* [PATCH 6.5 000/241] 6.5.9-rc1 review
@ 2023-10-23 10:53 Greg Kroah-Hartman
2023-10-23 10:53 ` Greg Kroah-Hartman
` (250 more replies)
0 siblings, 251 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, linux-kernel, torvalds, akpm, linux,
shuah, patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor
This is the start of the stable review cycle for the 6.5.9 release.
There are 241 patches in this series, all will be posted as a response
to this one. If anyone has any issues with these being applied, please
let me know.
Responses should be made by Wed, 25 Oct 2023 10:47:57 +0000.
Anything received after that time might be too late.
The whole patch series can be found in one patch at:
https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.5.9-rc1.gz
or in the git tree and branch at:
git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.5.y
and the diffstat can be found below.
thanks,
greg k-h
-------------
Pseudo-Shortlog of commits:
Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Linux 6.5.9-rc1
Matthieu Baerts <matttbe@kernel.org>
selftests: mptcp: join: correctly check for no RST
Geliang Tang <geliang.tang@suse.com>
mptcp: avoid sending RST when closing the initial subflow
Kees Cook <keescook@chromium.org>
Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
Miguel Ojeda <ojeda@kernel.org>
kbuild: remove old Rust docs output path
Miguel Ojeda <ojeda@kernel.org>
docs: rust: update Rust docs output path
Johannes Berg <johannes.berg@intel.com>
net: rfkill: reduce data->mtx scope in rfkill_fop_open
Edward AD <twuufnxlz@gmail.com>
Bluetooth: hci_sock: fix slab oob read in create_monitor_event
Jakub Kicinski <kuba@kernel.org>
net: move altnames together with the netdevice
Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
efi/unaccepted: Fix soft lockups caused by parallel memory acceptance
Konrad Dybcio <konrad.dybcio@linaro.org>
phy: qcom-qmp-combo: initialize PCS_USB registers
Konrad Dybcio <konrad.dybcio@linaro.org>
phy: qcom-qmp-combo: Square out 8550 POWER_STATE_CONFIG1
Adrien Thierry <athierry@redhat.com>
phy: qcom-qmp-usb: split PCS_USB init table for sc8280xp and sa8775p
Adrien Thierry <athierry@redhat.com>
phy: qcom-qmp-usb: initialize PCS_USB registers
Tony Lindgren <tony@atomide.com>
phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins
Tony Lindgren <tony@atomide.com>
phy: mapphone-mdm6600: Fix runtime PM for remove
Tony Lindgren <tony@atomide.com>
phy: mapphone-mdm6600: Fix runtime disable on probe
Miguel Ojeda <ojeda@kernel.org>
rust: docs: fix logo replacement
Carlos Bilbao <carlos.bilbao@amd.com>
docs: Move rustdoc output, cross-reference it
Nicholas Piggin <npiggin@gmail.com>
powerpc/qspinlock: Fix stale propagated yield_cpu
Michael Ellerman <mpe@ellerman.id.au>
powerpc/mm: Allow ARCH_FORCE_MAX_ORDER up to 12
Felix Kuehling <Felix.Kuehling@amd.com>
drm/amdgpu: Fix possible null pointer dereference
Khaled Almahallawy <khaled.almahallawy@intel.com>
drm/i915/cx0: Only clear/set the Pipe Reset bit of the PHY Lanes Owned
Douglas Anderson <dianders@chromium.org>
drm/panel: Move AUX B116XW03 out of panel-edp back to panel-simple
Stephen Boyd <swboyd@chromium.org>
drm/bridge: ti-sn65dsi86: Associate DSI device lifetime with auxiliary device
Richard Fitzgerald <rf@opensource.cirrus.com>
ASoC: cs42l42: Fix missing include of gpio/consumer.h
Dan Carpenter <dan.carpenter@linaro.org>
ASoC: pxa: fix a memory leak in probe()
Richard Fitzgerald <rf@opensource.cirrus.com>
ASoC: cs35l56: Fix illegal use of init_completion()
Haibo Chen <haibo.chen@nxp.com>
gpio: vf610: mask the gpio irq in system suspend and support wakeup
Haibo Chen <haibo.chen@nxp.com>
gpio: vf610: set value before the direction to avoid a glitch
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
gpiolib: acpi: Add missing memset(0) to acpi_get_gpiod_from_data()
Wedson Almeida Filho <walmeida@microsoft.com>
rust: error: fix the description for `ECHILD`
Hans de Goede <hdegoede@redhat.com>
platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events
Hans de Goede <hdegoede@redhat.com>
platform/x86: asus-wmi: Only map brightness codes when using asus-wmi backlight control
Hans de Goede <hdegoede@redhat.com>
platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
Nikita Kravets <teackot@gmail.com>
platform/x86: msi-ec: Fix the 3rd config
Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
platform/x86: intel-uncore-freq: Conditionally create attribute for read frequency
Armin Wolf <W_Armin@gmx.de>
