNcm.sys on
Windows 10 is not. Instead it uses a different MAC address with all
bytes set to zero including and after the first byte containing a
lowercase letter. On Windows 11 Microsoft fixed it, but apparently they
did not backport the fix.

This change fixes the issue by upper-casing the MAC to comply with the
specification.

[1]: https://www.usb.org/document-library/class-definitions-communication-devices-12, file ECM120.pdf

Fixes: bcd4a1c40bee ("usb: gadget: u_ether: construct with default values and add setters/getters")
Cc: stable@vger.kernel.org
Signed-off-by: Konrad Gräfe <k.graefe@gateware.de>
Link: https://lore.kernel.org/r/20230505143640.443014-1-k.graefe@gateware.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/gadget/function/u_ether.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/usb/gadget/function/u_ether.c
+++ b/drivers/usb/gadget/function/u_ether.c
@@ -17,6 +17,7 @@
 #include <linux/etherdevice.h>
 #include <linux/ethtool.h>
 #include <linux/if_vlan.h>
+#include <linux/string_helpers.h>
 
 #include "u_ether.h"
 
@@ -974,6 +975,8 @@ int gether_get_host_addr_cdc(struct net_
 	dev = netdev_priv(net);
 	snprintf(host_addr, len, "%pm", dev->host_mac);
 
+	string_upper(host_addr, host_addr);
+
 	return strlen(host_addr);
 }
 EXPORT_SYMBOL_GPL(gether_get_host_addr_cdc);
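Review bot: the added `string_upper(host_addr, host_addr);` has no comment, and at the call site the upper-casing looks arbitrary because the `%pm` output is already a valid hex string. A one-line comment citing CDC-ECM section 5.4 (characters limited to 0-9 and A-F) would record why it is needed and keep it from being removed as redundant.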




* [PATCH 5.10 129/211] usb: typec: altmodes/displayport: fix pin_assignment_show
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (127 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 128/211] usb: gadget: u_ether: Fix host MAC address case Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 130/211] ALSA: hda: Fix Oops by 9.1 surround channel names Greg Kroah-Hartman
                   ` (87 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Badhri Jagan Sridharan, Heikki Krogerus

From: Badhri Jagan Sridharan <badhri@google.com>

commit d8f28269dd4bf9b55c3fb376ae31512730a96fce upstream.

This patch fixes negative indexing of buf array in pin_assignment_show
when get_current_pin_assignments returns 0 i.e. no compatible pin
assignments are found.

BUG: KASAN: use-after-free in pin_assignment_show+0x26c/0x33c
...
Call trace:
dump_backtrace+0x110/0x204
dump_stack_lvl+0x84/0xbc
print_report+0x358/0x974
kasan_report+0x9c/0xfc
__do_kernel_fault+0xd4/0x2d4
do_bad_area+0x48/0x168
do_tag_check_fault+0x24/0x38
do_mem_abort+0x6c/0x14c
el1_abort+0x44/0x68
el1h_64_sync_handler+0x64/0xa4
el1h_64_sync+0x78/0x7c
pin_assignment_show+0x26c/0x33c
dev_attr_show+0x50/0xc0

Fixes: 0e3bb7d6894d ("usb: typec: Add driver for DisplayPort alternate mode")
Cc: stable@vger.kernel.org
Signed-off-by: Badhri Jagan Sridharan <badhri@google.com>
Reviewed-by: Heikki Krogerus <heikki.krogerus@linux.intel.com>
Link: https://lore.kernel.org/r/20230508214443.893436-1-badhri@google.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/typec/altmodes/displayport.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/usb/typec/altmodes/displayport.c
+++ b/drivers/usb/typec/altmodes/displayport.c
@@ -503,6 +503,10 @@ static ssize_t pin_assignment_show(struc
 
 	mutex_unlock(&dp->lock);
 
+	/* get_current_pin_assignments can return 0 when no matching pin assignments are found */
+	if (len == 0)
+		len++;
+
 	buf[len - 1] = '\n';
 	return len;
 }
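Review bot: `if (len == 0) len++;` fixes the `buf[len - 1]` write at index -1, but it does so by side effect, and the comment only says when len can be 0. Spell out that the increment exists so the newline lands in buf[0] and the function returns 1, or handle the empty case with its own explicit return.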




* [PATCH 5.10 130/211] ALSA: hda: Fix Oops by 9.1 surround channel names
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (128 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 129/211] usb: typec: altmodes/displayport: fix pin_assignment_show Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 131/211] ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table Greg Kroah-Hartman
                   ` (86 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Olliver Schinagl, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 3b44ec8c5c44790a82f07e90db45643c762878c6 upstream.

get_line_out_pfx() may trigger an Oops by overflowing the static array
with more than 8 channels.  This was reported for MacBookPro 12,1 with
Cirrus codec.

As a workaround, extend for the 9.1 channels and also fix the
potential Oops by unifying the code paths accessing the same array
with the proper size check.

Reported-by: Olliver Schinagl <oliver@schinagl.nl>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/64d95eb0-dbdb-cff8-a8b1-988dc22b24cd@schinagl.nl
Link: https://lore.kernel.org/r/20230516184412.24078-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/hda_generic.c |    7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

--- a/sound/pci/hda/hda_generic.c
+++ b/sound/pci/hda/hda_generic.c
@@ -1153,8 +1153,8 @@ static bool path_has_mixer(struct hda_co
 	return path && path->ctls[ctl_type];
 }
 
-static const char * const channel_name[4] = {
-	"Front", "Surround", "CLFE", "Side"
+static const char * const channel_name[] = {
+	"Front", "Surround", "CLFE", "Side", "Back",
 };
 
 /* give some appropriate ctl name prefix for the given line out channel */
@@ -1180,7 +1180,7 @@ static const char *get_line_out_pfx(stru
 
 	/* multi-io channels */
 	if (ch >= cfg->line_outs)
-		return channel_name[ch];
+		goto fixed_name;
 
 	switch (cfg->line_out_type) {
 	case AUTO_PIN_SPEAKER_OUT:
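
Review bot: the `goto fixed_name` in the multi-io branch deserves a one-line comment saying the index is bounds-checked at the label. The jump skips the whole `switch (cfg->line_out_type)` to reach a check far below, and without that hint a later cleanup could turn it back into the direct `return channel_name[ch];` that this hunk removes.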
@@ -1232,6 +1232,7 @@ static const char *get_line_out_pfx(stru
 	if (cfg->line_outs == 1 && !spec->multi_ios)
 		return "Line Out";
 
+ fixed_name:
 	if (ch >= ARRAY_SIZE(channel_name)) {
 		snd_BUG();
 		return "PCM";
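
Review bot: with `fixed_name:` placed ahead of the `ch >= ARRAY_SIZE(channel_name)` check, an out-of-range channel from the multi-io path now ends in `snd_BUG()`. The commit message describes that situation as a real hardware case (MacBookPro 12,1 with a Cirrus codec) rather than a driver logic error, so consider whether returning "PCM" without the debug report is the better fallback once the table is exhausted. The label line also carries a leading space, which is worth checking against the label style used elsewhere in the file.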




* [PATCH 5.10 131/211] ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (129 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 130/211] ALSA: hda: Fix Oops by 9.1 surround channel names Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 132/211] ALSA: hda/realtek: Add quirk for Clevo L140AU Greg Kroah-Hartman
                   ` (85 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Nikhil Mahale, Takashi Iwai

From: Nikhil Mahale <nmahale@nvidia.com>

commit dc4f2ccaedddb489a83e7b12ebbdc347272aacc9 upstream.

These IDs are for AD102, AD103, AD104, AD106, and AD107 gpus with
audio functions that are largely similar to the existing ones.

Tested audio using gnome-settings, over HDMI, DP-SST and DP-MST
connections on AD106 gpu.

Signed-off-by: Nikhil Mahale <nmahale@nvidia.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20230517090736.15088-1-nmahale@nvidia.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_hdmi.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/sound/pci/hda/patch_hdmi.c
+++ b/sound/pci/hda/patch_hdmi.c
@@ -4374,6 +4374,11 @@ HDA_CODEC_ENTRY(0x10de009d, "GPU 9d HDMI
 HDA_CODEC_ENTRY(0x10de009e, "GPU 9e HDMI/DP",	patch_nvhdmi),
 HDA_CODEC_ENTRY(0x10de009f, "GPU 9f HDMI/DP",	patch_nvhdmi),
 HDA_CODEC_ENTRY(0x10de00a0, "GPU a0 HDMI/DP",	patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00a3, "GPU a3 HDMI/DP",	patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00a4, "GPU a4 HDMI/DP",	patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00a5, "GPU a5 HDMI/DP",	patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00a6, "GPU a6 HDMI/DP",	patch_nvhdmi),
+HDA_CODEC_ENTRY(0x10de00a7, "GPU a7 HDMI/DP",	patch_nvhdmi),
 HDA_CODEC_ENTRY(0x10de8001, "MCP73 HDMI",	patch_nvhdmi_2ch),
 HDA_CODEC_ENTRY(0x10de8067, "MCP67/68 HDMI",	patch_nvhdmi_2ch),
 HDA_CODEC_ENTRY(0x11069f80, "VX900 HDMI/DP",	patch_via_hdmi),
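
Review bot: the new entries start at 0x10de00a3 directly after 0x10de00a0, so a1 and a2 are skipped. The commit message covers a3 through a7 only; a sentence in the changelog confirming that the two missing IDs are intentionally absent would rule out an oversight.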




* [PATCH 5.10 132/211] ALSA: hda/realtek: Add quirk for Clevo L140AU
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (130 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 131/211] ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 133/211] ALSA: hda/realtek: Add a quirk for HP EliteDesk 805 Greg Kroah-Hartman
                   ` (84 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jeremy Soller, Tim Crawford, Takashi Iwai

From: Jeremy Soller <jeremy@system76.com>

commit 0a6b36c5dc3dda0196f4fb65bdb34c38b8d060c3 upstream.

Fixes headset detection on Clevo L140AU.

Signed-off-by: Jeremy Soller <jeremy@system76.com>
Signed-off-by: Tim Crawford <tcrawford@system76.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20230505163651.21257-1-tcrawford@system76.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9136,6 +9136,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1558, 0x7716, "Clevo NS50PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1558, 0x7717, "Clevo NS70PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1558, 0x7718, "Clevo L140PU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
+	SND_PCI_QUIRK(0x1558, 0x7724, "Clevo L140AU", ALC256_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1558, 0x8228, "Clevo NR40BU", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1558, 0x8520, "Clevo NH50D[CD]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1558, 0x8521, "Clevo NH77D[CD]", ALC293_FIXUP_SYSTEM76_MIC_NO_PRESENCE),




* [PATCH 5.10 133/211] ALSA: hda/realtek: Add a quirk for HP EliteDesk 805
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (131 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 132/211] ALSA: hda/realtek: Add quirk for Clevo L140AU Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 134/211] ALSA: hda/realtek: Add quirk for 2nd ASUS GU603 Greg Kroah-Hartman
                   ` (83 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ai Chao, Takashi Iwai

From: Ai Chao <aichao@kylinos.cn>

commit 90670ef774a8b6700c38ce1222e6aa263be54d5f upstream.

Add a quirk for HP EliteDesk 805 to fixup ALC3867 headset MIC no sound.

Signed-off-by: Ai Chao <aichao@kylinos.cn>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20230506022653.2074343-1-aichao@kylinos.cn
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -11159,6 +11159,7 @@ static const struct snd_pci_quirk alc662
 	SND_PCI_QUIRK(0x103c, 0x1632, "HP RP5800", ALC662_FIXUP_HP_RP5800),
 	SND_PCI_QUIRK(0x103c, 0x870c, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
 	SND_PCI_QUIRK(0x103c, 0x8719, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
+	SND_PCI_QUIRK(0x103c, 0x872b, "HP", ALC897_FIXUP_HP_HSMIC_VERB),
 	SND_PCI_QUIRK(0x103c, 0x873e, "HP", ALC671_FIXUP_HP_HEADSET_MIC2),
 	SND_PCI_QUIRK(0x103c, 0x877e, "HP 288 Pro G6", ALC671_FIXUP_HP_HEADSET_MIC2),
 	SND_PCI_QUIRK(0x103c, 0x885f, "HP 288 Pro G8", ALC671_FIXUP_HP_HEADSET_MIC2),
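
Review bot: the name string on the added 0x872b entry is just "HP", although the commit message identifies the machine as HP EliteDesk 805. The neighbouring 0x870c and 0x8719 entries do the same, but a model name such as "HP EliteDesk 805" would make the quirk table searchable when someone later needs to find which machine an ID belongs to.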




* [PATCH 5.10 134/211] ALSA: hda/realtek: Add quirk for 2nd ASUS GU603
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (132 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 133/211] ALSA: hda/realtek: Add a quirk for HP EliteDesk 805 Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 135/211] can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag Greg Kroah-Hartman
                   ` (82 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Luke D. Jones, Takashi Iwai

From: Luke D. Jones <luke@ljones.dev>

commit a4671b7fba59775845ee60cfbdfc4ba64300211b upstream.

Add quirk for GU603 with 0x1c62 variant of codec.

Signed-off-by: Luke D. Jones <luke@ljones.dev>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20230505235824.49607-2-luke@ljones.dev
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9044,6 +9044,7 @@ static const struct snd_pci_quirk alc269
 	SND_PCI_QUIRK(0x1043, 0x1b13, "Asus U41SV", ALC269_FIXUP_INV_DMIC),
 	SND_PCI_QUIRK(0x1043, 0x1bbd, "ASUS Z550MA", ALC255_FIXUP_ASUS_MIC_NO_PRESENCE),
 	SND_PCI_QUIRK(0x1043, 0x1c23, "Asus X55U", ALC269_FIXUP_LIMIT_INT_MIC_BOOST),
+	SND_PCI_QUIRK(0x1043, 0x1c62, "ASUS GU603", ALC289_FIXUP_ASUS_GA401),
 	SND_PCI_QUIRK(0x1043, 0x1c92, "ASUS ROG Strix G15", ALC285_FIXUP_ASUS_G533Z_PINS),
 	SND_PCI_QUIRK(0x1043, 0x1ccd, "ASUS X555UB", ALC256_FIXUP_ASUS_MIC),
 	SND_PCI_QUIRK(0x1043, 0x1d42, "ASUS Zephyrus G14 2022", ALC289_FIXUP_ASUS_GA401),




* [PATCH 5.10 135/211] can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (133 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 134/211] ALSA: hda/realtek: Add quirk for 2nd ASUS GU603 Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 136/211] can: isotp: " Greg Kroah-Hartman
                   ` (81 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Marc Kleine-Budde,
	Oliver Hartkopp

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit 1db080cbdbab28752bbb1c86d64daf96253a5da1 upstream.

The control message provided by J1939 supports MSG_CMSG_COMPAT but
blocked recvmsg() syscalls that have set this flag, i.e. on 32bit user
space on 64 bit kernels.

Link: https://github.com/hartkopp/can-isotp/issues/59
Cc: Oleksij Rempel <o.rempel@pengutronix.de>
Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Tested-by: Oleksij Rempel <o.rempel@pengutronix.de>
Acked-by: Oleksij Rempel <o.rempel@pengutronix.de>
Fixes: 9d71dd0c7009 ("can: add support of SAE J1939 protocol")
Link: https://lore.kernel.org/20230505110308.81087-3-mkl@pengutronix.de
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/can/j1939/socket.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/can/j1939/socket.c
+++ b/net/can/j1939/socket.c
@@ -798,7 +798,7 @@ static int j1939_sk_recvmsg(struct socke
 	struct j1939_sk_buff_cb *skcb;
 	int ret = 0;
 
-	if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE))
+	if (flags & ~(MSG_DONTWAIT | MSG_ERRQUEUE | MSG_CMSG_COMPAT))
 		return -EINVAL;
 
 	if (flags & MSG_ERRQUEUE)
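
Review bot: the flag mask on the changed line would benefit from a short comment saying that MSG_CMSG_COMPAT is accepted for 32-bit user space on 64-bit kernels, as the commit message describes. The flag is added on the compat syscall path rather than chosen by the application, so without a comment a later tidy-up of the allow-list could drop it again and bring back the -EINVAL for those callers.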




* [PATCH 5.10 136/211] can: isotp: recvmsg(): allow MSG_CMSG_COMPAT flag
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (134 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 135/211] can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 137/211] can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop() Greg Kroah-Hartman
                   ` (80 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Oleksij Rempel, Marc Kleine-Budde,
	Oliver Hartkopp

From: Oliver Hartkopp <socketcan@hartkopp.net>

commit db2773d65b02aed319a93efdfb958087771d4e19 upstream.

The control message provided by isotp supports MSG_CMSG_COMPAT but
blocked recvmsg() syscalls that have set this flag, i.e. on 32bit user
space on 64 bit kernels.

Link: https://github.com/hartkopp/can-isotp/issues/59
Cc: Oleksij Rempel <o.rempel@pengutronix.de>
Suggested-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Oliver Hartkopp <socketcan@hartkopp.net>
Fixes: 42bf50a1795a ("can: isotp: support MSG_TRUNC flag when reading from socket")
Link: https://lore.kernel.org/20230505110308.81087-2-mkl@pengutronix.de
Cc: stable@vger.kernel.org
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/can/isotp.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/net/can/isotp.c
+++ b/net/can/isotp.c
@@ -1016,7 +1016,7 @@ static int isotp_recvmsg(struct socket *
 	int noblock = flags & MSG_DONTWAIT;
 	int ret = 0;
 
-	if (flags & ~(MSG_DONTWAIT | MSG_TRUNC | MSG_PEEK))
+	if (flags & ~(MSG_DONTWAIT | MSG_TRUNC | MSG_PEEK | MSG_CMSG_COMPAT))
 		return -EINVAL;
 
 	if (!so->bound)
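
Review bot: this is the same one-flag addition as the j1939 patch in this series, applied to a different allow-list (`MSG_DONTWAIT | MSG_TRUNC | MSG_PEEK`). Since two CAN protocols rejected compat callers for the same reason, a regression test that calls recvmsg() from a 32-bit binary against each protocol would catch the next allow-list that omits the flag.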




* [PATCH 5.10 137/211] can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (135 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 136/211] can: isotp: " Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:10 ` [PATCH 5.10 138/211] can: kvaser_pciefd: Call request_irq() before enabling interrupts Greg Kroah-Hartman
                   ` (79 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jimmy Assarsson, Marc Kleine-Budde

From: Jimmy Assarsson <extja@kvaser.com>

commit aed0e6ca7dbb8fbea9bc69c9ac663d5533c8c5d8 upstream.

Set can.state to CAN_STATE_STOPPED in kvaser_pciefd_stop().
Without this fix, the wrong CAN state was reported after the interface was
brought down.

Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
Cc: stable@vger.kernel.org
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/r/20230516134318.104279-2-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/kvaser_pciefd.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/can/kvaser_pciefd.c
+++ b/drivers/net/can/kvaser_pciefd.c
@@ -721,6 +721,7 @@ static int kvaser_pciefd_stop(struct net
 		iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
 		del_timer(&can->bec_poll_timer);
 	}
+	can->can.state = CAN_STATE_STOPPED;
 	close_candev(netdev);
 
 	return ret;
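
Review bot: `can->can.state = CAN_STATE_STOPPED` is assigned after the closing brace of the preceding block and before `close_candev()`, so it takes effect whatever value `ret` holds when the function reaches `return ret`. That looks intended, since `close_candev()` is also unconditional, but a brief comment saying the state is forced to stopped even when the earlier step failed would make it explicit.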




* [PATCH 5.10 138/211] can: kvaser_pciefd: Call request_irq() before enabling interrupts
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (136 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 137/211] can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop() Greg Kroah-Hartman
@ 2023-05-28 19:10 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 139/211] can: kvaser_pciefd: Empty SRB buffer in probe Greg Kroah-Hartman
                   ` (78 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:10 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jimmy Assarsson, Marc Kleine-Budde

From: Jimmy Assarsson <extja@kvaser.com>

commit 84762d8da89d29ba842317eb842973e628c27391 upstream.

Make sure the interrupt handler is registered before enabling interrupts.

Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
Cc: stable@vger.kernel.org
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/r/20230516134318.104279-4-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/kvaser_pciefd.c |   10 +++++-----
 1 file changed, 5 insertions(+), 5 deletions(-)

--- a/drivers/net/can/kvaser_pciefd.c
+++ b/drivers/net/can/kvaser_pciefd.c
@@ -1825,6 +1825,11 @@ static int kvaser_pciefd_probe(struct pc
 	if (err)
 		goto err_teardown_can_ctrls;
 
+	err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler,
+			  IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie);
+	if (err)
+		goto err_teardown_can_ctrls;
+
 	iowrite32(KVASER_PCIEFD_SRB_IRQ_DPD0 | KVASER_PCIEFD_SRB_IRQ_DPD1,
 		  pcie->reg_base + KVASER_PCIEFD_SRB_IRQ_REG);
 
@@ -1845,11 +1850,6 @@ static int kvaser_pciefd_probe(struct pc
 	iowrite32(KVASER_PCIEFD_SRB_CMD_RDB1,
 		  pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG);
 
-	err = request_irq(pcie->pci->irq, kvaser_pciefd_irq_handler,
-			  IRQF_SHARED, KVASER_PCIEFD_DRV_NAME, pcie);
-	if (err)
-		goto err_teardown_can_ctrls;
-
 	err = kvaser_pciefd_reg_candev(pcie);
 	if (err)
 		goto err_free_irq;
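
Review bot: after this reordering a failure in `kvaser_pciefd_reg_candev()` reaches `err_free_irq` at a point where the device interrupts have already been enabled, so the error path needs to mask them before `free_irq()`. Patch 142/211 in this series adds that write; the two changes should be applied together.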




* [PATCH 5.10 139/211] can: kvaser_pciefd: Empty SRB buffer in probe
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (137 preceding siblings ...)
  2023-05-28 19:10 ` [PATCH 5.10 138/211] can: kvaser_pciefd: Call request_irq() before enabling interrupts Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 140/211] can: kvaser_pciefd: Clear listen-only bit if not explicitly requested Greg Kroah-Hartman
                   ` (77 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jimmy Assarsson, Marc Kleine-Budde

From: Jimmy Assarsson <extja@kvaser.com>

commit c589557dd1426f5adf90c7a919d4fde5a3e4ef64 upstream.

Empty the "Shared receive buffer" (SRB) in probe, to assure we start in a
known state, and don't process any irrelevant packets.

Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
Cc: stable@vger.kernel.org
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/r/20230516134318.104279-5-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/kvaser_pciefd.c |   15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/drivers/net/can/kvaser_pciefd.c
+++ b/drivers/net/can/kvaser_pciefd.c
@@ -70,10 +70,12 @@ MODULE_DESCRIPTION("CAN driver for Kvase
 #define KVASER_PCIEFD_SYSID_BUILD_REG (KVASER_PCIEFD_SYSID_BASE + 0x14)
 /* Shared receive buffer registers */
 #define KVASER_PCIEFD_SRB_BASE 0x1f200
+#define KVASER_PCIEFD_SRB_FIFO_LAST_REG (KVASER_PCIEFD_SRB_BASE + 0x1f4)
 #define KVASER_PCIEFD_SRB_CMD_REG (KVASER_PCIEFD_SRB_BASE + 0x200)
 #define KVASER_PCIEFD_SRB_IEN_REG (KVASER_PCIEFD_SRB_BASE + 0x204)
 #define KVASER_PCIEFD_SRB_IRQ_REG (KVASER_PCIEFD_SRB_BASE + 0x20c)
 #define KVASER_PCIEFD_SRB_STAT_REG (KVASER_PCIEFD_SRB_BASE + 0x210)
+#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG (KVASER_PCIEFD_SRB_BASE + 0x214)
 #define KVASER_PCIEFD_SRB_CTRL_REG (KVASER_PCIEFD_SRB_BASE + 0x218)
 /* EPCS flash controller registers */
 #define KVASER_PCIEFD_SPI_BASE 0x1fc00
@@ -110,6 +112,9 @@ MODULE_DESCRIPTION("CAN driver for Kvase
 /* DMA support */
 #define KVASER_PCIEFD_SRB_STAT_DMA BIT(24)
 
+/* SRB current packet level */
+#define KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK 0xff
+
 /* DMA Enable */
 #define KVASER_PCIEFD_SRB_CTRL_DMA_ENABLE BIT(0)
 
@@ -1055,6 +1060,7 @@ static int kvaser_pciefd_setup_dma(struc
 {
 	int i;
 	u32 srb_status;
+	u32 srb_packet_count;
 	dma_addr_t dma_addr[KVASER_PCIEFD_DMA_COUNT];
 
 	/* Disable the DMA */
@@ -1082,6 +1088,15 @@ static int kvaser_pciefd_setup_dma(struc
 		  KVASER_PCIEFD_SRB_CMD_RDB1,
 		  pcie->reg_base + KVASER_PCIEFD_SRB_CMD_REG);
 
+	/* Empty Rx FIFO */
+	srb_packet_count = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG) &
+			   KVASER_PCIEFD_SRB_RX_NR_PACKETS_MASK;
+	while (srb_packet_count) {
+		/* Drop current packet in FIFO */
+		ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_FIFO_LAST_REG);
+		srb_packet_count--;
+	}
+
 	srb_status = ioread32(pcie->reg_base + KVASER_PCIEFD_SRB_STAT_REG);
 	if (!(srb_status & KVASER_PCIEFD_SRB_STAT_DI)) {
 		dev_err(&pcie->pci->dev, "DMA not idle before enabling\n");
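
Review bot: the drain loop samples `KVASER_PCIEFD_SRB_RX_NR_PACKETS_REG` once and then issues that many reads of `KVASER_PCIEFD_SRB_FIFO_LAST_REG`. The 0xff mask bounds it to 255 iterations, but nothing verifies that the FIFO is actually empty afterwards. Re-reading the packet count after the loop, and logging if it is still non-zero, would confirm the known state the commit message aims for.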




* [PATCH 5.10 140/211] can: kvaser_pciefd: Clear listen-only bit if not explicitly requested
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (138 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 139/211] can: kvaser_pciefd: Empty SRB buffer in probe Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 141/211] can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt Greg Kroah-Hartman
                   ` (76 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jimmy Assarsson, Marc Kleine-Budde

From: Jimmy Assarsson <extja@kvaser.com>

commit bf7ac55e991ca177f1ac16be51152f1ef291a4df upstream.

The listen-only bit was never cleared, causing the controller to
always use listen-only mode, if previously set.

Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
Cc: stable@vger.kernel.org
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/r/20230516134318.104279-3-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/kvaser_pciefd.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/kvaser_pciefd.c
+++ b/drivers/net/can/kvaser_pciefd.c
@@ -561,6 +561,8 @@ static void kvaser_pciefd_setup_controll
 
 	if (can->can.ctrlmode & CAN_CTRLMODE_LISTENONLY)
 		mode |= KVASER_PCIEFD_KCAN_MODE_LOM;
+	else
+		mode &= ~KVASER_PCIEFD_KCAN_MODE_LOM;
 
 	mode |= KVASER_PCIEFD_KCAN_MODE_EEN;
 	mode |= KVASER_PCIEFD_KCAN_MODE_EPEN;
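
Review bot: check whether any other mode bit in this function is set conditionally without a matching clear, since it would have the same stale-bit problem that the new `else` fixes for `KVASER_PCIEFD_KCAN_MODE_LOM`. The visible context only shows the unconditional sets of `KVASER_PCIEFD_KCAN_MODE_EEN` and `KVASER_PCIEFD_KCAN_MODE_EPEN`, so the answer is not apparent from the hunk.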




* [PATCH 5.10 141/211] can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (139 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 140/211] can: kvaser_pciefd: Clear listen-only bit if not explicitly requested Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 142/211] can: kvaser_pciefd: Disable interrupts in probe error path Greg Kroah-Hartman
                   ` (75 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jimmy Assarsson, Marc Kleine-Budde

From: Jimmy Assarsson <extja@kvaser.com>

commit 262d7a52ba27525e3c1203230c9f0524e48bbb34 upstream.

Under certain circumstances we send two EFLUSH commands, resulting in two
EFLUSH ack packets, while only expecting a single EFLUSH ack.
This can cause the driver Tx flush completion to get out of sync.

To avoid this problem, don't enable the "Transmit buffer flush done" (TFD)
interrupt and remove the code handling it.
Now we only send EFLUSH command after receiving status packet with
"Init detected" (IDET) bit set.

Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
Cc: stable@vger.kernel.org
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/r/20230516134318.104279-6-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/kvaser_pciefd.c |   21 ++++-----------------
 1 file changed, 4 insertions(+), 17 deletions(-)

--- a/drivers/net/can/kvaser_pciefd.c
+++ b/drivers/net/can/kvaser_pciefd.c
@@ -533,7 +533,7 @@ static int kvaser_pciefd_set_tx_irq(stru
 	      KVASER_PCIEFD_KCAN_IRQ_TOF | KVASER_PCIEFD_KCAN_IRQ_ABD |
 	      KVASER_PCIEFD_KCAN_IRQ_TAE | KVASER_PCIEFD_KCAN_IRQ_TAL |
 	      KVASER_PCIEFD_KCAN_IRQ_FDIC | KVASER_PCIEFD_KCAN_IRQ_BPP |
-	      KVASER_PCIEFD_KCAN_IRQ_TAR | KVASER_PCIEFD_KCAN_IRQ_TFD;
+	      KVASER_PCIEFD_KCAN_IRQ_TAR;
 
 	iowrite32(msk, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
 
@@ -581,7 +581,7 @@ static void kvaser_pciefd_start_controll
 
 	spin_lock_irqsave(&can->lock, irq);
 	iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG);
-	iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD,
+	iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD,
 		  can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
 
 	status = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_STAT_REG);
@@ -624,7 +624,7 @@ static int kvaser_pciefd_bus_on(struct k
 	iowrite32(0, can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
 	iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG);
 
-	iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD | KVASER_PCIEFD_KCAN_IRQ_TFD,
+	iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD,
 		  can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
 
 	mode = ioread32(can->reg_base + KVASER_PCIEFD_KCAN_MODE_REG);
@@ -1011,8 +1011,7 @@ static int kvaser_pciefd_setup_can_ctrls
 		SET_NETDEV_DEV(netdev, &pcie->pci->dev);
 
 		iowrite32(-1, can->reg_base + KVASER_PCIEFD_KCAN_IRQ_REG);
-		iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD |
-			  KVASER_PCIEFD_KCAN_IRQ_TFD,
+		iowrite32(KVASER_PCIEFD_KCAN_IRQ_ABD,
 			  can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
 
 		pcie->can[i] = can;
@@ -1441,9 +1440,6 @@ static int kvaser_pciefd_handle_status_p
 		cmd = KVASER_PCIEFD_KCAN_CMD_AT;
 		cmd |= ++can->cmd_seq << KVASER_PCIEFD_KCAN_CMD_SEQ_SHIFT;
 		iowrite32(cmd, can->reg_base + KVASER_PCIEFD_KCAN_CMD_REG);
-
-		iowrite32(KVASER_PCIEFD_KCAN_IRQ_TFD,
-			  can->reg_base + KVASER_PCIEFD_KCAN_IEN_REG);
 	} else if (p->header[0] & KVASER_PCIEFD_SPACK_IDET &&
 		   p->header[0] & KVASER_PCIEFD_SPACK_IRM &&
 		   cmdseq == (p->header[1] & KVASER_PCIEFD_PACKET_SEQ_MSK) &&
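
Review bot: confirm that nothing still waits for a TFD interrupt after the write removed from the abort branch here. That write stored only `KVASER_PCIEFD_KCAN_IRQ_TFD` into `KVASER_PCIEFD_KCAN_IEN_REG`, replacing the whole enable mask, and with it gone the mask stays as the other hunks leave it. The diff drops the TFD bit at every site it touches, and the diffstat (4 insertions, 17 deletions) includes no removed definitions, so also check whether `KVASER_PCIEFD_KCAN_IRQ_TFD` and `KVASER_PCIEFD_KCAN_TX_NPACKETS_REG` are now unused and can be deleted.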
@@ -1732,15 +1728,6 @@ static int kvaser_pciefd_transmit_irq(st
 	if (irq & KVASER_PCIEFD_KCAN_IRQ_TOF)
 		netdev_err(can->can.dev, "Tx FIFO overflow\n");
 
-	if (irq & KVASER_PCIEFD_KCAN_IRQ_TFD) {
-		u8 count = ioread32(can->reg_base +
-				    KVASER_PCIEFD_KCAN_TX_NPACKETS_REG) & 0xff;
-
-		if (count == 0)
-			iowrite32(KVASER_PCIEFD_KCAN_CTRL_EFLUSH,
-				  can->reg_base + KVASER_PCIEFD_KCAN_CTRL_REG);
-	}
-
 	if (irq & KVASER_PCIEFD_KCAN_IRQ_BPP)
 		netdev_err(can->can.dev,
 			   "Fail to change bittiming, when not in reset mode\n");




* [PATCH 5.10 142/211] can: kvaser_pciefd: Disable interrupts in probe error path
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (140 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 141/211] can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 143/211] statfs: enforce statfs[64] structure initialization Greg Kroah-Hartman
                   ` (74 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Jimmy Assarsson, Marc Kleine-Budde

From: Jimmy Assarsson <extja@kvaser.com>

commit 11164bc39459335ab93c6e99d53b7e4292fba38b upstream.

Disable interrupts in error path of probe function.

Fixes: 26ad340e582d ("can: kvaser_pciefd: Add driver for Kvaser PCIEcan devices")
Cc: stable@vger.kernel.org
Signed-off-by: Jimmy Assarsson <extja@kvaser.com>
Link: https://lore.kernel.org/r/20230516134318.104279-7-extja@kvaser.com
Signed-off-by: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/can/kvaser_pciefd.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/drivers/net/can/kvaser_pciefd.c
+++ b/drivers/net/can/kvaser_pciefd.c
@@ -1861,6 +1861,8 @@ static int kvaser_pciefd_probe(struct pc
 	return 0;
 
 err_free_irq:
+	/* Disable PCI interrupts */
+	iowrite32(0, pcie->reg_base + KVASER_PCIEFD_IEN_REG);
 	free_irq(pcie->pci->irq, pcie);
 
 err_teardown_can_ctrls:
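
Review bot: the added write clears `KVASER_PCIEFD_IEN_REG` before `free_irq()`, which is the right order, but it covers only the PCI-level enable under `err_free_irq`. Confirm that the per-channel `KVASER_PCIEFD_KCAN_IEN_REG` enables are cleared by the `err_teardown_can_ctrls` path that follows, since nothing in this hunk touches them.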




* [PATCH 5.10 143/211] statfs: enforce statfs[64] structure initialization
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (141 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 142/211] can: kvaser_pciefd: Disable interrupts in probe error path Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 144/211] serial: Add support for Advantech PCI-1611U card Greg Kroah-Hartman
                   ` (73 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Heiko Carstens, Ilya Leoshkevich,
	Andrew Morton, Alexander Gordeev

From: Ilya Leoshkevich <iii@linux.ibm.com>

commit ed40866ec7d328b3dfb70db7e2011640a16202c3 upstream.

s390's struct statfs and struct statfs64 contain padding, which
field-by-field copying does not set. Initialize the respective structs
with zeros before filling them and copying them to userspace, like it's
already done for the compat versions of these structs.

Found by KMSAN.

[agordeev@linux.ibm.com: fixed typo in patch description]
Acked-by: Heiko Carstens <hca@linux.ibm.com>
Cc: stable@vger.kernel.org # v4.14+
Signed-off-by: Ilya Leoshkevich <iii@linux.ibm.com>
Reviewed-by: Andrew Morton <akpm@linux-foundation.org>
Link: https://lore.kernel.org/r/20230504144021.808932-2-iii@linux.ibm.com
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/statfs.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/fs/statfs.c
+++ b/fs/statfs.c
@@ -130,6 +130,7 @@ static int do_statfs_native(struct kstat
 	if (sizeof(buf) == sizeof(*st))
 		memcpy(&buf, st, sizeof(*st));
 	else {
+		memset(&buf, 0, sizeof(buf));
 		if (sizeof buf.f_blocks == 4) {
 			if ((st->f_blocks | st->f_bfree | st->f_bavail |
 			     st->f_bsize | st->f_frsize) &
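
Review bot: the `memset(&buf, 0, sizeof(buf))` is added only in the `else` branch. When `sizeof(buf) == sizeof(*st)` the `memcpy()` copies the whole source struct, padding included, so on that path the bytes handed to `copy_to_user()` are clean only if the caller fully initialised `*st`. It is worth stating that assumption in a comment here and in the matching do_statfs64 hunk, because the leak this patch closes is exactly padding reaching user space.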
@@ -158,7 +159,6 @@ static int do_statfs_native(struct kstat
 		buf.f_namelen = st->f_namelen;
 		buf.f_frsize = st->f_frsize;
 		buf.f_flags = st->f_flags;
-		memset(buf.f_spare, 0, sizeof(buf.f_spare));
 	}
 	if (copy_to_user(p, &buf, sizeof(buf)))
 		return -EFAULT;
@@ -171,6 +171,7 @@ static int do_statfs64(struct kstatfs *s
 	if (sizeof(buf) == sizeof(*st))
 		memcpy(&buf, st, sizeof(*st));
 	else {
+		memset(&buf, 0, sizeof(buf));
 		buf.f_type = st->f_type;
 		buf.f_bsize = st->f_bsize;
 		buf.f_blocks = st->f_blocks;
@@ -182,7 +183,6 @@ static int do_statfs64(struct kstatfs *s
 		buf.f_namelen = st->f_namelen;
 		buf.f_frsize = st->f_frsize;
 		buf.f_flags = st->f_flags;
-		memset(buf.f_spare, 0, sizeof(buf.f_spare));
 	}
 	if (copy_to_user(p, &buf, sizeof(buf)))
 		return -EFAULT;




* [PATCH 5.10 144/211] serial: Add support for Advantech PCI-1611U card
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (142 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 143/211] statfs: enforce statfs[64] structure initialization Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 145/211] vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF Greg Kroah-Hartman
                   ` (72 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Vitaliy Tomin, stable

From: Vitaliy Tomin <tomin@iszf.irk.ru>

commit d2b00516de0e1d696724247098f6733a6ea53908 upstream.

Add support for Advantech PCI-1611U card

Advantech provides open-source drivers for this and many other cards,
based on a legacy copy of the 8250_pci driver called adv950.

https://www.advantech.com/emt/support/details/driver?id=1-TDOIMJ

It is hard to maintain to run as an out-of-tree module on newer kernels.
Just adding the PCI ID to the kernel's 8250_pci works perfectly.

Signed-off-by: Vitaliy Tomin <tomin@iszf.irk.ru>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/20230423034512.2671157-1-tomin@iszf.irk.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/serial/8250/8250_pci.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/tty/serial/8250/8250_pci.c
+++ b/drivers/tty/serial/8250/8250_pci.c
@@ -1839,6 +1839,8 @@ pci_moxa_setup(struct serial_private *pr
 #define PCI_SUBDEVICE_ID_SIIG_DUAL_30	0x2530
 #define PCI_VENDOR_ID_ADVANTECH		0x13fe
 #define PCI_DEVICE_ID_INTEL_CE4100_UART 0x2e66
+#define PCI_DEVICE_ID_ADVANTECH_PCI1600	0x1600
+#define PCI_DEVICE_ID_ADVANTECH_PCI1600_1611	0x1611
 #define PCI_DEVICE_ID_ADVANTECH_PCI3620	0x3620
 #define PCI_DEVICE_ID_ADVANTECH_PCI3618	0x3618
 #define PCI_DEVICE_ID_ADVANTECH_PCIf618	0xf618
@@ -4185,6 +4187,9 @@ static SIMPLE_DEV_PM_OPS(pciserial_pm_op
 			 pciserial_resume_one);
 
 static const struct pci_device_id serial_pci_tbl[] = {
+	{	PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI1600,
+		PCI_DEVICE_ID_ADVANTECH_PCI1600_1611, PCI_ANY_ID, 0, 0,
+		pbn_b0_4_921600 },
 	/* Advantech use PCI_DEVICE_ID_ADVANTECH_PCI3620 (0x3620) as 'PCI_SUBVENDOR_ID' */
 	{	PCI_VENDOR_ID_ADVANTECH, PCI_DEVICE_ID_ADVANTECH_PCI3620,
 		PCI_DEVICE_ID_ADVANTECH_PCI3620, 0x0001, 0, 0,
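
Review bot: the new serial_pci_tbl[] entry puts
PCI_DEVICE_ID_ADVANTECH_PCI1600_1611 in the subvendor slot and
PCI_ANY_ID in the subdevice slot, but it is inserted above the existing
comment that explains Advantech's use of a device ID as
'PCI_SUBVENDOR_ID', so on its own the entry reads as a mistake. Move it
below that comment or give it its own, and say in the changelog where
the pbn_b0_4_921600 choice (port count and base baud) comes from, since
the message only says that adding the ID works.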




* [PATCH 5.10 145/211] vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (143 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 144/211] serial: Add support for Advantech PCI-1611U card Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 146/211] ceph: force updating the msg pointer in non-split case Greg Kroah-Hartman
                   ` (71 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, syzkaller, George Kennedy,
	Thomas Weißschuh

From: George Kennedy <george.kennedy@oracle.com>

commit 8fb9ea65c9d1338b0d2bb0a9122dc942cdd32357 upstream.

After a call to console_unlock() in vcs_write() the vc_data struct can be
freed by vc_port_destruct(). Because of that, the struct vc_data pointer
must be reloaded in the while loop in vcs_write() after console_lock() to
avoid a UAF when vcs_size() is called.

Syzkaller reported a UAF in vcs_size().

BUG: KASAN: slab-use-after-free in vcs_size (drivers/tty/vt/vc_screen.c:215)
Read of size 4 at addr ffff8880beab89a8 by task repro_vcs_size/4119

Call Trace:
 <TASK>
__asan_report_load4_noabort (mm/kasan/report_generic.c:380)
vcs_size (drivers/tty/vt/vc_screen.c:215)
vcs_write (drivers/tty/vt/vc_screen.c:664)
vfs_write (fs/read_write.c:582 fs/read_write.c:564)
...
 <TASK>

Allocated by task 1213:
kmalloc_trace (mm/slab_common.c:1064)
vc_allocate (./include/linux/slab.h:559 ./include/linux/slab.h:680
    drivers/tty/vt/vt.c:1078 drivers/tty/vt/vt.c:1058)
con_install (drivers/tty/vt/vt.c:3334)
tty_init_dev (drivers/tty/tty_io.c:1303 drivers/tty/tty_io.c:1415
    drivers/tty/tty_io.c:1392)
tty_open (drivers/tty/tty_io.c:2082 drivers/tty/tty_io.c:2128)
chrdev_open (fs/char_dev.c:415)
do_dentry_open (fs/open.c:921)
vfs_open (fs/open.c:1052)
...

Freed by task 4116:
kfree (mm/slab_common.c:1016)
vc_port_destruct (drivers/tty/vt/vt.c:1044)
tty_port_destructor (drivers/tty/tty_port.c:296)
tty_port_put (drivers/tty/tty_port.c:312)
vt_disallocate_all (drivers/tty/vt/vt_ioctl.c:662 (discriminator 2))
vt_ioctl (drivers/tty/vt/vt_ioctl.c:903)
tty_ioctl (drivers/tty/tty_io.c:2778)
...

The buggy address belongs to the object at ffff8880beab8800
 which belongs to the cache kmalloc-1k of size 1024
The buggy address is located 424 bytes inside of
 freed 1024-byte region [ffff8880beab8800, ffff8880beab8c00)

The buggy address belongs to the physical page:
page:00000000afc77580 refcount:1 mapcount:0 mapping:0000000000000000
    index:0x0 pfn:0xbeab8
head:00000000afc77580 order:3 entire_mapcount:0 nr_pages_mapped:0
    pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
page_type: 0xffffffff()
raw: 000fffffc0010200 ffff888100042dc0 ffffea000426de00 dead000000000002
raw: 0000000000000000 0000000000100010 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff8880beab8880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880beab8900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff8880beab8980: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                  ^
 ffff8880beab8a00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff8880beab8a80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Disabling lock debugging due to kernel taint

Fixes: ac751efa6a0d ("console: rename acquire/release_console_sem() to console_lock/unlock()")
Cc: stable <stable@kernel.org>
Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
Reviewed-by: Thomas Weißschuh <linux@weissschuh.net>
Link: https://lore.kernel.org/r/1683889728-10411-1-git-send-email-george.kennedy@oracle.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/tty/vt/vc_screen.c |   11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

--- a/drivers/tty/vt/vc_screen.c
+++ b/drivers/tty/vt/vc_screen.c
@@ -656,10 +656,17 @@ vcs_write(struct file *file, const char
 			}
 		}
 
-		/* The vcs_size might have changed while we slept to grab
-		 * the user buffer, so recheck.
+		/* The vc might have been freed or vcs_size might have changed
+		 * while we slept to grab the user buffer, so recheck.
 		 * Return data written up to now on failure.
 		 */
+		vc = vcs_vc(inode, &viewed);
+		if (!vc) {
+			if (written)
+				break;
+			ret = -ENXIO;
+			goto unlock_out;
+		}
 		size = vcs_size(vc, attr, false);
 		if (size < 0) {
 			if (written)
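
Review bot: the reload covers vc itself, but anything computed from the
old vc before the sleep lies outside this hunk, so it is not visible
here whether vcs_write() carries other state derived from the freed
struct across the console_unlock()/console_lock() window; worth
confirming that vc and size are the only such values. The new !vc block
also repeats the "if (written) break;" shape of the size < 0 check just
below it, and a short comment on why -ENXIO is the error returned here
would help.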




* [PATCH 5.10 146/211] ceph: force updating the msg pointer in non-split case
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (144 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 145/211] vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 147/211] tpm/tpm_tis: Disable interrupts for more Lenovo devices Greg Kroah-Hartman
                   ` (70 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Frank Schilder, Xiubo Li, Ilya Dryomov

From: Xiubo Li <xiubli@redhat.com>

commit 4cafd0400bcb6187c0d4ab4d4b0229a89ac4f8c2 upstream.

When the MClientSnap request's op is not CEPH_SNAP_OP_SPLIT the
request may still contain a list of 'split_realms', and we need
to skip it anyway. Or it will be parsed as a corrupt snaptrace.

Cc: stable@vger.kernel.org
Link: https://tracker.ceph.com/issues/61200
Reported-by: Frank Schilder <frans@dtu.dk>
Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ceph/snap.c |   13 +++++++++++++
 1 file changed, 13 insertions(+)

--- a/fs/ceph/snap.c
+++ b/fs/ceph/snap.c
@@ -1008,6 +1008,19 @@ skip_inode:
 				continue;
 			adjust_snap_realm_parent(mdsc, child, realm->ino);
 		}
+	} else {
+		/*
+		 * In the non-split case both 'num_split_inos' and
+		 * 'num_split_realms' should be 0, making this a no-op.
+		 * However the MDS happens to populate 'split_realms' list
+		 * in one of the UPDATE op cases by mistake.
+		 *
+		 * Skip both lists just in case to ensure that 'p' is
+		 * positioned at the start of realm info, as expected by
+		 * ceph_update_snap_trace().
+		 */
+		p += sizeof(u64) * num_split_inos;
+		p += sizeof(u64) * num_split_realms;
 	}
 
 	/*
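
Review bot: the new else branch advances p by
sizeof(u64) * num_split_inos and then sizeof(u64) * num_split_realms
with no visible check that the result still lies inside the message.
The comment itself says the MDS can populate 'split_realms'
unexpectedly, so both counts are peer-supplied; bound the skip against
the end of the buffer and treat an overrun as a corrupt message before
moving p, or, if that check already happens above this hunk, say so in
the comment.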




* [PATCH 5.10 147/211] tpm/tpm_tis: Disable interrupts for more Lenovo devices
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (145 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 146/211] ceph: force updating the msg pointer in non-split case Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 148/211] powerpc/64s/radix: Fix soft dirty tracking Greg Kroah-Hartman
                   ` (69 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jerry Snitselaar, Jarkko Sakkinen,
	Peter Zijlstra

From: Jerry Snitselaar <jsnitsel@redhat.com>

commit e7d3e5c4b1dd50a70b31524c3228c62bb41bbab2 upstream.

The P360 Tiny suffers from an irq storm issue like the T490s, so add
an entry for it to tpm_tis_dmi_table, and force polling. There also
previously was a report from the previous attempt to enable interrupts
that involved a ThinkPad L490. So an entry is added for it as well.

Cc: stable@vger.kernel.org
Reported-by: Peter Zijlstra <peterz@infradead.org> # P360 Tiny
Closes: https://lore.kernel.org/linux-integrity/20230505130731.GO83892@hirez.programming.kicks-ass.net/
Signed-off-by: Jerry Snitselaar <jsnitsel@redhat.com>
Signed-off-by: Jarkko Sakkinen <jarkko@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/char/tpm/tpm_tis.c |   16 ++++++++++++++++
 1 file changed, 16 insertions(+)

--- a/drivers/char/tpm/tpm_tis.c
+++ b/drivers/char/tpm/tpm_tis.c
@@ -83,6 +83,22 @@ static const struct dmi_system_id tpm_ti
 			DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad T490s"),
 		},
 	},
+	{
+		.callback = tpm_tis_disable_irq,
+		.ident = "ThinkStation P360 Tiny",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkStation P360 Tiny"),
+		},
+	},
+	{
+		.callback = tpm_tis_disable_irq,
+		.ident = "ThinkPad L490",
+		.matches = {
+			DMI_MATCH(DMI_SYS_VENDOR, "LENOVO"),
+			DMI_MATCH(DMI_PRODUCT_VERSION, "ThinkPad L490"),
+		},
+	},
 	{}
 };
 
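
Review bot: both new entries use DMI_MATCH() on DMI_PRODUCT_VERSION,
which is a substring match, so "ThinkPad L490" also forces polling on
any model whose version string merely contains it. If only these exact
models are meant, DMI_EXACT_MATCH() states that; if the wider match is
intended, say so in the changelog. The L490 entry also has no
Reported-by or Link, unlike the P360 Tiny one.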




* [PATCH 5.10 148/211] powerpc/64s/radix: Fix soft dirty tracking
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (146 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 147/211] tpm/tpm_tis: Disable interrupts for more Lenovo devices Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 149/211] nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode() Greg Kroah-Hartman
                   ` (68 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Horák, Michael Ellerman

From: Michael Ellerman <mpe@ellerman.id.au>

commit 66b2ca086210732954a7790d63d35542936fc664 upstream.

It was reported that soft dirty tracking doesn't work when using the
Radix MMU.

The tracking is supposed to work by clearing the soft dirty bit for a
mapping and then write protecting the PTE. If/when the page is written
to, a page fault occurs and the soft dirty bit is added back via
pte_mkdirty(). For example in wp_page_reuse():

	entry = maybe_mkwrite(pte_mkdirty(entry), vma);
	if (ptep_set_access_flags(vma, vmf->address, vmf->pte, entry, 1))
		update_mmu_cache(vma, vmf->address, vmf->pte);

Unfortunately on radix _PAGE_SOFTDIRTY is being dropped by
radix__ptep_set_access_flags(), called from ptep_set_access_flags(),
meaning the soft dirty bit is not set even though the page has been
written to.

Fix it by adding _PAGE_SOFTDIRTY to the set of bits that are able to be
changed in radix__ptep_set_access_flags().

Fixes: b0b5e9b13047 ("powerpc/mm/radix: Add radix pte #defines")
Cc: stable@vger.kernel.org # v4.7+
Reported-by: Dan Horák <dan@danny.cz>
Link: https://lore.kernel.org/r/20230511095558.56663a50f86bdc4cd97700b7@danny.cz
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20230511114224.977423-1-mpe@ellerman.id.au
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/powerpc/mm/book3s64/radix_pgtable.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/powerpc/mm/book3s64/radix_pgtable.c
+++ b/arch/powerpc/mm/book3s64/radix_pgtable.c
@@ -1064,8 +1064,8 @@ void radix__ptep_set_access_flags(struct
 				  pte_t entry, unsigned long address, int psize)
 {
 	struct mm_struct *mm = vma->vm_mm;
-	unsigned long set = pte_val(entry) & (_PAGE_DIRTY | _PAGE_ACCESSED |
-					      _PAGE_RW | _PAGE_EXEC);
+	unsigned long set = pte_val(entry) & (_PAGE_DIRTY | _PAGE_SOFT_DIRTY |
+					      _PAGE_ACCESSED | _PAGE_RW | _PAGE_EXEC);
 
 	unsigned long change = pte_val(entry) ^ pte_val(*ptep);
 	/*
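
Review bot: the changelog names the bit _PAGE_SOFTDIRTY, while the mask
in radix__ptep_set_access_flags() now adds _PAGE_SOFT_DIRTY; use the
real symbol in the message so a grep for it finds this commit. A short
comment above 'set' saying that this is the list of bits the function
is allowed to change would make the next omission easier to spot.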




* [PATCH 5.10 149/211] nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (147 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 148/211] powerpc/64s/radix: Fix soft dirty tracking Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 150/211] HID: wacom: Force pen out of prox if no events have been received in a while Greg Kroah-Hartman
                   ` (67 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ryusuke Konishi,
	syzbot+78d4495558999f55d1da, Andrew Morton

From: Ryusuke Konishi <konishi.ryusuke@gmail.com>

commit 9b5a04ac3ad9898c4745cba46ea26de74ba56a8e upstream.

During unmount process of nilfs2, nothing holds nilfs_root structure after
nilfs2 detaches its writer in nilfs_detach_log_writer().  However, since
nilfs_evict_inode() uses nilfs_root for some cleanup operations, it may
cause use-after-free read if inodes are left in "garbage_list" and
released by nilfs_dispose_list() at the end of nilfs_detach_log_writer().

Fix this issue by modifying nilfs_evict_inode() to only clear inode
without additional metadata changes that use nilfs_root if the file system
is degraded to read-only or the writer is detached.

Link: https://lkml.kernel.org/r/20230509152956.8313-1-konishi.ryusuke@gmail.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: syzbot+78d4495558999f55d1da@syzkaller.appspotmail.com
Closes: https://lkml.kernel.org/r/00000000000099e5ac05fb1c3b85@google.com
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/nilfs2/inode.c |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

--- a/fs/nilfs2/inode.c
+++ b/fs/nilfs2/inode.c
@@ -921,6 +921,7 @@ void nilfs_evict_inode(struct inode *ino
 	struct nilfs_transaction_info ti;
 	struct super_block *sb = inode->i_sb;
 	struct nilfs_inode_info *ii = NILFS_I(inode);
+	struct the_nilfs *nilfs;
 	int ret;
 
 	if (inode->i_nlink || !ii->i_root || unlikely(is_bad_inode(inode))) {
@@ -933,6 +934,23 @@ void nilfs_evict_inode(struct inode *ino
 
 	truncate_inode_pages_final(&inode->i_data);
 
+	nilfs = sb->s_fs_info;
+	if (unlikely(sb_rdonly(sb) || !nilfs->ns_writer)) {
+		/*
+		 * If this inode is about to be disposed after the file system
+		 * has been degraded to read-only due to file system corruption
+		 * or after the writer has been detached, do not make any
+		 * changes that cause writes, just clear it.
+		 * Do this check after read-locking ns_segctor_sem by
+		 * nilfs_transaction_begin() in order to avoid a race with
+		 * the writer detach operation.
+		 */
+		clear_inode(inode);
+		nilfs_clear_inode(inode);
+		nilfs_transaction_abort(sb);
+		return;
+	}
+
 	/* TODO: some of the following operations may fail.  */
 	nilfs_truncate_bmap(ii, 0);
 	nilfs_mark_inode_dirty(inode);
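
Review bot: the early-return path calls nilfs_transaction_abort(sb),
and its comment relies on ns_segctor_sem being read-locked by
nilfs_transaction_begin(), but that call is not in the visible context,
which shows only truncate_inode_pages_final() before the new block.
Make the pairing explicit in the comment (where the transaction is
begun) so a later reorder of nilfs_evict_inode() does not move the
sb_rdonly()/ns_writer check outside the lock.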




* [PATCH 5.10 150/211] HID: wacom: Force pen out of prox if no events have been received in a while
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (148 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 149/211] nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode() Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 151/211] HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs Greg Kroah-Hartman
                   ` (66 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jason Gerecke, Jiri Kosina, Ping Cheng

From: Jason Gerecke <killertofu@gmail.com>

commit 94b179052f95c294d83e9c9c34f7833cf3cd4305 upstream.

Prox-out events may not be reliably sent by some AES firmware. This can
cause problems for users, particularly due to arbitration logic disabling
touch input while the pen is in prox.

This commit adds a timer which is reset every time a new prox event is
received. When the timer expires we check to see if the pen is still in
prox and force it out if necessary. This is patterned off of the same
solution used by 'hid-letsketch' driver which has a similar problem.

Link: https://github.com/linuxwacom/input-wacom/issues/310
Signed-off-by: Jason Gerecke <jason.gerecke@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Cc: Ping Cheng <pinglinux@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/wacom.h     |    3 +++
 drivers/hid/wacom_sys.c |    2 ++
 drivers/hid/wacom_wac.c |   39 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 44 insertions(+)

--- a/drivers/hid/wacom.h
+++ b/drivers/hid/wacom.h
@@ -91,6 +91,7 @@
 #include <linux/leds.h>
 #include <linux/usb/input.h>
 #include <linux/power_supply.h>
+#include <linux/timer.h>
 #include <asm/unaligned.h>
 
 /*
@@ -167,6 +168,7 @@ struct wacom {
 	struct delayed_work init_work;
 	struct wacom_remote *remote;
 	struct work_struct mode_change_work;
+	struct timer_list idleprox_timer;
 	bool generic_has_leds;
 	struct wacom_leds {
 		struct wacom_group_leds *groups;
@@ -239,4 +241,5 @@ struct wacom_led *wacom_led_find(struct
 struct wacom_led *wacom_led_next(struct wacom *wacom, struct wacom_led *cur);
 int wacom_equivalent_usage(int usage);
 int wacom_initialize_leds(struct wacom *wacom);
+void wacom_idleprox_timeout(struct timer_list *list);
 #endif
--- a/drivers/hid/wacom_sys.c
+++ b/drivers/hid/wacom_sys.c
@@ -2781,6 +2781,7 @@ static int wacom_probe(struct hid_device
 	INIT_WORK(&wacom->battery_work, wacom_battery_work);
 	INIT_WORK(&wacom->remote_work, wacom_remote_work);
 	INIT_WORK(&wacom->mode_change_work, wacom_mode_change_work);
+	timer_setup(&wacom->idleprox_timer, &wacom_idleprox_timeout, TIMER_DEFERRABLE);
 
 	/* ask for the report descriptor to be loaded by HID */
 	error = hid_parse(hdev);
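
Review bot: timer_setup() is given TIMER_DEFERRABLE, yet the timer is
armed for 100 ms in wacom_wac_pen_event() and exists to release the
touch arbitration described in the changelog; a deferrable timer does
not wake an idle CPU, so the forced prox-out can arrive much later than
100 ms. Drop the flag or document that the extra delay is acceptable.
The '&' in &wacom_idleprox_timeout is also unnecessary.
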
@@ -2825,6 +2826,7 @@ static void wacom_remove(struct hid_devi
 	cancel_work_sync(&wacom->battery_work);
 	cancel_work_sync(&wacom->remote_work);
 	cancel_work_sync(&wacom->mode_change_work);
+	del_timer_sync(&wacom->idleprox_timer);
 	if (hdev->bus == BUS_BLUETOOTH)
 		device_remove_file(&hdev->dev, &dev_attr_speed);
 
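
Review bot: del_timer_sync() in wacom_remove() only helps if nothing
can call mod_timer() afterwards; this hunk does not show the HID
hardware being stopped before this point, and wacom_wac_pen_event()
re-arms the timer on every HID_DG_INRANGE report. If reports can still
arrive here, the callback can run after teardown and touch
wacom_wac->pen_input. Move the del_timer_sync() to after the point
where events are stopped, or say in a comment why that is already
guaranteed.
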
--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -11,6 +11,7 @@
 #include "wacom_wac.h"
 #include "wacom.h"
 #include <linux/input/mt.h>
+#include <linux/jiffies.h>
 
 /* resolution for penabled devices */
 #define WACOM_PL_RES		20
@@ -41,6 +42,43 @@ static int wacom_numbered_button_to_key(
 
 static void wacom_update_led(struct wacom *wacom, int button_count, int mask,
 			     int group);
+
+static void wacom_force_proxout(struct wacom_wac *wacom_wac)
+{
+	struct input_dev *input = wacom_wac->pen_input;
+
+	wacom_wac->shared->stylus_in_proximity = 0;
+
+	input_report_key(input, BTN_TOUCH, 0);
+	input_report_key(input, BTN_STYLUS, 0);
+	input_report_key(input, BTN_STYLUS2, 0);
+	input_report_key(input, BTN_STYLUS3, 0);
+	input_report_key(input, wacom_wac->tool[0], 0);
+	if (wacom_wac->serial[0]) {
+		input_report_abs(input, ABS_MISC, 0);
+	}
+	input_report_abs(input, ABS_PRESSURE, 0);
+
+	wacom_wac->tool[0] = 0;
+	wacom_wac->id[0] = 0;
+	wacom_wac->serial[0] = 0;
+
+	input_sync(input);
+}
+
+void wacom_idleprox_timeout(struct timer_list *list)
+{
+	struct wacom *wacom = from_timer(wacom, list, idleprox_timer);
+	struct wacom_wac *wacom_wac = &wacom->wacom_wac;
+
+	if (!wacom_wac->hid_data.sense_state) {
+		return;
+	}
+
+	hid_warn(wacom->hdev, "%s: tool appears to be hung in-prox. forcing it out.\n", __func__);
+	wacom_force_proxout(wacom_wac);
+}
+
 /*
  * Percent of battery capacity for Graphire.
  * 8th value means AC online and show 100% capacity.
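
Review bot: wacom_force_proxout() dereferences wacom_wac->pen_input and
wacom_wac->shared unconditionally, and it runs from timer context with
no visible locking against the report path that also updates tool[0],
id[0] and serial[0]. Check both pointers before use and state what
serialises this against wacom_wac_pen_event(). Style: the
single-statement if bodies here and in wacom_idleprox_timeout() do not
need braces.
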
@@ -2328,6 +2366,7 @@ static void wacom_wac_pen_event(struct h
 		value = field->logical_maximum - value;
 		break;
 	case HID_DG_INRANGE:
+		mod_timer(&wacom->idleprox_timer, jiffies + msecs_to_jiffies(100));
 		wacom_wac->hid_data.inrange_state = value;
 		if (!(features->quirks & WACOM_QUIRK_SENSE))
 			wacom_wac->hid_data.sense_state = value;
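
Review bot: mod_timer() is called for every HID_DG_INRANGE report
before value is looked at, so a genuine prox-out (value == 0) arms the
timer too, and the 100 is an unexplained magic number. Arm the timer
only when value is non-zero and give the timeout a named constant with
a note on how 100 ms was chosen.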




* [PATCH 5.10 151/211] HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (149 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 150/211] HID: wacom: Force pen out of prox if no events have been received in a while Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 152/211] HID: wacom: add three styli to wacom_intuos_get_tool_type Greg Kroah-Hartman
                   ` (65 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Ping Cheng, Aaron Armstrong Skomra,
	Jiri Kosina, Ping Cheng

From: Ping Cheng <pinglinux@gmail.com>

commit 0627f3df95e1609693f89e7ceb4156ac5db6e358 upstream.

Add the new PIDs to wacom_wac.c to support the new model in the Intuos Pro series.

Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
Tested-by: Aaron Armstrong Skomra <aaron.skomra@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Cc: Ping Cheng <pinglinux@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/wacom_wac.c |    5 +++++
 1 file changed, 5 insertions(+)

--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -4840,6 +4840,10 @@ static const struct wacom_features wacom
 static const struct wacom_features wacom_features_0x3c8 =
 	{ "Wacom Intuos BT M", 21600, 13500, 4095, 63,
 	  INTUOSHT3_BT, WACOM_INTUOS_RES, WACOM_INTUOS_RES, 4 };
+static const struct wacom_features wacom_features_0x3dd =
+	{ "Wacom Intuos Pro S", 31920, 19950, 8191, 63,
+	  INTUOSP2S_BT, WACOM_INTUOS3_RES, WACOM_INTUOS3_RES, 7,
+	  .touch_max = 10 };
 
 static const struct wacom_features wacom_features_HID_ANY_ID =
 	{ "Wacom HID", .type = HID_GENERIC, .oVid = HID_ANY_ID, .oPid = HID_ANY_ID };
@@ -5019,6 +5023,7 @@ const struct hid_device_id wacom_ids[] =
 	{ BT_DEVICE_WACOM(0x393) },
 	{ BT_DEVICE_WACOM(0x3c6) },
 	{ BT_DEVICE_WACOM(0x3c8) },
+	{ BT_DEVICE_WACOM(0x3dd) },
 	{ USB_DEVICE_WACOM(0x4001) },
 	{ USB_DEVICE_WACOM(0x4004) },
 	{ USB_DEVICE_WACOM(0x5000) },
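
Review bot: the changelog says "new PIDs" but the only table entry
added is BT_DEVICE_WACOM(0x3dd), and wacom_features_0x3dd is typed
INTUOSP2S_BT. If the model also has a new USB product ID, the matching
USB_DEVICE_WACOM() line is missing; if Bluetooth is the only new ID,
the message should say so.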




* [PATCH 5.10 152/211] HID: wacom: add three styli to wacom_intuos_get_tool_type
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (150 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 151/211] HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 153/211] KVM: arm64: Link position-independent string routines into .hyp.text Greg Kroah-Hartman
                   ` (64 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Ping Cheng, Jiri Kosina

From: Ping Cheng <pinglinux@gmail.com>

commit bfdc750c4cb2f3461b9b00a2755e2145ac195c9a upstream.

We forgot to add the 3D pen ID a year ago. There are two new pro pen
IDs to be added.

Signed-off-by: Ping Cheng <ping.cheng@wacom.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hid/wacom_wac.c |    3 +++
 1 file changed, 3 insertions(+)

--- a/drivers/hid/wacom_wac.c
+++ b/drivers/hid/wacom_wac.c
@@ -713,11 +713,14 @@ static int wacom_intuos_get_tool_type(in
 	case 0x802: /* Intuos4/5 13HD/24HD General Pen */
 	case 0x8e2: /* IntuosHT2 pen */
 	case 0x022:
+	case 0x200: /* Pro Pen 3 */
+	case 0x04200: /* Pro Pen 3 */
 	case 0x10842: /* MobileStudio Pro Pro Pen slim */
 	case 0x14802: /* Intuos4/5 13HD/24HD Classic Pen */
 	case 0x16802: /* Cintiq 13HD Pro Pen */
 	case 0x18802: /* DTH2242 Pen */
 	case 0x10802: /* Intuos4/5 13HD/24HD General Pen */
+	case 0x80842: /* Intuos Pro and Cintiq Pro 3D Pen */
 		tool_type = BTN_TOOL_PEN;
 		break;
 
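
Review bot: 'case 0x200' and 'case 0x04200' carry the identical comment
"Pro Pen 3", so a reader cannot tell the two IDs apart, and 0x04200 is
written with a leading zero unlike the other labels in this switch.
Distinguish the two in their comments and write 0x4200.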




* [PATCH 5.10 153/211] KVM: arm64: Link position-independent string routines into .hyp.text
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (151 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 152/211] HID: wacom: add three styli to wacom_intuos_get_tool_type Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 154/211] serial: 8250_exar: derive nr_ports from PCI ID for Acces I/O cards Greg Kroah-Hartman
                   ` (63 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Will Deacon, Quentin Perret,
	Marc Zyngier, Sudip Mukherjee

From: Will Deacon <will@kernel.org>

commit 7b4a7b5e6fefd15f708f959dd43e188444e252ec upstream

Pull clear_page(), copy_page(), memcpy() and memset() into the nVHE hyp
code and ensure that we always execute the '__pi_' entry point on the
off chance that it changes in future.

[ qperret: Commit title nits and added linker script alias ]

Signed-off-by: Will Deacon <will@kernel.org>
Signed-off-by: Quentin Perret <qperret@google.com>
Signed-off-by: Marc Zyngier <maz@kernel.org>
Link: https://lore.kernel.org/r/20210319100146.1149909-3-qperret@google.com
[sudip: adjust context]
Signed-off-by: Sudip Mukherjee <sudipm.mukherjee@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/include/asm/hyp_image.h |    3 +++
 arch/arm64/kernel/image-vars.h     |   11 +++++++++++
 arch/arm64/kvm/hyp/nvhe/Makefile   |    4 ++++
 3 files changed, 18 insertions(+)

--- a/arch/arm64/include/asm/hyp_image.h
+++ b/arch/arm64/include/asm/hyp_image.h
@@ -31,6 +31,9 @@
  */
 #define KVM_NVHE_ALIAS(sym)	kvm_nvhe_sym(sym) = sym;
 
+/* Defines a linker script alias for KVM nVHE hyp symbols */
+#define KVM_NVHE_ALIAS_HYP(first, sec)	kvm_nvhe_sym(first) = kvm_nvhe_sym(sec);
+
 #endif /* LINKER_SCRIPT */
 
 #endif /* __ARM64_HYP_IMAGE_H__ */
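
Review bot: the parameter names in KVM_NVHE_ALIAS_HYP(first, sec) do
not say which is the new name and which is the existing symbol; you
have to read the expansion kvm_nvhe_sym(first) = kvm_nvhe_sym(sec) to
find out. Name them after their roles, for example (alias, sym), and
extend the one-line comment to say that both sides get the hyp prefix,
unlike KVM_NVHE_ALIAS().
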
--- a/arch/arm64/kernel/image-vars.h
+++ b/arch/arm64/kernel/image-vars.h
@@ -103,6 +103,17 @@ KVM_NVHE_ALIAS(gic_nonsecure_priorities)
 KVM_NVHE_ALIAS(__start___kvm_ex_table);
 KVM_NVHE_ALIAS(__stop___kvm_ex_table);
 
+/* Position-independent library routines */
+KVM_NVHE_ALIAS_HYP(clear_page, __pi_clear_page);
+KVM_NVHE_ALIAS_HYP(copy_page, __pi_copy_page);
+KVM_NVHE_ALIAS_HYP(memcpy, __pi_memcpy);
+KVM_NVHE_ALIAS_HYP(memset, __pi_memset);
+
+#ifdef CONFIG_KASAN
+KVM_NVHE_ALIAS_HYP(__memcpy, __pi_memcpy);
+KVM_NVHE_ALIAS_HYP(__memset, __pi_memset);
+#endif
+
 #endif /* CONFIG_KVM */
 
 #endif /* __ARM64_KERNEL_IMAGE_VARS_H */
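
Review bot: the CONFIG_KASAN block aliases __memcpy and __memset to the
same __pi_ routines as memcpy and memset without saying why the
double-underscore names are needed in hyp code only under KASAN. Add a
comment explaining which callers reference them, so the block is not
removed as redundant later.
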
--- a/arch/arm64/kvm/hyp/nvhe/Makefile
+++ b/arch/arm64/kvm/hyp/nvhe/Makefile
@@ -6,9 +6,13 @@
 asflags-y := -D__KVM_NVHE_HYPERVISOR__
 ccflags-y := -D__KVM_NVHE_HYPERVISOR__
 
+lib-objs := clear_page.o copy_page.o memcpy.o memset.o
+lib-objs := $(addprefix ../../../lib/, $(lib-objs))
+
 obj-y := timer-sr.o sysreg-sr.o debug-sr.o switch.o tlb.o hyp-init.o host.o hyp-main.o
 obj-y += ../vgic-v3-sr.o ../aarch32.o ../vgic-v2-cpuif-proxy.o ../entry.o \
 	 ../fpsimd.o ../hyp-entry.o
+obj-y += $(lib-objs)
 
 ##
 ## Build rules for compiling nVHE hyp code




* [PATCH 5.10 154/211] serial: 8250_exar: derive nr_ports from PCI ID for Acces I/O cards
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (152 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 153/211] KVM: arm64: Link position-independent string routines into .hyp.text Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 155/211] serial: exar: Add support for Sealevel 7xxxC serial cards Greg Kroah-Hartman
                   ` (62 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Sasha Levin

From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>

[ Upstream commit 8e4413aaf6a2e3a46e99a0718ca54c0cf8609cb2 ]

In a similar way to how it's done in 8250_pericom, derive the number of
UART ports from the PCI ID for Acces I/O cards.

Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20220127180608.71509-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 95d698869b40 ("serial: 8250_exar: Add support for USR298x PCI Modems")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/8250/8250_exar.c | 37 ++++++++++-------------------
 1 file changed, 13 insertions(+), 24 deletions(-)

diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
index 2d0e7c7e408dc..3d82902bfe5b9 100644
--- a/drivers/tty/serial/8250/8250_exar.c
+++ b/drivers/tty/serial/8250/8250_exar.c
@@ -596,7 +596,12 @@ exar_pci_probe(struct pci_dev *pcidev, const struct pci_device_id *ent)
 
 	maxnr = pci_resource_len(pcidev, bar) >> (board->reg_shift + 3);
 
-	nr_ports = board->num_ports ? board->num_ports : pcidev->device & 0x0f;
+	if (pcidev->vendor == PCI_VENDOR_ID_ACCESSIO)
+		nr_ports = BIT(((pcidev->device & 0x38) >> 3) - 1);
+	else if (board->num_ports)
+		nr_ports = board->num_ports;
+	else
+		nr_ports = pcidev->device & 0x0f;
 
 	priv = devm_kzalloc(&pcidev->dev, struct_size(priv, line, nr_ports), GFP_KERNEL);
 	if (!priv)
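Review bot: In the new PCI_VENDOR_ID_ACCESSIO branch, `BIT(((pcidev->device & 0x38) >> 3) - 1)` has no guard for a device ID whose bits 5:3 are zero: the shift count becomes -1, which is undefined, and the result is passed straight into `struct_size(priv, line, nr_ports)`. The match table limits which IDs reach this code, but that dependency is implicit. Please add a comment describing the encoding (a field value n yields 2^(n-1) ports) and reject a zero field before the shift. The vendor test also now takes precedence over `board->num_ports`, which is worth stating in the commit message.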
@@ -695,22 +700,6 @@ static int __maybe_unused exar_resume(struct device *dev)
 
 static SIMPLE_DEV_PM_OPS(exar_pci_pm, exar_suspend, exar_resume);
 
-static const struct exar8250_board acces_com_2x = {
-	.num_ports	= 2,
-	.setup		= pci_xr17c154_setup,
-};
-
-static const struct exar8250_board acces_com_4x = {
-	.num_ports	= 4,
-	.setup		= pci_xr17c154_setup,
-};
-
-static const struct exar8250_board acces_com_8x = {
-	.num_ports	= 8,
-	.setup		= pci_xr17c154_setup,
-};
-
-
 static const struct exar8250_board pbn_fastcom335_2 = {
 	.num_ports	= 2,
 	.setup		= pci_fastcom335_setup,
@@ -795,13 +784,13 @@ static const struct exar8250_board pbn_exar_XR17V8358 = {
 	}
 
 static const struct pci_device_id exar_pci_tbl[] = {
-	EXAR_DEVICE(ACCESSIO, COM_2S, acces_com_2x),
-	EXAR_DEVICE(ACCESSIO, COM_4S, acces_com_4x),
-	EXAR_DEVICE(ACCESSIO, COM_8S, acces_com_8x),
-	EXAR_DEVICE(ACCESSIO, COM232_8, acces_com_8x),
-	EXAR_DEVICE(ACCESSIO, COM_2SM, acces_com_2x),
-	EXAR_DEVICE(ACCESSIO, COM_4SM, acces_com_4x),
-	EXAR_DEVICE(ACCESSIO, COM_8SM, acces_com_8x),
+	EXAR_DEVICE(ACCESSIO, COM_2S, pbn_exar_XR17C15x),
+	EXAR_DEVICE(ACCESSIO, COM_4S, pbn_exar_XR17C15x),
+	EXAR_DEVICE(ACCESSIO, COM_8S, pbn_exar_XR17C15x),
+	EXAR_DEVICE(ACCESSIO, COM232_8, pbn_exar_XR17C15x),
+	EXAR_DEVICE(ACCESSIO, COM_2SM, pbn_exar_XR17C15x),
+	EXAR_DEVICE(ACCESSIO, COM_4SM, pbn_exar_XR17C15x),
+	EXAR_DEVICE(ACCESSIO, COM_8SM, pbn_exar_XR17C15x),
 
 	CONNECT_DEVICE(XR17C152, UART_2_232, pbn_connect),
 	CONNECT_DEVICE(XR17C154, UART_4_232, pbn_connect),
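Review bot: The seven ACCESSIO entries now share `pbn_exar_XR17C15x`, but the removed `acces_com_*` boards all set `.setup = pci_xr17c154_setup`, and the definition of `pbn_exar_XR17C15x` is outside this diff. Please state in the commit message that it uses the same setup callback, since the table change only preserves behaviour if it does.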
-- 
2.39.2





* [PATCH 5.10 155/211] serial: exar: Add support for Sealevel 7xxxC serial cards
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (153 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 154/211] serial: 8250_exar: derive nr_ports from PCI ID for Acces I/O cards Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 156/211] serial: 8250_exar: Add support for USR298x PCI Modems Greg Kroah-Hartman
                   ` (61 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Matthew Howell, stable, Sasha Levin

From: Matthew Howell <matthew.howell@sealevel.com>

[ Upstream commit 14ee78d5932afeb710c8305196a676a715bfdea8 ]

Add support for Sealevel 7xxxC serial cards.

This patch:
* Adds IDs to recognize 7xxxC cards from Sealevel Systems.
* Updates exar_pci_probe() to set nr_ports to last two bytes of primary
  dev ID for these cards.

Signed-off-by: Matthew Howell <matthew.howell@sealevel.com>
Cc: stable <stable@kernel.org>
Link: https://lore.kernel.org/r/alpine.DEB.2.21.2301191440010.22558@tstest-VirtualBox
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Stable-dep-of: 95d698869b40 ("serial: 8250_exar: Add support for USR298x PCI Modems")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/8250/8250_exar.c | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
index 3d82902bfe5b9..2c9f721091125 100644
--- a/drivers/tty/serial/8250/8250_exar.c
+++ b/drivers/tty/serial/8250/8250_exar.c
@@ -43,6 +43,12 @@
 #define PCI_DEVICE_ID_EXAR_XR17V4358		0x4358
 #define PCI_DEVICE_ID_EXAR_XR17V8358		0x8358
 
+#define PCI_DEVICE_ID_SEALEVEL_710xC		0x1001
+#define PCI_DEVICE_ID_SEALEVEL_720xC		0x1002
+#define PCI_DEVICE_ID_SEALEVEL_740xC		0x1004
+#define PCI_DEVICE_ID_SEALEVEL_780xC		0x1008
+#define PCI_DEVICE_ID_SEALEVEL_716xC		0x1010
+
 #define UART_EXAR_INT0		0x80
 #define UART_EXAR_8XMODE	0x88	/* 8X sampling rate select */
 #define UART_EXAR_SLEEP		0x8b	/* Sleep mode */
@@ -600,6 +606,8 @@ exar_pci_probe(struct pci_dev *pcidev, const struct pci_device_id *ent)
 		nr_ports = BIT(((pcidev->device & 0x38) >> 3) - 1);
 	else if (board->num_ports)
 		nr_ports = board->num_ports;
+	else if (pcidev->vendor == PCI_VENDOR_ID_SEALEVEL)
+		nr_ports = pcidev->device & 0xff;
 	else
 		nr_ports = pcidev->device & 0x0f;
 
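Review bot: The commit message says nr_ports is set to the "last two bytes" of the device ID, but `pcidev->device & 0xff` in the new `else if` keeps only the low byte (the last two hex digits), so 0x1010 for the 716xC gives 16. Please correct the wording and add a comment on this branch saying the low byte encodes the port count. This branch also sits after the `board->num_ports` test while the Acces I/O branch sits before it, so a Sealevel board entry with a non-zero `num_ports` would use the table value instead; a word on whether that ordering is intended would help.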
@@ -826,6 +834,12 @@ static const struct pci_device_id exar_pci_tbl[] = {
 	EXAR_DEVICE(COMMTECH, 4224PCI335, pbn_fastcom335_4),
 	EXAR_DEVICE(COMMTECH, 2324PCI335, pbn_fastcom335_4),
 	EXAR_DEVICE(COMMTECH, 2328PCI335, pbn_fastcom335_8),
+
+	EXAR_DEVICE(SEALEVEL, 710xC, pbn_exar_XR17V35x),
+	EXAR_DEVICE(SEALEVEL, 720xC, pbn_exar_XR17V35x),
+	EXAR_DEVICE(SEALEVEL, 740xC, pbn_exar_XR17V35x),
+	EXAR_DEVICE(SEALEVEL, 780xC, pbn_exar_XR17V35x),
+	EXAR_DEVICE(SEALEVEL, 716xC, pbn_exar_XR17V35x),
 	{ 0, }
 };
 MODULE_DEVICE_TABLE(pci, exar_pci_tbl);
-- 
2.39.2





* [PATCH 5.10 156/211] serial: 8250_exar: Add support for USR298x PCI Modems
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (154 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 155/211] serial: exar: Add support for Sealevel 7xxxC serial cards Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 157/211] s390/qdio: get rid of register asm Greg Kroah-Hartman
                   ` (60 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Andrew Davis, stable,
	Andy Shevchenko, Sasha Levin

From: Andrew Davis <afd@ti.com>

[ Upstream commit 95d698869b404772cc8b72560df71548491c10bc ]

Possibly the last PCI controller-based (i.e. not a soft/winmodem)
dial-up modem one can still buy.

Looks to have a stock XR17C154 PCI UART chip for communication, but for
some reason when provisioning the PCI IDs they swapped the vendor and
subvendor IDs. Otherwise this card would have worked out of the box.

Searching online, some folks seem to not have this issue and others do,
so it is possible only some batches of cards have this error.

Create a new macro to handle the switched IDs and add support here.

Signed-off-by: Andrew Davis <afd@ti.com>
Cc: stable <stable@kernel.org>
Reviewed-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20230420160209.28221-1-afd@ti.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/tty/serial/8250/8250_exar.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/drivers/tty/serial/8250/8250_exar.c b/drivers/tty/serial/8250/8250_exar.c
index 2c9f721091125..5c2adf14049b7 100644
--- a/drivers/tty/serial/8250/8250_exar.c
+++ b/drivers/tty/serial/8250/8250_exar.c
@@ -40,9 +40,13 @@
 #define PCI_DEVICE_ID_COMMTECH_4224PCIE		0x0020
 #define PCI_DEVICE_ID_COMMTECH_4228PCIE		0x0021
 #define PCI_DEVICE_ID_COMMTECH_4222PCIE		0x0022
+
 #define PCI_DEVICE_ID_EXAR_XR17V4358		0x4358
 #define PCI_DEVICE_ID_EXAR_XR17V8358		0x8358
 
+#define PCI_SUBDEVICE_ID_USR_2980		0x0128
+#define PCI_SUBDEVICE_ID_USR_2981		0x0129
+
 #define PCI_DEVICE_ID_SEALEVEL_710xC		0x1001
 #define PCI_DEVICE_ID_SEALEVEL_720xC		0x1002
 #define PCI_DEVICE_ID_SEALEVEL_740xC		0x1004
@@ -791,6 +795,15 @@ static const struct exar8250_board pbn_exar_XR17V8358 = {
 		(kernel_ulong_t)&bd			\
 	}
 
+#define USR_DEVICE(devid, sdevid, bd) {			\
+	PCI_DEVICE_SUB(					\
+		PCI_VENDOR_ID_USR,			\
+		PCI_DEVICE_ID_EXAR_##devid,		\
+		PCI_VENDOR_ID_EXAR,			\
+		PCI_SUBDEVICE_ID_USR_##sdevid), 0, 0,	\
+		(kernel_ulong_t)&bd			\
+	}
+
 static const struct pci_device_id exar_pci_tbl[] = {
 	EXAR_DEVICE(ACCESSIO, COM_2S, pbn_exar_XR17C15x),
 	EXAR_DEVICE(ACCESSIO, COM_4S, pbn_exar_XR17C15x),
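Review bot: `USR_DEVICE` passes `PCI_VENDOR_ID_USR` as the vendor and `PCI_VENDOR_ID_EXAR` as the subvendor to `PCI_DEVICE_SUB()`, and nothing in the code says this is deliberate. The reason is only in the commit message (the cards were provisioned with vendor and subvendor IDs swapped). Please add a comment above the macro so the ordering is not "corrected" in a later cleanup.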
@@ -815,6 +828,10 @@ static const struct pci_device_id exar_pci_tbl[] = {
 
 	IBM_DEVICE(XR17C152, SATURN_SERIAL_ONE_PORT, pbn_exar_ibm_saturn),
 
+	/* USRobotics USR298x-OEM PCI Modems */
+	USR_DEVICE(XR17C152, 2980, pbn_exar_XR17C15x),
+	USR_DEVICE(XR17C152, 2981, pbn_exar_XR17C15x),
+
 	/* Exar Corp. XR17C15[248] Dual/Quad/Octal UART */
 	EXAR_DEVICE(EXAR, XR17C152, pbn_exar_XR17C15x),
 	EXAR_DEVICE(EXAR, XR17C154, pbn_exar_XR17C15x),
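Review bot: The two new `USR_DEVICE` entries match on `XR17C152`, while the commit message describes the card as carrying a stock XR17C154 UART. Please confirm which device ID the modem actually reports and make the message and the table agree, since the device ID may also determine the port count through the `pcidev->device & 0x0f` fallback in exar_pci_probe().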
-- 
2.39.2





* [PATCH 5.10 157/211] s390/qdio: get rid of register asm
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (155 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 156/211] serial: 8250_exar: Add support for USR298x PCI Modems Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 158/211] s390/qdio: fix do_sqbs() inline assembly constraint Greg Kroah-Hartman
                   ` (59 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Benjamin Block, Heiko Carstens,
	Vasily Gorbik, Sasha Levin

From: Heiko Carstens <hca@linux.ibm.com>

[ Upstream commit d3e2ff5436d6ee38b572ba5c01dc7994769bec54 ]

Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Stable-dep-of: 2862a2fdfae8 ("s390/qdio: fix do_sqbs() inline assembly constraint")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/cio/qdio.h      | 25 ++++++++-------
 drivers/s390/cio/qdio_main.c | 62 +++++++++++++++++++-----------------
 2 files changed, 46 insertions(+), 41 deletions(-)

diff --git a/drivers/s390/cio/qdio.h b/drivers/s390/cio/qdio.h
index cd2df4ff8e0ef..854a21e1d3b7b 100644
--- a/drivers/s390/cio/qdio.h
+++ b/drivers/s390/cio/qdio.h
@@ -88,15 +88,15 @@ enum qdio_irq_states {
 static inline int do_sqbs(u64 token, unsigned char state, int queue,
 			  int *start, int *count)
 {
-	register unsigned long _ccq asm ("0") = *count;
-	register unsigned long _token asm ("1") = token;
 	unsigned long _queuestart = ((unsigned long)queue << 32) | *start;
+	unsigned long _ccq = *count;
 
 	asm volatile(
-		"	.insn	rsy,0xeb000000008A,%1,0,0(%2)"
-		: "+d" (_ccq), "+d" (_queuestart)
-		: "d" ((unsigned long)state), "d" (_token)
-		: "memory", "cc");
+		"	lgr	1,%[token]\n"
+		"	.insn	rsy,0xeb000000008a,%[qs],%[ccq],0(%[state])"
+		: [ccq] "+&d" (_ccq), [qs] "+&d" (_queuestart)
+		: [state] "d" ((unsigned long)state), [token] "d" (token)
+		: "memory", "cc", "1");
 	*count = _ccq & 0xff;
 	*start = _queuestart & 0xff;
 
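Review bot: In do_sqbs(), `%[state]` is the base register in `0(%[state])` but is passed with the "d" constraint, which allows the compiler to pick general purpose register 0, and a base register of 0 means the register contents are ignored by the instruction. Please use the "a" constraint for `[state]`. The commit also has no description; a sentence on why the register variables are replaced by explicit `lgr` loads and clobbers would help anyone reviewing the backport.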
@@ -106,16 +106,17 @@ static inline int do_sqbs(u64 token, unsigned char state, int queue,
 static inline int do_eqbs(u64 token, unsigned char *state, int queue,
 			  int *start, int *count, int ack)
 {
-	register unsigned long _ccq asm ("0") = *count;
-	register unsigned long _token asm ("1") = token;
 	unsigned long _queuestart = ((unsigned long)queue << 32) | *start;
 	unsigned long _state = (unsigned long)ack << 63;
+	unsigned long _ccq = *count;
 
 	asm volatile(
-		"	.insn	rrf,0xB99c0000,%1,%2,0,0"
-		: "+d" (_ccq), "+d" (_queuestart), "+d" (_state)
-		: "d" (_token)
-		: "memory", "cc");
+		"	lgr	1,%[token]\n"
+		"	.insn	rrf,0xb99c0000,%[qs],%[state],%[ccq],0"
+		: [ccq] "+&d" (_ccq), [qs] "+&d" (_queuestart),
+		  [state] "+&d" (_state)
+		: [token] "d" (token)
+		: "memory", "cc", "1");
 	*count = _ccq & 0xff;
 	*start = _queuestart & 0xff;
 	*state = _state & 0xff;
diff --git a/drivers/s390/cio/qdio_main.c b/drivers/s390/cio/qdio_main.c
index 3e29c26f01856..e3c55fc2363ac 100644
--- a/drivers/s390/cio/qdio_main.c
+++ b/drivers/s390/cio/qdio_main.c
@@ -31,38 +31,41 @@ MODULE_DESCRIPTION("QDIO base support");
 MODULE_LICENSE("GPL");
 
 static inline int do_siga_sync(unsigned long schid,
-			       unsigned int out_mask, unsigned int in_mask,
+			       unsigned long out_mask, unsigned long in_mask,
 			       unsigned int fc)
 {
-	register unsigned long __fc asm ("0") = fc;
-	register unsigned long __schid asm ("1") = schid;
-	register unsigned long out asm ("2") = out_mask;
-	register unsigned long in asm ("3") = in_mask;
 	int cc;
 
 	asm volatile(
+		"	lgr	0,%[fc]\n"
+		"	lgr	1,%[schid]\n"
+		"	lgr	2,%[out]\n"
+		"	lgr	3,%[in]\n"
 		"	siga	0\n"
-		"	ipm	%0\n"
-		"	srl	%0,28\n"
-		: "=d" (cc)
-		: "d" (__fc), "d" (__schid), "d" (out), "d" (in) : "cc");
+		"	ipm	%[cc]\n"
+		"	srl	%[cc],28\n"
+		: [cc] "=&d" (cc)
+		: [fc] "d" (fc), [schid] "d" (schid),
+		  [out] "d" (out_mask), [in] "d" (in_mask)
+		: "cc", "0", "1", "2", "3");
 	return cc;
 }
 
-static inline int do_siga_input(unsigned long schid, unsigned int mask,
-				unsigned int fc)
+static inline int do_siga_input(unsigned long schid, unsigned long mask,
+				unsigned long fc)
 {
-	register unsigned long __fc asm ("0") = fc;
-	register unsigned long __schid asm ("1") = schid;
-	register unsigned long __mask asm ("2") = mask;
 	int cc;
 
 	asm volatile(
+		"	lgr	0,%[fc]\n"
+		"	lgr	1,%[schid]\n"
+		"	lgr	2,%[mask]\n"
 		"	siga	0\n"
-		"	ipm	%0\n"
-		"	srl	%0,28\n"
-		: "=d" (cc)
-		: "d" (__fc), "d" (__schid), "d" (__mask) : "cc");
+		"	ipm	%[cc]\n"
+		"	srl	%[cc],28\n"
+		: [cc] "=&d" (cc)
+		: [fc] "d" (fc), [schid] "d" (schid), [mask] "d" (mask)
+		: "cc", "0", "1", "2");
 	return cc;
 }
 
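Review bot: do_siga_sync() keeps `unsigned int fc` while this hunk widens `fc` to `unsigned long` in do_siga_input() and widens the masks in both functions, yet both load it with the 64-bit `lgr 0,%[fc]`. The old `register unsigned long __fc asm ("0") = fc;` made the widening explicit. Please either widen the parameter in do_siga_sync() as well or note why the upper half of register 0 does not matter for `siga`.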
@@ -78,23 +81,24 @@ static inline int do_siga_input(unsigned long schid, unsigned int mask,
  * Note: For IQDC unicast queues only the highest priority queue is processed.
  */
 static inline int do_siga_output(unsigned long schid, unsigned long mask,
-				 unsigned int *bb, unsigned int fc,
+				 unsigned int *bb, unsigned long fc,
 				 unsigned long aob)
 {
-	register unsigned long __fc asm("0") = fc;
-	register unsigned long __schid asm("1") = schid;
-	register unsigned long __mask asm("2") = mask;
-	register unsigned long __aob asm("3") = aob;
 	int cc;
 
 	asm volatile(
+		"	lgr	0,%[fc]\n"
+		"	lgr	1,%[schid]\n"
+		"	lgr	2,%[mask]\n"
+		"	lgr	3,%[aob]\n"
 		"	siga	0\n"
-		"	ipm	%0\n"
-		"	srl	%0,28\n"
-		: "=d" (cc), "+d" (__fc), "+d" (__aob)
-		: "d" (__schid), "d" (__mask)
-		: "cc");
-	*bb = __fc >> 31;
+		"	lgr	%[fc],0\n"
+		"	ipm	%[cc]\n"
+		"	srl	%[cc],28\n"
+		: [cc] "=&d" (cc), [fc] "+&d" (fc)
+		: [schid] "d" (schid), [mask] "d" (mask), [aob] "d" (aob)
+		: "cc", "0", "1", "2", "3");
+	*bb = fc >> 31;
 	return cc;
 }
 
-- 
2.39.2





* [PATCH 5.10 158/211] s390/qdio: fix do_sqbs() inline assembly constraint
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (156 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 157/211] s390/qdio: get rid of register asm Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 159/211] watchdog: sp5100_tco: Immediately trigger upon starting Greg Kroah-Hartman
                   ` (58 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Benjamin Block, Steffen Maier,
	Heiko Carstens, Alexander Gordeev, Sasha Levin

From: Heiko Carstens <hca@linux.ibm.com>

[ Upstream commit 2862a2fdfae875888e3c1c3634e3422e01d98147 ]

Use "a" constraint instead of "d" constraint to pass the state parameter to
the do_sqbs() inline assembly. This prevents general purpose register
zero from being used for the state parameter.

If the compiler would select general purpose register zero this would be
problematic for the used instruction in rsy format: the register used for
the state parameter is a base register. If the base register is general
purpose register zero the contents of the register are unexpectedly ignored
when the instruction is executed.

This only applies to z/VM guests using QIOASSIST with dedicated (pass through)
QDIO-based devices such as FCP [zfcp driver] as well as real OSA or
HiperSockets [qeth driver].

A possible symptom for this case using zfcp is the following repeating kernel
message pattern:

zfcp <devbusid>: A QDIO problem occurred
zfcp <devbusid>: A QDIO problem occurred
zfcp <devbusid>: qdio: ZFCP on SC <sc> using AI:1 QEBSM:1 PRI:1 TDD:1 SIGA: W
zfcp <devbusid>: A QDIO problem occurred
zfcp <devbusid>: A QDIO problem occurred

Each of the qdio problem messages can be accompanied by the following entries
for the affected subchannel <sc> in
/sys/kernel/debug/s390dbf/qdio_error/hex_ascii for zfcp or qeth:

<sc> ccq: 69....
<sc> SQBS ERROR.

Reviewed-by: Benjamin Block <bblock@linux.ibm.com>
Cc: Steffen Maier <maier@linux.ibm.com>
Fixes: 8129ee164267 ("[PATCH] s390: qdio V=V pass-through")
Cc: <stable@vger.kernel.org>
Signed-off-by: Heiko Carstens <hca@linux.ibm.com>
Signed-off-by: Alexander Gordeev <agordeev@linux.ibm.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 drivers/s390/cio/qdio.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/drivers/s390/cio/qdio.h b/drivers/s390/cio/qdio.h
index 854a21e1d3b7b..919d106141664 100644
--- a/drivers/s390/cio/qdio.h
+++ b/drivers/s390/cio/qdio.h
@@ -95,7 +95,7 @@ static inline int do_sqbs(u64 token, unsigned char state, int queue,
 		"	lgr	1,%[token]\n"
 		"	.insn	rsy,0xeb000000008a,%[qs],%[ccq],0(%[state])"
 		: [ccq] "+&d" (_ccq), [qs] "+&d" (_queuestart)
-		: [state] "d" ((unsigned long)state), [token] "d" (token)
+		: [state] "a" ((unsigned long)state), [token] "d" (token)
 		: "memory", "cc", "1");
 	*count = _ccq & 0xff;
 	*start = _queuestart & 0xff;
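Review bot: The switch from "d" to "a" for `[state]` carries the whole fix, but nothing next to the asm says why. Please add a short comment above the statement that `%[state]` is the base register of the rsy-format instruction and must not be register zero, so the constraint is not changed back to "d" during a later cleanup.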
-- 
2.39.2





* [PATCH 5.10 159/211] watchdog: sp5100_tco: Immediately trigger upon starting.
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (157 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 158/211] s390/qdio: fix do_sqbs() inline assembly constraint Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 160/211] ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15 Greg Kroah-Hartman
                   ` (57 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gregory Oakes, Guenter Roeck,
	Wim Van Sebroeck, Mario Limonciello

From: Gregory Oakes <gregory.oakes@amd.com>

commit 4eda19cc8a29cde3580ed73bf11dc73b4e757697 upstream.

The watchdog countdown is supposed to begin when the device file is
opened. Instead, it would begin countdown upon the first write to or
close of the device file. Now, the ping operation is called within the
start operation which ensures the countdown begins. From experimentation,
it does not appear possible to do this with a single write including
both the start bit and the trigger bit. So, it is done as two distinct
writes.

Signed-off-by: Gregory Oakes <gregory.oakes@amd.com>
Reviewed-by: Guenter Roeck <linux@roeck-us.net>
Link: https://lore.kernel.org/r/20230316201312.17538-1-gregory.oakes@amd.com
Signed-off-by: Guenter Roeck <linux@roeck-us.net>
Signed-off-by: Wim Van Sebroeck <wim@linux-watchdog.org>
Cc: Mario Limonciello <mario.limonciello@amd.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/watchdog/sp5100_tco.c |    4 ++++
 1 file changed, 4 insertions(+)

--- a/drivers/watchdog/sp5100_tco.c
+++ b/drivers/watchdog/sp5100_tco.c
@@ -104,6 +104,10 @@ static int tco_timer_start(struct watchd
 	val |= SP5100_WDT_START_STOP_BIT;
 	writel(val, SP5100_WDT_CONTROL(tco->tcobase));
 
+	/* This must be a distinct write. */
+	val |= SP5100_WDT_TRIGGER_BIT;
+	writel(val, SP5100_WDT_CONTROL(tco->tcobase));
+
 	return 0;
 }
 
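Review bot: The comment `/* This must be a distinct write. */` gives the rule without the reason, which is only in the commit message (setting the start bit and the trigger bit in a single write did not start the countdown in testing). Please fold that into the comment. The commit message also says the ping operation is called within the start operation, but the hunk open-codes the `SP5100_WDT_TRIGGER_BIT` write; calling the ping helper here, or adjusting the message, would keep the two in agreement.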




* [PATCH 5.10 160/211] ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (158 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 159/211] watchdog: sp5100_tco: Immediately trigger upon starting Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 161/211] writeback, cgroup: remove extra percpu_ref_exit() Greg Kroah-Hartman
                   ` (56 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Olivier Moysan, Alexandre Torgue,
	Marek Vasut

From: Olivier Moysan <olivier.moysan@foss.st.com>

commit ee2aacb6f3a901a95b1dd68964b69c92cdbbf213 upstream.

Replace sai2a-2 node name by sai2a-sleep-2, to avoid name
duplication.

Fixes: 1a9a9d226f0f ("ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15")

Signed-off-by: Olivier Moysan <olivier.moysan@foss.st.com>
Signed-off-by: Alexandre Torgue <alexandre.torgue@foss.st.com>
Cc: Marek Vasut <marex@denx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm/boot/dts/stm32mp15-pinctrl.dtsi |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/arch/arm/boot/dts/stm32mp15-pinctrl.dtsi
+++ b/arch/arm/boot/dts/stm32mp15-pinctrl.dtsi
@@ -1102,7 +1102,7 @@
 		};
 	};
 
-	sai2a_sleep_pins_c: sai2a-2 {
+	sai2a_sleep_pins_c: sai2a-sleep-2 {
 		pins {
 			pinmux = <STM32_PINMUX('D', 13, ANALOG)>, /* SAI2_SCK_A */
 				 <STM32_PINMUX('D', 11, ANALOG)>, /* SAI2_SD_A */




* [PATCH 5.10 161/211] writeback, cgroup: remove extra percpu_ref_exit()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (159 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 160/211] ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15 Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 162/211] net/sched: act_mirred: refactor the handle of xmit Greg Kroah-Hartman
                   ` (55 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Greg Thelen

From: Greg Thelen <gthelen@google.com>

5.10 stable commit 2b00b2a0e642 ("writeback, cgroup: fix null-ptr-deref
write in bdi_split_work_to_wbs") is a backport of upstream 6.3 commit
1ba1199ec574.

In the 5.10 stable commit backport percpu_ref_exit() is called twice:
first in cgwb_release_workfn() and then in cgwb_free_rcu(). The 2nd call
is benign as percpu_ref_exit() internally detects there's nothing to do.

This fixes a non-upstream issue that only applies to 5.10.y.

Fixes: 2b00b2a0e642 ("writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs")
Signed-off-by: Greg Thelen <gthelen@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 mm/backing-dev.c |    1 -
 1 file changed, 1 deletion(-)

--- a/mm/backing-dev.c
+++ b/mm/backing-dev.c
@@ -404,7 +404,6 @@ static void cgwb_release_workfn(struct w
 	blkcg_unpin_online(blkcg);
 
 	fprop_local_destroy_percpu(&wb->memcg_completions);
-	percpu_ref_exit(&wb->refcnt);
 	wb_exit(wb);
 	call_rcu(&wb->rcu, cgwb_free_rcu);
 }
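Review bot: With `percpu_ref_exit(&wb->refcnt)` dropped from cgwb_release_workfn(), the only remaining call is the one the commit message places in cgwb_free_rcu(), which is not visible in this hunk and runs after `wb_exit(wb)` and the RCU grace period. Please add a comment before `call_rcu()` saying that refcnt is released in the RCU callback, so the call is not re-added here when a later backport touches this function.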




* [PATCH 5.10 162/211] net/sched: act_mirred: refactor the handle of xmit
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (160 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 161/211] writeback, cgroup: remove extra percpu_ref_exit() Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 163/211] net/sched: act_mirred: better wording on protection against excessive stack growth Greg Kroah-Hartman
                   ` (54 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, wenxu, Jakub Kicinski, Dragos-Marian Panait

From: wenxu <wenxu@ucloud.cn>

[ Upstream commit fa6d639930ee5cd3f932cc314f3407f07a06582d ]

This one prepares for the next patch.

Signed-off-by: wenxu <wenxu@ucloud.cn>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
[DP: adjusted context for linux-5.10.y]
Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/net/sch_generic.h |    5 -----
 net/sched/act_mirred.c    |   21 +++++++++++++++------
 2 files changed, 15 insertions(+), 11 deletions(-)

--- a/include/net/sch_generic.h
+++ b/include/net/sch_generic.h
@@ -1320,11 +1320,6 @@ void mini_qdisc_pair_init(struct mini_Qd
 void mini_qdisc_pair_block_init(struct mini_Qdisc_pair *miniqp,
 				struct tcf_block *block);
 
-static inline int skb_tc_reinsert(struct sk_buff *skb, struct tcf_result *res)
-{
-	return res->ingress ? netif_receive_skb(skb) : dev_queue_xmit(skb);
-}
-
 /* Make sure qdisc is no longer in SCHED state. */
 static inline void qdisc_synchronize(const struct Qdisc *q)
 {
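Review bot: Removing `skb_tc_reinsert()` from include/net/sch_generic.h affects every file that includes the header, and the diffstat shows only act_mirred.c being adjusted. Since this is a backport with adjusted context, please confirm that 5.10.y has no other caller of the helper before it is applied.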
--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -206,6 +206,18 @@ release_idr:
 	return err;
 }
 
+static int tcf_mirred_forward(bool want_ingress, struct sk_buff *skb)
+{
+	int err;
+
+	if (!want_ingress)
+		err = dev_queue_xmit(skb);
+	else
+		err = netif_receive_skb(skb);
+
+	return err;
+}
+
 static int tcf_mirred_act(struct sk_buff *skb, const struct tc_action *a,
 			  struct tcf_result *res)
 {
@@ -295,18 +307,15 @@ static int tcf_mirred_act(struct sk_buff
 		/* let's the caller reinsert the packet, if possible */
 		if (use_reinsert) {
 			res->ingress = want_ingress;
-			if (skb_tc_reinsert(skb, res))
+			err = tcf_mirred_forward(res->ingress, skb);
+			if (err)
 				tcf_action_inc_overlimit_qstats(&m->common);
 			__this_cpu_dec(mirred_rec_level);
 			return TC_ACT_CONSUMED;
 		}
 	}
 
-	if (!want_ingress)
-		err = dev_queue_xmit(skb2);
-	else
-		err = netif_receive_skb(skb2);
-
+	err = tcf_mirred_forward(want_ingress, skb2);
 	if (err) {
 out:
 		tcf_action_inc_overlimit_qstats(&m->common);
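Review bot: In the `use_reinsert` branch, `res->ingress` is assigned from `want_ingress` and then immediately read back as the argument to `tcf_mirred_forward()`; pass `want_ingress` directly, as the second call site does with `skb2`. The comment "let's the caller reinsert the packet, if possible" also does not match the code beneath it, which forwards the skb in this function and returns `TC_ACT_CONSUMED`; please reword it while touching these lines.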




* [PATCH 5.10 163/211] net/sched: act_mirred: better wording on protection against excessive stack growth
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (161 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 162/211] net/sched: act_mirred: refactor the handle of xmit Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 164/211] act_mirred: use the backlog for nested calls to mirred ingress Greg Kroah-Hartman
                   ` (53 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Jamal Hadi Salim, Davide Caratti,
	Marcelo Ricardo Leitner, Paolo Abeni, Dragos-Marian Panait

From: Davide Caratti <dcaratti@redhat.com>

[ Upstream commit 78dcdffe0418ac8f3f057f26fe71ccf4d8ed851f ]

With commit e2ca070f89ec ("net: sched: protect against stack overflow in
TC act_mirred"), act_mirred protected itself against excessive stack growth
using a per_cpu counter of nested calls to tcf_mirred_act(), and capping it
to MIRRED_RECURSION_LIMIT. However, such protection does not detect
recursion/loops in case the packet is enqueued to the backlog (for example,
when the mirred target device has RPS or skb timestamping enabled). Change
the wording from "recursion" to "nesting" to make it more clear to readers.

CC: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Stable-dep-of: ca22da2fbd69 ("act_mirred: use the backlog for nested calls to mirred ingress")
Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/act_mirred.c |   16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -28,8 +28,8 @@
 static LIST_HEAD(mirred_list);
 static DEFINE_SPINLOCK(mirred_list_lock);
 
-#define MIRRED_RECURSION_LIMIT    4
-static DEFINE_PER_CPU(unsigned int, mirred_rec_level);
+#define MIRRED_NEST_LIMIT    4
+static DEFINE_PER_CPU(unsigned int, mirred_nest_level);
 
 static bool tcf_mirred_is_act_redirect(int action)
 {
@@ -225,7 +225,7 @@ static int tcf_mirred_act(struct sk_buff
 	struct sk_buff *skb2 = skb;
 	bool m_mac_header_xmit;
 	struct net_device *dev;
-	unsigned int rec_level;
+	unsigned int nest_level;
 	int retval, err = 0;
 	bool use_reinsert;
 	bool want_ingress;
@@ -236,11 +236,11 @@ static int tcf_mirred_act(struct sk_buff
 	int mac_len;
 	bool at_nh;
 
-	rec_level = __this_cpu_inc_return(mirred_rec_level);
-	if (unlikely(rec_level > MIRRED_RECURSION_LIMIT)) {
+	nest_level = __this_cpu_inc_return(mirred_nest_level);
+	if (unlikely(nest_level > MIRRED_NEST_LIMIT)) {
 		net_warn_ratelimited("Packet exceeded mirred recursion limit on dev %s\n",
 				     netdev_name(skb->dev));
-		__this_cpu_dec(mirred_rec_level);
+		__this_cpu_dec(mirred_nest_level);
 		return TC_ACT_SHOT;
 	}
 
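Review bot: The identifiers become `nest_level` and `MIRRED_NEST_LIMIT`, but the `net_warn_ratelimited()` string in the same block still reads "Packet exceeded mirred recursion limit". Since the purpose of the patch is wording, please either update the log text to match or say in the commit message that it is kept unchanged on purpose.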
@@ -310,7 +310,7 @@ static int tcf_mirred_act(struct sk_buff
 			err = tcf_mirred_forward(res->ingress, skb);
 			if (err)
 				tcf_action_inc_overlimit_qstats(&m->common);
-			__this_cpu_dec(mirred_rec_level);
+			__this_cpu_dec(mirred_nest_level);
 			return TC_ACT_CONSUMED;
 		}
 	}
@@ -322,7 +322,7 @@ out:
 		if (tcf_mirred_is_act_redirect(m_eaction))
 			retval = TC_ACT_SHOT;
 	}
-	__this_cpu_dec(mirred_rec_level);
+	__this_cpu_dec(mirred_nest_level);
 
 	return retval;
 }




* [PATCH 5.10 164/211] act_mirred: use the backlog for nested calls to mirred ingress
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (162 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 163/211] net/sched: act_mirred: better wording on protection against excessive stack growth Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 165/211] spi: fsl-spi: Re-organise transfer bits_per_word adaptation Greg Kroah-Hartman
                   ` (52 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, William Zhao, Xin Long,
	Davide Caratti, Marcelo Ricardo Leitner, Jamal Hadi Salim,
	Paolo Abeni, Dragos-Marian Panait

From: Davide Caratti <dcaratti@redhat.com>

[ Upstream commit ca22da2fbd693b54dc8e3b7b54ccc9f7e9ba3640 ]

William reports kernel soft-lockups on some OVS topologies when TC mirred
egress->ingress action is hit by local TCP traffic [1].
The same can also be reproduced with SCTP (thanks Xin for verifying), when
client and server reach themselves through mirred egress to ingress, and
one of the two peers sends a "heartbeat" packet (from within a timer).

Enqueueing to backlog proved to fix this soft lockup; however, as Cong
noticed [2], we should preserve - when possible - the current mirred
behavior that counts as "overlimits" any eventual packet drop subsequent to
the mirred forwarding action [3]. A compromise solution might use the
backlog only when tcf_mirred_act() has a nest level greater than one:
change tcf_mirred_forward() accordingly.

Also, add a kselftest that can reproduce the lockup and verifies TC mirred
ability to account for further packet drops after TC mirred egress->ingress
(when the nest level is 1).

 [1] https://lore.kernel.org/netdev/33dc43f587ec1388ba456b4915c75f02a8aae226.1663945716.git.dcaratti@redhat.com/
 [2] https://lore.kernel.org/netdev/Y0w%2FWWY60gqrtGLp@pop-os.localdomain/
 [3] such behavior is not guaranteed: for example, if RPS or skb RX
     timestamping is enabled on the mirred target device, the kernel
     can defer receiving the skb and return NET_RX_SUCCESS inside
     tcf_mirred_forward().

Reported-by: William Zhao <wizhao@redhat.com>
CC: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Davide Caratti <dcaratti@redhat.com>
Reviewed-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
[DP: adjusted context for linux-5.10.y]
Signed-off-by: Dragos-Marian Panait <dragos.panait@windriver.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/sched/act_mirred.c                               |    7 ++
 tools/testing/selftests/net/forwarding/tc_actions.sh |   48 ++++++++++++++++++-
 2 files changed, 54 insertions(+), 1 deletion(-)

--- a/net/sched/act_mirred.c
+++ b/net/sched/act_mirred.c
@@ -206,12 +206,19 @@ release_idr:
 	return err;
 }
 
+static bool is_mirred_nested(void)
+{
+	return unlikely(__this_cpu_read(mirred_nest_level) > 1);
+}
+
 static int tcf_mirred_forward(bool want_ingress, struct sk_buff *skb)
 {
 	int err;
 
 	if (!want_ingress)
 		err = dev_queue_xmit(skb);
+	else if (is_mirred_nested())
+		err = netif_rx(skb);
 	else
 		err = netif_receive_skb(skb);
 
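Review bot: `is_mirred_nested()` uses `__this_cpu_read()`, the variant that assumes the caller cannot be preempted or migrated, and it compares against `> 1` without saying why 1 is the threshold. A short comment above the helper stating that it must run in the same non-preemptible context that incremented `mirred_nest_level`, and that a level of 1 is the outermost `tcf_mirred_act()` call, would make the switch from `netif_receive_skb()` to `netif_rx()` easier to audit. It would also help to note at the `netif_rx(skb)` call that `err` then reflects only the enqueue to the backlog, which is why the commit message limits the overlimits accounting to nest level 1.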
--- a/tools/testing/selftests/net/forwarding/tc_actions.sh
+++ b/tools/testing/selftests/net/forwarding/tc_actions.sh
@@ -3,7 +3,7 @@
 
 ALL_TESTS="gact_drop_and_ok_test mirred_egress_redirect_test \
 	mirred_egress_mirror_test matchall_mirred_egress_mirror_test \
-	gact_trap_test"
+	gact_trap_test mirred_egress_to_ingress_tcp_test"
 NUM_NETIFS=4
 source tc_common.sh
 source lib.sh
@@ -153,6 +153,52 @@ gact_trap_test()
 	log_test "trap ($tcflags)"
 }
 
+mirred_egress_to_ingress_tcp_test()
+{
+	local tmpfile=$(mktemp) tmpfile1=$(mktemp)
+
+	RET=0
+	dd conv=sparse status=none if=/dev/zero bs=1M count=2 of=$tmpfile
+	tc filter add dev $h1 protocol ip pref 100 handle 100 egress flower \
+		$tcflags ip_proto tcp src_ip 192.0.2.1 dst_ip 192.0.2.2 \
+			action ct commit nat src addr 192.0.2.2 pipe \
+			action ct clear pipe \
+			action ct commit nat dst addr 192.0.2.1 pipe \
+			action ct clear pipe \
+			action skbedit ptype host pipe \
+			action mirred ingress redirect dev $h1
+	tc filter add dev $h1 protocol ip pref 101 handle 101 egress flower \
+		$tcflags ip_proto icmp \
+			action mirred ingress redirect dev $h1
+	tc filter add dev $h1 protocol ip pref 102 handle 102 ingress flower \
+		ip_proto icmp \
+			action drop
+
+	ip vrf exec v$h1 nc --recv-only -w10 -l -p 12345 -o $tmpfile1  &
+	local rpid=$!
+	ip vrf exec v$h1 nc -w1 --send-only 192.0.2.2 12345 <$tmpfile
+	wait -n $rpid
+	cmp -s $tmpfile $tmpfile1
+	check_err $? "server output check failed"
+
+	$MZ $h1 -c 10 -p 64 -a $h1mac -b $h1mac -A 192.0.2.1 -B 192.0.2.1 \
+		-t icmp "ping,id=42,seq=5" -q
+	tc_check_packets "dev $h1 egress" 101 10
+	check_err $? "didn't mirred redirect ICMP"
+	tc_check_packets "dev $h1 ingress" 102 10
+	check_err $? "didn't drop mirred ICMP"
+	local overlimits=$(tc_rule_stats_get ${h1} 101 egress .overlimits)
+	test ${overlimits} = 10
+	check_err $? "wrong overlimits, expected 10 got ${overlimits}"
+
+	tc filter del dev $h1 egress protocol ip pref 100 handle 100 flower
+	tc filter del dev $h1 egress protocol ip pref 101 handle 101 flower
+	tc filter del dev $h1 ingress protocol ip pref 102 handle 102 flower
+
+	rm -f $tmpfile $tmpfile1
+	log_test "mirred_egress_to_ingress_tcp ($tcflags)"
+}
+
 setup_prepare()
 {
 	h1=${NETIFS[p1]}
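Review bot: in `mirred_egress_to_ingress_tcp_test()` the listener is started in the background with `nc --recv-only -w10 -l -p 12345 ... &` and the sender runs on the very next command with `-w1`, so the test can fail spuriously when the listener has not bound the port yet; wait until the port is listening, or retry the connect, before sending. The `--recv-only`, `--send-only` and `-o` options are specific to one netcat implementation (ncat), so the test should check for it and skip rather than fail when a different `nc` is installed. `$tmpfile` and `$tmpfile1` are removed only on the straight-line path, so an interrupted run leaves both behind.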




* [PATCH 5.10 165/211] spi: fsl-spi: Re-organise transfer bits_per_word adaptation
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (163 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 164/211] act_mirred: use the backlog for nested calls to mirred ingress Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 166/211] spi: fsl-cpm: Use 16 bit mode for large transfers with even size Greg Kroah-Hartman
                   ` (51 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Mark Brown

From: Christophe Leroy <christophe.leroy@csgroup.eu>

(backported from upstream 8a5299a1278eadf1e08a598a5345c376206f171e)

The fsl-spi driver performs bits_per_word
modifications for different reasons:
- On CPU mode, to minimise amount of interrupts
- On CPM/QE mode to work around controller byte order

For CPU mode that's done in fsl_spi_prepare_message() while
for CPM mode that's done in fsl_spi_setup_transfer().

Reunify all of it in fsl_spi_prepare_message(), and catch
impossible cases early through master's bits_per_word_mask
instead of returning EINVAL later.

Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Link: https://lore.kernel.org/r/0ce96fe96e8b07cba0613e4097cfd94d09b8919a.1680371809.git.christophe.leroy@csgroup.eu
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-fsl-spi.c |   50 +++++++++++++++++++++-------------------------
 1 file changed, 23 insertions(+), 27 deletions(-)

--- a/drivers/spi/spi-fsl-spi.c
+++ b/drivers/spi/spi-fsl-spi.c
@@ -203,26 +203,6 @@ static int mspi_apply_cpu_mode_quirks(st
 	return bits_per_word;
 }
 
-static int mspi_apply_qe_mode_quirks(struct spi_mpc8xxx_cs *cs,
-				struct spi_device *spi,
-				int bits_per_word)
-{
-	/* CPM/QE uses Little Endian for words > 8
-	 * so transform 16 and 32 bits words into 8 bits
-	 * Unfortnatly that doesn't work for LSB so
-	 * reject these for now */
-	/* Note: 32 bits word, LSB works iff
-	 * tfcr/rfcr is set to CPMFCR_GBL */
-	if (spi->mode & SPI_LSB_FIRST &&
-	    bits_per_word > 8)
-		return -EINVAL;
-	if (bits_per_word <= 8)
-		return bits_per_word;
-	if (bits_per_word == 16 || bits_per_word == 32)
-		return 8; /* pretend its 8 bits */
-	return -EINVAL;
-}
-
 static int fsl_spi_setup_transfer(struct spi_device *spi,
 					struct spi_transfer *t)
 {
@@ -250,9 +230,6 @@ static int fsl_spi_setup_transfer(struct
 		bits_per_word = mspi_apply_cpu_mode_quirks(cs, spi,
 							   mpc8xxx_spi,
 							   bits_per_word);
-	else
-		bits_per_word = mspi_apply_qe_mode_quirks(cs, spi,
-							  bits_per_word);
 
 	if (bits_per_word < 0)
 		return bits_per_word;
@@ -370,14 +347,27 @@ static int fsl_spi_do_one_msg(struct spi
 	 * In CPU mode, optimize large byte transfers to use larger
 	 * bits_per_word values to reduce number of interrupts taken.
 	 */
-	if (!(mpc8xxx_spi->flags & SPI_CPM_MODE)) {
-		list_for_each_entry(t, &m->transfers, transfer_list) {
+	list_for_each_entry(t, &m->transfers, transfer_list) {
+		if (!(mpc8xxx_spi->flags & SPI_CPM_MODE)) {
 			if (t->len < 256 || t->bits_per_word != 8)
 				continue;
 			if ((t->len & 3) == 0)
 				t->bits_per_word = 32;
 			else if ((t->len & 1) == 0)
 				t->bits_per_word = 16;
+		} else {
+			/*
+			 * CPM/QE uses Little Endian for words > 8
+			 * so transform 16 and 32 bits words into 8 bits
+			 * Unfortnatly that doesn't work for LSB so
+			 * reject these for now
+			 * Note: 32 bits word, LSB works iff
+			 * tfcr/rfcr is set to CPMFCR_GBL
+			 */
+			if (m->spi->mode & SPI_LSB_FIRST && t->bits_per_word > 8)
+				return -EINVAL;
+			if (t->bits_per_word == 16 || t->bits_per_word == 32)
+				t->bits_per_word = 8; /* pretend its 8 bits */
 		}
 	}
 
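Review bot: the new `return -EINVAL` sits inside the transfer loop of `fsl_spi_do_one_msg()`, so it leaves the function from the middle of message processing; please confirm that whatever completion handling this function performs for a message is not skipped on that path, or record the error and jump to the common exit instead. The comment kept above the loop still reads "In CPU mode, optimize large byte transfers", but the loop now also carries the CPM/QE branch, so it should be reworded to cover both modes.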
@@ -635,8 +625,14 @@ static struct spi_master *fsl_spi_probe(
 	if (mpc8xxx_spi->type == TYPE_GRLIB)
 		fsl_spi_grlib_probe(dev);
 
-	master->bits_per_word_mask =
-		(SPI_BPW_RANGE_MASK(4, 16) | SPI_BPW_MASK(32)) &
+	if (mpc8xxx_spi->flags & SPI_CPM_MODE)
+		master->bits_per_word_mask =
+			(SPI_BPW_RANGE_MASK(4, 8) | SPI_BPW_MASK(16) | SPI_BPW_MASK(32));
+	else
+		master->bits_per_word_mask =
+			(SPI_BPW_RANGE_MASK(4, 16) | SPI_BPW_MASK(32));
+
+	master->bits_per_word_mask &=
 		SPI_BPW_RANGE_MASK(1, mpc8xxx_spi->max_bits_per_word);
 
 	if (mpc8xxx_spi->flags & SPI_QE_CPU_MODE)
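Review bot: the CPM mask `SPI_BPW_RANGE_MASK(4, 8) | SPI_BPW_MASK(16) | SPI_BPW_MASK(32)` is now the only thing rejecting word sizes such as 12 that the removed `mspi_apply_qe_mode_quirks()` refused with its final `return -EINVAL`, and nothing at this site says so. A one-line comment tying the mask to the CPM/QE byte-order limitation would keep the mask and the message-time handling from drifting apart. The outer parentheses around both mask expressions are redundant, and the CPM line runs well past 80 columns.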




* [PATCH 5.10 166/211] spi: fsl-cpm: Use 16 bit mode for large transfers with even size
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (164 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 165/211] spi: fsl-spi: Re-organise transfer bits_per_word adaptation Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 167/211] ocfs2: Switch to security_inode_init_security() Greg Kroah-Hartman
                   ` (50 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Mark Brown

From: Christophe Leroy <christophe.leroy@csgroup.eu>

(cherry picked from upstream fc96ec826bced75cc6b9c07a4ac44bbf651337ab)

On CPM, the RISC core is a lot more efficient when doing transfers
in 16-bits chunks than in 8-bits chunks, but unfortunately the
words need to be byte swapped as seen in a previous commit.

So, for large transfers with an even size, allocate a temporary tx
buffer and byte-swap data before and after transfer.

This change allows setting higher speed for transfer. For instance
on an MPC 8xx (CPM1 comms RISC processor), the documentation tells
that transfer in byte mode at 1 kbit/s uses 0.200% of CPM load
at 25 MHz while a word transfer at the same speed uses 0.032%
of CPM load. This means the speed can be 6 times higher in
word mode for the same CPM load.

For the time being, only do it on CPM1 as there must be a
trade-off between the CPM load reduction and the CPU load required
to byte swap the data.

Signed-off-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Link: https://lore.kernel.org/r/f2e981f20f92dd28983c3949702a09248c23845c.1680371809.git.christophe.leroy@csgroup.eu
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/spi/spi-fsl-cpm.c |   23 +++++++++++++++++++++++
 drivers/spi/spi-fsl-spi.c |    3 +++
 2 files changed, 26 insertions(+)

--- a/drivers/spi/spi-fsl-cpm.c
+++ b/drivers/spi/spi-fsl-cpm.c
@@ -21,6 +21,7 @@
 #include <linux/spi/spi.h>
 #include <linux/types.h>
 #include <linux/platform_device.h>
+#include <linux/byteorder/generic.h>
 
 #include "spi-fsl-cpm.h"
 #include "spi-fsl-lib.h"
@@ -120,6 +121,21 @@ int fsl_spi_cpm_bufs(struct mpc8xxx_spi
 		mspi->rx_dma = mspi->dma_dummy_rx;
 		mspi->map_rx_dma = 0;
 	}
+	if (t->bits_per_word == 16 && t->tx_buf) {
+		const u16 *src = t->tx_buf;
+		u16 *dst;
+		int i;
+
+		dst = kmalloc(t->len, GFP_KERNEL);
+		if (!dst)
+			return -ENOMEM;
+
+		for (i = 0; i < t->len >> 1; i++)
+			dst[i] = cpu_to_le16p(src + i);
+
+		mspi->tx = dst;
+		mspi->map_tx_dma = 1;
+	}
 
 	if (mspi->map_tx_dma) {
 		void *nonconst_tx = (void *)mspi->tx; /* shut up gcc */
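Review bot: the buffer returned by `kmalloc(t->len, GFP_KERNEL)` is stored in `mspi->tx`, but no hunk in this patch frees it, and the `fsl_spi_cpm_bufs_complete()` hunk below only touches `t->rx_buf`. Unless it is released somewhere outside the visible context, every 16-bit transfer with a `tx_buf` leaks `t->len` bytes; free it in the completion path and on any error return that follows this block in `fsl_spi_cpm_bufs()`. `dst` also holds the result of `cpu_to_le16p()`, so it should be declared `__le16 *` rather than `u16 *` to keep sparse endianness checking meaningful.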
@@ -173,6 +189,13 @@ void fsl_spi_cpm_bufs_complete(struct mp
 	if (mspi->map_rx_dma)
 		dma_unmap_single(dev, mspi->rx_dma, t->len, DMA_FROM_DEVICE);
 	mspi->xfer_in_progress = NULL;
+
+	if (t->bits_per_word == 16 && t->rx_buf) {
+		int i;
+
+		for (i = 0; i < t->len; i += 2)
+			le16_to_cpus(t->rx_buf + i);
+	}
 }
 EXPORT_SYMBOL_GPL(fsl_spi_cpm_bufs_complete);
 
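Review bot: the receive loop `for (i = 0; i < t->len; i += 2)` swaps two bytes per step, so with an odd `t->len` the last `le16_to_cpus()` touches one byte past the end of `t->rx_buf`; the transmit loop in `fsl_spi_cpm_bufs()` is bounded by `t->len >> 1` and does not have this problem. Use the same bound here, or make the even-length requirement explicit. `t->rx_buf + i` is also arithmetic on a `void *`; indexing through a typed pointer would be clearer.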
--- a/drivers/spi/spi-fsl-spi.c
+++ b/drivers/spi/spi-fsl-spi.c
@@ -368,6 +368,9 @@ static int fsl_spi_do_one_msg(struct spi
 				return -EINVAL;
 			if (t->bits_per_word == 16 || t->bits_per_word == 32)
 				t->bits_per_word = 8; /* pretend its 8 bits */
+			if (t->bits_per_word == 8 && t->len >= 256 &&
+			    (mpc8xxx_spi->flags & SPI_CPM1))
+				t->bits_per_word = 16;
 		}
 	}
 
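Review bot: the new condition `t->bits_per_word == 8 && t->len >= 256 && (mpc8xxx_spi->flags & SPI_CPM1)` does not test that `t->len` is even, although the subject and the commit message restrict the optimisation to transfers with an even size. Adding `(t->len & 1) == 0`, as the CPU-mode branch of the same loop does before selecting 16 bits (visible in the previous patch), would make the code match the description and keep the 16-bit byte-swap loops from being handed an odd length.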




* [PATCH 5.10 167/211] ocfs2: Switch to security_inode_init_security()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (165 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 166/211] spi: fsl-cpm: Use 16 bit mode for large transfers with even size Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 168/211] ALSA: hda/ca0132: add quirk for EVGA X299 DARK Greg Kroah-Hartman
                   ` (49 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Roberto Sassu, Casey Schaufler,
	Joseph Qi, Mimi Zohar, Paul Moore

From: Roberto Sassu <roberto.sassu@huawei.com>

commit de3004c874e740304cc4f4a83d6200acb511bbda upstream.

In preparation for removing security_old_inode_init_security(), switch to
security_inode_init_security().

Extend the existing ocfs2_initxattrs() to take the
ocfs2_security_xattr_info structure from fs_info, and populate the
name/value/len triple with the first xattr provided by LSMs.

As fs_info was not used before, ocfs2_initxattrs() can now handle the case
of replicating the behavior of security_old_inode_init_security(), i.e.
just obtaining the xattr, in addition to setting all xattrs provided by
LSMs.

Supporting multiple xattrs is not currently supported where
security_old_inode_init_security() was called (mknod, symlink), as it
requires non-trivial changes that can be done at a later time. Like for
reiserfs, even if EVM is invoked, it will not provide an xattr (if it is
not the first to set it, its xattr will be discarded; if it is the first,
it does not have xattrs to calculate the HMAC on).

Finally, since security_inode_init_security(), unlike
security_old_inode_init_security(), returns zero instead of -EOPNOTSUPP if
no xattrs were provided by LSMs or if inodes are private, additionally
check in ocfs2_init_security_get() if the xattr name is set.

If not, act as if security_old_inode_init_security() returned -EOPNOTSUPP,
and set si->enable to zero to notify to the functions following
ocfs2_init_security_get() that no xattrs are available.

Signed-off-by: Roberto Sassu <roberto.sassu@huawei.com>
Reviewed-by: Casey Schaufler <casey@schaufler-ca.com>
Acked-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Reviewed-by: Mimi Zohar <zohar@linux.ibm.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ocfs2/namei.c |    2 ++
 fs/ocfs2/xattr.c |   30 ++++++++++++++++++++++++++----
 2 files changed, 28 insertions(+), 4 deletions(-)

--- a/fs/ocfs2/namei.c
+++ b/fs/ocfs2/namei.c
@@ -242,6 +242,7 @@ static int ocfs2_mknod(struct inode *dir
 	int want_meta = 0;
 	int xattr_credits = 0;
 	struct ocfs2_security_xattr_info si = {
+		.name = NULL,
 		.enable = 1,
 	};
 	int did_quota_inode = 0;
@@ -1801,6 +1802,7 @@ static int ocfs2_symlink(struct inode *d
 	int want_clusters = 0;
 	int xattr_credits = 0;
 	struct ocfs2_security_xattr_info si = {
+		.name = NULL,
 		.enable = 1,
 	};
 	int did_quota = 0, did_quota_inode = 0;
--- a/fs/ocfs2/xattr.c
+++ b/fs/ocfs2/xattr.c
@@ -7260,9 +7260,21 @@ static int ocfs2_xattr_security_set(cons
 static int ocfs2_initxattrs(struct inode *inode, const struct xattr *xattr_array,
 		     void *fs_info)
 {
+	struct ocfs2_security_xattr_info *si = fs_info;
 	const struct xattr *xattr;
 	int err = 0;
 
+	if (si) {
+		si->value = kmemdup(xattr_array->value, xattr_array->value_len,
+				    GFP_KERNEL);
+		if (!si->value)
+			return -ENOMEM;
+
+		si->name = xattr_array->name;
+		si->value_len = xattr_array->value_len;
+		return 0;
+	}
+
 	for (xattr = xattr_array; xattr->name != NULL; xattr++) {
 		err = ocfs2_xattr_set(inode, OCFS2_XATTR_INDEX_SECURITY,
 				      xattr->name, xattr->value,
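Review bot: the new `if (si)` branch calls `kmemdup(xattr_array->value, xattr_array->value_len, ...)` without first checking `xattr_array->name`, while the loop directly below treats `xattr->name != NULL` as the array terminator. If the callback can ever be invoked with an empty array, this copies from the terminator entry; returning early when `xattr_array->name` is NULL would make the two paths consistent. The branch also duplicates the value but stores the `name` pointer as-is, so a comment on who owns each of them, and who frees `si->value`, would help.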
@@ -7278,13 +7290,23 @@ int ocfs2_init_security_get(struct inode
 			    const struct qstr *qstr,
 			    struct ocfs2_security_xattr_info *si)
 {
+	int ret;
+
 	/* check whether ocfs2 support feature xattr */
 	if (!ocfs2_supports_xattr(OCFS2_SB(dir->i_sb)))
 		return -EOPNOTSUPP;
-	if (si)
-		return security_old_inode_init_security(inode, dir, qstr,
-							&si->name, &si->value,
-							&si->value_len);
+	if (si) {
+		ret = security_inode_init_security(inode, dir, qstr,
+						   &ocfs2_initxattrs, si);
+		/*
+		 * security_inode_init_security() does not return -EOPNOTSUPP,
+		 * we have to check the xattr ourselves.
+		 */
+		if (!ret && !si->name)
+			si->enable = 0;
+
+		return ret;
+	}
 
 	return security_inode_init_security(inode, dir, qstr,
 					    &ocfs2_initxattrs, NULL);




* [PATCH 5.10 168/211] ALSA: hda/ca0132: add quirk for EVGA X299 DARK
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (166 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 167/211] ocfs2: Switch to security_inode_init_security() Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 169/211] ALSA: hda: Fix unhandled register update during auto-suspend period Greg Kroah-Hartman
                   ` (48 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Adam Stylinski, Takashi Iwai

From: Adam Stylinski <kungfujesus06@gmail.com>

commit 7843380d07bbeffd3ce6504e73cf61f840ae76ca upstream.

This quirk is necessary for surround and other DSP effects to work
with the onboard ca0132 based audio chipset for the EVGA X299 dark
mainboard.

Signed-off-by: Adam Stylinski <kungfujesus06@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://bugzilla.kernel.org/show_bug.cgi?id=67071
Link: https://lore.kernel.org/r/ZGopOe19T1QOwizS@eggsbenedict.adamsnet
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_ca0132.c |    1 +
 1 file changed, 1 insertion(+)

--- a/sound/pci/hda/patch_ca0132.c
+++ b/sound/pci/hda/patch_ca0132.c
@@ -1272,6 +1272,7 @@ static const struct snd_pci_quirk ca0132
 	SND_PCI_QUIRK(0x1458, 0xA026, "Gigabyte G1.Sniper Z97", QUIRK_R3DI),
 	SND_PCI_QUIRK(0x1458, 0xA036, "Gigabyte GA-Z170X-Gaming 7", QUIRK_R3DI),
 	SND_PCI_QUIRK(0x3842, 0x1038, "EVGA X99 Classified", QUIRK_R3DI),
+	SND_PCI_QUIRK(0x3842, 0x104b, "EVGA X299 Dark", QUIRK_R3DI),
 	SND_PCI_QUIRK(0x3842, 0x1055, "EVGA Z390 DARK", QUIRK_R3DI),
 	SND_PCI_QUIRK(0x1102, 0x0013, "Recon3D", QUIRK_R3D),
 	SND_PCI_QUIRK(0x1102, 0x0018, "Recon3D", QUIRK_R3D),




* [PATCH 5.10 169/211] ALSA: hda: Fix unhandled register update during auto-suspend period
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (167 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 168/211] ALSA: hda/ca0132: add quirk for EVGA X299 DARK Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 170/211] ALSA: hda/realtek: Enable headset onLenovo M70/M90 Greg Kroah-Hartman
                   ` (47 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Amadeusz Sławiński,
	Cezary Rojewski, Takashi Iwai

From: Takashi Iwai <tiwai@suse.de>

commit 81302b1c7c997e8a56c1c2fc63a296ebeb0cd2d0 upstream.

It's reported that the recording started right after the driver probe
doesn't work properly, and it turned out that this is related with the
codec auto-suspend.  Namely, after the probe phase, the usage count
goes zero, and the auto-suspend is programmed, but the codec is kept
still active until the auto-suspend expiration.  When an application
(e.g. alsactl) updates the mixer values at this moment, the values are
cached but not actually written.  Then, starting arecord thereafter
also results in the silence because of the missing unmute.

The root cause is the handling of "lazy update" mode; when a mixer
value is updated *after* the suspend, it should update only the cache
and exits.  At the resume, the cached value is written to the device,
in turn.  The problem is that the current code misinterprets the state
of auto-suspend as if it were already suspended.

Although we can add the check of the actual device state after
pm_runtime_get_if_in_use() for catching the missing state, this won't
suffice; the second call of regmap_update_bits_check() will skip
writing the register because the cache has been already updated by the
first call.  So we'd need fixes in two different places.

OTOH, a simpler fix is to replace pm_runtime_get_if_in_use() with
pm_runtime_get_if_active() (with ign_usage_count=true).  This change
implies that the driver takes the pm refcount if the device is still
in ACTIVE state and continues the processing.  A small caveat is that
this will leave the auto-suspend timer.  But, since the timer callback
itself checks the device state and aborts gracefully when it's active,
this won't be any substantial problem.

Long story short: we address the missing register-write problem just
by replacing the pm_runtime_*() call in snd_hda_keep_power_up().

Fixes: fc4f000bf8c0 ("ALSA: hda - Fix unexpected resume through regmap code path")
Reported-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Closes: https://lore.kernel.org/r/a7478636-af11-92ab-731c-9b13c582a70d@linux.intel.com
Suggested-by: Cezary Rojewski <cezary.rojewski@intel.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20230518113520.15213-1-tiwai@suse.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/hda/hdac_device.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/sound/hda/hdac_device.c
+++ b/sound/hda/hdac_device.c
@@ -611,7 +611,7 @@ EXPORT_SYMBOL_GPL(snd_hdac_power_up_pm);
 int snd_hdac_keep_power_up(struct hdac_device *codec)
 {
 	if (!atomic_inc_not_zero(&codec->in_pm)) {
-		int ret = pm_runtime_get_if_in_use(&codec->dev);
+		int ret = pm_runtime_get_if_active(&codec->dev, true);
 		if (!ret)
 			return -1;
 		if (ret < 0)
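Review bot: the bare `true` in `pm_runtime_get_if_active(&codec->dev, true)` carries the whole fix, yet nothing at the call site says what it means. A short comment that the usage count is deliberately ignored, so that a codec still active while auto-suspend is pending is treated as powered up, would keep a later cleanup from switching back to `pm_runtime_get_if_in_use()`.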




* [PATCH 5.10 170/211] ALSA: hda/realtek: Enable headset onLenovo M70/M90
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (168 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 169/211] ALSA: hda: Fix unhandled register update during auto-suspend period Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 171/211] net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize Greg Kroah-Hartman
                   ` (46 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Bin Li, Takashi Iwai

From: Bin Li <bin.li@canonical.com>

commit 4ca110cab46561cd74a2acd9b447435acb4bec5f upstream.

Lenovo M70/M90 Gen4 are equipped with ALC897, and they need
ALC897_FIXUP_HEADSET_MIC_PIN quirk to make its headset mic work.
The previous quirk for M70/M90 is for Gen3.

Signed-off-by: Bin Li <bin.li@canonical.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20230524113755.1346928-1-bin.li@canonical.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 sound/pci/hda/patch_realtek.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -11187,6 +11187,8 @@ static const struct snd_pci_quirk alc662
 	SND_PCI_QUIRK(0x17aa, 0x32cb, "Lenovo ThinkCentre M70", ALC897_FIXUP_HEADSET_MIC_PIN),
 	SND_PCI_QUIRK(0x17aa, 0x32cf, "Lenovo ThinkCentre M950", ALC897_FIXUP_HEADSET_MIC_PIN),
 	SND_PCI_QUIRK(0x17aa, 0x32f7, "Lenovo ThinkCentre M90", ALC897_FIXUP_HEADSET_MIC_PIN),
+	SND_PCI_QUIRK(0x17aa, 0x3321, "Lenovo ThinkCentre M70 Gen4", ALC897_FIXUP_HEADSET_MIC_PIN),
+	SND_PCI_QUIRK(0x17aa, 0x331b, "Lenovo ThinkCentre M90 Gen4", ALC897_FIXUP_HEADSET_MIC_PIN),
 	SND_PCI_QUIRK(0x17aa, 0x3742, "Lenovo TianYi510Pro-14IOB", ALC897_FIXUP_HEADSET_MIC_PIN2),
 	SND_PCI_QUIRK(0x17aa, 0x38af, "Lenovo Ideapad Y550P", ALC662_FIXUP_IDEAPAD),
 	SND_PCI_QUIRK(0x17aa, 0x3a0d, "Lenovo Ideapad Y550", ALC662_FIXUP_IDEAPAD),
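Review bot: the two new entries are inserted out of order: `0x3321` is placed before `0x331b`, while the neighbouring `0x17aa` entries (`0x32cb`, `0x32cf`, `0x32f7`, then `0x3742`) are sorted by device ID. Swapping the two added lines would keep the table sorted.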




* [PATCH 5.10 171/211] net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (169 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 170/211] ALSA: hda/realtek: Enable headset onLenovo M70/M90 Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 172/211] m68k: Move signal frame following exception on 68020/030 Greg Kroah-Hartman
                   ` (45 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+9f575a1f15fc0c01ed69,
	Tudor Ambarus, Simon Horman, Jakub Kicinski

From: Tudor Ambarus <tudor.ambarus@linaro.org>

commit 7e01c7f7046efc2c7c192c3619db43292b98e997 upstream.

Currently in cdc_ncm_check_tx_max(), if dwNtbOutMaxSize is lower than
the calculated "min" value, but greater than zero, the logic sets
tx_max to dwNtbOutMaxSize. This is then used to allocate a new SKB in
cdc_ncm_fill_tx_frame() where all the data is handled.

For small values of dwNtbOutMaxSize the memory allocated during
alloc_skb(dwNtbOutMaxSize, GFP_ATOMIC) will have the same size, due to
how size is aligned at alloc time:
	size = SKB_DATA_ALIGN(size);
	size += SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
Thus we hit the same bug that we tried to squash with
commit 2be6d4d16a084 ("net: cdc_ncm: Allow for dwNtbOutMaxSize to be unset or zero")

Low values of dwNtbOutMaxSize do not cause an issue presently because at
alloc_skb() time more memory (512b) is allocated than required for the
SKB headers alone (320b), leaving some space (512b - 320b = 192b)
for CDC data (172b).

However, if more elements (for example 3 x u64 = [24b]) were added to
one of the SKB header structs, say 'struct skb_shared_info',
increasing its original size (320b [320b aligned]) to something larger
(344b [384b aligned]), then suddenly the CDC data (172b) no longer
fits in the spare SKB data area (512b - 384b = 128b).

Consequently the SKB bounds checking semantics fails and panics:

skbuff: skb_over_panic: text:ffffffff831f755b len:184 put:172 head:ffff88811f1c6c00 data:ffff88811f1c6c00 tail:0xb8 end:0x80 dev:<NULL>
------------[ cut here ]------------
kernel BUG at net/core/skbuff.c:113!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
CPU: 0 PID: 57 Comm: kworker/0:2 Not tainted 5.15.106-syzkaller-00249-g19c0ed55a470 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/14/2023
Workqueue: mld mld_ifc_work
RIP: 0010:skb_panic net/core/skbuff.c:113 [inline]
RIP: 0010:skb_over_panic+0x14c/0x150 net/core/skbuff.c:118
[snip]
Call Trace:
 <TASK>
 skb_put+0x151/0x210 net/core/skbuff.c:2047
 skb_put_zero include/linux/skbuff.h:2422 [inline]
 cdc_ncm_ndp16 drivers/net/usb/cdc_ncm.c:1131 [inline]
 cdc_ncm_fill_tx_frame+0x11ab/0x3da0 drivers/net/usb/cdc_ncm.c:1308
 cdc_ncm_tx_fixup+0xa3/0x100

Deal with too low values of dwNtbOutMaxSize, clamp it in the range
[USB_CDC_NCM_NTB_MIN_OUT_SIZE, CDC_NCM_NTB_MAX_SIZE_TX]. We ensure
enough data space is allocated to handle CDC data by making sure
dwNtbOutMaxSize is not smaller than USB_CDC_NCM_NTB_MIN_OUT_SIZE.

Fixes: 289507d3364f ("net: cdc_ncm: use sysfs for rx/tx aggregation tuning")
Cc: stable@vger.kernel.org
Reported-by: syzbot+9f575a1f15fc0c01ed69@syzkaller.appspotmail.com
Link: https://syzkaller.appspot.com/bug?extid=b982f1059506db48409d
Link: https://lore.kernel.org/all/20211202143437.1411410-1-lee.jones@linaro.org/
Signed-off-by: Tudor Ambarus <tudor.ambarus@linaro.org>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/20230517133808.1873695-2-tudor.ambarus@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/usb/cdc_ncm.c |   24 +++++++++++++++---------
 1 file changed, 15 insertions(+), 9 deletions(-)

--- a/drivers/net/usb/cdc_ncm.c
+++ b/drivers/net/usb/cdc_ncm.c
@@ -180,9 +180,12 @@ static u32 cdc_ncm_check_tx_max(struct u
 	else
 		min = ctx->max_datagram_size + ctx->max_ndp_size + sizeof(struct usb_cdc_ncm_nth32);
 
-	max = min_t(u32, CDC_NCM_NTB_MAX_SIZE_TX, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize));
-	if (max == 0)
+	if (le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize) == 0)
 		max = CDC_NCM_NTB_MAX_SIZE_TX; /* dwNtbOutMaxSize not set */
+	else
+		max = clamp_t(u32, le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize),
+			      USB_CDC_NCM_NTB_MIN_OUT_SIZE,
+			      CDC_NCM_NTB_MAX_SIZE_TX);
 
 	/* some devices set dwNtbOutMaxSize too low for the above default */
 	min = min(min, max);
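Review bot: `le32_to_cpu(ctx->ncm_parm.dwNtbOutMaxSize)` is now evaluated twice, once for the zero test and once inside `clamp_t()`; reading it into a local `u32` first would shorten both lines and make it obvious that the same device-supplied value is being tested and clamped. The comment on the following context line, "some devices set dwNtbOutMaxSize too low for the above default", would also benefit from a note that `max` can no longer be below `USB_CDC_NCM_NTB_MIN_OUT_SIZE`.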
@@ -1230,6 +1233,9 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev
 			 * further.
 			 */
 			if (skb_out == NULL) {
+				/* If even the smallest allocation fails, abort. */
+				if (ctx->tx_curr_size == USB_CDC_NCM_NTB_MIN_OUT_SIZE)
+					goto alloc_failed;
 				ctx->tx_low_mem_max_cnt = min(ctx->tx_low_mem_max_cnt + 1,
 							      (unsigned)CDC_NCM_LOW_MEM_MAX_CNT);
 				ctx->tx_low_mem_val = ctx->tx_low_mem_max_cnt;
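Review bot: the early abort tests `ctx->tx_curr_size == USB_CDC_NCM_NTB_MIN_OUT_SIZE` with strict equality, so it only triggers when the size lands exactly on the minimum. If any path can leave `tx_curr_size` below that value, the check is skipped and the low-memory retry logic runs as before; `<=` would be the more defensive comparison.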
@@ -1248,13 +1254,8 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev
 			skb_out = alloc_skb(ctx->tx_curr_size, GFP_ATOMIC);
 
 			/* No allocation possible so we will abort */
-			if (skb_out == NULL) {
-				if (skb != NULL) {
-					dev_kfree_skb_any(skb);
-					dev->net->stats.tx_dropped++;
-				}
-				goto exit_no_skb;
-			}
+			if (!skb_out)
+				goto alloc_failed;
 			ctx->tx_low_mem_val--;
 		}
 		if (ctx->is_ndp16) {
@@ -1447,6 +1448,11 @@ cdc_ncm_fill_tx_frame(struct usbnet *dev
 
 	return skb_out;
 
+alloc_failed:
+	if (skb) {
+		dev_kfree_skb_any(skb);
+		dev->net->stats.tx_dropped++;
+	}
 exit_no_skb:
 	/* Start timer, if there is a remaining non-empty skb */
 	if (ctx->tx_curr_skb != NULL && n > 0)




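The size arithmetic in the cdc_ncm commit message above, as an added C model that is not part of the patch or of the kernel sources. The cache-line size, the power-of-two allocator rounding, the two NTB limit values and the device value 100 are assumptions chosen to match the figures quoted in the message; the 320, 344, 172 and 184 byte figures come from the message and its panic log.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed values for this model; they are not stated on the page. */
#define CACHE_LINE        64u     /* stand-in for SMP_CACHE_BYTES */
#define NTB_MIN_OUT_SIZE  2048u   /* stand-in for USB_CDC_NCM_NTB_MIN_OUT_SIZE */
#define NTB_MAX_SIZE_TX   32768u  /* stand-in for CDC_NCM_NTB_MAX_SIZE_TX */

/* Sizes quoted in the commit message and its panic log. */
#define SHINFO_TODAY      320u    /* skb_shared_info size as described */
#define SHINFO_GROWN      344u    /* the same struct after adding 3 x u64 */
#define CDC_PUT           172u    /* "put:172" */
#define ALREADY_USED      12u     /* "len:184" minus "put:172" */

static uint32_t align_up(uint32_t n, uint32_t a)
{
	return (n + a - 1) & ~(a - 1);
}

/* Simplified allocator model: round the request up to a power of two. */
static uint32_t kmalloc_bucket(uint32_t n)
{
	uint32_t b = 8;

	while (b < n)
		b <<= 1;
	return b;
}

/* Usable data area (end - head) that alloc_skb(size) would provide. */
static uint32_t skb_data_area(uint32_t size, uint32_t shinfo_size)
{
	uint32_t shinfo = align_up(shinfo_size, CACHE_LINE);

	return kmalloc_bucket(align_up(size, CACHE_LINE) + shinfo) - shinfo;
}

/* The bounds check behind skb_over_panic: tail + len must not pass end. */
static bool skb_put_fits(uint32_t area, uint32_t used, uint32_t len)
{
	return used + len <= area;
}

/* Upper bound as computed by the lines the patch removes. */
static uint32_t ntb_out_max_old(uint32_t dw)
{
	uint32_t max = dw < NTB_MAX_SIZE_TX ? dw : NTB_MAX_SIZE_TX;

	return max == 0 ? NTB_MAX_SIZE_TX : max;
}

/* Upper bound as computed by the lines the patch adds. */
static uint32_t ntb_out_max_new(uint32_t dw)
{
	if (dw == 0)
		return NTB_MAX_SIZE_TX;	/* dwNtbOutMaxSize not set */
	if (dw < NTB_MIN_OUT_SIZE)
		return NTB_MIN_OUT_SIZE;
	return dw > NTB_MAX_SIZE_TX ? NTB_MAX_SIZE_TX : dw;
}

static void report(const char *label, uint32_t tx_max, uint32_t shinfo)
{
	uint32_t area = skb_data_area(tx_max, shinfo);

	printf("%-16s tx_max=%5u area=%5u -> %s\n", label, tx_max, area,
	       skb_put_fits(area, ALREADY_USED, CDC_PUT) ?
	       "fits" : "skb_over_panic");
}

int main(void)
{
	uint32_t dw = 100; /* constructed device value, far below the minimum */

	report("old, shinfo 320", ntb_out_max_old(dw), SHINFO_TODAY);
	report("old, shinfo 344", ntb_out_max_old(dw), SHINFO_GROWN);
	report("new, shinfo 344", ntb_out_max_new(dw), SHINFO_GROWN);
	return 0;
}
```

With the old bound, the fit depends entirely on allocator slack and breaks as soon as the header struct grows; with the clamp, the data area is sized by the minimum NTB size rather than by the device.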
* [PATCH 5.10 172/211] m68k: Move signal frame following exception on 68020/030
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (170 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 171/211] net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 173/211] parisc: Handle kgdb breakpoints only in kernel context Greg Kroah-Hartman
                   ` (44 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Michael Schmitz, Andreas Schwab,
	Finn Thain, Geert Uytterhoeven, Stan Johnson

From: Finn Thain <fthain@linux-m68k.org>

commit b845b574f86dcb6a70dfa698aa87a237b0878d2a upstream.

On 68030/020, an instruction such as, moveml %a2-%a3/%a5,%sp@- may cause
a stack page fault during instruction execution (i.e. not at an
instruction boundary) and produce a format 0xB exception frame.

In this situation, the value of USP will be unreliable.  If a signal is
to be delivered following the exception, this USP value is used to
calculate the location for a signal frame.  This can result in a
corrupted user stack.

The corruption was detected in dash (actually in glibc) where it showed
up as an intermittent "stack smashing detected" message and crash
following signal delivery for SIGCHLD.

It was hard to reproduce that failure because delivery of the signal
raced with the page fault and because the kernel places an unpredictable
gap of up to 7 bytes between the USP and the signal frame.

A format 0xB exception frame can be produced by a bus error or an
address error.  The 68030 Users Manual says that address errors occur
immediately upon detection during instruction prefetch.  The instruction
pipeline allows prefetch to overlap with other instructions, which means
an address error can arise during the execution of a different
instruction.  So it seems likely that this patch may help in the address
error case also.

Reported-and-tested-by: Stan Johnson <userm57@yahoo.com>
Link: https://lore.kernel.org/all/CAMuHMdW3yD22_ApemzW_6me3adq6A458u1_F0v-1EYwK_62jPA@mail.gmail.com/
Cc: Michael Schmitz <schmitzmic@gmail.com>
Cc: Andreas Schwab <schwab@linux-m68k.org>
Cc: stable@vger.kernel.org
Co-developed-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Michael Schmitz <schmitzmic@gmail.com>
Signed-off-by: Finn Thain <fthain@linux-m68k.org>
Reviewed-by: Geert Uytterhoeven <geert@linux-m68k.org>
Link: https://lore.kernel.org/r/9e66262a754fcba50208aa424188896cc52a1dd1.1683365892.git.fthain@linux-m68k.org
Signed-off-by: Geert Uytterhoeven <geert@linux-m68k.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/m68k/kernel/signal.c |   14 ++++++++++----
 1 file changed, 10 insertions(+), 4 deletions(-)

--- a/arch/m68k/kernel/signal.c
+++ b/arch/m68k/kernel/signal.c
@@ -882,11 +882,17 @@ static inline int rt_setup_ucontext(stru
 }
 
 static inline void __user *
-get_sigframe(struct ksignal *ksig, size_t frame_size)
+get_sigframe(struct ksignal *ksig, struct pt_regs *tregs, size_t frame_size)
 {
 	unsigned long usp = sigsp(rdusp(), ksig);
+	unsigned long gap = 0;
 
-	return (void __user *)((usp - frame_size) & -8UL);
+	if (CPU_IS_020_OR_030 && tregs->format == 0xb) {
+		/* USP is unreliable so use worst-case value */
+		gap = 256;
+	}
+
+	return (void __user *)((usp - gap - frame_size) & -8UL);
 }
 
 static int setup_frame(struct ksignal *ksig, sigset_t *set,
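Review bot: gap = 256 in get_sigframe() is a bare constant, and the comment "use worst-case value" does not say what it is the worst case of. Give it a name and state in the comment which quantity bounds it, so a reader can check that 256 bytes covers the largest amount by which USP can be off after a format 0xb frame. The gap is also subtracted after sigsp() has chosen the stack, so it is applied when the handler runs on an alternate signal stack as well; if that is intentional, say so in the comment.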
@@ -904,7 +910,7 @@ static int setup_frame(struct ksignal *k
 		return -EFAULT;
 	}
 
-	frame = get_sigframe(ksig, sizeof(*frame) + fsize);
+	frame = get_sigframe(ksig, tregs, sizeof(*frame) + fsize);
 
 	if (fsize)
 		err |= copy_to_user (frame + 1, regs + 1, fsize);
@@ -976,7 +982,7 @@ static int setup_rt_frame(struct ksignal
 		return -EFAULT;
 	}
 
-	frame = get_sigframe(ksig, sizeof(*frame));
+	frame = get_sigframe(ksig, tregs, sizeof(*frame));
 
 	if (fsize)
 		err |= copy_to_user (&frame->uc.uc_extra, regs + 1, fsize);




* [PATCH 5.10 173/211] parisc: Handle kgdb breakpoints only in kernel context
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (171 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 172/211] m68k: Move signal frame following exception on 68020/030 Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 174/211] parisc: Allow to reboot machine after system halt Greg Kroah-Hartman
                   ` (43 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller

From: Helge Deller <deller@gmx.de>

commit 6888ff04e37d01295620a73f3f7efbc79f6ef152 upstream.

The kernel kgdb break instructions should only be handled when running
in kernel context.

Cc: <stable@vger.kernel.org> # v5.4+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/kernel/traps.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- a/arch/parisc/kernel/traps.c
+++ b/arch/parisc/kernel/traps.c
@@ -305,8 +305,8 @@ static void handle_break(struct pt_regs
 #endif
 
 #ifdef CONFIG_KGDB
-	if (unlikely(iir == PARISC_KGDB_COMPILED_BREAK_INSN ||
-		iir == PARISC_KGDB_BREAK_INSN)) {
+	if (unlikely((iir == PARISC_KGDB_COMPILED_BREAK_INSN ||
+		iir == PARISC_KGDB_BREAK_INSN)) && !user_mode(regs)) {
 		kgdb_handle_exception(9, SIGTRAP, 0, regs);
 		return;
 	}
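Review bot: the changelog does not state the impact being fixed, namely that a user-mode break with one of these two encodings reached kgdb_handle_exception(), nor what such a task gets now that it falls through to the rest of handle_break(). One sentence on each would help stable reviewers judge the change. In the condition itself, unlikely() now covers only the iir comparisons; testing !user_mode(regs) first would read more directly as "kernel context only".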




* [PATCH 5.10 174/211] parisc: Allow to reboot machine after system halt
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (172 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 173/211] parisc: Handle kgdb breakpoints only in kernel context Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 175/211] gpio: mockup: Fix mode of debugfs files Greg Kroah-Hartman
                   ` (42 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Helge Deller

From: Helge Deller <deller@gmx.de>

commit 2028315cf59bb899a5ac7e87dc48ecb8fac7ac24 upstream.

In case a machine can't power-off itself on system shutdown,
allow the user to reboot it by pressing the RETURN key.

Cc: <stable@vger.kernel.org> # v4.14+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/kernel/process.c |   11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)

--- a/arch/parisc/kernel/process.c
+++ b/arch/parisc/kernel/process.c
@@ -123,13 +123,18 @@ void machine_power_off(void)
 	/* It seems we have no way to power the system off via
 	 * software. The user has to press the button himself. */
 
-	printk(KERN_EMERG "System shut down completed.\n"
-	       "Please power this system off now.");
+	printk("Power off or press RETURN to reboot.\n");
 
 	/* prevent soft lockup/stalled CPU messages for endless loop. */
 	rcu_sysrq_start();
 	lockup_detector_soft_poweroff();
-	for (;;);
+	while (1) {
+		/* reboot if user presses RETURN key */
+		if (pdc_iodc_getc() == 13) {
+			printk("Rebooting...\n");
+			machine_restart(NULL);
+		}
+	}
 }
 
 void (*pm_power_off)(void);
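Review bot: the replacement printk() drops the KERN_EMERG level, so "Power off or press RETURN to reboot." is logged at the default level and may not reach the console when the console loglevel is low, which is when the user most needs the prompt. Keep KERN_EMERG on it and on "Rebooting...\n". The literal 13 compared against pdc_iodc_getc() would read better as '\r', and the comment at the top of the hunk ("The user has to press the button himself") no longer matches the behaviour.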




* [PATCH 5.10 175/211] gpio: mockup: Fix mode of debugfs files
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (173 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 174/211] parisc: Allow to reboot machine after system halt Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 176/211] btrfs: use nofs when cleaning up aborted transactions Greg Kroah-Hartman
                   ` (41 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Zev Weiss, Bartosz Golaszewski, stable

From: Zev Weiss <zev@bewilderbeest.net>

commit 0a1bb16e0fe6650c3841e611de374bfd5578ad70 upstream.

This driver's debugfs files have had a read operation since commit
2a9e27408e12 ("gpio: mockup: rework debugfs interface"), but were
still being created with write-only mode bits.  Update them to
indicate that the files can also be read.

Signed-off-by: Zev Weiss <zev@bewilderbeest.net>
Fixes: 2a9e27408e12 ("gpio: mockup: rework debugfs interface")
Cc: stable@kernel.org # v5.1+
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/gpio/gpio-mockup.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/gpio/gpio-mockup.c
+++ b/drivers/gpio/gpio-mockup.c
@@ -370,7 +370,7 @@ static void gpio_mockup_debugfs_setup(st
 		priv->offset = i;
 		priv->desc = &gc->gpiodev->descs[i];
 
-		debugfs_create_file(name, 0200, chip->dbg_dir, priv,
+		debugfs_create_file(name, 0600, chip->dbg_dir, priv,
 				    &gpio_mockup_debugfs_ops);
 	}
 }




* [PATCH 5.10 176/211] btrfs: use nofs when cleaning up aborted transactions
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (174 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 175/211] gpio: mockup: Fix mode of debugfs files Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 177/211] dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type Greg Kroah-Hartman
                   ` (40 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Josef Bacik, David Sterba

From: Josef Bacik <josef@toxicpanda.com>

commit 597441b3436a43011f31ce71dc0a6c0bf5ce958a upstream.

Our CI system caught a lockdep splat:

  ======================================================
  WARNING: possible circular locking dependency detected
  6.3.0-rc7+ #1167 Not tainted
  ------------------------------------------------------
  kswapd0/46 is trying to acquire lock:
  ffff8c6543abd650 (sb_internal#2){++++}-{0:0}, at: btrfs_commit_inode_delayed_inode+0x5f/0x120

  but task is already holding lock:
  ffffffffabe61b40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x4aa/0x7a0

  which lock already depends on the new lock.

  the existing dependency chain (in reverse order) is:

  -> #1 (fs_reclaim){+.+.}-{0:0}:
	 fs_reclaim_acquire+0xa5/0xe0
	 kmem_cache_alloc+0x31/0x2c0
	 alloc_extent_state+0x1d/0xd0
	 __clear_extent_bit+0x2e0/0x4f0
	 try_release_extent_mapping+0x216/0x280
	 btrfs_release_folio+0x2e/0x90
	 invalidate_inode_pages2_range+0x397/0x470
	 btrfs_cleanup_dirty_bgs+0x9e/0x210
	 btrfs_cleanup_one_transaction+0x22/0x760
	 btrfs_commit_transaction+0x3b7/0x13a0
	 create_subvol+0x59b/0x970
	 btrfs_mksubvol+0x435/0x4f0
	 __btrfs_ioctl_snap_create+0x11e/0x1b0
	 btrfs_ioctl_snap_create_v2+0xbf/0x140
	 btrfs_ioctl+0xa45/0x28f0
	 __x64_sys_ioctl+0x88/0xc0
	 do_syscall_64+0x38/0x90
	 entry_SYSCALL_64_after_hwframe+0x72/0xdc

  -> #0 (sb_internal#2){++++}-{0:0}:
	 __lock_acquire+0x1435/0x21a0
	 lock_acquire+0xc2/0x2b0
	 start_transaction+0x401/0x730
	 btrfs_commit_inode_delayed_inode+0x5f/0x120
	 btrfs_evict_inode+0x292/0x3d0
	 evict+0xcc/0x1d0
	 inode_lru_isolate+0x14d/0x1e0
	 __list_lru_walk_one+0xbe/0x1c0
	 list_lru_walk_one+0x58/0x80
	 prune_icache_sb+0x39/0x60
	 super_cache_scan+0x161/0x1f0
	 do_shrink_slab+0x163/0x340
	 shrink_slab+0x1d3/0x290
	 shrink_node+0x300/0x720
	 balance_pgdat+0x35c/0x7a0
	 kswapd+0x205/0x410
	 kthread+0xf0/0x120
	 ret_from_fork+0x29/0x50

  other info that might help us debug this:

   Possible unsafe locking scenario:

	 CPU0                    CPU1
	 ----                    ----
    lock(fs_reclaim);
				 lock(sb_internal#2);
				 lock(fs_reclaim);
    lock(sb_internal#2);

   *** DEADLOCK ***

  3 locks held by kswapd0/46:
   #0: ffffffffabe61b40 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x4aa/0x7a0
   #1: ffffffffabe50270 (shrinker_rwsem){++++}-{3:3}, at: shrink_slab+0x113/0x290
   #2: ffff8c6543abd0e0 (&type->s_umount_key#44){++++}-{3:3}, at: super_cache_scan+0x38/0x1f0

  stack backtrace:
  CPU: 0 PID: 46 Comm: kswapd0 Not tainted 6.3.0-rc7+ #1167
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.13.0-2.fc32 04/01/2014
  Call Trace:
   <TASK>
   dump_stack_lvl+0x58/0x90
   check_noncircular+0xd6/0x100
   ? save_trace+0x3f/0x310
   ? add_lock_to_list+0x97/0x120
   __lock_acquire+0x1435/0x21a0
   lock_acquire+0xc2/0x2b0
   ? btrfs_commit_inode_delayed_inode+0x5f/0x120
   start_transaction+0x401/0x730
   ? btrfs_commit_inode_delayed_inode+0x5f/0x120
   btrfs_commit_inode_delayed_inode+0x5f/0x120
   btrfs_evict_inode+0x292/0x3d0
   ? lock_release+0x134/0x270
   ? __pfx_wake_bit_function+0x10/0x10
   evict+0xcc/0x1d0
   inode_lru_isolate+0x14d/0x1e0
   __list_lru_walk_one+0xbe/0x1c0
   ? __pfx_inode_lru_isolate+0x10/0x10
   ? __pfx_inode_lru_isolate+0x10/0x10
   list_lru_walk_one+0x58/0x80
   prune_icache_sb+0x39/0x60
   super_cache_scan+0x161/0x1f0
   do_shrink_slab+0x163/0x340
   shrink_slab+0x1d3/0x290
   shrink_node+0x300/0x720
   balance_pgdat+0x35c/0x7a0
   kswapd+0x205/0x410
   ? __pfx_autoremove_wake_function+0x10/0x10
   ? __pfx_kswapd+0x10/0x10
   kthread+0xf0/0x120
   ? __pfx_kthread+0x10/0x10
   ret_from_fork+0x29/0x50
   </TASK>

This happens because when we abort the transaction in the transaction
commit path we call invalidate_inode_pages2_range on our block group
cache inodes (if we have space cache v1) and any delalloc inodes we may
have.  The plain invalidate_inode_pages2_range() call passes through
GFP_KERNEL, which makes sense in most cases, but not here.  Wrap these
two invalidate callees with memalloc_nofs_save/memalloc_nofs_restore to
make sure we don't end up with the fs reclaim dependency under the
transaction dependency.

CC: stable@vger.kernel.org # 4.14+
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/btrfs/disk-io.c |    9 +++++++++
 1 file changed, 9 insertions(+)

--- a/fs/btrfs/disk-io.c
+++ b/fs/btrfs/disk-io.c
@@ -4535,7 +4535,11 @@ static void btrfs_destroy_delalloc_inode
 		 */
 		inode = igrab(&btrfs_inode->vfs_inode);
 		if (inode) {
+			unsigned int nofs_flag;
+
+			nofs_flag = memalloc_nofs_save();
 			invalidate_inode_pages2(inode->i_mapping);
+			memalloc_nofs_restore(nofs_flag);
 			iput(inode);
 		}
 		spin_lock(&root->delalloc_lock);
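Review bot: the memalloc_nofs_save()/memalloc_nofs_restore() pair around invalidate_inode_pages2() has no comment, so nothing at the call site says why a NOFS scope is needed. A short comment naming the fs_reclaim versus transaction dependency from the changelog would keep a later cleanup from removing the pair as redundant.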
@@ -4640,7 +4644,12 @@ static void btrfs_cleanup_bg_io(struct b
 
 	inode = cache->io_ctl.inode;
 	if (inode) {
+		unsigned int nofs_flag;
+
+		nofs_flag = memalloc_nofs_save();
 		invalidate_inode_pages2(inode->i_mapping);
+		memalloc_nofs_restore(nofs_flag);
+
 		BTRFS_I(inode)->generation = 0;
 		cache->io_ctl.inode = NULL;
 		iput(inode);
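Review bot: the changelog describes wrapping invalidate_inode_pages2_range(), but the call wrapped here and in the previous hunk is invalidate_inode_pages2(inode->i_mapping); name the function that is actually wrapped so the text matches the diff. The same four added lines now appear in two functions, so a small helper would avoid the copies drifting apart.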




* [PATCH 5.10 177/211] dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (175 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 176/211] btrfs: use nofs when cleaning up aborted transactions Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 178/211] x86/mm: Avoid incomplete Global INVLPG flushes Greg Kroah-Hartman
                   ` (39 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Frank Li, Krzysztof Kozlowski, Shawn Guo

From: Frank Li <Frank.Li@nxp.com>

commit 50a1726b148ff30778cb8a6cf3736130b07c93fd upstream.

In cdns3-gadget.c, 'cdns,on-chip-buff-size' was read using
device_property_read_u16(). It resulted in 0 if a 32bit value was used
in dts. This commit fixes the dt binding doc to declare it as u16.

Cc: stable@vger.kernel.org
Fixes: 68989fe1c39d ("dt-bindings: usb: Convert cdns-usb3.txt to YAML schema")
Signed-off-by: Frank Li <Frank.Li@nxp.com>
Reviewed-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 Documentation/devicetree/bindings/usb/cdns,usb3.yaml |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/Documentation/devicetree/bindings/usb/cdns,usb3.yaml
+++ b/Documentation/devicetree/bindings/usb/cdns,usb3.yaml
@@ -59,7 +59,7 @@ properties:
     description:
       size of memory intended as internal memory for endpoints
       buffers expressed in KB
-    $ref: /schemas/types.yaml#/definitions/uint32
+    $ref: /schemas/types.yaml#/definitions/uint16
 
   cdns,phyrst-a-enable:
     description: Enable resetting of PHY if Rx fail is detected
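Review bot: the $ref line now says uint16, but the description above it still gives no hint of the cell size, and the changelog says a 32-bit value in the dts reads back as 0. Add a sentence or example to the description showing the property written with /bits/ 16, so dts authors do not repeat the mistake the driver silently turns into a zero buffer size.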




* [PATCH 5.10 178/211] x86/mm: Avoid incomplete Global INVLPG flushes
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (176 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 177/211] dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 179/211] selftests/memfd: Fix unknown type name build failure Greg Kroah-Hartman
                   ` (38 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Dave Hansen, Thomas Gleixner,
	Daniel Sneddon

From: Dave Hansen <dave.hansen@linux.intel.com>

commit ce0b15d11ad837fbacc5356941712218e38a0a83 upstream.

The INVLPG instruction is used to invalidate TLB entries for a
specified virtual address.  When PCIDs are enabled, INVLPG is supposed
to invalidate TLB entries for the specified address for both the
current PCID *and* Global entries.  (Note: Only kernel mappings set
Global=1.)

Unfortunately, some INVLPG implementations can leave Global
translations unflushed when PCIDs are enabled.

As a workaround, never enable PCIDs on affected processors.

I expect there to eventually be microcode mitigations to replace this
software workaround.  However, the exact version numbers where that
will happen are not known today.  Once the version numbers are set in
stone, the processor list can be tweaked to only disable PCIDs on
affected processors with affected microcode.

Note: if anyone wants a quick fix that doesn't require patching, just
stick 'nopcid' on your kernel command-line.

Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Reviewed-by: Thomas Gleixner <tglx@linutronix.de>
Cc: stable@vger.kernel.org
Signed-off-by: Daniel Sneddon <daniel.sneddon@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/include/asm/intel-family.h |    5 +++++
 arch/x86/mm/init.c                  |   25 +++++++++++++++++++++++++
 2 files changed, 30 insertions(+)

--- a/arch/x86/include/asm/intel-family.h
+++ b/arch/x86/include/asm/intel-family.h
@@ -98,6 +98,11 @@
 #define	INTEL_FAM6_LAKEFIELD		0x8A
 #define INTEL_FAM6_ALDERLAKE		0x97
 #define INTEL_FAM6_ALDERLAKE_L		0x9A
+#define INTEL_FAM6_ALDERLAKE_N		0xBE
+
+#define INTEL_FAM6_RAPTORLAKE		0xB7
+#define INTEL_FAM6_RAPTORLAKE_P		0xBA
+#define INTEL_FAM6_RAPTORLAKE_S		0xBF
 
 /* "Small Core" Processors (Atom) */
 
--- a/arch/x86/mm/init.c
+++ b/arch/x86/mm/init.c
@@ -9,6 +9,7 @@
 #include <linux/sched/task.h>
 
 #include <asm/set_memory.h>
+#include <asm/cpu_device_id.h>
 #include <asm/e820/api.h>
 #include <asm/init.h>
 #include <asm/page.h>
@@ -254,6 +255,24 @@ static void __init probe_page_size_mask(
 	}
 }
 
+#define INTEL_MATCH(_model) { .vendor  = X86_VENDOR_INTEL,	\
+			      .family  = 6,			\
+			      .model = _model,			\
+			    }
+/*
+ * INVLPG may not properly flush Global entries
+ * on these CPUs when PCIDs are enabled.
+ */
+static const struct x86_cpu_id invlpg_miss_ids[] = {
+	INTEL_MATCH(INTEL_FAM6_ALDERLAKE   ),
+	INTEL_MATCH(INTEL_FAM6_ALDERLAKE_L ),
+	INTEL_MATCH(INTEL_FAM6_ALDERLAKE_N ),
+	INTEL_MATCH(INTEL_FAM6_RAPTORLAKE  ),
+	INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_P),
+	INTEL_MATCH(INTEL_FAM6_RAPTORLAKE_S),
+	{}
+};
+
 static void setup_pcid(void)
 {
 	if (!IS_ENABLED(CONFIG_X86_64))
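Review bot: invlpg_miss_ids[] matches on vendor, family and model only, while the changelog says the list is meant to be narrowed to affected microcode once fixed revisions are known. Record that in the comment above the table so the intent survives in the code and not only in the commit message. The padding inside the parentheses, as in INTEL_MATCH(INTEL_FAM6_ALDERLAKE   ), is unusual; aligning after the closing parenthesis is the common form.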
@@ -262,6 +281,12 @@ static void setup_pcid(void)
 	if (!boot_cpu_has(X86_FEATURE_PCID))
 		return;
 
+	if (x86_match_cpu(invlpg_miss_ids)) {
+		pr_info("Incomplete global flushes, disabling PCID");
+		setup_clear_cpu_cap(X86_FEATURE_PCID);
+		return;
+	}
+
 	if (boot_cpu_has(X86_FEATURE_PGE)) {
 		/*
 		 * This can't be cr4_set_bits_and_update_boot() -- the
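Review bot: the pr_info() string "Incomplete global flushes, disabling PCID" has no trailing "\n"; add it so the message is terminated like other printk output. The early return before the X86_FEATURE_PGE check is the right place for the workaround, since it keeps the PCID setup below from running at all on matched CPUs.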




* [PATCH 5.10 179/211] selftests/memfd: Fix unknown type name build failure
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (177 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 178/211] x86/mm: Avoid incomplete Global INVLPG flushes Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 180/211] parisc: Fix flush_dcache_page() for usage from irq context Greg Kroah-Hartman
                   ` (37 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hardik Garg, Tyler Hicks (Microsoft)

From: Hardik Garg <hargar@linux.microsoft.com>

Partially backport v6.3 commit 11f75a01448f ("selftests/memfd: add tests
for MFD_NOEXEC_SEAL MFD_EXEC") to fix an unknown type name build error.
In some systems, the __u64 typedef is not present due to differences in
system headers, causing compilation errors like this one:

fuse_test.c:64:8: error: unknown type name '__u64'
   64 | static __u64 mfd_assert_get_seals(int fd)

This header includes the __u64 typedef which increases the likelihood
of successful compilation on a wider variety of systems.

Signed-off-by: Hardik Garg <hargar@linux.microsoft.com>
Reviewed-by: Tyler Hicks (Microsoft) <code@tyhicks.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/memfd/fuse_test.c |    1 +
 1 file changed, 1 insertion(+)

--- a/tools/testing/selftests/memfd/fuse_test.c
+++ b/tools/testing/selftests/memfd/fuse_test.c
@@ -22,6 +22,7 @@
 #include <linux/falloc.h>
 #include <linux/fcntl.h>
 #include <linux/memfd.h>
+#include <linux/types.h>
 #include <sched.h>
 #include <stdio.h>
 #include <stdlib.h>




* [PATCH 5.10 180/211] parisc: Fix flush_dcache_page() for usage from irq context
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (178 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 179/211] selftests/memfd: Fix unknown type name build failure Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 181/211] x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms Greg Kroah-Hartman
                   ` (36 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, linux-parisc, Helge Deller, stable

From: Helge Deller <deller@gmx.de>

commit 61e150fb310729c98227a5edf6e4a3619edc3702 upstream.

Since at least kernel 6.1, flush_dcache_page() is called with IRQs
disabled, e.g. from aio_complete().

But the current implementation for flush_dcache_page() on parisc
unintentionally re-enables IRQs, which may lead to deadlocks.

Fix it by using xa_lock_irqsave() and xa_unlock_irqrestore()
for the flush_dcache_mmap_*lock() macros instead.

Cc: linux-parisc@vger.kernel.org
Cc: stable@kernel.org # 5.18+
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/parisc/include/asm/cacheflush.h |    5 +++++
 arch/parisc/kernel/cache.c           |    5 +++--
 2 files changed, 8 insertions(+), 2 deletions(-)

--- a/arch/parisc/include/asm/cacheflush.h
+++ b/arch/parisc/include/asm/cacheflush.h
@@ -57,6 +57,11 @@ extern void flush_dcache_page(struct pag
 
 #define flush_dcache_mmap_lock(mapping)		xa_lock_irq(&mapping->i_pages)
 #define flush_dcache_mmap_unlock(mapping)	xa_unlock_irq(&mapping->i_pages)
+#define flush_dcache_mmap_lock_irqsave(mapping, flags)		\
+		xa_lock_irqsave(&mapping->i_pages, flags)
+#define flush_dcache_mmap_unlock_irqrestore(mapping, flags)	\
+		xa_unlock_irqrestore(&mapping->i_pages, flags)
+
 
 #define flush_icache_page(vma,page)	do { 		\
 	flush_kernel_dcache_page(page);			\
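Review bot: flush_dcache_mmap_lock() and flush_dcache_mmap_unlock() stay defined and still use xa_lock_irq()/xa_unlock_irq(), so any other caller that can run with IRQs disabled keeps the problem the changelog describes. Either add a comment on the old pair saying it must only be used with IRQs enabled, or convert the remaining users in the same patch. The hunk also leaves two consecutive blank lines after the new macros.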
--- a/arch/parisc/kernel/cache.c
+++ b/arch/parisc/kernel/cache.c
@@ -327,6 +327,7 @@ void flush_dcache_page(struct page *page
 	struct vm_area_struct *mpnt;
 	unsigned long offset;
 	unsigned long addr, old_addr = 0;
+	unsigned long flags;
 	pgoff_t pgoff;
 
 	if (mapping && !mapping_mapped(mapping)) {
@@ -346,7 +347,7 @@ void flush_dcache_page(struct page *page
 	 * declared as MAP_PRIVATE or MAP_SHARED), so we only need
 	 * to flush one address here for them all to become coherent */
 
-	flush_dcache_mmap_lock(mapping);
+	flush_dcache_mmap_lock_irqsave(mapping, flags);
 	vma_interval_tree_foreach(mpnt, &mapping->i_mmap, pgoff, pgoff) {
 		offset = (pgoff - mpnt->vm_pgoff) << PAGE_SHIFT;
 		addr = mpnt->vm_start + offset;
@@ -369,7 +370,7 @@ void flush_dcache_page(struct page *page
 			old_addr = addr;
 		}
 	}
-	flush_dcache_mmap_unlock(mapping);
+	flush_dcache_mmap_unlock_irqrestore(mapping, flags);
 }
 EXPORT_SYMBOL(flush_dcache_page);
 




* [PATCH 5.10 181/211] x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (179 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 180/211] parisc: Fix flush_dcache_page() for usage from irq context Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 182/211] debugobjects: Dont wake up kswapd from fill_pool() Greg Kroah-Hartman
                   ` (35 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, stable, Len Brown, Zhang Rui,
	Dave Hansen, Peter Zijlstra (Intel)

From: Zhang Rui <rui.zhang@intel.com>

commit edc0a2b5957652f4685ef3516f519f84807087db upstream.

Traditionally, all CPUs in a system have identical numbers of SMT
siblings.  That changes with hybrid processors where some logical CPUs
have a sibling and others have none.

Today, the CPU boot code sets the global variable smp_num_siblings when
every CPU thread is brought up. The last thread to boot will overwrite
it with the number of siblings of *that* thread. That last thread to
boot will "win". If the thread is a Pcore, smp_num_siblings == 2.  If it
is an Ecore, smp_num_siblings == 1.

smp_num_siblings describes if the *system* supports SMT.  It should
specify the maximum number of SMT threads among all cores.

Ensure that smp_num_siblings represents the system-wide maximum number
of siblings by always increasing its value. Never allow it to decrease.

On MeteorLake-P platform, this fixes a problem that the Ecore CPUs are
not updated in any cpu sibling map because the system is treated as an
UP system when probing Ecore CPUs.

Below shows part of the CPU topology information before and after the
fix, for both Pcore and Ecore CPU (cpu0 is Pcore, cpu 12 is Ecore).
...
-/sys/devices/system/cpu/cpu0/topology/package_cpus:000fff
-/sys/devices/system/cpu/cpu0/topology/package_cpus_list:0-11
+/sys/devices/system/cpu/cpu0/topology/package_cpus:3fffff
+/sys/devices/system/cpu/cpu0/topology/package_cpus_list:0-21
...
-/sys/devices/system/cpu/cpu12/topology/package_cpus:001000
-/sys/devices/system/cpu/cpu12/topology/package_cpus_list:12
+/sys/devices/system/cpu/cpu12/topology/package_cpus:3fffff
+/sys/devices/system/cpu/cpu12/topology/package_cpus_list:0-21

Notice that the "before" 'package_cpus_list' has only one CPU.  This
means that userspace tools like lscpu will see a little laptop like
an 11-socket system:

-Core(s) per socket:  1
-Socket(s):           11
+Core(s) per socket:  16
+Socket(s):           1

This is also expected to make the scheduler do rather wonky things
too.

[ dhansen: remove CPUID detail from changelog, add end user effects ]

CC: stable@kernel.org
Fixes: bbb65d2d365e ("x86: use cpuid vector 0xb when available for detecting cpu topology")
Fixes: 95f3d39ccf7a ("x86/cpu/topology: Provide detect_extended_topology_early()")
Suggested-by: Len Brown <len.brown@intel.com>
Signed-off-by: Zhang Rui <rui.zhang@intel.com>
Signed-off-by: Dave Hansen <dave.hansen@linux.intel.com>
Acked-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lore.kernel.org/all/20230323015640.27906-1-rui.zhang%40intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/cpu/topology.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/cpu/topology.c
+++ b/arch/x86/kernel/cpu/topology.c
@@ -79,7 +79,7 @@ int detect_extended_topology_early(struc
 	 * initial apic id, which also represents 32-bit extended x2apic id.
 	 */
 	c->initial_apicid = edx;
-	smp_num_siblings = LEVEL_MAX_SIBLINGS(ebx);
+	smp_num_siblings = max_t(int, smp_num_siblings, LEVEL_MAX_SIBLINGS(ebx));
 #endif
 	return 0;
 }
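Review bot: the max_t() assignment to smp_num_siblings has no comment, and it now acts as an accumulator across CPUs instead of a per-CPU probe result. A one-line comment that smp_num_siblings is the system-wide maximum and must never decrease would keep the invariant from the changelog visible at the assignment.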
@@ -109,7 +109,8 @@ int detect_extended_topology(struct cpui
 	 */
 	cpuid_count(leaf, SMT_LEVEL, &eax, &ebx, &ecx, &edx);
 	c->initial_apicid = edx;
-	core_level_siblings = smp_num_siblings = LEVEL_MAX_SIBLINGS(ebx);
+	core_level_siblings = LEVEL_MAX_SIBLINGS(ebx);
+	smp_num_siblings = max_t(int, smp_num_siblings, LEVEL_MAX_SIBLINGS(ebx));
 	core_plus_mask_width = ht_mask_width = BITS_SHIFT_NEXT_LEVEL(eax);
 	die_level_siblings = LEVEL_MAX_SIBLINGS(ebx);
 	pkg_mask_width = die_plus_mask_width = BITS_SHIFT_NEXT_LEVEL(eax);
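Review bot: LEVEL_MAX_SIBLINGS(ebx) is now evaluated on two consecutive lines; the second can reuse the value just stored, as in smp_num_siblings = max_t(int, smp_num_siblings, core_level_siblings);. That also makes it obvious that both variables are derived from the same CPUID result.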




* [PATCH 5.10 182/211] debugobjects: Dont wake up kswapd from fill_pool()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (180 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 181/211] x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 183/211] fbdev: udlfb: Fix endpoint check Greg Kroah-Hartman
                   ` (34 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, syzbot, Tetsuo Handa, Thomas Gleixner

From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>

commit eb799279fb1f9c63c520fe8c1c41cb9154252db6 upstream.

syzbot is reporting a lockdep warning in fill_pool() because the allocation
from debugobjects is using GFP_ATOMIC, which is (__GFP_HIGH | __GFP_KSWAPD_RECLAIM)
and therefore tries to wake up kswapd, which acquires kswapd_wait::lock.

Since fill_pool() might be called with arbitrary locks held, fill_pool()
should not assume that acquiring kswapd_wait::lock is safe.

Use __GFP_HIGH instead and remove __GFP_NORETRY as it is pointless for
!__GFP_DIRECT_RECLAIM allocation.

Fixes: 3ac7fe5a4aab ("infrastructure to debug (dynamic) objects")
Reported-by: syzbot <syzbot+fe0c72f0ccbb93786380@syzkaller.appspotmail.com>
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Signed-off-by: Thomas Gleixner <tglx@linutronix.de>
Link: https://lore.kernel.org/r/6577e1fa-b6ee-f2be-2414-a2b51b1c5e30@I-love.SAKURA.ne.jp
Closes: https://syzkaller.appspot.com/bug?extid=fe0c72f0ccbb93786380
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 lib/debugobjects.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/lib/debugobjects.c
+++ b/lib/debugobjects.c
@@ -129,7 +129,7 @@ static const char *obj_states[ODEBUG_STA
 
 static void fill_pool(void)
 {
-	gfp_t gfp = GFP_ATOMIC | __GFP_NORETRY | __GFP_NOWARN;
+	gfp_t gfp = __GFP_HIGH | __GFP_NOWARN;
 	struct debug_obj *obj;
 	unsigned long flags;
 
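Review bot: the new mask __GFP_HIGH | __GFP_NOWARN carries no comment, so the reason GFP_ATOMIC is avoided lives only in the changelog. Add a comment above the gfp declaration saying that __GFP_KSWAPD_RECLAIM is left out on purpose because fill_pool() can run with arbitrary locks held and must not wake kswapd; otherwise the line invites a later "simplification" back to GFP_ATOMIC.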




* [PATCH 5.10 183/211] fbdev: udlfb: Fix endpoint check
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (181 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 182/211] debugobjects: Dont wake up kswapd from fill_pool() Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 184/211] net: fix stack overflow when LRO is disabled for virtual interfaces Greg Kroah-Hartman
                   ` (33 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alan Stern, Pavel Skripkin,
	Helge Deller, syzbot+0e22d63dcebb802b9bc8

From: Alan Stern <stern@rowland.harvard.edu>

commit ed9de4ed39875706607fb08118a58344ae6c5f42 upstream.

The syzbot fuzzer detected a problem in the udlfb driver, caused by an
endpoint not having the expected type:

usb 1-1: Read EDID byte 0 failed: -71
usb 1-1: Unable to get valid EDID from device/display
------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 0 PID: 9 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880
drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 9 Comm: kworker/0:1 Not tainted
6.4.0-rc1-syzkaller-00016-ga4422ff22142 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google
04/28/2023
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
...
Call Trace:
 <TASK>
 dlfb_submit_urb+0x92/0x180 drivers/video/fbdev/udlfb.c:1980
 dlfb_set_video_mode+0x21f0/0x2950 drivers/video/fbdev/udlfb.c:315
 dlfb_ops_set_par+0x2a7/0x8d0 drivers/video/fbdev/udlfb.c:1111
 dlfb_usb_probe+0x149a/0x2710 drivers/video/fbdev/udlfb.c:1743

The current approach for this issue failed to catch the problem
because it only checks for the existence of a bulk-OUT endpoint; it
doesn't check whether this endpoint is the one that the driver will
actually use.

We can fix the problem by instead checking that the endpoint used by
the driver does exist and is bulk-OUT.

Reported-and-tested-by: syzbot+0e22d63dcebb802b9bc8@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
CC: Pavel Skripkin <paskripkin@gmail.com>
Fixes: aaf7dbe07385 ("video: fbdev: udlfb: properly check endpoint type")
Signed-off-by: Helge Deller <deller@gmx.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/video/fbdev/udlfb.c |   13 ++++++++-----
 1 file changed, 8 insertions(+), 5 deletions(-)

--- a/drivers/video/fbdev/udlfb.c
+++ b/drivers/video/fbdev/udlfb.c
@@ -27,6 +27,8 @@
 #include <video/udlfb.h>
 #include "edid.h"
 
+#define OUT_EP_NUM	1	/* The endpoint number we will use */
+
 static const struct fb_fix_screeninfo dlfb_fix = {
 	.id =           "udlfb",
 	.type =         FB_TYPE_PACKED_PIXELS,
@@ -1651,7 +1653,7 @@ static int dlfb_usb_probe(struct usb_int
 	struct fb_info *info;
 	int retval;
 	struct usb_device *usbdev = interface_to_usbdev(intf);
-	struct usb_endpoint_descriptor *out;
+	static u8 out_ep[] = {OUT_EP_NUM + USB_DIR_OUT, 0};
 
 	/* usb initialization */
 	dlfb = kzalloc(sizeof(*dlfb), GFP_KERNEL);
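
Review bot: out_ep in dlfb_usb_probe() should be "static const u8", not
"static u8": the table is never written, and usb_check_bulk_endpoints()
as added in this series takes a "const u8 *". Building the address as
"OUT_EP_NUM + USB_DIR_OUT" works, but "OUT_EP_NUM | USB_DIR_OUT" reads as
the flag combination it is and matches how the sisusbvga and radio-shark
patches in this series build their tables.
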
@@ -1665,9 +1667,9 @@ static int dlfb_usb_probe(struct usb_int
 	dlfb->udev = usb_get_dev(usbdev);
 	usb_set_intfdata(intf, dlfb);
 
-	retval = usb_find_common_endpoints(intf->cur_altsetting, NULL, &out, NULL, NULL);
-	if (retval) {
-		dev_err(&intf->dev, "Device should have at lease 1 bulk endpoint!\n");
+	if (!usb_check_bulk_endpoints(intf, out_ep)) {
+		dev_err(&intf->dev, "Invalid DisplayLink device!\n");
+		retval = -EINVAL;
 		goto error;
 	}
 
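Review bot: The endpoint check in dlfb_usb_probe() runs only after the
kzalloc() and usb_get_dev() calls, so a device that fails validation still
goes through allocation and the "goto error" unwind. Since
usb_check_bulk_endpoints() needs only intf, the check could be the first
statement of probe and return -EINVAL directly, as the sisusbvga and
radio-shark patches in this series do.
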
@@ -1926,7 +1928,8 @@ retry:
 		}
 
 		/* urb->transfer_buffer_length set to actual before submit */
-		usb_fill_bulk_urb(urb, dlfb->udev, usb_sndbulkpipe(dlfb->udev, 1),
+		usb_fill_bulk_urb(urb, dlfb->udev,
+			usb_sndbulkpipe(dlfb->udev, OUT_EP_NUM),
 			buf, size, dlfb_urb_completion, unode);
 		urb->transfer_flags |= URB_NO_TRANSFER_DMA_MAP;
 



^ permalink raw reply	[flat|nested] 218+ messages in thread

* [PATCH 5.10 184/211] net: fix stack overflow when LRO is disabled for virtual interfaces
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (182 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 183/211] fbdev: udlfb: Fix endpoint check Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 185/211] udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated() Greg Kroah-Hartman
                   ` (32 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+60748c96cf5c6df8e581,
	Taehee Yoo, Eric Dumazet, Nikolay Aleksandrov, Jakub Kicinski

From: Taehee Yoo <ap420073@gmail.com>

commit ae9b15fbe63447bc1d3bba3769f409d17ca6fdf6 upstream.

When the virtual interface's feature is updated, it synchronizes the
updated feature for its own lower interface.
This propagation logic should work iteratively, not recursively.
But it unexpectedly works recursively because of the netdev notification.
This problem occurs when it disables LRO only for the team and bonding
interface type.

       team0
         |
  +------+------+-----+-----+
  |      |      |     |     |
team1  team2  team3  ...  team200

If team0's LRO feature is updated, it generates the NETDEV_FEAT_CHANGE
event to its own lower interfaces (team1 ~ team200).
This is done by netdev_sync_lower_features().
So, the NETDEV_FEAT_CHANGE notification logic of each lower interface
works iteratively.
But the generated NETDEV_FEAT_CHANGE event is also sent to the upper
interface.
The upper interface (team0) generates the NETDEV_FEAT_CHANGE event for its
own lower interfaces again.
The lower and upper interfaces receive this event and generate this
event again and again.
So, the stack overflow occurs.

But it is not an infinite loop issue,
because netdev_sync_lower_features() updates features before
generating the NETDEV_FEAT_CHANGE event.
Already synchronized lower interfaces skip the notification logic.
So, the only problem is that the iteration logic unexpectedly becomes
recursive due to the notification mechanism.

Reproducer:

ip link add team0 type team
ethtool -K team0 lro on
for i in {1..200}
do
        ip link add team$i master team0 type team
        ethtool -K team$i lro on
done

ethtool -K team0 lro off

In order to fix it, the notifier_ctx member of bonding/team is introduced.

Reported-by: syzbot+60748c96cf5c6df8e581@syzkaller.appspotmail.com
Fixes: fd867d51f889 ("net/core: generic support for disabling netdev features down stack")
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Nikolay Aleksandrov <razor@blackwall.org>
Link: https://lore.kernel.org/r/20230517143010.3596250-1-ap420073@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/bonding/bond_main.c |    8 +++++++-
 drivers/net/team/team.c         |    7 ++++++-
 include/linux/if_team.h         |    1 +
 include/net/bonding.h           |    1 +
 4 files changed, 15 insertions(+), 2 deletions(-)

--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -3537,7 +3537,11 @@ static int bond_slave_netdev_event(unsig
 		unblock_netpoll_tx();
 		break;
 	case NETDEV_FEAT_CHANGE:
-		bond_compute_features(bond);
+		if (!bond->notifier_ctx) {
+			bond->notifier_ctx = true;
+			bond_compute_features(bond);
+			bond->notifier_ctx = false;
+		}
 		break;
 	case NETDEV_RESEND_IGMP:
 		/* Propagate to master device */
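
Review bot: The notifier_ctx guard in the NETDEV_FEAT_CHANGE case is a
plain bool with no comment on what serializes it or why re-entry must be
skipped. A short comment saying that the flag marks
bond_compute_features() as already running for this bond, and which lock
the notifier runs under, would keep the test-and-set from looking racy to
the next reader. The name notifier_ctx also says little about its role as
a re-entrancy guard.
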
@@ -5360,6 +5364,8 @@ static int bond_init(struct net_device *
 	if (!bond->wq)
 		return -ENOMEM;
 
+	bond->notifier_ctx = false;
+
 	spin_lock_init(&bond->stats_lock);
 	netdev_lockdep_set_classes(bond_dev);
 
--- a/drivers/net/team/team.c
+++ b/drivers/net/team/team.c
@@ -1624,6 +1624,7 @@ static int team_init(struct net_device *
 
 	team->dev = dev;
 	team_set_no_mode(team);
+	team->notifier_ctx = false;
 
 	team->pcpu_stats = netdev_alloc_pcpu_stats(struct team_pcpu_stats);
 	if (!team->pcpu_stats)
@@ -3016,7 +3017,11 @@ static int team_device_event(struct noti
 		team_del_slave(port->team->dev, dev);
 		break;
 	case NETDEV_FEAT_CHANGE:
-		team_compute_features(port->team);
+		if (!port->team->notifier_ctx) {
+			port->team->notifier_ctx = true;
+			team_compute_features(port->team);
+			port->team->notifier_ctx = false;
+		}
 		break;
 	case NETDEV_PRECHANGEMTU:
 		/* Forbid to change mtu of underlaying device */
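
Review bot: The guard around team_compute_features() is a copy of the
lines added to bond_slave_netdev_event(), so any other stacked driver
that recomputes features from NETDEV_FEAT_CHANGE would need the same
copy. Worth asking whether the re-entry can be cut off once in the core
feature-sync path instead; if not, the commit message should say why only
team and bonding are affected.
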
--- a/include/linux/if_team.h
+++ b/include/linux/if_team.h
@@ -208,6 +208,7 @@ struct team {
 	bool queue_override_enabled;
 	struct list_head *qom_lists; /* array of queue override mapping lists */
 	bool port_mtu_change_allowed;
+	bool notifier_ctx;
 	struct {
 		unsigned int count;
 		unsigned int interval; /* in ms */
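
Review bot: The new "bool notifier_ctx;" member of struct team has no
comment, while the neighbouring qom_lists and interval members do. Add
one saying it is set while a NETDEV_FEAT_CHANGE event from a port is
being handled; the same applies to the member added to struct bonding.
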
--- a/include/net/bonding.h
+++ b/include/net/bonding.h
@@ -216,6 +216,7 @@ struct bonding {
 	struct   bond_up_slave __rcu *usable_slaves;
 	struct   bond_up_slave __rcu *all_slaves;
 	bool     force_primary;
+	bool     notifier_ctx;
 	s32      slave_cnt; /* never change this value outside the attach/detach wrappers */
 	int     (*recv_probe)(const struct sk_buff *, struct bonding *,
 			      struct slave *);



^ permalink raw reply	[flat|nested] 218+ messages in thread
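
The recursion described in the commit message above, as a user-space toy model added here (not kernel code and not part of the patch). The struct and function names are hypothetical stand-ins for the feature sync and the upper device's NETDEV_FEAT_CHANGE handler; the model only counts how deeply the sync nests with and without a notifier_ctx style guard.

```c
#include <stdbool.h>
#include <stdio.h>

#define MAX_LOWER 256

/* Toy model (constructed): one upper device such as team0 and its lowers. */
struct model {
	int  n_lower;
	bool upper_lro;
	bool lower_lro[MAX_LOWER];
	bool use_guard;     /* apply the notifier_ctx check from the patch? */
	bool notifier_ctx;  /* set while the upper handles a notification */
	int  depth;         /* current nesting of update_features() */
	int  max_depth;     /* deepest nesting reached */
};

static void update_features(struct model *m);

/* Stand-in for the upper device's NETDEV_FEAT_CHANGE handler. */
static void upper_feat_change_event(struct model *m)
{
	if (!m->use_guard) {
		update_features(m);       /* pre-patch: always recompute */
		return;
	}
	if (!m->notifier_ctx) {           /* patched: skip nested events */
		m->notifier_ctx = true;
		update_features(m);
		m->notifier_ctx = false;
	}
}

/* Stand-in for recomputing the upper's features and syncing its lowers. */
static void update_features(struct model *m)
{
	if (++m->depth > m->max_depth)
		m->max_depth = m->depth;

	for (int i = 0; i < m->n_lower; i++) {
		if (m->upper_lro || !m->lower_lro[i])
			continue;             /* already in sync: no event */
		m->lower_lro[i] = false;      /* update the lower first ... */
		upper_feat_change_event(m);   /* ... then the event reaches the upper */
	}
	m->depth--;
}

/* Build the topology from the reproducer and turn LRO off on the upper. */
static struct model run_model(int n_lower, bool use_guard)
{
	struct model m = { .upper_lro = true, .use_guard = use_guard };

	m.n_lower = n_lower > MAX_LOWER ? MAX_LOWER : n_lower;
	for (int i = 0; i < m.n_lower; i++)
		m.lower_lro[i] = true;

	m.upper_lro = false;
	update_features(&m);
	return m;
}

/* Deepest nesting of update_features() for the given topology. */
int max_nesting(int n_lower, bool use_guard)
{
	return run_model(n_lower, use_guard).max_depth;
}

/* Number of lowers that still have LRO on afterwards (0 means fully synced). */
int lowers_left_on(int n_lower, bool use_guard)
{
	struct model m = run_model(n_lower, use_guard);
	int on = 0;

	for (int i = 0; i < m.n_lower; i++)
		on += m.lower_lro[i];
	return on;
}

int main(void)
{
	printf("unguarded: nesting %d, lowers left on %d\n",
	       max_nesting(200, false), lowers_left_on(200, false));
	printf("guarded:   nesting %d, lowers left on %d\n",
	       max_nesting(200, true), lowers_left_on(200, true));
	return 0;
}
```

Without the guard the nesting grows by one level per lower interface and still terminates, which matches the "not an infinite loop" remark in the commit message; with the guard it stays constant and every lower is still synchronized.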

* [PATCH 5.10 185/211] udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated().
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (183 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 184/211] net: fix stack overflow when LRO is disabled for virtual interfaces Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 186/211] USB: core: Add routines for endpoint checks in old drivers Greg Kroah-Hartman
                   ` (31 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, syzbot+444ca0907e96f7c5e48b,
	Kuniyuki Iwashima, Paolo Abeni

From: Kuniyuki Iwashima <kuniyu@amazon.com>

commit ad42a35bdfc6d3c0fc4cb4027d7b2757ce665665 upstream.

syzbot reported [0] a null-ptr-deref in sk_get_rmem0() while using
IPPROTO_UDPLITE (0x88):

  14:25:52 executing program 1:
  r0 = socket$inet6(0xa, 0x80002, 0x88)

We had a similar report [1] for probably sk_memory_allocated_add()
in __sk_mem_raise_allocated(), and commit c915fe13cbaa ("udplite: fix
NULL pointer dereference") fixed it by setting .memory_allocated for
udplite_prot and udplitev6_prot.

To fix the variant, we need to set either .sysctl_wmem_offset or
.sysctl_rmem.

Now UDP and UDPLITE share the same value for .memory_allocated, so we
use the same .sysctl_wmem_offset for UDP and UDPLITE.

[0]:
general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] PREEMPT SMP KASAN
KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007]
CPU: 0 PID: 6829 Comm: syz-executor.1 Not tainted 6.4.0-rc2-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 04/28/2023
RIP: 0010:sk_get_rmem0 include/net/sock.h:2907 [inline]
RIP: 0010:__sk_mem_raise_allocated+0x806/0x17a0 net/core/sock.c:3006
Code: c1 ea 03 80 3c 02 00 0f 85 23 0f 00 00 48 8b 44 24 08 48 8b 98 38 01 00 00 48 b8 00 00 00 00 00 fc ff df 48 89 da 48 c1 ea 03 <0f> b6 14 02 48 89 d8 83 e0 07 83 c0 03 38 d0 0f 8d 6f 0a 00 00 8b
RSP: 0018:ffffc90005d7f450 EFLAGS: 00010246
RAX: dffffc0000000000 RBX: 0000000000000000 RCX: ffffc90004d92000
RDX: 0000000000000000 RSI: ffffffff88066482 RDI: ffffffff8e2ccbb8
RBP: ffff8880173f7000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000000 R12: 0000000000030000
R13: 0000000000000001 R14: 0000000000000340 R15: 0000000000000001
FS:  0000000000000000(0000) GS:ffff8880b9800000(0063) knlGS:00000000f7f1cb40
CS:  0010 DS: 002b ES: 002b CR0: 0000000080050033
CR2: 000000002e82f000 CR3: 0000000034ff0000 CR4: 00000000003506f0
Call Trace:
 <TASK>
 __sk_mem_schedule+0x6c/0xe0 net/core/sock.c:3077
 udp_rmem_schedule net/ipv4/udp.c:1539 [inline]
 __udp_enqueue_schedule_skb+0x776/0xb30 net/ipv4/udp.c:1581
 __udpv6_queue_rcv_skb net/ipv6/udp.c:666 [inline]
 udpv6_queue_rcv_one_skb+0xc39/0x16c0 net/ipv6/udp.c:775
 udpv6_queue_rcv_skb+0x194/0xa10 net/ipv6/udp.c:793
 __udp6_lib_mcast_deliver net/ipv6/udp.c:906 [inline]
 __udp6_lib_rcv+0x1bda/0x2bd0 net/ipv6/udp.c:1013
 ip6_protocol_deliver_rcu+0x2e7/0x1250 net/ipv6/ip6_input.c:437
 ip6_input_finish+0x150/0x2f0 net/ipv6/ip6_input.c:482
 NF_HOOK include/linux/netfilter.h:303 [inline]
 NF_HOOK include/linux/netfilter.h:297 [inline]
 ip6_input+0xa0/0xd0 net/ipv6/ip6_input.c:491
 ip6_mc_input+0x40b/0xf50 net/ipv6/ip6_input.c:585
 dst_input include/net/dst.h:468 [inline]
 ip6_rcv_finish net/ipv6/ip6_input.c:79 [inline]
 NF_HOOK include/linux/netfilter.h:303 [inline]
 NF_HOOK include/linux/netfilter.h:297 [inline]
 ipv6_rcv+0x250/0x380 net/ipv6/ip6_input.c:309
 __netif_receive_skb_one_core+0x114/0x180 net/core/dev.c:5491
 __netif_receive_skb+0x1f/0x1c0 net/core/dev.c:5605
 netif_receive_skb_internal net/core/dev.c:5691 [inline]
 netif_receive_skb+0x133/0x7a0 net/core/dev.c:5750
 tun_rx_batched+0x4b3/0x7a0 drivers/net/tun.c:1553
 tun_get_user+0x2452/0x39c0 drivers/net/tun.c:1989
 tun_chr_write_iter+0xdf/0x200 drivers/net/tun.c:2035
 call_write_iter include/linux/fs.h:1868 [inline]
 new_sync_write fs/read_write.c:491 [inline]
 vfs_write+0x945/0xd50 fs/read_write.c:584
 ksys_write+0x12b/0x250 fs/read_write.c:637
 do_syscall_32_irqs_on arch/x86/entry/common.c:112 [inline]
 __do_fast_syscall_32+0x65/0xf0 arch/x86/entry/common.c:178
 do_fast_syscall_32+0x33/0x70 arch/x86/entry/common.c:203
 entry_SYSENTER_compat_after_hwframe+0x70/0x82
RIP: 0023:0xf7f21579
Code: b8 01 10 06 03 74 b4 01 10 07 03 74 b0 01 10 08 03 74 d8 01 00 00 00 00 00 00 00 00 00 00 00 00 00 51 52 55 89 e5 0f 34 cd 80 <5d> 5a 59 c3 90 90 90 90 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00
RSP: 002b:00000000f7f1c590 EFLAGS: 00000282 ORIG_RAX: 0000000000000004
RAX: ffffffffffffffda RBX: 00000000000000c8 RCX: 0000000020000040
RDX: 0000000000000083 RSI: 00000000f734e000 RDI: 0000000000000000
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000296 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000000
 </TASK>
Modules linked in:

Link: https://lore.kernel.org/netdev/CANaxB-yCk8hhP68L4Q2nFOJht8sqgXGGQO2AftpHs0u1xyGG5A@mail.gmail.com/ [1]
Fixes: 850cbaddb52d ("udp: use it's own memory accounting schema")
Reported-by: syzbot+444ca0907e96f7c5e48b@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=444ca0907e96f7c5e48b
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Link: https://lore.kernel.org/r/20230523163305.66466-1-kuniyu@amazon.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv4/udplite.c |    2 ++
 net/ipv6/udplite.c |    2 ++
 2 files changed, 4 insertions(+)

--- a/net/ipv4/udplite.c
+++ b/net/ipv4/udplite.c
@@ -62,6 +62,8 @@ struct proto 	udplite_prot = {
 	.get_port	   = udp_v4_get_port,
 	.memory_allocated  = &udp_memory_allocated,
 	.sysctl_mem	   = sysctl_udp_mem,
+	.sysctl_wmem_offset = offsetof(struct net, ipv4.sysctl_udp_wmem_min),
+	.sysctl_rmem_offset = offsetof(struct net, ipv4.sysctl_udp_rmem_min),
 	.obj_size	   = sizeof(struct udp_sock),
 	.h.udp_table	   = &udplite_table,
 };
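
Review bot: The two added initializers break the column alignment of the
"=" signs used by every other member of udplite_prot. The commit message
also says either .sysctl_wmem_offset or .sysctl_rmem needs to be set,
while the hunk sets both .sysctl_wmem_offset and .sysctl_rmem_offset; the
message should name the fields the patch actually sets.
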
--- a/net/ipv6/udplite.c
+++ b/net/ipv6/udplite.c
@@ -57,6 +57,8 @@ struct proto udplitev6_prot = {
 	.get_port	   = udp_v6_get_port,
 	.memory_allocated  = &udp_memory_allocated,
 	.sysctl_mem	   = sysctl_udp_mem,
+	.sysctl_wmem_offset = offsetof(struct net, ipv4.sysctl_udp_wmem_min),
+	.sysctl_rmem_offset = offsetof(struct net, ipv4.sysctl_udp_rmem_min),
 	.obj_size	   = sizeof(struct udp6_sock),
 	.h.udp_table	   = &udplite_table,
 };
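
Review bot: In udplitev6_prot the offsets point at
ipv4.sysctl_udp_wmem_min and ipv4.sysctl_udp_rmem_min, which reads like a
copy-paste slip in an IPv6 file. If the IPv6 side is meant to share the
IPv4 per-netns UDP limits, a one-line comment next to the initializers
should say so.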



^ permalink raw reply	[flat|nested] 218+ messages in thread

* [PATCH 5.10 186/211] USB: core: Add routines for endpoint checks in old drivers
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (184 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 185/211] udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated() Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 187/211] USB: sisusbvga: Add endpoint checks Greg Kroah-Hartman
                   ` (30 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Alan Stern

From: Alan Stern <stern@rowland.harvard.edu>

commit 13890626501ffda22b18213ddaf7930473da5792 upstream.

Many of the older USB drivers in the Linux USB stack were written
based simply on a vendor's device specification.  They use the
endpoint information in the spec and assume these endpoints will
always be present, with the properties listed, in any device matching
the given vendor and product IDs.

While that may have been true back then, with spoofing and fuzzing it
is not true any more.  More and more we are finding that those old
drivers need to perform at least a minimum of checking before they try
to use any endpoint other than ep0.

To make this checking as simple as possible, we now add a couple of
utility routines to the USB core.  usb_check_bulk_endpoints() and
usb_check_int_endpoints() take an interface pointer together with a
list of endpoint addresses (numbers and directions).  They check that
the interface's current alternate setting includes endpoints with
those addresses and that each of these endpoints has the right type:
bulk or interrupt, respectively.

Although we already have usb_find_common_endpoints() and related
routines meant for a similar purpose, they are not well suited for
this kind of checking.  Those routines find endpoints of various
kinds, but only one (either the first or the last) of each kind, and
they don't verify that the endpoints' addresses agree with what the
caller expects.

In theory the new routines could be more general: They could take a
particular altsetting as their argument instead of always using the
interface's current altsetting.  In practice I think this won't matter
too much; multiple altsettings tend to be used for transferring media
(audio or visual) over isochronous endpoints, not bulk or interrupt.
Drivers for such devices will generally require more sophisticated
checking than these simplistic routines provide.

Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/dd2c8e8c-2c87-44ea-ba17-c64b97e201c9@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/core/usb.c |   76 +++++++++++++++++++++++++++++++++++++++++++++++++
 include/linux/usb.h    |    5 +++
 2 files changed, 81 insertions(+)

--- a/drivers/usb/core/usb.c
+++ b/drivers/usb/core/usb.c
@@ -208,6 +208,82 @@ int usb_find_common_endpoints_reverse(st
 EXPORT_SYMBOL_GPL(usb_find_common_endpoints_reverse);
 
 /**
+ * usb_find_endpoint() - Given an endpoint address, search for the endpoint's
+ * usb_host_endpoint structure in an interface's current altsetting.
+ * @intf: the interface whose current altsetting should be searched
+ * @ep_addr: the endpoint address (number and direction) to find
+ *
+ * Search the altsetting's list of endpoints for one with the specified address.
+ *
+ * Return: Pointer to the usb_host_endpoint if found, %NULL otherwise.
+ */
+static const struct usb_host_endpoint *usb_find_endpoint(
+		const struct usb_interface *intf, unsigned int ep_addr)
+{
+	int n;
+	const struct usb_host_endpoint *ep;
+
+	n = intf->cur_altsetting->desc.bNumEndpoints;
+	ep = intf->cur_altsetting->endpoint;
+	for (; n > 0; (--n, ++ep)) {
+		if (ep->desc.bEndpointAddress == ep_addr)
+			return ep;
+	}
+	return NULL;
+}
+
+/**
+ * usb_check_bulk_endpoints - Check whether an interface's current altsetting
+ * contains a set of bulk endpoints with the given addresses.
+ * @intf: the interface whose current altsetting should be searched
+ * @ep_addrs: 0-terminated array of the endpoint addresses (number and
+ * direction) to look for
+ *
+ * Search for endpoints with the specified addresses and check their types.
+ *
+ * Return: %true if all the endpoints are found and are bulk, %false otherwise.
+ */
+bool usb_check_bulk_endpoints(
+		const struct usb_interface *intf, const u8 *ep_addrs)
+{
+	const struct usb_host_endpoint *ep;
+
+	for (; *ep_addrs; ++ep_addrs) {
+		ep = usb_find_endpoint(intf, *ep_addrs);
+		if (!ep || !usb_endpoint_xfer_bulk(&ep->desc))
+			return false;
+	}
+	return true;
+}
+EXPORT_SYMBOL_GPL(usb_check_bulk_endpoints);
+
+/**
+ * usb_check_int_endpoints - Check whether an interface's current altsetting
+ * contains a set of interrupt endpoints with the given addresses.
+ * @intf: the interface whose current altsetting should be searched
+ * @ep_addrs: 0-terminated array of the endpoint addresses (number and
+ * direction) to look for
+ *
+ * Search for endpoints with the specified addresses and check their types.
+ *
+ * Return: %true if all the endpoints are found and are interrupt,
+ * %false otherwise.
+ */
+bool usb_check_int_endpoints(
+		const struct usb_interface *intf, const u8 *ep_addrs)
+{
+	const struct usb_host_endpoint *ep;
+
+	for (; *ep_addrs; ++ep_addrs) {
+		ep = usb_find_endpoint(intf, *ep_addrs);
+		if (!ep || !usb_endpoint_xfer_int(&ep->desc))
+			return false;
+	}
+	return true;
+}
+EXPORT_SYMBOL_GPL(usb_check_int_endpoints);
+
+/**
  * usb_find_alt_setting() - Given a configuration, find the alternate setting
  * for the given interface.
  * @config: the configuration to search (not necessarily the current config).
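
Review bot: usb_check_bulk_endpoints() and usb_check_int_endpoints()
return true when ep_addrs starts with the 0 terminator, because the
"for (; *ep_addrs; ++ep_addrs)" loop never runs; the kernel-doc should say
so, since a caller that passes an empty table gets no validation at all.
The two functions also differ only in the usb_endpoint_xfer_*() test, so
a shared static helper taking the expected type would remove the
duplicated loop. The kernel-doc should further state that the caller must
keep intf->cur_altsetting stable for the duration of the call.
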
--- a/include/linux/usb.h
+++ b/include/linux/usb.h
@@ -279,6 +279,11 @@ void usb_put_intf(struct usb_interface *
 #define USB_MAXINTERFACES	32
 #define USB_MAXIADS		(USB_MAXINTERFACES/2)
 
+bool usb_check_bulk_endpoints(
+		const struct usb_interface *intf, const u8 *ep_addrs);
+bool usb_check_int_endpoints(
+		const struct usb_interface *intf, const u8 *ep_addrs);
+
 /*
  * USB Resume Timer: Every Host controller driver should drive the resume
  * signalling on the bus for the amount of time defined by this macro.



^ permalink raw reply	[flat|nested] 218+ messages in thread

* [PATCH 5.10 187/211] USB: sisusbvga: Add endpoint checks
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (185 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 186/211] USB: core: Add routines for endpoint checks in old drivers Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 188/211] media: radio-shark: " Greg Kroah-Hartman
                   ` (29 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alan Stern, syzbot+23be03b56c5259385d79

From: Alan Stern <stern@rowland.harvard.edu>

commit df05a9b05e466a46725564528b277d0c570d0104 upstream.

The syzbot fuzzer was able to provoke a WARNING from the sisusbvga driver:

------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 3 != type 1
WARNING: CPU: 1 PID: 26 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 1 PID: 26 Comm: kworker/1:1 Not tainted 6.2.0-rc5-syzkaller-00199-g5af6ce704936 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/12/2023
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed6/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 6c 50 80 fb 48 8b 7c 24 18 e8 62 1a 01 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 60 b1 fa 8a e8 84 b0 be 03 <0f> 0b e9 58 f8 ff ff e8 3e 50 80 fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc90000a1ed18 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000001 RCX: 0000000000000000
RDX: ffff888012783a80 RSI: ffffffff816680ec RDI: fffff52000143d95
RBP: ffff888079020000 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000003
R13: ffff888017d33370 R14: 0000000000000003 R15: ffff888021213600
FS:  0000000000000000(0000) GS:ffff8880b9900000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005592753a60b0 CR3: 0000000022899000 CR4: 00000000003506e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 sisusb_bulkout_msg drivers/usb/misc/sisusbvga/sisusbvga.c:224 [inline]
 sisusb_send_bulk_msg.constprop.0+0x904/0x1230 drivers/usb/misc/sisusbvga/sisusbvga.c:379
 sisusb_send_bridge_packet drivers/usb/misc/sisusbvga/sisusbvga.c:567 [inline]
 sisusb_do_init_gfxdevice drivers/usb/misc/sisusbvga/sisusbvga.c:2077 [inline]
 sisusb_init_gfxdevice+0x87b/0x4000 drivers/usb/misc/sisusbvga/sisusbvga.c:2177
 sisusb_probe+0x9cd/0xbe2 drivers/usb/misc/sisusbvga/sisusbvga.c:2869
...

The problem was caused by the fact that the driver does not check
whether the endpoints it uses are actually present and have the
appropriate types.  This can be fixed by adding a simple check of
the endpoints.

Link: https://syzkaller.appspot.com/bug?extid=23be03b56c5259385d79
Reported-and-tested-by: syzbot+23be03b56c5259385d79@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/48ef98f7-51ae-4f63-b8d3-0ef2004bb60a@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/usb/misc/sisusbvga/sisusb.c |   14 ++++++++++++++
 1 file changed, 14 insertions(+)

--- a/drivers/usb/misc/sisusbvga/sisusb.c
+++ b/drivers/usb/misc/sisusbvga/sisusb.c
@@ -3014,6 +3014,20 @@ static int sisusb_probe(struct usb_inter
 	struct usb_device *dev = interface_to_usbdev(intf);
 	struct sisusb_usb_data *sisusb;
 	int retval = 0, i;
+	static const u8 ep_addresses[] = {
+		SISUSB_EP_GFX_IN | USB_DIR_IN,
+		SISUSB_EP_GFX_OUT | USB_DIR_OUT,
+		SISUSB_EP_GFX_BULK_OUT | USB_DIR_OUT,
+		SISUSB_EP_GFX_LBULK_OUT | USB_DIR_OUT,
+		SISUSB_EP_BRIDGE_IN | USB_DIR_IN,
+		SISUSB_EP_BRIDGE_OUT | USB_DIR_OUT,
+		0};
+
+	/* Are the expected endpoints present? */
+	if (!usb_check_bulk_endpoints(intf, ep_addresses)) {
+		dev_err(&intf->dev, "Invalid USB2VGA device\n");
+		return -EINVAL;
+	}
 
 	dev_info(&dev->dev, "USB2VGA dongle found at address %d\n",
 			dev->devnum);
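
Review bot: The comment "Are the expected endpoints present?" in
sisusb_probe() understates the check, because usb_check_bulk_endpoints()
also rejects endpoints that are present but not bulk. With six addresses
in ep_addresses, the single "Invalid USB2VGA device" message gives no
hint of what was wrong; wording it as a missing or non-bulk endpoint
would make the log line useful when triaging a rejected device. The
closing "0};" would also read better with the terminator and the brace on
separate lines.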



^ permalink raw reply	[flat|nested] 218+ messages in thread

* [PATCH 5.10 188/211] media: radio-shark: Add endpoint checks
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (186 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 187/211] USB: sisusbvga: Add endpoint checks Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 189/211] net: fix skb leak in __skb_tstamp_tx() Greg Kroah-Hartman
                   ` (28 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alan Stern, syzbot+4b3f8190f6e13b3efd74

From: Alan Stern <stern@rowland.harvard.edu>

commit 76e31045ba030e94e72105c01b2e98f543d175ac upstream.

The syzbot fuzzer was able to provoke a WARNING from the radio-shark2
driver:

------------[ cut here ]------------
usb 1-1: BOGUS urb xfer, pipe 1 != type 3
WARNING: CPU: 0 PID: 3271 at drivers/usb/core/urb.c:504 usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504
Modules linked in:
CPU: 0 PID: 3271 Comm: kworker/0:3 Not tainted 6.1.0-rc4-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/26/2022
Workqueue: usb_hub_wq hub_event
RIP: 0010:usb_submit_urb+0xed2/0x1880 drivers/usb/core/urb.c:504
Code: 7c 24 18 e8 00 36 ea fb 48 8b 7c 24 18 e8 36 1c 02 ff 41 89 d8 44 89 e1 4c 89 ea 48 89 c6 48 c7 c7 a0 b6 90 8a e8 9a 29 b8 03 <0f> 0b e9 58 f8 ff ff e8 d2 35 ea fb 48 81 c5 c0 05 00 00 e9 84 f7
RSP: 0018:ffffc90003876dd0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: 0000000000000003 RCX: 0000000000000000
RDX: ffff8880750b0040 RSI: ffffffff816152b8 RDI: fffff5200070edac
RBP: ffff8880172d81e0 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000080000000 R11: 0000000000000000 R12: 0000000000000001
R13: ffff8880285c5040 R14: 0000000000000002 R15: ffff888017158200
FS:  0000000000000000(0000) GS:ffff8880b9a00000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007ffe03235b90 CR3: 000000000bc8e000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
 <TASK>
 usb_start_wait_urb+0x101/0x4b0 drivers/usb/core/message.c:58
 usb_bulk_msg+0x226/0x550 drivers/usb/core/message.c:387
 shark_write_reg+0x1ff/0x2e0 drivers/media/radio/radio-shark2.c:88
...

The problem was caused by the fact that the driver does not check
whether the endpoints it uses are actually present and have the
appropriate types.  This can be fixed by adding a simple check of
these endpoints (and similarly for the radio-shark driver).

Link: https://syzkaller.appspot.com/bug?extid=4b3f8190f6e13b3efd74
Reported-and-tested-by: syzbot+4b3f8190f6e13b3efd74@syzkaller.appspotmail.com
Signed-off-by: Alan Stern <stern@rowland.harvard.edu>
Link: https://lore.kernel.org/r/e2858ab4-4adf-46e5-bbf6-c56742034547@rowland.harvard.edu
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/media/radio/radio-shark.c  |   10 ++++++++++
 drivers/media/radio/radio-shark2.c |   10 ++++++++++
 2 files changed, 20 insertions(+)

--- a/drivers/media/radio/radio-shark.c
+++ b/drivers/media/radio/radio-shark.c
@@ -316,6 +316,16 @@ static int usb_shark_probe(struct usb_in
 {
 	struct shark_device *shark;
 	int retval = -ENOMEM;
+	static const u8 ep_addresses[] = {
+		SHARK_IN_EP | USB_DIR_IN,
+		SHARK_OUT_EP | USB_DIR_OUT,
+		0};
+
+	/* Are the expected endpoints present? */
+	if (!usb_check_int_endpoints(intf, ep_addresses)) {
+		dev_err(&intf->dev, "Invalid radioSHARK device\n");
+		return -EINVAL;
+	}
 
 	shark = kzalloc(sizeof(struct shark_device), GFP_KERNEL);
 	if (!shark)
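
Review bot: The WARNING quoted in the commit message comes from
radio-shark2.c, and this hunk applies the same table to radio-shark.c
without anything in the message showing that SHARK_IN_EP and SHARK_OUT_EP
are interrupt endpoints on this device as well. A sentence in the commit
message confirming the endpoint types for radioSHARK, or a comment above
ep_addresses, would let a reviewer verify that a valid device is not
rejected at probe.
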
--- a/drivers/media/radio/radio-shark2.c
+++ b/drivers/media/radio/radio-shark2.c
@@ -282,6 +282,16 @@ static int usb_shark_probe(struct usb_in
 {
 	struct shark_device *shark;
 	int retval = -ENOMEM;
+	static const u8 ep_addresses[] = {
+		SHARK_IN_EP | USB_DIR_IN,
+		SHARK_OUT_EP | USB_DIR_OUT,
+		0};
+
+	/* Are the expected endpoints present? */
+	if (!usb_check_int_endpoints(intf, ep_addresses)) {
+		dev_err(&intf->dev, "Invalid radioSHARK2 device\n");
+		return -EINVAL;
+	}
 
 	shark = kzalloc(sizeof(struct shark_device), GFP_KERNEL);
 	if (!shark)
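
Review bot: The check requires interrupt endpoints, yet the trace in the
commit message shows the driver sending through usb_bulk_msg() from
shark_write_reg(). A comment above ep_addresses saying that the device's
endpoints are interrupt type, and that this is why
usb_check_int_endpoints() is used rather than the bulk variant, would
stop a later reader from switching it to the bulk check.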



^ permalink raw reply	[flat|nested] 218+ messages in thread

* [PATCH 5.10 189/211] net: fix skb leak in __skb_tstamp_tx()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (187 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 188/211] media: radio-shark: " Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 190/211] selftests: fib_tests: mute cleanup error message Greg Kroah-Hartman
                   ` (27 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Pratyush Yadav, Kuniyuki Iwashima,
	Willem de Bruijn, Jakub Kicinski

From: Pratyush Yadav <ptyadav@amazon.de>

commit 8a02fb71d7192ff1a9a47c9d937624966c6e09af upstream.

Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with
TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with
zerocopy skbs. But it ended up adding a leak of its own. When
skb_orphan_frags_rx() fails, the function just returns, leaking the skb
it just cloned. Free it before returning.

This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.

Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.")
Signed-off-by: Pratyush Yadav <ptyadav@amazon.de>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20230522153020.32422-1-ptyadav@amazon.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/core/skbuff.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4751,8 +4751,10 @@ void __skb_tstamp_tx(struct sk_buff *ori
 	} else {
 		skb = skb_clone(orig_skb, GFP_ATOMIC);
 
-		if (skb_orphan_frags_rx(skb, GFP_ATOMIC))
+		if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) {
+			kfree_skb(skb);
 			return;
+		}
 	}
 	if (!skb)
 		return;
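
Review bot: skb_clone() with GFP_ATOMIC can return NULL, yet the `if (!skb)` test at the end of this hunk runs only after skb_orphan_frags_rx(skb, ...) has already been called on the clone. That relies on the helper tolerating a NULL skb; moving the NULL check directly under skb_clone(), or adding a one-line comment stating the dependency, would make this error path easier to audit now that it also frees the clone.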




* [PATCH 5.10 190/211] selftests: fib_tests: mute cleanup error message
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (188 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 189/211] net: fix skb leak in __skb_tstamp_tx() Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 191/211] octeontx2-pf: Fix TSOv6 offload Greg Kroah-Hartman
                   ` (26 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Po-Hsu Lin, Ido Schimmel,
	Simon Horman, David S. Miller

From: Po-Hsu Lin <po-hsu.lin@canonical.com>

commit d226b1df361988f885c298737d6019c863a25f26 upstream.

In the end of the test, there will be an error message induced by the
`ip netns del ns1` command in cleanup()

  Tests passed: 201
  Tests failed:   0
  Cannot remove namespace file "/run/netns/ns1": No such file or directory

This can even be reproduced with just `./fib_tests.sh -h` as we're
calling cleanup() on exit.

Redirect the error message to /dev/null to mute it.

V2: Update commit message and fixes tag.
V3: resubmit due to missing netdev ML in V2

Fixes: b60417a9f2b8 ("selftest: fib_tests: Always cleanup before exit")
Signed-off-by: Po-Hsu Lin <po-hsu.lin@canonical.com>
Reviewed-by: Ido Schimmel <idosch@nvidia.com>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 tools/testing/selftests/net/fib_tests.sh |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/tools/testing/selftests/net/fib_tests.sh
+++ b/tools/testing/selftests/net/fib_tests.sh
@@ -68,7 +68,7 @@ setup()
 cleanup()
 {
 	$IP link del dev dummy0 &> /dev/null
-	ip netns del ns1
+	ip netns del ns1 &> /dev/null
 	ip netns del ns2 &> /dev/null
 }
 
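
Review bot: `&> /dev/null` on the `ip netns del ns1` line discards stdout and stderr for every failure, not only the "No such file or directory" case quoted in the commit message, so a real cleanup problem with ns1 would go unnoticed. Only the error text needs muting, so `2>/dev/null` is enough, or the delete could be skipped when the namespace does not exist. The change does match the neighbouring dummy0 and ns2 lines, which have the same limitation.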




* [PATCH 5.10 191/211] octeontx2-pf: Fix TSOv6 offload
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (189 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 190/211] selftests: fib_tests: mute cleanup error message Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 192/211] bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields Greg Kroah-Hartman
                   ` (25 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Sunil Goutham, Ratheesh Kannoth,
	David S. Miller

From: Sunil Goutham <sgoutham@marvell.com>

commit de678ca38861f2eb58814048076dcf95ed1b5bf9 upstream.

HW adds segment size to the payload length
in the IPv6 header. Fix payload length to
just TCP header length instead of 'TCP header
size + IPv6 header size'.

Fixes: 86d7476078b8 ("octeontx2-pf: TCP segmentation offload support")
Signed-off-by: Sunil Goutham <sgoutham@marvell.com>
Signed-off-by: Ratheesh Kannoth <rkannoth@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c |    4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)

--- a/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
+++ b/drivers/net/ethernet/marvell/octeontx2/nic/otx2_txrx.c
@@ -526,9 +526,7 @@ static void otx2_sqe_add_ext(struct otx2
 				htons(ext->lso_sb - skb_network_offset(skb));
 		} else if (skb_shinfo(skb)->gso_type & SKB_GSO_TCPV6) {
 			ext->lso_format = pfvf->hw.lso_tsov6_idx;
-
-			ipv6_hdr(skb)->payload_len =
-				htons(ext->lso_sb - skb_network_offset(skb));
+			ipv6_hdr(skb)->payload_len = htons(tcp_hdrlen(skb));
 		} else if (skb_shinfo(skb)->gso_type & SKB_GSO_UDP_L4) {
 			__be16 l3_proto = vlan_get_protocol(skb);
 			struct udphdr *udph = udp_hdr(skb);
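
Review bot: in the SKB_GSO_TCPV6 branch, `ipv6_hdr(skb)->payload_len = htons(tcp_hdrlen(skb))` reads like a bug without the commit message, because the preceding branch still writes `ext->lso_sb - skb_network_offset(skb)`. A short comment on that line saying that the hardware adds the segment size to this field would stop someone from changing it back to match.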




* [PATCH 5.10 192/211] bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (190 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 191/211] octeontx2-pf: Fix TSOv6 offload Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 193/211] ipv6: Fix out-of-bounds access in ipv6_find_tlv() Greg Kroah-Hartman
                   ` (24 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Alexei Starovoitov, Daniel Borkmann,
	John Fastabend, Krzesimir Nowak, Andrey Ignatov, Yonghong Song,
	Will Deacon

From: Will Deacon <will@kernel.org>

commit 0613d8ca9ab382caabe9ed2dceb429e9781e443f upstream.

A narrow load from a 64-bit context field results in a 64-bit load
followed potentially by a 64-bit right-shift and then a bitwise AND
operation to extract the relevant data.

In the case of a 32-bit access, an immediate mask of 0xffffffff is used
to construct a 64-bit BPF_AND operation which then sign-extends the mask
value and effectively acts as a glorified no-op. For example:

0:	61 10 00 00 00 00 00 00	r0 = *(u32 *)(r1 + 0)

results in the following code generation for a 64-bit field:

	ldr	x7, [x7]	// 64-bit load
	mov	x10, #0xffffffffffffffff
	and	x7, x7, x10

Fix the mask generation so that narrow loads always perform a 32-bit AND
operation:

	ldr	x7, [x7]	// 64-bit load
	mov	w10, #0xffffffff
	and	w7, w7, w10

Cc: Alexei Starovoitov <ast@kernel.org>
Cc: Daniel Borkmann <daniel@iogearbox.net>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Krzesimir Nowak <krzesimir@kinvolk.io>
Cc: Andrey Ignatov <rdna@fb.com>
Acked-by: Yonghong Song <yhs@fb.com>
Fixes: 31fd85816dbe ("bpf: permits narrower load from bpf program context fields")
Signed-off-by: Will Deacon <will@kernel.org>
Link: https://lore.kernel.org/r/20230518102528.1341-1-will@kernel.org
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 kernel/bpf/verifier.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/kernel/bpf/verifier.c
+++ b/kernel/bpf/verifier.c
@@ -11146,7 +11146,7 @@ static int convert_ctx_accesses(struct b
 					insn_buf[cnt++] = BPF_ALU64_IMM(BPF_RSH,
 									insn->dst_reg,
 									shift);
-				insn_buf[cnt++] = BPF_ALU64_IMM(BPF_AND, insn->dst_reg,
+				insn_buf[cnt++] = BPF_ALU32_IMM(BPF_AND, insn->dst_reg,
 								(1ULL << size * 8) - 1);
 			}
 		}
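
Review bot: the mask operand on the changed line is still written as `(1ULL << size * 8) - 1`, a 64-bit expression that is then narrowed to the instruction's 32-bit immediate, so the reader has to work out why switching the macro to BPF_ALU32_IMM is sufficient. A comment above the insn_buf assignment saying that the 32-bit AND is what keeps the upper half of dst_reg clear for a 4-byte load, where the 64-bit form sign-extended the immediate, would document the intent. Parenthesising `(size * 8)` would also remove the reliance on operator precedence.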




* [PATCH 5.10 193/211] ipv6: Fix out-of-bounds access in ipv6_find_tlv()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (191 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 192/211] bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 194/211] power: supply: leds: Fix blink to LED on transition Greg Kroah-Hartman
                   ` (23 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Gavrilov Ilia, Jiri Pirko,
	David Ahern, David S. Miller

From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>

commit 878ecb0897f4737a4c9401f3523fd49589025671 upstream.

optlen is fetched without checking whether there is more than one byte to parse.
It can lead to out-of-bounds access.

Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.

Fixes: c61a40432509 ("[IPV6]: Find option offset by type.")
Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 net/ipv6/exthdrs_core.c |    2 ++
 1 file changed, 2 insertions(+)

--- a/net/ipv6/exthdrs_core.c
+++ b/net/ipv6/exthdrs_core.c
@@ -143,6 +143,8 @@ int ipv6_find_tlv(const struct sk_buff *
 			optlen = 1;
 			break;
 		default:
+			if (len < 2)
+				goto bad;
 			optlen = nh[offset + 1] + 2;
 			if (optlen > len)
 				goto bad;
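
Review bot: the new `if (len < 2)` guard in the default case uses a bare 2 whose meaning is only visible from the `+ 2` on the following line. A brief comment, or a named constant shared by both lines, would tie the bound to the read of `nh[offset + 1]` that it protects.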




* [PATCH 5.10 194/211] power: supply: leds: Fix blink to LED on transition
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (192 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 193/211] ipv6: Fix out-of-bounds access in ipv6_find_tlv() Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 195/211] power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition Greg Kroah-Hartman
                   ` (22 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Hans de Goede, Vasily Khoruzhick,
	Sebastian Reichel

From: Hans de Goede <hdegoede@redhat.com>

commit e4484643991e0f6b89060092563f0dbab9450cbb upstream.

When a battery's status changes from charging to full then
the charging-blink-full-solid trigger tries to change
the LED from blinking to solid/on.

As is documented in include/linux/leds.h to deactivate blinking /
to make the LED solid a LED_OFF must be sent:

"""
         * Deactivate blinking again when the brightness is set to LED_OFF
         * via the brightness_set() callback.
"""

led_set_brightness() calls with a brightness value other than 0 / LED_OFF
merely change the brightness of the LED in its on state while it is
blinking.

So power_supply_update_bat_leds() must first send a LED_OFF event
before the LED_FULL to disable blinking.

Fixes: 6501f728c56f ("power_supply: Add new LED trigger charging-blink-solid-full")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Reviewed-by: Vasily Khoruzhick <anarsoul@gmail.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/power/supply/power_supply_leds.c |    5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

--- a/drivers/power/supply/power_supply_leds.c
+++ b/drivers/power/supply/power_supply_leds.c
@@ -34,8 +34,9 @@ static void power_supply_update_bat_leds
 		led_trigger_event(psy->charging_full_trig, LED_FULL);
 		led_trigger_event(psy->charging_trig, LED_OFF);
 		led_trigger_event(psy->full_trig, LED_FULL);
-		led_trigger_event(psy->charging_blink_full_solid_trig,
-			LED_FULL);
+		/* Going from blink to LED on requires a LED_OFF event to stop blink */
+		led_trigger_event(psy->charging_blink_full_solid_trig, LED_OFF);
+		led_trigger_event(psy->charging_blink_full_solid_trig, LED_FULL);
 		break;
 	case POWER_SUPPLY_STATUS_CHARGING:
 		led_trigger_event(psy->charging_full_trig, LED_FULL);




* [PATCH 5.10 195/211] power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (193 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 194/211] power: supply: leds: Fix blink to LED on transition Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 196/211] power: supply: bq27xxx: Fix I2C IRQ race on remove Greg Kroah-Hartman
                   ` (21 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Sebastian Reichel

From: Hans de Goede <hdegoede@redhat.com>

commit 5c34c0aef185dcd10881847b9ebf20046aa77cb4 upstream.

bq27xxx_battery_update() assumes / requires that it is only run once,
not multiple times at the same time. But there are 3 possible callers:

1. bq27xxx_battery_poll() delayed_work item handler
2. bq27xxx_battery_irq_handler_thread() I2C IRQ handler
3. bq27xxx_battery_setup()

And there is no protection against these racing with each other,
fix this race condition by making all callers take di->lock:

- Rename bq27xxx_battery_update() to bq27xxx_battery_update_unlocked()

- Add new bq27xxx_battery_update() which takes di->lock and then calls
  bq27xxx_battery_update_unlocked()

- Make stale cache check code in bq27xxx_battery_get_property(), which
  already takes di->lock directly to check the jiffies, call
  bq27xxx_battery_update_unlocked() instead of messing with
  the delayed_work item

- Make bq27xxx_battery_update_unlocked() mod the delayed-work item
  so that the next poll is delayed to poll_interval milliseconds after
  the last update independent of the source of the update

Fixes: 740b755a3b34 ("bq27x00: Poll battery state")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/power/supply/bq27xxx_battery.c |   21 +++++++++++++--------
 1 file changed, 13 insertions(+), 8 deletions(-)

--- a/drivers/power/supply/bq27xxx_battery.c
+++ b/drivers/power/supply/bq27xxx_battery.c
@@ -1681,7 +1681,7 @@ static int bq27xxx_battery_read_health(s
 	return POWER_SUPPLY_HEALTH_GOOD;
 }
 
-void bq27xxx_battery_update(struct bq27xxx_device_info *di)
+static void bq27xxx_battery_update_unlocked(struct bq27xxx_device_info *di)
 {
 	struct bq27xxx_reg_cache cache = {0, };
 	bool has_ci_flag = di->opts & BQ27XXX_O_HAS_CI;
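
Review bot: bq27xxx_battery_update_unlocked() now depends on every caller holding di->lock, but nothing in the function states or enforces that. Adding `lockdep_assert_held(&di->lock);` at the top of the function, plus a one-line comment on the locking requirement, would catch a future caller that forgets the mutex.
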
@@ -1732,6 +1732,16 @@ void bq27xxx_battery_update(struct bq27x
 		di->cache = cache;
 
 	di->last_update = jiffies;
+
+	if (poll_interval > 0)
+		mod_delayed_work(system_wq, &di->work, poll_interval * HZ);
+}
+
+void bq27xxx_battery_update(struct bq27xxx_device_info *di)
+{
+	mutex_lock(&di->lock);
+	bq27xxx_battery_update_unlocked(di);
+	mutex_unlock(&di->lock);
 }
 EXPORT_SYMBOL_GPL(bq27xxx_battery_update);
 
@@ -1742,9 +1752,6 @@ static void bq27xxx_battery_poll(struct
 				     work.work);
 
 	bq27xxx_battery_update(di);
-
-	if (poll_interval > 0)
-		schedule_delayed_work(&di->work, poll_interval * HZ);
 }
 
 /*
@@ -1919,10 +1926,8 @@ static int bq27xxx_battery_get_property(
 	struct bq27xxx_device_info *di = power_supply_get_drvdata(psy);
 
 	mutex_lock(&di->lock);
-	if (time_is_before_jiffies(di->last_update + 5 * HZ)) {
-		cancel_delayed_work_sync(&di->work);
-		bq27xxx_battery_poll(&di->work.work);
-	}
+	if (time_is_before_jiffies(di->last_update + 5 * HZ))
+		bq27xxx_battery_update_unlocked(di);
 	mutex_unlock(&di->lock);
 
 	if (psp != POWER_SUPPLY_PROP_PRESENT && di->cache.flags < 0)
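
Review bot: in bq27xxx_battery_get_property() the context line after mutex_unlock() still reads `di->cache.flags` without di->lock, while the update path shown earlier in this patch assigns di->cache under that lock and can run from the poll work or the IRQ thread. Either extend the locked region to cover the cache reads that follow, or note why an unlocked read is acceptable here.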




* [PATCH 5.10 196/211] power: supply: bq27xxx: Fix I2C IRQ race on remove
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (194 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 195/211] power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 197/211] power: supply: bq27xxx: Fix poll_interval handling and races " Greg Kroah-Hartman
                   ` (20 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Sebastian Reichel

From: Hans de Goede <hdegoede@redhat.com>

commit 444ff00734f3878cd54ddd1ed5e2e6dbea9326d5 upstream.

devm_request_threaded_irq() requested IRQs are only free-ed after
the driver's remove function has run. So the IRQ could trigger and
call bq27xxx_battery_update() after bq27xxx_battery_teardown() has
already run.

Switch to explicitly free-ing the IRQ in bq27xxx_battery_i2c_remove()
to fix this.

Fixes: 8807feb91b76 ("power: bq27xxx_battery: Add interrupt handling support")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/power/supply/bq27xxx_battery_i2c.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/power/supply/bq27xxx_battery_i2c.c
+++ b/drivers/power/supply/bq27xxx_battery_i2c.c
@@ -179,7 +179,7 @@ static int bq27xxx_battery_i2c_probe(str
 	i2c_set_clientdata(client, di);
 
 	if (client->irq) {
-		ret = devm_request_threaded_irq(&client->dev, client->irq,
+		ret = request_threaded_irq(client->irq,
 				NULL, bq27xxx_battery_irq_handler_thread,
 				IRQF_ONESHOT,
 				di->name, di);
@@ -209,6 +209,7 @@ static int bq27xxx_battery_i2c_remove(st
 {
 	struct bq27xxx_device_info *di = i2c_get_clientdata(client);
 
+	free_irq(client->irq, di);
 	bq27xxx_battery_teardown(di);
 
 	mutex_lock(&battery_mutex);
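
Review bot: free_irq(client->irq, di) in bq27xxx_battery_i2c_remove() is unconditional, while the probe hunk only requests the interrupt inside `if (client->irq)`. On a device without an IRQ, remove would try to free an interrupt that was never requested, so guard the call with the same `if (client->irq)` test. With the devm_ variant gone, a probe failure after request_threaded_irq() also needs a matching free_irq(), which this diff does not show.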




* [PATCH 5.10 197/211] power: supply: bq27xxx: Fix poll_interval handling and races on remove
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (195 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 196/211] power: supply: bq27xxx: Fix I2C IRQ race on remove Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:11 ` [PATCH 5.10 198/211] power: supply: sbs-charger: Fix INHIBITED bit for Status reg Greg Kroah-Hartman
                   ` (19 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hans de Goede, Sebastian Reichel

From: Hans de Goede <hdegoede@redhat.com>

commit c00bc80462afc7963f449d7f21d896d2f629cacc upstream.

Before this patch bq27xxx_battery_teardown() was setting poll_interval = 0
to avoid bq27xxx_battery_update() requeuing the delayed_work item.

There are 2 problems with this:

1. If the driver is unbound through sysfs, rather than the module being
   rmmod-ed, this changes poll_interval unexpectedly

2. This is racy, after it being set poll_interval could be changed
   before bq27xxx_battery_update() checks it through
   /sys/module/bq27xxx_battery/parameters/poll_interval

Fix this by adding a removed attribute to struct bq27xxx_device_info and
using that instead of setting poll_interval to 0.

There also is another poll_interval related race on remove(), writing
/sys/module/bq27xxx_battery/parameters/poll_interval will requeue
the delayed_work item for all devices on the bq27xxx_battery_devices
list and the device being removed was only removed from that list
after cancelling the delayed_work item.

Fix this by moving the removal from the bq27xxx_battery_devices list
to before cancelling the delayed_work item.

Fixes: 8cfaaa811894 ("bq27x00_battery: Fix OOPS caused by unregistring bq27x00 driver")
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/power/supply/bq27xxx_battery.c |   22 +++++++++-------------
 include/linux/power/bq27xxx_battery.h  |    1 +
 2 files changed, 10 insertions(+), 13 deletions(-)

--- a/drivers/power/supply/bq27xxx_battery.c
+++ b/drivers/power/supply/bq27xxx_battery.c
@@ -1733,7 +1733,7 @@ static void bq27xxx_battery_update_unloc
 
 	di->last_update = jiffies;
 
-	if (poll_interval > 0)
+	if (!di->removed && poll_interval > 0)
 		mod_delayed_work(system_wq, &di->work, poll_interval * HZ);
 }
 
@@ -2063,22 +2063,18 @@ EXPORT_SYMBOL_GPL(bq27xxx_battery_setup)
 
 void bq27xxx_battery_teardown(struct bq27xxx_device_info *di)
 {
-	/*
-	 * power_supply_unregister call bq27xxx_battery_get_property which
-	 * call bq27xxx_battery_poll.
-	 * Make sure that bq27xxx_battery_poll will not call
-	 * schedule_delayed_work again after unregister (which cause OOPS).
-	 */
-	poll_interval = 0;
-
-	cancel_delayed_work_sync(&di->work);
-
-	power_supply_unregister(di->bat);
-
 	mutex_lock(&bq27xxx_list_lock);
 	list_del(&di->list);
 	mutex_unlock(&bq27xxx_list_lock);
 
+	/* Set removed to avoid bq27xxx_battery_update() re-queuing the work */
+	mutex_lock(&di->lock);
+	di->removed = true;
+	mutex_unlock(&di->lock);
+
+	cancel_delayed_work_sync(&di->work);
+
+	power_supply_unregister(di->bat);
 	mutex_destroy(&di->lock);
 }
 EXPORT_SYMBOL_GPL(bq27xxx_battery_teardown);
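
Review bot: the deleted comment in bq27xxx_battery_teardown() was the only place explaining that power_supply_unregister() can call back into bq27xxx_battery_get_property(), and the new comment covers just the removed flag. Keep a sentence on why list_del(), setting di->removed and cancel_delayed_work_sync() must all happen before power_supply_unregister(), since the fix depends on that order.
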
--- a/include/linux/power/bq27xxx_battery.h
+++ b/include/linux/power/bq27xxx_battery.h
@@ -67,6 +67,7 @@ struct bq27xxx_device_info {
 	struct bq27xxx_access_methods bus;
 	struct bq27xxx_reg_cache cache;
 	int charge_design_full;
+	bool removed;
 	unsigned long last_update;
 	struct delayed_work work;
 	struct power_supply *bat;
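
Review bot: the new `bool removed;` member of struct bq27xxx_device_info carries no comment saying that it is written and read under di->lock. A short note next to the field would record the locking rule that the teardown and update hunks rely on.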




* [PATCH 5.10 198/211] power: supply: sbs-charger: Fix INHIBITED bit for Status reg
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (196 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 197/211] power: supply: bq27xxx: Fix poll_interval handling and races " Greg Kroah-Hartman
@ 2023-05-28 19:11 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 199/211] fs: fix undefined behavior in bit shift for SB_NOUSER Greg Kroah-Hartman
                   ` (18 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:11 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Daisuke Nojiri, Sebastian Reichel

From: Daisuke Nojiri <dnojiri@chromium.org>

commit b2f2a3c9800208b0db2c2e34b05323757117faa2 upstream.

CHARGE_INHIBITED bit position of the ChargerStatus register is actually
0 not 1. This patch corrects it.

Fixes: feb583e37f8a8 ("power: supply: add sbs-charger driver")
Signed-off-by: Daisuke Nojiri <dnojiri@chromium.org>
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/power/supply/sbs-charger.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/power/supply/sbs-charger.c
+++ b/drivers/power/supply/sbs-charger.c
@@ -25,7 +25,7 @@
 #define SBS_CHARGER_REG_STATUS			0x13
 #define SBS_CHARGER_REG_ALARM_WARNING		0x16
 
-#define SBS_CHARGER_STATUS_CHARGE_INHIBITED	BIT(1)
+#define SBS_CHARGER_STATUS_CHARGE_INHIBITED	BIT(0)
 #define SBS_CHARGER_STATUS_RES_COLD		BIT(9)
 #define SBS_CHARGER_STATUS_RES_HOT		BIT(10)
 #define SBS_CHARGER_STATUS_BATTERY_PRESENT	BIT(14)




* [PATCH 5.10 199/211] fs: fix undefined behavior in bit shift for SB_NOUSER
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (197 preceding siblings ...)
  2023-05-28 19:11 ` [PATCH 5.10 198/211] power: supply: sbs-charger: Fix INHIBITED bit for Status reg Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 200/211] coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet() Greg Kroah-Hartman
                   ` (17 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hao Ge, Christian Brauner

From: Hao Ge <gehao@kylinos.cn>

commit f15afbd34d8fadbd375f1212e97837e32bc170cc upstream.

Shifting signed 32-bit value by 31 bits is undefined, so changing
significant bit to unsigned. It was spotted by UBSAN.

So let's just fix this by using the BIT() helper for all SB_* flags.

Fixes: e462ec50cb5f ("VFS: Differentiate mount flags (MS_*) from internal superblock flags")
Signed-off-by: Hao Ge <gehao@kylinos.cn>
Message-Id: <20230424051835.374204-1-gehao@kylinos.cn>
[brauner@kernel.org: use BIT() for all SB_* flags]
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/linux/fs.h |   42 +++++++++++++++++++++---------------------
 1 file changed, 21 insertions(+), 21 deletions(-)

--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1348,29 +1348,29 @@ extern int send_sigurg(struct fown_struc
  * sb->s_flags.  Note that these mirror the equivalent MS_* flags where
  * represented in both.
  */
-#define SB_RDONLY	 1	/* Mount read-only */
-#define SB_NOSUID	 2	/* Ignore suid and sgid bits */
-#define SB_NODEV	 4	/* Disallow access to device special files */
-#define SB_NOEXEC	 8	/* Disallow program execution */
-#define SB_SYNCHRONOUS	16	/* Writes are synced at once */
-#define SB_MANDLOCK	64	/* Allow mandatory locks on an FS */
-#define SB_DIRSYNC	128	/* Directory modifications are synchronous */
-#define SB_NOATIME	1024	/* Do not update access times. */
-#define SB_NODIRATIME	2048	/* Do not update directory access times */
-#define SB_SILENT	32768
-#define SB_POSIXACL	(1<<16)	/* VFS does not apply the umask */
-#define SB_INLINECRYPT	(1<<17)	/* Use blk-crypto for encrypted files */
-#define SB_KERNMOUNT	(1<<22) /* this is a kern_mount call */
-#define SB_I_VERSION	(1<<23) /* Update inode I_version field */
-#define SB_LAZYTIME	(1<<25) /* Update the on-disk [acm]times lazily */
+#define SB_RDONLY       BIT(0)	/* Mount read-only */
+#define SB_NOSUID       BIT(1)	/* Ignore suid and sgid bits */
+#define SB_NODEV        BIT(2)	/* Disallow access to device special files */
+#define SB_NOEXEC       BIT(3)	/* Disallow program execution */
+#define SB_SYNCHRONOUS  BIT(4)	/* Writes are synced at once */
+#define SB_MANDLOCK     BIT(6)	/* Allow mandatory locks on an FS */
+#define SB_DIRSYNC      BIT(7)	/* Directory modifications are synchronous */
+#define SB_NOATIME      BIT(10)	/* Do not update access times. */
+#define SB_NODIRATIME   BIT(11)	/* Do not update directory access times */
+#define SB_SILENT       BIT(15)
+#define SB_POSIXACL     BIT(16)	/* VFS does not apply the umask */
+#define SB_INLINECRYPT  BIT(17)	/* Use blk-crypto for encrypted files */
+#define SB_KERNMOUNT    BIT(22)	/* this is a kern_mount call */
+#define SB_I_VERSION    BIT(23)	/* Update inode I_version field */
+#define SB_LAZYTIME     BIT(25)	/* Update the on-disk [acm]times lazily */
 
 /* These sb flags are internal to the kernel */
-#define SB_SUBMOUNT     (1<<26)
-#define SB_FORCE    	(1<<27)
-#define SB_NOSEC	(1<<28)
-#define SB_BORN		(1<<29)
-#define SB_ACTIVE	(1<<30)
-#define SB_NOUSER	(1<<31)
+#define SB_SUBMOUNT     BIT(26)
+#define SB_FORCE        BIT(27)
+#define SB_NOSEC        BIT(28)
+#define SB_BORN         BIT(29)
+#define SB_ACTIVE       BIT(30)
+#define SB_NOUSER       BIT(31)
 
 /* These flags relate to encoding and casefolding */
 #define SB_ENC_STRICT_MODE_FL	(1 << 0)
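
Review bot: converting every SB_* definition to BIT() changes the type of all these constants to unsigned long, not only SB_NOUSER where the signed shift was the problem. Code that stores the flags in an int or prints them with an int format may now see different promotions or warnings, so the commit message should say that the type change was checked across users. The new lines also align the values with spaces where the old ones used tabs, and SB_ENC_STRICT_MODE_FL just below keeps the `(1 << 0)` style.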




* [PATCH 5.10 200/211] coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (198 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 199/211] fs: fix undefined behavior in bit shift for SB_NOUSER Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 201/211] xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() Greg Kroah-Hartman
                   ` (16 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Suzuki K Poulose

From: Dan Carpenter <dan.carpenter@linaro.org>

commit f67bc15e526bb9920683ad6c1891ff9e08981335 upstream.

This code generates a Smatch warning:

    drivers/hwtracing/coresight/coresight-tmc-etr.c:947 tmc_etr_buf_insert_barrier_packet()
    error: uninitialized symbol 'bufp'.

The problem is that if tmc_sg_table_get_data() returns -EINVAL, then
when we test if "len < CORESIGHT_BARRIER_PKT_SIZE", the negative "len"
value is type promoted to a high unsigned long value which is greater
than CORESIGHT_BARRIER_PKT_SIZE.  Fix this bug by adding an explicit
check for error codes.

Fixes: 75f4e3619fe2 ("coresight: tmc-etr: Add transparent buffer management")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Suzuki K Poulose <suzuki.poulose@arm.com>
Link: https://lore.kernel.org/r/7d33e244-d8b9-4c27-9653-883a13534b01@kili.mountain
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/hwtracing/coresight/coresight-tmc-etr.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/hwtracing/coresight/coresight-tmc-etr.c
+++ b/drivers/hwtracing/coresight/coresight-tmc-etr.c
@@ -926,7 +926,7 @@ tmc_etr_buf_insert_barrier_packet(struct
 
 	len = tmc_etr_buf_get_data(etr_buf, offset,
 				   CORESIGHT_BARRIER_PKT_SIZE, &bufp);
-	if (WARN_ON(len < CORESIGHT_BARRIER_PKT_SIZE))
+	if (WARN_ON(len < 0 || len < CORESIGHT_BARRIER_PKT_SIZE))
 		return -EINVAL;
 	coresight_insert_barrier_packet(bufp);
 	return offset + CORESIGHT_BARRIER_PKT_SIZE;
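
Review bot: in the WARN_ON() condition, `len < 0 || len < CORESIGHT_BARRIER_PKT_SIZE` looks redundant to anyone who has not read the commit message, and a later cleanup could drop the first test. Add a comment that the second comparison is done in an unsigned type, or split the error-code check into its own `if (len < 0)` so the two cases are visibly distinct.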




* [PATCH 5.10 201/211] xen/pvcalls-back: fix double frees with pvcalls_new_active_socket()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (199 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 200/211] coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet() Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 202/211] x86/show_trace_log_lvl: Ensure stack pointer is aligned, again Greg Kroah-Hartman
                   ` (15 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Juergen Gross

From: Dan Carpenter <dan.carpenter@linaro.org>

commit 8fafac202d18230bb9926bda48e563fd2cce2a4f upstream.

In the pvcalls_new_active_socket() function, most error paths call
pvcalls_back_release_active(fedata->dev, fedata, map) which calls
sock_release() on "sock".  The bug is that the caller also frees sock.

Fix this by making every error path in pvcalls_new_active_socket()
release the sock, and don't free it in the caller.

Fixes: 5db4d286a8ef ("xen/pvcalls: implement connect command")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Juergen Gross <jgross@suse.com>
Link: https://lore.kernel.org/r/e5f98dc2-0305-491f-a860-71bbd1398a2f@kili.mountain
Signed-off-by: Juergen Gross <jgross@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/xen/pvcalls-back.c |    9 ++++-----
 1 file changed, 4 insertions(+), 5 deletions(-)

--- a/drivers/xen/pvcalls-back.c
+++ b/drivers/xen/pvcalls-back.c
@@ -321,8 +321,10 @@ static struct sock_mapping *pvcalls_new_
 	void *page;
 
 	map = kzalloc(sizeof(*map), GFP_KERNEL);
-	if (map == NULL)
+	if (map == NULL) {
+		sock_release(sock);
 		return NULL;
+	}
 
 	map->fedata = fedata;
 	map->sock = sock;
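
Review bot: with sock_release(sock) added to the kzalloc() failure branch, pvcalls_new_active_socket() takes ownership of sock on every return path, including the NULL returns, but nothing at the function says so. A comment above the function stating that the caller must not touch sock after the call, on success or on failure, would keep a future caller from reintroducing the double free.
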
@@ -414,10 +416,8 @@ static int pvcalls_back_connect(struct x
 					req->u.connect.ref,
 					req->u.connect.evtchn,
 					sock);
-	if (!map) {
+	if (!map)
 		ret = -EFAULT;
-		sock_release(sock);
-	}
 
 out:
 	rsp = RING_GET_RESPONSE(&fedata->ring, fedata->ring.rsp_prod_pvt++);
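
Review bot: after the `if (!map)` branch the local sock is a dangling pointer, and control falls through to `out:` with it still in scope. The lines visible after the label only build the response, which is fine, but setting `sock = NULL;` in the branch or adding a comment that the socket is already released would make any later use of sock on this path an obvious bug rather than a silent use-after-free.
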
@@ -558,7 +558,6 @@ static void __pvcalls_back_accept(struct
 					sock);
 	if (!map) {
 		ret = -EFAULT;
-		sock_release(sock);
 		goto out_error;
 	}
 




* [PATCH 5.10 202/211] x86/show_trace_log_lvl: Ensure stack pointer is aligned, again
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (200 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 201/211] xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 203/211] ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg Greg Kroah-Hartman
                   ` (14 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Vernon Lovejoy, Oleg Nesterov,
	Josh Poimboeuf

From: Vernon Lovejoy <vlovejoy@redhat.com>

commit 2e4be0d011f21593c6b316806779ba1eba2cd7e0 upstream.

The commit e335bb51cc15 ("x86/unwind: Ensure stack pointer is aligned")
tried to align the stack pointer in show_trace_log_lvl(), otherwise the
"stack < stack_info.end" check can't guarantee that the last read does
not go past the end of the stack.

However, we have the same problem with the initial value of the stack
pointer, it can also be unaligned. So without this patch this trivial
kernel module

	#include <linux/module.h>

	static int init(void)
	{
		asm volatile("sub    $0x4,%rsp");
		dump_stack();
		asm volatile("add    $0x4,%rsp");

		return -EAGAIN;
	}

	module_init(init);
	MODULE_LICENSE("GPL");

crashes the kernel.

Fixes: e335bb51cc15 ("x86/unwind: Ensure stack pointer is aligned")
Signed-off-by: Vernon Lovejoy <vlovejoy@redhat.com>
Signed-off-by: Oleg Nesterov <oleg@redhat.com>
Link: https://lore.kernel.org/r/20230512104232.GA10227@redhat.com
Signed-off-by: Josh Poimboeuf <jpoimboe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/x86/kernel/dumpstack.c |    7 +++++--
 1 file changed, 5 insertions(+), 2 deletions(-)

--- a/arch/x86/kernel/dumpstack.c
+++ b/arch/x86/kernel/dumpstack.c
@@ -195,7 +195,6 @@ void show_trace_log_lvl(struct task_stru
 	printk("%sCall Trace:\n", log_lvl);
 
 	unwind_start(&state, task, regs, stack);
-	stack = stack ? : get_stack_pointer(task, regs);
 	regs = unwind_get_entry_regs(&state, &partial);
 
 	/*
@@ -214,9 +213,13 @@ void show_trace_log_lvl(struct task_stru
 	 * - hardirq stack
 	 * - entry stack
 	 */
-	for ( ; stack; stack = PTR_ALIGN(stack_info.next_sp, sizeof(long))) {
+	for (stack = stack ?: get_stack_pointer(task, regs);
+	     stack;
+	     stack = stack_info.next_sp) {
 		const char *stack_name;
 
+		stack = PTR_ALIGN(stack, sizeof(long));
+
 		if (get_stack_info(stack, task, &stack_info, &visit_mask)) {
 			/*
 			 * We weren't on a valid stack.  It's possible that
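
Review bot: the new `stack = PTR_ALIGN(stack, sizeof(long));` at the top of the loop body has no comment, and the reason for it lives only in the commit message. A one-line comment saying that both the initial pointer and stack_info.next_sp may be unaligned, and that the "stack < stack_info.end" check relies on word alignment to keep the last read inside the stack, would stop the line from being hoisted back out of the loop as a cleanup.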




* [PATCH 5.10 203/211] ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (201 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 202/211] x86/show_trace_log_lvl: Ensure stack pointer is aligned, again Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 204/211] forcedeth: Fix an error handling path in nv_probe() Greg Kroah-Hartman
                   ` (13 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Cezary Rojewski,
	Amadeusz Sławiński, Mark Brown

From: Cezary Rojewski <cezary.rojewski@intel.com>

commit 95109657471311601b98e71f03d0244f48dc61bb upstream.

Constant 'C4_CHANNEL' does not exist on the firmware side. Value 0xC is
reserved for 'C7_1' instead.

Fixes: 04afbbbb1cba ("ASoC: Intel: Skylake: Update the topology interface structure")
Signed-off-by: Cezary Rojewski <cezary.rojewski@intel.com>
Signed-off-by: Amadeusz Sławiński <amadeuszx.slawinski@linux.intel.com>
Link: https://lore.kernel.org/r/20230519201711.4073845-4-amadeuszx.slawinski@linux.intel.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 include/uapi/sound/skl-tplg-interface.h |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/include/uapi/sound/skl-tplg-interface.h
+++ b/include/uapi/sound/skl-tplg-interface.h
@@ -66,7 +66,8 @@ enum skl_ch_cfg {
 	SKL_CH_CFG_DUAL_MONO = 9,
 	SKL_CH_CFG_I2S_DUAL_STEREO_0 = 10,
 	SKL_CH_CFG_I2S_DUAL_STEREO_1 = 11,
-	SKL_CH_CFG_4_CHANNEL = 12,
+	SKL_CH_CFG_7_1 = 12,
+	SKL_CH_CFG_4_CHANNEL = SKL_CH_CFG_7_1,
 	SKL_CH_CFG_INVALID
 };
 
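Review bot: SKL_CH_CFG_4_CHANNEL is kept as an alias of SKL_CH_CFG_7_1 in a uapi header without a comment, so users of the old name silently select the 7.1 configuration. Mark the alias as deprecated and kept only for source compatibility, and note that SKL_CH_CFG_INVALID keeps its value because it follows the alias, which still evaluates to 12.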




* [PATCH 5.10 204/211] forcedeth: Fix an error handling path in nv_probe()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (202 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 203/211] ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 205/211] net/mlx5e: do as little as possible in napi poll when budget is 0 Greg Kroah-Hartman
                   ` (12 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Zhu Yanjun,
	Jakub Kicinski

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 5b17a4971d3b2a073f4078dd65331efbe35baa2d upstream.

If an error occurs after calling nv_mgmt_acquire_sema(), it should be
undone with a corresponding nv_mgmt_release_sema() call.

Add it in the error handling path of the probe as already done in the
remove function.

Fixes: cac1c52c3621 ("forcedeth: mgmt unit interface")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Acked-by: Zhu Yanjun <zyjzyj2000@gmail.com>
Link: https://lore.kernel.org/r/355e9a7d351b32ad897251b6f81b5886fcdc6766.1684571393.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/nvidia/forcedeth.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/ethernet/nvidia/forcedeth.c
+++ b/drivers/net/ethernet/nvidia/forcedeth.c
@@ -6138,6 +6138,7 @@ static int nv_probe(struct pci_dev *pci_
 	return 0;
 
 out_error:
+	nv_mgmt_release_sema(dev);
 	if (phystate_orig)
 		writel(phystate|NVREG_ADAPTCTL_RUNNING, base + NvRegAdapterControl);
 out_freering:
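
Review bot: nv_mgmt_release_sema(dev) now runs for every jump to out_error, but the hunk does not show whether all of those jumps happen after nv_mgmt_acquire_sema() succeeded. If any path reaches out_error before the acquire, or after a failed acquire, the release touches a semaphore the driver does not hold; either state in the commit message that the release is safe in that state or guard it on the acquire having succeeded.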




* [PATCH 5.10 205/211] net/mlx5e: do as little as possible in napi poll when budget is 0
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (203 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 204/211] forcedeth: Fix an error handling path in nv_probe() Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 206/211] net/mlx5: DR, Fix crc32 calculation to work on big-endian (BE) CPUs Greg Kroah-Hartman
                   ` (11 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Tariq Toukan, Jakub Kicinski,
	Simon Horman, David S. Miller

From: Jakub Kicinski <kuba@kernel.org>

commit afbed3f74830163f9559579dee382cac3cff82da upstream.

NAPI gets called with budget of 0 from netpoll, which has interrupts
disabled. We should try to free some space on Tx rings and nothing
else.

Specifically do not try to handle XDP TX or try to refill Rx buffers -
we can't use the page pool from IRQ context. Don't check if IRQs moved,
either, that makes no sense in netpoll. Netpoll calls _all_ the rings
from whatever CPU it happens to be invoked on.

In general do as little as possible, the work quickly adds up when
there's tens of rings to poll.

The immediate stack trace I was seeing is:

    __do_softirq+0xd1/0x2c0
    __local_bh_enable_ip+0xc7/0x120
    </IRQ>
    <TASK>
    page_pool_put_defragged_page+0x267/0x320
    mlx5e_free_xdpsq_desc+0x99/0xd0
    mlx5e_poll_xdpsq_cq+0x138/0x3b0
    mlx5e_napi_poll+0xc3/0x8b0
    netpoll_poll_dev+0xce/0x150

AFAIU page pool takes a BH lock, releases it and since BH is now
enabled tries to run softirqs.

Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Fixes: 60bbf7eeef10 ("mlx5: use page_pool for xdp_return_frame call")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/en_txrx.c |   16 +++++++++-------
 1 file changed, 9 insertions(+), 7 deletions(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/en_txrx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_txrx.c
@@ -137,20 +137,22 @@ int mlx5e_napi_poll(struct napi_struct *
 	for (i = 0; i < c->num_tc; i++)
 		busy |= mlx5e_poll_tx_cq(&c->sq[i].cq, budget);
 
+	/* budget=0 means we may be in IRQ context, do as little as possible */
+	if (unlikely(!budget))
+		goto out;
+
 	busy |= mlx5e_poll_xdpsq_cq(&c->xdpsq.cq);
 
 	if (c->xdp)
 		busy |= mlx5e_poll_xdpsq_cq(&c->rq_xdpsq.cq);
 
-	if (likely(budget)) { /* budget=0 means: don't poll rx rings */
-		if (xsk_open)
-			work_done = mlx5e_poll_rx_cq(&xskrq->cq, budget);
+	if (xsk_open)
+		work_done = mlx5e_poll_rx_cq(&xskrq->cq, budget);
 
-		if (likely(budget - work_done))
-			work_done += mlx5e_poll_rx_cq(&rq->cq, budget - work_done);
+	if (likely(budget - work_done))
+		work_done += mlx5e_poll_rx_cq(&rq->cq, budget - work_done);
 
-		busy |= work_done == budget;
-	}
+	busy |= work_done == budget;
 
 	mlx5e_poll_ico_cq(&c->icosq.cq);
 	if (mlx5e_poll_ico_cq(&c->async_icosq.cq))
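
Review bot: the `goto out` taken when budget is 0 jumps to a label outside this hunk, and it also skips both mlx5e_poll_ico_cq() calls visible below, which the commit message does not mention. Confirm that the path from out returns without completing NAPI or re-arming the CQs, and extend the new comment to say what happens to the busy value gathered from mlx5e_poll_tx_cq() on this path.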




* [PATCH 5.10 206/211] net/mlx5: DR, Fix crc32 calculation to work on big-endian (BE) CPUs
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (204 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 205/211] net/mlx5e: do as little as possible in napi poll when budget is 0 Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 207/211] net/mlx5: Fix error message when failing to allocate device memory Greg Kroah-Hartman
                   ` (10 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Erez Shitrit, Alex Vesker, Saeed Mahameed

From: Erez Shitrit <erezsh@nvidia.com>

commit 1e5daf5565b61a96e570865091589afc9156e3d3 upstream.

When calculating crc for hash index we use the function crc32 that
calculates for little-endian (LE) arch.
Then we convert it to network endianness using htonl(), but it's wrong
to do the conversion in BE archs since the crc32 value is already LE.

The solution is to switch the bytes from the crc result for all types
of arch.

Fixes: 40416d8ede65 ("net/mlx5: DR, Replace CRC32 implementation to use kernel lib")
Signed-off-by: Erez Shitrit <erezsh@nvidia.com>
Reviewed-by: Alex Vesker <valex@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/steering/dr_ste.c
@@ -112,7 +112,8 @@ static u32 dr_ste_crc32_calc(const void
 {
 	u32 crc = crc32(0, input_data, length);
 
-	return (__force u32)htonl(crc);
+	return (__force u32)((crc >> 24) & 0xff) | ((crc << 8) & 0xff0000) |
+			    ((crc >> 8) & 0xff00) | ((crc << 24) & 0xff000000);
 }
 
 u32 mlx5dr_ste_calc_hash_index(u8 *hw_ste_p, struct mlx5dr_ste_htbl *htbl)
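
Review bot: in the new return statement the `(__force u32)` cast applies only to the first operand, `((crc >> 24) & 0xff)`, not to the whole OR expression, and since crc is already a u32 the cast does nothing. The four shifts and masks are an open-coded byte swap; `return swab32(crc);` says the same thing in one call and is harder to get wrong.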




* [PATCH 5.10 207/211] net/mlx5: Fix error message when failing to allocate device memory
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (205 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 206/211] net/mlx5: DR, Fix crc32 calculation to work on big-endian (BE) CPUs Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 208/211] net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device Greg Kroah-Hartman
                   ` (9 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Roi Dayan, Saeed Mahameed

From: Roi Dayan <roid@nvidia.com>

commit a65735148e0328f80c0f72f9f8d2f609bfcf4aff upstream.

Fix spacing for the error and also the correct error code pointer.

Fixes: c9b9dcb430b3 ("net/mlx5: Move device memory management to mlx5_core")
Signed-off-by: Roi Dayan <roid@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/main.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/main.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/main.c
@@ -887,7 +887,7 @@ static int mlx5_init_once(struct mlx5_co
 
 	dev->dm = mlx5_dm_create(dev);
 	if (IS_ERR(dev->dm))
-		mlx5_core_warn(dev, "Failed to init device memory%d\n", err);
+		mlx5_core_warn(dev, "Failed to init device memory %ld\n", PTR_ERR(dev->dm));
 
 	dev->tracer = mlx5_fw_tracer_create(dev);
 	dev->hv_vhca = mlx5_hv_vhca_create(dev);
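
Review bot: after the warning, dev->dm still holds the error pointer and initialization continues with mlx5_fw_tracer_create(), so every later user of dev->dm has to test it with IS_ERR() rather than for NULL. If that is intended, say so in a comment here; the message would also read better with a separator, for example "Failed to init device memory, err %ld\n".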




* [PATCH 5.10 208/211] net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (206 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 207/211] net/mlx5: Fix error message when failing to allocate device memory Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 209/211] arm64: dts: imx8mn-var-som: fix PHY detection bug by adding deassert delay Greg Kroah-Hartman
                   ` (8 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Shay Drory, Saeed Mahameed

From: Shay Drory <shayd@nvidia.com>

commit af87194352cad882d787d06fb7efa714acd95427 upstream.

In case devcom allocation fails, mlx5 is always freeing the priv.
However, this priv might have been allocated by a different thread,
and freeing it might lead to use-after-free bugs.
Fix it by freeing the priv only in case it was allocated by the
running thread.

Fixes: fadd59fc50d0 ("net/mlx5: Introduce inter-device communication mechanism")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c |    3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/lib/devcom.c
@@ -110,7 +110,8 @@ struct mlx5_devcom *mlx5_devcom_register
 	priv->devs[idx] = dev;
 	devcom = mlx5_devcom_alloc(priv, idx);
 	if (!devcom) {
-		kfree(priv);
+		if (new_priv)
+			kfree(priv);
 		return ERR_PTR(-ENOMEM);
 	}
 
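Review bot: when new_priv is false the error path now returns without freeing priv, but `priv->devs[idx] = dev;` was already stored above, so the shared priv keeps a slot pointing at a device whose registration failed. Clear priv->devs[idx] before returning ERR_PTR(-ENOMEM), or move the assignment to after mlx5_devcom_alloc() succeeds.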




* [PATCH 5.10 209/211] arm64: dts: imx8mn-var-som: fix PHY detection bug by adding deassert delay
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (207 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 208/211] net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 210/211] 3c589_cs: Fix an error handling path in tc589_probe() Greg Kroah-Hartman
                   ` (7 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable; +Cc: Greg Kroah-Hartman, patches, Hugo Villeneuve, Shawn Guo

From: Hugo Villeneuve <hvilleneuve@dimonoff.com>

commit f161cea5a20f3aeeb637a88ad1705fc2720b4d58 upstream.

While testing the ethernet interface on a Variscite symphony carrier
board using an imx8mn SOM with an onboard ADIN1300 PHY (EC hardware
configuration), the ethernet PHY is not detected.

The ADIN1300 datasheet indicates that the "Management interface
active (t4)" state is reached at most 5ms after the reset signal is
deasserted.

The device tree in Variscite custom git repository uses the following
property:

    phy-reset-post-delay = <20>;

Add a new MDIO property 'reset-deassert-us' of 20ms to have the same
delay inside the ethphy node. Adding this property fixes the problem
with the PHY detection.

Note that this SOM can also have an Atheros AR8033 PHY. In this case,
a 1ms deassert delay is sufficient. Add a comment to that effect.

Fixes: ade0176dd8a0 ("arm64: dts: imx8mn-var-som: Add Variscite VAR-SOM-MX8MN System on Module")
Signed-off-by: Hugo Villeneuve <hvilleneuve@dimonoff.com>
Signed-off-by: Shawn Guo <shawnguo@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi |    8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)

--- a/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi
+++ b/arch/arm64/boot/dts/freescale/imx8mn-var-som.dtsi
@@ -98,11 +98,17 @@
 		#address-cells = <1>;
 		#size-cells = <0>;
 
-		ethphy: ethernet-phy@4 {
+		ethphy: ethernet-phy@4 { /* AR8033 or ADIN1300 */
 			compatible = "ethernet-phy-ieee802.3-c22";
 			reg = <4>;
 			reset-gpios = <&gpio1 9 GPIO_ACTIVE_LOW>;
 			reset-assert-us = <10000>;
+			/*
+			 * Deassert delay:
+			 * ADIN1300 requires 5ms.
+			 * AR8033   requires 1ms.
+			 */
+			reset-deassert-us = <20000>;
 		};
 	};
 };
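
Review bot: the new comment lists 5ms for the ADIN1300 and 1ms for the AR8033, but the property is set to 20000 us and the comment does not say where the extra margin comes from. Add that 20ms matches the phy-reset-post-delay value used in the Variscite tree, so nobody trims it to 5000 later on the strength of the comment alone.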




* [PATCH 5.10 210/211] 3c589_cs: Fix an error handling path in tc589_probe()
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (208 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 209/211] arm64: dts: imx8mn-var-som: fix PHY detection bug by adding deassert delay Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-28 19:12 ` [PATCH 5.10 211/211] net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE Greg Kroah-Hartman
                   ` (6 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, Christophe JAILLET, Simon Horman,
	Jakub Kicinski

From: Christophe JAILLET <christophe.jaillet@wanadoo.fr>

commit 640bf95b2c7c2981fb471acdafbd3e0458f8390d upstream.

Should tc589_config() fail, some resources need to be released as already
done in the remove function.

Fixes: 15b99ac17295 ("[PATCH] pcmcia: add return value to _config() functions")
Signed-off-by: Christophe JAILLET <christophe.jaillet@wanadoo.fr>
Reviewed-by: Simon Horman <simon.horman@corigine.com>
Link: https://lore.kernel.org/r/d8593ae867b24c79063646e36f9b18b0790107cb.1684575975.git.christophe.jaillet@wanadoo.fr
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/ethernet/3com/3c589_cs.c |   11 ++++++++++-
 1 file changed, 10 insertions(+), 1 deletion(-)

--- a/drivers/net/ethernet/3com/3c589_cs.c
+++ b/drivers/net/ethernet/3com/3c589_cs.c
@@ -195,6 +195,7 @@ static int tc589_probe(struct pcmcia_dev
 {
 	struct el3_private *lp;
 	struct net_device *dev;
+	int ret;
 
 	dev_dbg(&link->dev, "3c589_attach()\n");
 
@@ -218,7 +219,15 @@ static int tc589_probe(struct pcmcia_dev
 
 	dev->ethtool_ops = &netdev_ethtool_ops;
 
-	return tc589_config(link);
+	ret = tc589_config(link);
+	if (ret)
+		goto err_free_netdev;
+
+	return 0;
+
+err_free_netdev:
+	free_netdev(dev);
+	return ret;
 }
 
 static void tc589_detach(struct pcmcia_device *link)
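
Review bot: err_free_netdev releases only the net_device, so the fix is complete only if tc589_config() undoes everything it set up itself before returning an error; that is not visible in this hunk and the commit message does not state it. A sentence in the commit message, or a comment at the label, saying that tc589_config() cleans up after itself on failure would settle it.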




* [PATCH 5.10 211/211] net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (209 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 210/211] 3c589_cs: Fix an error handling path in tc589_probe() Greg Kroah-Hartman
@ 2023-05-28 19:12 ` Greg Kroah-Hartman
  2023-05-29 16:06 ` [PATCH 5.10 000/211] 5.10.181-rc1 review Guenter Roeck
                   ` (5 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Greg Kroah-Hartman @ 2023-05-28 19:12 UTC (permalink / raw)
  To: stable
  Cc: Greg Kroah-Hartman, patches, David Epping, Vladimir Oltean,
	Jakub Kicinski

From: David Epping <david.epping@missinglinkelectronics.com>

commit 57fb54ab9f6945e204740b696bd4cee61ee04e5e upstream.

The mscc driver implements support for VSC8502, so its ID should be in
the MODULE_DEVICE_TABLE for automatic loading.

Signed-off-by: David Epping <david.epping@missinglinkelectronics.com>
Fixes: d3169863310d ("net: phy: mscc: add support for VSC8502")
Reviewed-by: Vladimir Oltean <olteanv@gmail.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 drivers/net/phy/mscc/mscc_main.c |    1 +
 1 file changed, 1 insertion(+)

--- a/drivers/net/phy/mscc/mscc_main.c
+++ b/drivers/net/phy/mscc/mscc_main.c
@@ -2563,6 +2563,7 @@ static struct phy_driver vsc85xx_driver[
 module_phy_driver(vsc85xx_driver);
 
 static struct mdio_device_id __maybe_unused vsc85xx_tbl[] = {
+	{ PHY_ID_VSC8502, 0xfffffff0, },
 	{ PHY_ID_VSC8504, 0xfffffff0, },
 	{ PHY_ID_VSC8514, 0xfffffff0, },
 	{ PHY_ID_VSC8530, 0xfffffff0, },
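
Review bot: vsc85xx_tbl[] repeats by hand the IDs the driver already supports, which is how VSC8502 came to be missing from it. A comment above the table asking that it be kept in step with vsc85xx_driver[] would help the next PHY addition avoid the same omission.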




* Re: [PATCH 5.10 000/211] 5.10.181-rc1 review
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (210 preceding siblings ...)
  2023-05-28 19:12 ` [PATCH 5.10 211/211] net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE Greg Kroah-Hartman
@ 2023-05-29 16:06 ` Guenter Roeck
  2023-05-29 16:28 ` Naresh Kamboju
                   ` (4 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Guenter Roeck @ 2023-05-29 16:06 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
	rwarsow

On Sun, May 28, 2023 at 08:08:41PM +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.181 release.
> There are 211 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue, 30 May 2023 19:08:13 +0000.
> Anything received after that time might be too late.
> 

Build results:
	total: 162 pass: 162 fail: 0
Qemu test results:
	total: 485 pass: 485 fail: 0

Tested-by: Guenter Roeck <linux@roeck-us.net>

Guenter


* Re: [PATCH 5.10 000/211] 5.10.181-rc1 review
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (211 preceding siblings ...)
  2023-05-29 16:06 ` [PATCH 5.10 000/211] 5.10.181-rc1 review Guenter Roeck
@ 2023-05-29 16:28 ` Naresh Kamboju
  2023-05-30  9:19 ` Jon Hunter
                   ` (3 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Naresh Kamboju @ 2023-05-29 16:28 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, srw, rwarsow

On Mon, 29 May 2023 at 01:10, Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> This is the start of the stable review cycle for the 5.10.181 release.
> There are 211 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 30 May 2023 19:08:13 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.181-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h


Results from Linaro’s test farm.
No regressions on arm64, arm, x86_64, and i386.

Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>

## Build
* kernel: 5.10.181-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-5.10.y
* git commit: 80ae453d08c191989cbf98440279674059eca336
* git describe: v5.10.180-212-g80ae453d08c1
* test details:
https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-5.10.y/build/v5.10.180-212-g80ae453d08c1

## Test Regressions (compared to v5.10.180)

## Metric Regressions (compared to v5.10.180)

## Test Fixes (compared to v5.10.180)

## Metric Fixes (compared to v5.10.180)

## Test result summary
total: 133331, pass: 110831, fail: 3975, skip: 18332, xfail: 193

## Build Summary
* arc: 5 total, 5 passed, 0 failed
* arm: 117 total, 116 passed, 1 failed
* arm64: 45 total, 43 passed, 2 failed
* i386: 35 total, 33 passed, 2 failed
* mips: 27 total, 26 passed, 1 failed
* parisc: 8 total, 8 passed, 0 failed
* powerpc: 26 total, 20 passed, 6 failed
* riscv: 12 total, 11 passed, 1 failed
* s390: 12 total, 12 passed, 0 failed
* sh: 14 total, 12 passed, 2 failed
* sparc: 8 total, 8 passed, 0 failed
* x86_64: 38 total, 36 passed, 2 failed

## Test suites summary
* boot
* fwts
* igt-gpu-tools
* kselftest-android
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers-dma-buf
* kselftest-efivarfs
* kselftest-exec
* kselftest-filesystems
* kselftest-filesystems-binderfs
* kselftest-firmware
* kselftest-fpu
* kselftest-ftrace
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-net-forwarding
* kselftest-net-mptcp
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-sigaltstack
* kselftest-size
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-user_events
* kselftest-vDSO
* kselftest-watchdog
* kselftest-x86
* kselftest-zram
* kunit
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-cap_bounds
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-filecaps
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-fsx
* ltp-hugetlb
* ltp-io
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-securebits
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* network-basic-tests
* perf
* rcutorture
* v4l2-compliance
* vdso

--
Linaro LKFT
https://lkft.linaro.org


* Re: [PATCH 5.10 000/211] 5.10.181-rc1 review
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (212 preceding siblings ...)
  2023-05-29 16:28 ` Naresh Kamboju
@ 2023-05-30  9:19 ` Jon Hunter
  2023-05-30 11:56 ` Chris Paterson
                   ` (2 subsequent siblings)
  216 siblings, 0 replies; 218+ messages in thread
From: Jon Hunter @ 2023-05-30  9:19 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
	shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, srw, rwarsow, linux-tegra, stable

On Sun, 28 May 2023 20:08:41 +0100, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.181 release.
> There are 211 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue, 30 May 2023 19:08:13 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.181-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

All tests passing for Tegra ...

Test results for stable-v5.10:
    11 builds:	11 pass, 0 fail
    28 boots:	28 pass, 0 fail
    75 tests:	75 pass, 0 fail

Linux version:	5.10.181-rc1-g80ae453d08c1
Boards tested:	tegra124-jetson-tk1, tegra186-p2771-0000,
                tegra194-p2972-0000, tegra194-p3509-0000+p3668-0000,
                tegra20-ventana, tegra210-p2371-2180,
                tegra210-p3450-0000, tegra30-cardhu-a04

Tested-by: Jon Hunter <jonathanh@nvidia.com>

Jon


* RE: [PATCH 5.10 000/211] 5.10.181-rc1 review
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (213 preceding siblings ...)
  2023-05-30  9:19 ` Jon Hunter
@ 2023-05-30 11:56 ` Chris Paterson
  2023-05-30 17:01 ` Allen Pais
  2023-05-30 18:31 ` Florian Fainelli
  216 siblings, 0 replies; 218+ messages in thread
From: Chris Paterson @ 2023-05-30 11:56 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
	rwarsow

Hello Greg,

> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
> Sent: Sunday, May 28, 2023 8:09 PM
> 
> This is the start of the stable review cycle for the 5.10.181 release.
> There are 211 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue, 30 May 2023 19:08:13 +0000.
> Anything received after that time might be too late.

CIP configurations built and booted with Linux 5.10.181-rc1 (80ae453d08c1):
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/pipelines/881425018
https://gitlab.com/cip-project/cip-testing/linux-stable-rc-ci/-/commits/linux-5.10.y

Tested-by: Chris Paterson (CIP) <chris.paterson2@renesas.com>

Kind regards, Chris


* Re: [PATCH 5.10 000/211] 5.10.181-rc1 review
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (214 preceding siblings ...)
  2023-05-30 11:56 ` Chris Paterson
@ 2023-05-30 17:01 ` Allen Pais
  2023-05-30 18:31 ` Florian Fainelli
  216 siblings, 0 replies; 218+ messages in thread
From: Allen Pais @ 2023-05-30 17:01 UTC (permalink / raw)
  To: Greg Kroah-Hartman
  Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
	patches, lkft-triage, pavel, jonathanh, f.fainelli,
	sudipm.mukherjee, srw, rwarsow

> This is the start of the stable review cycle for the 5.10.181 release.
> There are 211 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Tue, 30 May 2023 19:08:13 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
>         https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.181-rc1.gz
> or in the git tree and branch at:
>         git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
>

Compiled and booted on my x86_64 and ARM64 test systems. No errors or
regressions.

Tested-by: Allen Pais <apais@linux.microsoft.com>

Thanks.


* Re: [PATCH 5.10 000/211] 5.10.181-rc1 review
  2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
                   ` (215 preceding siblings ...)
  2023-05-30 17:01 ` Allen Pais
@ 2023-05-30 18:31 ` Florian Fainelli
  216 siblings, 0 replies; 218+ messages in thread
From: Florian Fainelli @ 2023-05-30 18:31 UTC (permalink / raw)
  To: Greg Kroah-Hartman, stable
  Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
	lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow

On 5/28/23 12:08, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 5.10.181 release.
> There are 211 patches in this series, all will be posted as a response
> to this one.  If anyone has any issues with these being applied, please
> let me know.
> 
> Responses should be made by Tue, 30 May 2023 19:08:13 +0000.
> Anything received after that time might be too late.
> 
> The whole patch series can be found in one patch at:
> 	https://www.kernel.org/pub/linux/kernel/v5.x/stable-review/patch-5.10.181-rc1.gz
> or in the git tree and branch at:
> 	git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-5.10.y
> and the diffstat can be found below.
> 
> thanks,
> 
> greg k-h

On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on 
BMIPS_GENERIC:

Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
-- 
Florian



Thread overview: 218+ messages
2023-05-28 19:08 [PATCH 5.10 000/211] 5.10.181-rc1 review Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 001/211] driver core: add a helper to setup both the of_node and fwnode of a device Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 002/211] drm/mipi-dsi: Set the fwnode for mipi_dsi_device Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 003/211] ARM: 9296/1: HP Jornada 7XX: fix kernel-doc warnings Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 004/211] net: mdio: mvusb: Fix an error handling path in mvusb_mdio_probe() Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 005/211] linux/dim: Do nothing if no time delta between samples Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 006/211] net: Fix load-tearing on sk->sk_stamp in sock_recv_cmsgs() Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 007/211] netfilter: conntrack: fix possible bug_on with enable_hooks=1 Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 008/211] netlink: annotate accesses to nlk->cb_running Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 009/211] net: annotate sk->sk_err write from do_recvmmsg() Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 010/211] net: deal with most data-races in sk_wait_event() Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 011/211] net: tap: check vlan with eth_type_vlan() method Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 012/211] net: add vlan_get_protocol_and_depth() helper Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 013/211] tcp: factor out __tcp_close() helper Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 014/211] tcp: add annotations around sk->sk_shutdown accesses Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 015/211] ipvlan:Fix out-of-bounds caused by unclear skb->cb Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 016/211] net: datagram: fix data-races in datagram_poll() Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 017/211] af_unix: Fix a data race of sk->sk_receive_queue->qlen Greg Kroah-Hartman
2023-05-28 19:08 ` [PATCH 5.10 018/211] af_unix: Fix data races around sk->sk_shutdown Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 019/211] drm/i915/dp: prevent potential div-by-zero Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 020/211] fbdev: arcfb: Fix error handling in arcfb_probe() Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 021/211] ext4: remove an unused variable warning with CONFIG_QUOTA=n Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 022/211] ext4: reflect error codes from ext4_multi_mount_protect() to its callers Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 023/211] ext4: dont clear SB_RDONLY when remounting r/w until quota is re-enabled Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 024/211] ext4: fix lockdep warning when enabling MMP Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 025/211] ext4: remove redundant mb_regenerate_buddy() Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 026/211] ext4: drop s_mb_bal_lock and convert protected fields to atomic Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 027/211] ext4: add mballoc stats proc file Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 028/211] ext4: allow to find by goal if EXT4_MB_HINT_GOAL_ONLY is set Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 029/211] ext4: allow ext4_get_group_info() to fail Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 030/211] refscale: Move shutdown from wait_event() to wait_event_idle() Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 031/211] rcu: Protect rcu_print_task_exp_stall() ->exp_tasks access Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 032/211] fs: hfsplus: remove WARN_ON() from hfsplus_cat_{read,write}_inode() Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 033/211] drm/amd/display: Use DC_LOG_DC in the trasform pixel function Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 034/211] regmap: cache: Return error in cache sync operations for REGCACHE_NONE Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 035/211] arm64: dts: qcom: msm8996: Add missing DWC3 quirks Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 036/211] memstick: r592: Fix UAF bug in r592_remove due to race condition Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 037/211] firmware: arm_sdei: Fix sleep from invalid context BUG Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 038/211] ACPI: EC: Fix oops when removing custom query handlers Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 039/211] remoteproc: stm32_rproc: Add mutex protection for workqueue Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 040/211] drm/tegra: Avoid potential 32-bit integer overflow Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 041/211] ACPICA: Avoid undefined behavior: applying zero offset to null pointer Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 042/211] ACPICA: ACPICA: check null return of ACPI_ALLOCATE_ZEROED in acpi_db_display_objects Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 043/211] drm/amd: Fix an out of bounds error in BIOS parser Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 044/211] wifi: ath: Silence memcpy run-time false positive warning Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 045/211] bpf: Annotate data races in bpf_local_storage Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 046/211] wifi: brcmfmac: cfg80211: Pass the PMK in binary instead of hex Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 047/211] ext2: Check block size validity during mount Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 048/211] scsi: lpfc: Prevent lpfc_debugfs_lockstat_write() buffer overflow Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 049/211] net: pasemi: Fix return type of pasemi_mac_start_tx() Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 050/211] net: Catch invalid index in XPS mapping Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 051/211] scsi: target: iscsit: Free cmds before session free Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 052/211] lib: cpu_rmap: Avoid use after free on rmap->obj array entries Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 053/211] scsi: message: mptlan: Fix use after free bug in mptlan_remove() due to race condition Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 054/211] gfs2: Fix inode height consistency check Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 055/211] ext4: set goal start correctly in ext4_mb_normalize_request Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 056/211] ext4: Fix best extent lstart adjustment logic in ext4_mb_new_inode_pa() Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 057/211] f2fs: fix to drop all dirty pages during umount() if cp_error is set Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 058/211] samples/bpf: Fix fout leak in hbms run_bpf_prog Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 059/211] wifi: iwlwifi: pcie: fix possible NULL pointer dereference Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 060/211] wifi: iwlwifi: pcie: Fix integer overflow in iwl_write_to_user_buf Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 061/211] null_blk: Always check queue mode setting from configfs Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 062/211] wifi: iwlwifi: dvm: Fix memcpy: detected field-spanning write backtrace Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 063/211] wifi: ath11k: Fix SKB corruption in REO destination ring Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 064/211] ipvs: Update width of source for ip_vs_sync_conn_options Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 065/211] Bluetooth: hci_bcm: Fall back to getting bdaddr from EFI if not set Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 066/211] Bluetooth: L2CAP: fix "bad unlock balance" in l2cap_disconnect_rsp Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 067/211] staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 068/211] HID: logitech-hidpp: Dont use the USB serial for USB devices Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 069/211] HID: logitech-hidpp: Reconcile USB and Unifying serials Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 070/211] spi: spi-imx: fix MX51_ECSPI_* macros when cs > 3 Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 071/211] HID: wacom: generic: Set battery quirk only when we see battery data Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 072/211] usb: typec: tcpm: fix multiple times discover svids error Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 073/211] serial: 8250: Reinit port->pm on port specific driver unbind Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 074/211] mcb-pci: Reallocate memory region to avoid memory overlapping Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 075/211] sched: Fix KCSAN noinstr violation Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 076/211] recordmcount: Fix memory leaks in the uwrite function Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 077/211] RDMA/core: Fix multiple -Warray-bounds warnings Greg Kroah-Hartman
2023-05-28 19:09 ` [PATCH 5.10 078/211] iommu/arm-smmu-qcom: Limit the SMR groups to 128 Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 079/211] clk: tegra20: fix gcc-7 constant overflow warning Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 080/211] iommu/arm-smmu-v3: Acknowledge pri/event queue overflow if any Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 081/211] Input: xpad - add constants for GIP interface numbers Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 082/211] phy: st: miphy28lp: use _poll_timeout functions for waits Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 083/211] mfd: dln2: Fix memory leak in dln2_probe() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 084/211] btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 085/211] btrfs: replace calls to btrfs_find_free_ino with btrfs_find_free_objectid Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 086/211] btrfs: fix space cache inconsistency after error loading it from disk Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 087/211] xfrm: dont check the default policy if the policy allows the packet Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 088/211] Revert "Fix XFRM-I support for nested ESP tunnels" Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 089/211] drm/msm/dp: unregister audio driver during unbind Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 090/211] drm/msm/dpu: Remove duplicate register defines from INTF Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 091/211] cpupower: Make TSC read per CPU for Mperf monitor Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 092/211] af_key: Reject optional tunnel/BEET mode templates in outbound policies Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 093/211] net: fec: Better handle pm_runtime_get() failing in .remove() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 094/211] net: phy: dp83867: add w/a for packet errors seen with short cables Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 095/211] ALSA: firewire-digi00x: prevent potential use after free Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 096/211] ALSA: hda/realtek: Apply HP B&O top speaker profile to Pavilion 15 Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 097/211] vsock: avoid to close connected socket after the timeout Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 098/211] ipv4/tcp: do not use per netns ctl sockets Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 099/211] net: Find dst with sks xfrm policy not ctl_sk Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 100/211] tcp: fix possible sk_priority leak in tcp_v4_send_reset() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 101/211] serial: arc_uart: fix of_iomap leak in `arc_serial_probe` Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 102/211] erspan: get the proto with the md version for collect_md Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 103/211] net: hns3: fix sending pfc frames after reset issue Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 104/211] net: hns3: fix reset delay time to avoid configuration timeout Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 105/211] media: netup_unidvb: fix use-after-free at del_timer() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 106/211] SUNRPC: Fix trace_svc_register() call site Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 107/211] drm/exynos: fix g2d_open/close helper function definitions Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 108/211] net: nsh: Use correct mac_offset to unwind gso skb in nsh_gso_segment() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 109/211] net/tipc: fix tipc header files for kernel-doc Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 110/211] tipc: add tipc_bearer_min_mtu to calculate min mtu Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 111/211] tipc: do not update mtu if msg_max is too small in mtu negotiation Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 112/211] tipc: check the bearer min mtu properly when setting it by netlink Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 113/211] net: bcmgenet: Remove phy_stop() from bcmgenet_netif_stop() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 114/211] net: bcmgenet: Restore phy_stop() depending upon suspend/close Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 115/211] wifi: mac80211: fix min center freq offset tracing Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 116/211] wifi: iwlwifi: mvm: dont trust firmware n_channels Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 117/211] scsi: storvsc: Dont pass unused PFNs to Hyper-V host Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 118/211] cassini: Fix a memory leak in the error handling path of cas_init_one() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 119/211] igb: fix bit_shift to be in [1..8] range Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 120/211] vlan: fix a potential uninit-value in vlan_dev_hard_start_xmit() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 121/211] netfilter: nft_set_rbtree: fix null deref on element insertion Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 122/211] bridge: always declare tunnel functions Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 123/211] ALSA: usb-audio: Add a sample rate workaround for Line6 Pod Go Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 124/211] USB: usbtmc: Fix direction for 0-length ioctl control messages Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 125/211] usb-storage: fix deadlock when a scsi command timeouts more than once Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 126/211] USB: UHCI: adjust zhaoxin UHCI controllers OverCurrent bit value Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 127/211] usb: dwc3: debugfs: Resume dwc3 before accessing registers Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 128/211] usb: gadget: u_ether: Fix host MAC address case Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 129/211] usb: typec: altmodes/displayport: fix pin_assignment_show Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 130/211] ALSA: hda: Fix Oops by 9.1 surround channel names Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 131/211] ALSA: hda: Add NVIDIA codec IDs a3 through a7 to patch table Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 132/211] ALSA: hda/realtek: Add quirk for Clevo L140AU Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 133/211] ALSA: hda/realtek: Add a quirk for HP EliteDesk 805 Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 134/211] ALSA: hda/realtek: Add quirk for 2nd ASUS GU603 Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 135/211] can: j1939: recvmsg(): allow MSG_CMSG_COMPAT flag Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 136/211] can: isotp: " Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 137/211] can: kvaser_pciefd: Set CAN_STATE_STOPPED in kvaser_pciefd_stop() Greg Kroah-Hartman
2023-05-28 19:10 ` [PATCH 5.10 138/211] can: kvaser_pciefd: Call request_irq() before enabling interrupts Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 139/211] can: kvaser_pciefd: Empty SRB buffer in probe Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 140/211] can: kvaser_pciefd: Clear listen-only bit if not explicitly requested Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 141/211] can: kvaser_pciefd: Do not send EFLUSH command on TFD interrupt Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 142/211] can: kvaser_pciefd: Disable interrupts in probe error path Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 143/211] statfs: enforce statfs[64] structure initialization Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 144/211] serial: Add support for Advantech PCI-1611U card Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 145/211] vc_screen: reload load of struct vc_data pointer in vcs_write() to avoid UAF Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 146/211] ceph: force updating the msg pointer in non-split case Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 147/211] tpm/tpm_tis: Disable interrupts for more Lenovo devices Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 148/211] powerpc/64s/radix: Fix soft dirty tracking Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 149/211] nilfs2: fix use-after-free bug of nilfs_root in nilfs_evict_inode() Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 150/211] HID: wacom: Force pen out of prox if no events have been received in a while Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 151/211] HID: wacom: Add new Intuos Pro Small (PTH-460) device IDs Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 152/211] HID: wacom: add three styli to wacom_intuos_get_tool_type Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 153/211] KVM: arm64: Link position-independent string routines into .hyp.text Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 154/211] serial: 8250_exar: derive nr_ports from PCI ID for Acces I/O cards Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 155/211] serial: exar: Add support for Sealevel 7xxxC serial cards Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 156/211] serial: 8250_exar: Add support for USR298x PCI Modems Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 157/211] s390/qdio: get rid of register asm Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 158/211] s390/qdio: fix do_sqbs() inline assembly constraint Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 159/211] watchdog: sp5100_tco: Immediately trigger upon starting Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 160/211] ARM: dts: stm32: fix AV96 board SAI2 pin muxing on stm32mp15 Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 161/211] writeback, cgroup: remove extra percpu_ref_exit() Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 162/211] net/sched: act_mirred: refactor the handle of xmit Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 163/211] net/sched: act_mirred: better wording on protection against excessive stack growth Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 164/211] act_mirred: use the backlog for nested calls to mirred ingress Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 165/211] spi: fsl-spi: Re-organise transfer bits_per_word adaptation Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 166/211] spi: fsl-cpm: Use 16 bit mode for large transfers with even size Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 167/211] ocfs2: Switch to security_inode_init_security() Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 168/211] ALSA: hda/ca0132: add quirk for EVGA X299 DARK Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 169/211] ALSA: hda: Fix unhandled register update during auto-suspend period Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 170/211] ALSA: hda/realtek: Enable headset onLenovo M70/M90 Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 171/211] net: cdc_ncm: Deal with too low values of dwNtbOutMaxSize Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 172/211] m68k: Move signal frame following exception on 68020/030 Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 173/211] parisc: Handle kgdb breakpoints only in kernel context Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 174/211] parisc: Allow to reboot machine after system halt Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 175/211] gpio: mockup: Fix mode of debugfs files Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 176/211] btrfs: use nofs when cleaning up aborted transactions Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 177/211] dt-binding: cdns,usb3: Fix cdns,on-chip-buff-size type Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 178/211] x86/mm: Avoid incomplete Global INVLPG flushes Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 179/211] selftests/memfd: Fix unknown type name build failure Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 180/211] parisc: Fix flush_dcache_page() for usage from irq context Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 181/211] x86/topology: Fix erroneous smp_num_siblings on Intel Hybrid platforms Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 182/211] debugobjects: Dont wake up kswapd from fill_pool() Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 183/211] fbdev: udlfb: Fix endpoint check Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 184/211] net: fix stack overflow when LRO is disabled for virtual interfaces Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 185/211] udplite: Fix NULL pointer dereference in __sk_mem_raise_allocated() Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 186/211] USB: core: Add routines for endpoint checks in old drivers Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 187/211] USB: sisusbvga: Add endpoint checks Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 188/211] media: radio-shark: " Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 189/211] net: fix skb leak in __skb_tstamp_tx() Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 190/211] selftests: fib_tests: mute cleanup error message Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 191/211] octeontx2-pf: Fix TSOv6 offload Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 192/211] bpf: Fix mask generation for 32-bit narrow loads of 64-bit fields Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 193/211] ipv6: Fix out-of-bounds access in ipv6_find_tlv() Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 194/211] power: supply: leds: Fix blink to LED on transition Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 195/211] power: supply: bq27xxx: Fix bq27xxx_battery_update() race condition Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 196/211] power: supply: bq27xxx: Fix I2C IRQ race on remove Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 197/211] power: supply: bq27xxx: Fix poll_interval handling and races " Greg Kroah-Hartman
2023-05-28 19:11 ` [PATCH 5.10 198/211] power: supply: sbs-charger: Fix INHIBITED bit for Status reg Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 199/211] fs: fix undefined behavior in bit shift for SB_NOUSER Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 200/211] coresight: Fix signedness bug in tmc_etr_buf_insert_barrier_packet() Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 201/211] xen/pvcalls-back: fix double frees with pvcalls_new_active_socket() Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 202/211] x86/show_trace_log_lvl: Ensure stack pointer is aligned, again Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 203/211] ASoC: Intel: Skylake: Fix declaration of enum skl_ch_cfg Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 204/211] forcedeth: Fix an error handling path in nv_probe() Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 205/211] net/mlx5e: do as little as possible in napi poll when budget is 0 Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 206/211] net/mlx5: DR, Fix crc32 calculation to work on big-endian (BE) CPUs Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 207/211] net/mlx5: Fix error message when failing to allocate device memory Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 208/211] net/mlx5: Devcom, fix error flow in mlx5_devcom_register_device Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 209/211] arm64: dts: imx8mn-var-som: fix PHY detection bug by adding deassert delay Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 210/211] 3c589_cs: Fix an error handling path in tc589_probe() Greg Kroah-Hartman
2023-05-28 19:12 ` [PATCH 5.10 211/211] net: phy: mscc: add VSC8502 to MODULE_DEVICE_TABLE Greg Kroah-Hartman
2023-05-29 16:06 ` [PATCH 5.10 000/211] 5.10.181-rc1 review Guenter Roeck
2023-05-29 16:28 ` Naresh Kamboju
2023-05-30  9:19 ` Jon Hunter
2023-05-30 11:56 ` Chris Paterson
2023-05-30 17:01 ` Allen Pais
2023-05-30 18:31 ` Florian Fainelli