platform/surface: platform_profile: Propagate error if profile registration fails
Dinghao Liu <dinghao.liu@zju.edu.cn>
s390/cio: fix a memleak in css_alloc_subchannel
Orlando Chamberlain <orlandoch.dev@gmail.com>
apple-gmux: Hard Code max brightness for MMIO gmux
Herbert Xu <herbert@gondor.apana.org.au>
KEYS: asymmetric: Fix sign/verify on pkcs1pad without a hash
Francis Laniel <flaniel@linux.microsoft.com>
selftests/ftrace: Add new test case which checks non unique symbol
Francis Laniel <flaniel@linux.microsoft.com>
tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols
Niklas Schnelle <schnelle@linux.ibm.com>
s390/pci: fix iommu bitmap allocation
Peter Zijlstra <peterz@infradead.org>
perf: Disallow mis-matched inherited group reads
Gil Fine <gil.fine@linux.intel.com>
thunderbolt: Call tb_switch_put() once DisplayPort bandwidth request is finished
Puliang Lu <puliang.lu@fibocom.com>
USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
Benoît Monin <benoit.monin@gmx.fr>
USB: serial: option: add entry for Sierra EM9191 with new firmware
Fabio Porcedda <fabio.porcedda@gmail.com>
USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
Maurizio Lombardi <mlombard@redhat.com>
nvme-rdma: do not try to stop unallocated queues
Maurizio Lombardi <mlombard@redhat.com>
nvmet-auth: complete a request only after freeing the dhchap pointers
Martin Wilck <mwilck@suse.com>
nvme-auth: use chap->s2 to indicate bidirectional authentication
Keith Busch <kbusch@kernel.org>
nvme-pci: add BOGUS_NID for Intel 0a54 device
Keith Busch <kbusch@kernel.org>
nvme: sanitize metadata bounce buffer for reads
Dai Ngo <dai.ngo@oracle.com>
nfs42: client needs to strip file mode's suid/sgid bit after ALLOCATE op
Scott Mayhew <smayhew@redhat.com>
NFS: Fix potential oops in nfs_inode_remove_request()
Amir Goldstein <amir73il@gmail.com>
fanotify: limit reporting of event with non-decodeable file handles
Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
Revert "accel/ivpu: Use cached buffers for FW loading"
Adrian Hunter <adrian.hunter@intel.com>
perf dlfilter: Fix use of addr_location__exit() in dlfilter__object_code()
Hanjun Guo <guohanjun@huawei.com>
ACPI: bus: Move acpi_arm_init() to the place of after acpi_ghes_init()
Sunil V L <sunilvl@ventanamicro.com>
ACPI: irq: Fix incorrect return value in acpi_register_gsi()
Olga Kornievskaia <kolga@netapp.com>
NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server
Trond Myklebust <trond.myklebust@hammerspace.com>
pNFS/flexfiles: Check the layout validity in ff_layout_mirror_prepare_stats
Trond Myklebust <trond.myklebust@hammerspace.com>
pNFS: Fix a hang in nfs4_evict_inode()
Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
pinctrl: qcom: lpass-lpi: fix concurrent register updates
Avri Altman <avri.altman@wdc.com>
mmc: core: Capture correct oemid-bits for eMMC cards
Haibo Chen <haibo.chen@nxp.com>
mmc: core: sdio: hold retuning if sdio in 1-bit mode
Ulf Hansson <ulf.hansson@linaro.org>
mmc: core: Fix error propagation for some ioctl commands
Pablo Sun <pablo.sun@mediatek.com>
mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw
Sven van Ashbrook <svenva@chromium.org>
mmc: sdhci-pci-gli: fix LPM negotiation so x86/S0ix SoCs can suspend
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
dt-bindings: mmc: sdhci-msm: correct minimum number of clocks
Geert Uytterhoeven <geert+renesas@glider.be>
mtd: physmap-core: Restore map_rom fallback
Martin Kurbanov <mmkurbanov@sberdevices.ru>
mtd: spinand: micron: correct bitmask for ecc status
Rouven Czerwinski <r.czerwinski@pengutronix.de>
mtd: rawnand: Ensure the nand chip supports cached reads
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: arasan: Ensure program page operations are successful
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: marvell: Ensure program page operations are successful
Miquel Raynal <miquel.raynal@bootlin.com>
mtd: rawnand: pl353: Ensure program page operations are successful
Bibek Kumar Patro <quic_bibekkum@quicinc.com>
mtd: rawnand: qcom: Unmap the right resource upon probe failure
Paolo Abeni <pabeni@redhat.com>
tcp_bpf: properly release resources on error paths
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_event: Fix using memcmp when comparing keys
Albert Huang <huangjie.albert@bytedance.com>
net/smc: fix smc clc failed issue when netdevice not in init_net
Guangguan Wang <guangguan.wang@linux.alibaba.com>
net/smc: support smc v2.x features validate
Guangguan Wang <guangguan.wang@linux.alibaba.com>
net/smc: support smc release version negotiation in clc handshake
Paolo Abeni <pabeni@redhat.com>
tcp: allow again tcp_disconnect() when threads are waiting
Hannes Reinecke <hare@suse.de>
net/tls: split tls_rx_reader_lock
Amir Tzin <amirtz@nvidia.com>
net/mlx5e: Fix VF representors reporting zero counters to "ip -s" command
Jianbo Liu <jianbol@nvidia.com>
net/mlx5e: Don't offload internal port if filter device is out device
Lama Kayal <lkayal@nvidia.com>
net/mlx5e: Take RTNL lock before triggering netdev notifiers
Dragos Tatulea <dtatulea@nvidia.com>
net/mlx5e: XDP, Fix XDP_REDIRECT mpwqe page fragment leaks on shutdown
Dragos Tatulea <dtatulea@nvidia.com>
net/mlx5e: RX, Fix page_pool allocation failure recovery for legacy rq
Dragos Tatulea <dtatulea@nvidia.com>
net/mlx5e: RX, Fix page_pool allocation failure recovery for striding rq
Maher Sanalla <msanalla@nvidia.com>
net/mlx5: Handle fw tracer change ownership event based on MTRC
Shay Drory <shayd@nvidia.com>
net/mlx5: E-switch, register event handler before arming the event
Pauli Virtanen <pav@iki.fi>
Bluetooth: hci_sync: always check if connection is alive before deleting
Pauli Virtanen <pav@iki.fi>
Bluetooth: hci_sync: delete CIS in BT_OPEN/CONNECT/BOUND when aborting
Iulia Tanasescu <iulia.tanasescu@nxp.com>
Bluetooth: ISO: Fix invalid context error
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_sync: Introduce PTR_UINT/UINT_PTR macros
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_sync: Fix not handling ISO_LINK in hci_abort_conn_sync
Jeff Moyer <jmoyer@redhat.com>
io-wq: fully initialize wqe before calling cpuhp_state_add_instance_nocalls()
Xuewen Yan <xuewen.yan@unisoc.com>
cpufreq: schedutil: Update next_freq when cpufreq_limits change
Renan Guilherme Lebre Ramos <japareaggae@gmail.com>
platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
Fabian Vogt <fabian@ritter-vogt.de>
HID: Add quirk to ignore the touchscreen battery on HP ENVY 15-eu0556ng
Martino Fontana <tinozzo123@gmail.com>
HID: nintendo: reinitialize USB Pro Controller after resuming from suspend
Rahul Rameshbabu <sergeantsagara@protonmail.com>
HID: multitouch: Add required quirk for Synaptics 0xcd7e device
Kenneth Feng <kenneth.feng@amd.com>
drm/amd/pm: add unique_id for gc 11.0.3
Tomasz Swiatek <swiatektomasz99@gmail.com>
platform/x86: touchscreen_dmi: Add info for the BUSH Bush Windows tablet
Filipe Manana <fdmanana@suse.com>
btrfs: error out when reallocating block for defrag using a stale transaction
Filipe Manana <fdmanana@suse.com>
btrfs: error when COWing block from a root that is being deleted
Filipe Manana <fdmanana@suse.com>
btrfs: error out when COWing block using a stale transaction
Josef Bacik <josef@toxicpanda.com>
btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
Kai Uwe Broulik <foss-linux@broulik.de>
drm: panel-orientation-quirks: Add quirk for One Mix 2S
Hangbin Liu <liuhangbin@gmail.com>
ipv4/fib: send notify when delete source address routes
Kees Cook <keescook@chromium.org>
sky2: Make sure there is at least one frag_addr available
Jeff Layton <jlayton@kernel.org>
nfs: decrement nrequests counter before releasing the req
Anna Schumaker <Anna.Schumaker@Netapp.com>
SUNRPC/TLS: Lock the lower_xprt during the tls handshake
Chuck Lever <chuck.lever@oracle.com>
SUNRPC: Fail quickly when server does not recognize TLS
Michał Mirosław <mirq-linux@rere.qmqm.pl>
regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()"
Benjamin Berg <benjamin.berg@intel.com>
wifi: cfg80211: avoid leaking stack data into trace
Wen Gong <quic_wgong@quicinc.com>
wifi: mac80211: allow transmitting EAPOL frames with tainted key
Johannes Berg <johannes.berg@intel.com>
wifi: mac80211: work around Cisco AP 9115 VHT MPDU length
Ilan Peer <ilan.peer@intel.com>
wifi: cfg80211: Fix 6GHz scan configuration
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_core: Fix build warnings
Ying Hsu <yinghsu@chromium.org>
Bluetooth: Avoid redundant authentication
Rocky Liao <quic_rjliao@quicinc.com>
Bluetooth: btusb: add shutdown function for QCA6174
Ma Ke <make_ruc2021@163.com>
HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
Hans de Goede <hdegoede@redhat.com>
HID: logitech-hidpp: Add Bluetooth ID for the Logitech M720 Triathlon mouse
Johannes Berg <johannes.berg@intel.com>
rfkill: sync before userspace visibility/changes
Ben Greear <greearb@candelatech.com>
wifi: iwlwifi: Ensure ack flag is properly cleared.
Aditya Kumar Singh <quic_adisi@quicinc.com>
wifi: cfg80211: validate AP phy operation before starting it
Gustavo A. R. Silva <gustavoars@kernel.org>
wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
Clément Léger <cleger@rivosinc.com>
tracing: relax trace_event_eval_update() execution with cond_resched()
Damien Le Moal <dlemoal@kernel.org>
ata: libata-eh: Fix compilation warning in ata_eh_link_report()
Damien Le Moal <dlemoal@kernel.org>
ata: libata-core: Fix compilation warning in ata_dev_config_ncq()
Chengfeng Ye <dg573847474@gmail.com>
gpio: timberdale: Fix potential deadlock on &tgpio->lock
Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
accel/ivpu: Don't flood dmesg with VPU ready message
Jeff Layton <jlayton@kernel.org>
overlayfs: set ctime when setting mtime and atime
Heiner Kallweit <hkallweit1@gmail.com>
i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
Josef Bacik <josef@toxicpanda.com>
btrfs: initialize start_slot in btrfs_log_prealloc_extents
Filipe Manana <fdmanana@suse.com>
btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1
Filipe Manana <fdmanana@suse.com>
btrfs: prevent transaction block reserve underflow when starting transaction
Filipe Manana <fdmanana@suse.com>
btrfs: fix race when refilling delayed refs block reserve
Chunhai Guo <guochunhai@vivo.com>
fs-writeback: do not requeue a clean inode having skipped pages
Rob Herring <robh@kernel.org>
arm64: dts: mediatek: Fix "mediatek,merge-mute" and "mediatek,merge-fifo-en" types
Tony Lindgren <tony@atomide.com>
ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone
David Thompson <davthompson@nvidia.com>
pwr-mlxbf: extend Kconfig to include gpio-mlxbf3 dependency
Mårten Lindahl <marten.lindahl@axis.com>
iio: light: vcnl4000: Don't power on/off chip in config
Jakub Kicinski <kuba@kernel.org>
net: check for altname conflicts when changing netdev's netns
Jakub Kicinski <kuba@kernel.org>
net: fix ifname in netlink ntf during netns move
Jakub Kicinski <kuba@kernel.org>
net: avoid UAF on deleted altname
Vladimir Oltean <vladimir.oltean@nxp.com>
net: mdio-mux: fix C45 access returning -EIO after API change
Willem de Bruijn <willemb@google.com>
net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation
Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
net: pktgen: Fix interface flags printing
Florian Fainelli <florian.fainelli@broadcom.com>
net: phy: bcm7xxx: Add missing 16nm EPHY statistics
Aaron Conole <aconole@redhat.com>
selftests: openvswitch: Add version check for pyroute2
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: revert do not remove elements if set backend implements .abort
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: do not remove elements if set backend implements .abort
Xingyuan Mo <hdthky0@gmail.com>
nf_tables: fix NULL pointer dereference in nft_inner_init()
Xingyuan Mo <hdthky0@gmail.com>
nf_tables: fix NULL pointer dereference in nft_expr_inner_parse()
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nf_tables: do not refresh timeout when resetting element
Christoph Paasch <cpaasch@apple.com>
netlink: Correct offload_xstats size
Pablo Neira Ayuso <pablo@netfilter.org>
netfilter: nft_set_rbtree: .deactivate fails if element has expired
Phil Sutter <phil@nwl.cc>
selftests: netfilter: Run nft_audit.sh in its own netns
Aaron Conole <aconole@redhat.com>
selftests: openvswitch: Fix the ct_tuple for v4
Aaron Conole <aconole@redhat.com>
selftests: openvswitch: Catch cases where the tests are killed
Geert Uytterhoeven <geert+renesas@glider.be>
neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section
Pedro Tammela <pctammela@mojatatu.com>
net/sched: sch_hfsc: upgrade 'rt' to 'sc' when it becomes a inner curve
Jiri Wiesner <jwiesner@suse.de>
bonding: Return pointer to data after pull on skb
Jinjie Ruan <ruanjinjie@huawei.com>
net: dsa: bcm_sf2: Fix possible memory leak in bcm_sf2_mdio_register()
Michal Schmidt <mschmidt@redhat.com>
i40e: prevent crash on probe if hw registers have invalid values
Shinas Rasheed <srasheed@marvell.com>
octeon_ep: update BQL sent bytes before ringing doorbell
Dan Carpenter <dan.carpenter@linaro.org>
net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
Eric Dumazet <edumazet@google.com>
ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr
Shailend Chand <shailend@google.com>
gve: Do not fully free QPL pages on prefill errors
Eric Dumazet <edumazet@google.com>
tun: prevent negative ifindex
Mateusz Polchlopek <mateusz.polchlopek@intel.com>
docs: fix info about representor identification
Kuniyuki Iwashima <kuniyu@amazon.com>
tcp: Fix listen() warning with v4-mapped-v6 address.
Eric Dumazet <edumazet@google.com>
tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb
Neal Cardwell <ncardwell@google.com>
tcp: fix excessive TLP and RACK timeouts from HZ rounding
Josua Mayer <josua@solid-run.com>
net: rfkill: gpio: prevent value glitch during probe
Ma Ke <make_ruc2021@163.com>
net: ipv6: fix return value check in esp_remove_trailer
Ma Ke <make_ruc2021@163.com>
net: ipv4: fix return value check in esp_remove_trailer
Johannes Berg <johannes.berg@intel.com>
wifi: cfg80211: use system_unbound_wq for wiphy work
Masami Hiramatsu (Google) <mhiramat@kernel.org>
fprobe: Fix to ensure the number of active retprobes is not zero
Dong Chenchen <dongchenchen2@huawei.com>
net: xfrm: skip policies marked as dead while reinserting policies
Eric Dumazet <edumazet@google.com>
xfrm: interface: use DEV_STATS_INC()
Eric Dumazet <edumazet@google.com>
xfrm: fix a data-race in xfrm_gen_index()
Zhang Changzhong <zhangchangzhong@huawei.com>
xfrm6: fix inet6_dev refcount underflow problem
Eric Dumazet <edumazet@google.com>
xfrm: fix a data-race in xfrm_lookup_with_ifid()
Manish Chopra <manishc@marvell.com>
qed: fix LL2 RX buffer allocation
Johan Hovold <johan+linaro@kernel.org>
ASoC: codecs: wcd938x: fix runtime PM imbalance on remove
Johan Hovold <johan+linaro@kernel.org>
ASoC: codecs: wcd938x: fix regulator leaks on probe errors
Johan Hovold <johan+linaro@kernel.org>
ASoC: codecs: wcd938x: fix resource leaks on bind errors
Johan Hovold <johan+linaro@kernel.org>
ASoC: codecs: wcd938x: fix unbind tear down order
Johan Hovold <johan+linaro@kernel.org>
ASoC: codecs: wcd938x: drop bogus bind error handling
Johan Hovold <johan+linaro@kernel.org>
ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors
Johan Hovold <johan+linaro@kernel.org>
ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
Luka Guzenko <l.guzenko@web.de>
ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx
Artem Borisov <dedsa2002@gmail.com>
ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV
Kailang Yang <kailang@realtek.com>
ALSA: hda/realtek - Fixed ASUS platform headset Mic issue
Hamza Mahfooz <hamza.mahfooz@amd.com>
drm/edid: add 8 bpc quirk to the BenQ GW2765
Karol Herbst <kherbst@redhat.com>
drm/nouveau/disp: fix DP capable DSM connectors
Chen-Yu Tsai <wenst@chromium.org>
drm/mediatek: Correctly free sg_table in gem prime vmap
Ville Syrjälä <ville.syrjala@linux.intel.com>
drm/i915: Retry gtt fault when out of fence registers
Sagi Grimberg <sagi@grimberg.me>
nvmet-tcp: Fix a possible UAF in queue intialization setup
Jens Axboe <axboe@kernel.dk>
io_uring: fix crash with IORING_SETUP_NO_MMAP and invalid SQ ring address
Florian Westphal <fw@strlen.de>
netfilter: nft_payload: fix wrong mac header matching
Bagas Sanjaya <bagasdotme@gmail.com>
Revert "net: wwan: iosm: enable runtime pm support for 7560"
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: fix deadlock in mark_as_free_ex
Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super
Zeng Heng <zengheng4@huawei.com>
fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea()
Ziqi Zhao <astrajoan@yahoo.com>
fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e()
Pavel Skripkin <paskripkin@gmail.com>
fs/ntfs3: Fix OOB read in ntfs_init_from_boot
Catalin Marinas <catalin.marinas@arm.com>
mm: slab: Do not create kmalloc caches smaller than arch_slab_minalign()
Matthieu Baerts <matttbe@kernel.org>
selftests: mptcp: join: no RST when rm subflow/addr
Paolo Abeni <pabeni@redhat.com>
mptcp: more conservative check for zero probes
Paolo Abeni <pabeni@redhat.com>
tcp: check mptcp-level constraints for backlog coalescing
Dan Clash <daclash@linux.microsoft.com>
audit,io_uring: io_uring openat triggers audit reference count underflow
Maxim Levitsky <mlevitsk@redhat.com>
x86: KVM: SVM: refresh AVIC inhibition in svm_leave_nested()
Maxim Levitsky <mlevitsk@redhat.com>
x86: KVM: SVM: add support for Invalid IPI Vector interception
Maxim Levitsky <mlevitsk@redhat.com>
x86: KVM: SVM: always update the x2avic msr interception
Sean Christopherson <seanjc@google.com>
KVM: x86: Constrain guest-supported xfeatures only at KVM_GET_XSAVE{2}
Roman Kagan <rkagan@amazon.de>
KVM: x86/pmu: Truncate counter value to allowed width on write
Sean Christopherson <seanjc@google.com>
x86/fpu: Allow caller to constrain xfeatures when copying to uabi buffer
Joerg Roedel <jroedel@suse.de>
x86/sev: Check for user-space IOIO pointing to kernel space
Joerg Roedel <jroedel@suse.de>
x86/sev: Check IOBM for IOIO exceptions from user-space
Borislav Petkov (AMD) <bp@alien8.de>
x86/sev: Disable MMIO emulation from user mode
Jim Mattson <jmattson@google.com>
KVM: x86: Mask LVTPC when handling a PMI
Johan Hovold <johan+linaro@kernel.org>
regmap: fix NULL deref on lookup
Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
btrfs: fix stripe length calculation for non-zoned data chunk allocation
Dust Li <dust.li@linux.alibaba.com>
net/smc: return the right falback reason when prefix checks fail
Jesse Brandeburg <jesse.brandeburg@intel.com>
ice: reset first in crash dump kernels
Mateusz Pacuszka <mateuszx.pacuszka@intel.com>
ice: Fix safe mode when DDP is missing
Jesse Brandeburg <jesse.brandeburg@intel.com>
ice: fix over-shifted variable
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_conn: Fix modifying handle while aborting
Arnd Bergmann <arnd@arndb.de>
Bluetooth: avoid memcmp() out of bounds warning
Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Bluetooth: hci_event: Fix coding style
Arkadiusz Bokowy <arkadiusz.bokowy@gmail.com>
Bluetooth: vhci: Fix race when opening vhci device
Ziyang Xuan <william.xuanziyang@huawei.com>
Bluetooth: Fix a refcnt underflow problem for hci_conn
Lee, Chun-Yi <jlee@suse.com>
Bluetooth: Reject connection with the device which has same BD_ADDR
Lee, Chun-Yi <jlee@suse.com>
Bluetooth: hci_event: Ignore NULL link key
-------------
Diffstat:
.../devicetree/bindings/mmc/sdhci-msm.yaml | 2 +-
Documentation/networking/representors.rst | 8 +-
Documentation/rust/general-information.rst | 2 +-
Documentation/rust/index.rst | 8 +
Makefile | 6 +-
.../boot/dts/ti/omap/motorola-mapphone-common.dtsi | 1 +
arch/arm64/boot/dts/mediatek/mt8195.dtsi | 10 +-
arch/powerpc/Kconfig | 2 +-
arch/powerpc/lib/qspinlock.c | 3 +
arch/s390/pci/pci_dma.c | 15 +-
arch/x86/boot/compressed/sev.c | 10 ++
arch/x86/include/asm/fpu/api.h | 3 +-
arch/x86/include/asm/svm.h | 1 +
arch/x86/kernel/fpu/core.c | 5 +-
arch/x86/kernel/fpu/xstate.c | 12 +-
arch/x86/kernel/fpu/xstate.h | 3 +-
arch/x86/kernel/sev-shared.c | 53 +++++--
arch/x86/kernel/sev.c | 30 ++++
arch/x86/kvm/cpuid.c | 8 -
arch/x86/kvm/lapic.c | 8 +-
arch/x86/kvm/pmu.h | 6 +
arch/x86/kvm/svm/avic.c | 5 +-
arch/x86/kvm/svm/nested.c | 3 +
arch/x86/kvm/svm/pmu.c | 2 +-
arch/x86/kvm/svm/svm.c | 3 +-
arch/x86/kvm/vmx/pmu_intel.c | 4 +-
arch/x86/kvm/x86.c | 37 +++--
crypto/asymmetric_keys/public_key.c | 5 +-
drivers/accel/ivpu/ivpu_drv.c | 2 +-
drivers/accel/ivpu/ivpu_fw.c | 9 +-
drivers/accel/ivpu/ivpu_gem.h | 5 -
drivers/acpi/bus.c | 2 +-
drivers/acpi/irq.c | 7 +-
drivers/ata/libata-core.c | 2 +-
drivers/ata/libata-eh.c | 2 +-
drivers/base/regmap/regmap.c | 2 +-
drivers/bluetooth/btusb.c | 1 +
drivers/bluetooth/hci_vhci.c | 3 +
drivers/firmware/efi/unaccepted_memory.c | 64 +++++++-
drivers/gpio/gpio-timberdale.c | 5 +-
drivers/gpio/gpio-vf610.c | 7 +-
drivers/gpio/gpiolib-acpi.c | 1 +
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 3 +-
drivers/gpu/drm/amd/pm/amdgpu_pm.c | 1 +
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 14 +-
drivers/gpu/drm/drm_edid.c | 3 +
drivers/gpu/drm/drm_panel_orientation_quirks.c | 16 ++
drivers/gpu/drm/i915/display/intel_cx0_phy.c | 3 +-
drivers/gpu/drm/i915/gem/i915_gem_mman.c | 1 +
drivers/gpu/drm/mediatek/mtk_drm_gem.c | 6 +-
drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c | 14 +-
drivers/gpu/drm/panel/panel-edp.c | 29 ----
drivers/gpu/drm/panel/panel-simple.c | 35 +++++
drivers/hid/hid-holtek-kbd.c | 4 +
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-input.c | 2 +
drivers/hid/hid-logitech-hidpp.c | 2 +
drivers/hid/hid-multitouch.c | 4 +
drivers/hid/hid-nintendo.c | 175 ++++++++++++---------
drivers/i2c/i2c-mux.c | 2 +-
drivers/iio/light/vcnl4000.c | 1 -
drivers/mmc/core/block.c | 31 ++--
drivers/mmc/core/mmc.c | 2 +-
drivers/mmc/core/sdio.c | 8 +-
drivers/mmc/host/mtk-sd.c | 6 +-
drivers/mmc/host/sdhci-pci-gli.c | 104 +++++++-----
drivers/mtd/maps/physmap-core.c | 11 ++
drivers/mtd/nand/raw/arasan-nand-controller.c | 16 +-
drivers/mtd/nand/raw/marvell_nand.c | 23 ++-
drivers/mtd/nand/raw/nand_base.c | 3 +
drivers/mtd/nand/raw/nand_jedec.c | 3 +
drivers/mtd/nand/raw/nand_onfi.c | 3 +
drivers/mtd/nand/raw/pl35x-nand-controller.c | 9 ++
drivers/mtd/nand/raw/qcom_nandc.c | 2 +-
drivers/mtd/nand/spi/micron.c | 2 +-
drivers/net/bonding/bond_main.c | 2 +-
drivers/net/dsa/bcm_sf2.c | 24 +--
.../chelsio/inline_crypto/chtls/chtls_io.c | 36 ++++-
drivers/net/ethernet/google/gve/gve_rx.c | 18 ++-
drivers/net/ethernet/intel/i40e/i40e_common.c | 4 +-
drivers/net/ethernet/intel/ice/ice_lib.c | 3 +-
drivers/net/ethernet/intel/ice/ice_main.c | 18 +++
.../net/ethernet/marvell/octeon_ep/octep_main.c | 13 +-
drivers/net/ethernet/marvell/sky2.h | 2 +-
.../ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +-
.../ethernet/mellanox/mlx5/core/en/tc_tun_encap.c | 3 +-
drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c | 8 +-
drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 10 +-
drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 35 +++--
drivers/net/ethernet/mellanox/mlx5/core/en_stats.h | 11 +-
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 5 +-
drivers/net/ethernet/mellanox/mlx5/core/eswitch.c | 17 +-
drivers/net/ethernet/qlogic/qed/qed_ll2.c | 7 +-
drivers/net/mdio/mdio-mux.c | 47 ++++++
drivers/net/phy/bcm7xxx.c | 3 +
drivers/net/tun.c | 7 +-
drivers/net/usb/smsc95xx.c | 2 +-
drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 +
.../net/wireless/marvell/mwifiex/11n_rxreorder.c | 16 ++
drivers/net/wwan/iosm/iosm_ipc_imem.c | 17 --
drivers/net/wwan/iosm/iosm_ipc_imem.h | 2 -
drivers/net/wwan/iosm/iosm_ipc_pcie.c | 4 +-
drivers/net/wwan/iosm/iosm_ipc_port.c | 17 +-
drivers/net/wwan/iosm/iosm_ipc_trace.c | 8 -
drivers/net/wwan/iosm/iosm_ipc_wwan.c | 21 +--
drivers/nvme/host/auth.c | 4 +-
drivers/nvme/host/ioctl.c | 10 +-
drivers/nvme/host/pci.c | 3 +-
drivers/nvme/host/rdma.c | 3 +
drivers/nvme/target/fabrics-cmd-auth.c | 9 +-
drivers/nvme/target/tcp.c | 7 +-
drivers/phy/motorola/phy-mapphone-mdm6600.c | 38 +++--
drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 6 +-
drivers/phy/qualcomm/phy-qcom-qmp-pcs-usb-v6.h | 3 +-
drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 24 ++-
drivers/pinctrl/core.c | 16 +-
drivers/pinctrl/qcom/pinctrl-lpass-lpi.c | 17 +-
.../platform/surface/surface_platform_profile.c | 3 +-
drivers/platform/x86/apple-gmux.c | 14 +-
drivers/platform/x86/asus-nb-wmi.c | 3 +
drivers/platform/x86/asus-wmi.c | 15 +-
drivers/platform/x86/asus-wmi.h | 2 +-
.../uncore-frequency/uncore-frequency-common.c | 8 +-
drivers/platform/x86/msi-ec.c | 3 +-
drivers/platform/x86/touchscreen_dmi.c | 45 ++++++
drivers/power/reset/Kconfig | 2 +-
drivers/regulator/core.c | 6 +-
drivers/s390/cio/css.c | 6 +-
drivers/thunderbolt/tb.c | 10 +-
drivers/usb/serial/option.c | 7 +
fs/btrfs/ctree.c | 52 ++++--
fs/btrfs/delayed-ref.c | 46 ++++--
fs/btrfs/delayed-ref.h | 1 -
fs/btrfs/extent-tree.c | 6 +-
fs/btrfs/ioctl.c | 4 +-
fs/btrfs/transaction.c | 6 +-
fs/btrfs/tree-log.c | 2 +-
fs/btrfs/volumes.c | 2 +-
fs/fs-writeback.c | 11 +-
fs/namei.c | 9 +-
fs/nfs/flexfilelayout/flexfilelayout.c | 17 +-
fs/nfs/nfs42proc.c | 3 +-
fs/nfs/nfs4proc.c | 2 -
fs/nfs/pnfs.c | 33 ++--
fs/nfs/write.c | 4 +-
fs/notify/fanotify/fanotify_user.c | 25 ++-
fs/ntfs3/fsntfs.c | 6 +-
fs/ntfs3/index.c | 3 +
fs/ntfs3/ntfs_fs.h | 2 +
fs/ntfs3/super.c | 31 +++-
fs/ntfs3/xattr.c | 7 +-
fs/overlayfs/copy_up.c | 2 +-
include/linux/fs.h | 2 +-
include/linux/mtd/jedec.h | 3 +
include/linux/mtd/onfi.h | 1 +
include/linux/mtd/rawnand.h | 2 +
include/linux/perf_event.h | 1 +
include/linux/virtio_net.h | 19 ++-
include/net/bluetooth/hci_core.h | 3 +-
include/net/bluetooth/hci_mon.h | 2 +-
include/net/bluetooth/hci_sync.h | 3 +
include/net/ip_fib.h | 1 +
include/net/netns/xfrm.h | 1 +
include/net/sock.h | 10 +-
include/net/tcp.h | 3 +
include/trace/events/neigh.h | 4 +-
io_uring/io-wq.c | 10 +-
io_uring/io_uring.c | 6 +
kernel/auditsc.c | 8 +-
kernel/events/core.c | 39 ++++-
kernel/sched/cpufreq_schedutil.c | 3 +-
kernel/trace/fprobe.c | 6 +-
kernel/trace/trace_events.c | 1 +
kernel/trace/trace_kprobe.c | 63 ++++++++
kernel/trace/trace_probe.h | 1 +
mm/slab_common.c | 6 +-
net/bluetooth/hci_conn.c | 135 +++++++++++-----
net/bluetooth/hci_core.c | 8 +-
net/bluetooth/hci_event.c | 77 +++++----
net/bluetooth/hci_sock.c | 3 +-
net/bluetooth/hci_sync.c | 70 ++++++---
net/bluetooth/iso.c | 14 --
net/core/dev.c | 65 ++++++--
net/core/dev.h | 3 +
net/core/pktgen.c | 14 +-
net/core/rtnetlink.c | 4 +-
net/core/stream.c | 12 +-
net/ipv4/af_inet.c | 10 +-
net/ipv4/esp4.c | 4 +-
net/ipv4/fib_semantics.c | 15 +-
net/ipv4/fib_trie.c | 4 +
net/ipv4/inet_connection_sock.c | 1 -
net/ipv4/inet_hashtables.c | 24 ++-
net/ipv4/tcp.c | 16 +-
net/ipv4/tcp_bpf.c | 12 ++
net/ipv4/tcp_ipv4.c | 1 +
net/ipv4/tcp_output.c | 25 ++-
net/ipv4/tcp_recovery.c | 2 +-
net/ipv6/esp6.c | 4 +-
net/ipv6/xfrm6_policy.c | 4 +-
net/mac80211/cfg.c | 3 +-
net/mac80211/ibss.c | 2 +-
net/mac80211/ieee80211_i.h | 1 +
net/mac80211/mesh_plink.c | 2 +-
net/mac80211/mlme.c | 27 +++-
net/mac80211/tx.c | 3 +-
net/mac80211/vht.c | 16 +-
net/mptcp/protocol.c | 43 ++---
net/netfilter/nf_tables_api.c | 20 +--
net/netfilter/nft_inner.c | 1 +
net/netfilter/nft_payload.c | 2 +-
net/netfilter/nft_set_rbtree.c | 2 +
net/nfc/nci/spi.c | 2 +
net/rfkill/core.c | 37 +++--
net/rfkill/rfkill-gpio.c | 4 +-
net/sched/sch_hfsc.c | 18 ++-
net/smc/af_smc.c | 44 +++++-
net/smc/smc.h | 5 +-
net/smc/smc_clc.c | 60 ++++++-
net/smc/smc_clc.h | 30 +++-
net/smc/smc_core.h | 1 +
net/smc/smc_ib.c | 7 +-
net/smc/smc_ib.h | 2 +-
net/sunrpc/auth.c | 11 +-
net/sunrpc/auth_tls.c | 4 +-
net/sunrpc/clnt.c | 10 +-
net/sunrpc/xprtsock.c | 6 +
net/tls/tls_main.c | 10 +-
net/tls/tls_sw.c | 57 ++++---
net/wireless/core.c | 2 +-
net/wireless/nl80211.c | 21 ++-
net/wireless/scan.c | 4 +
net/xfrm/xfrm_interface_core.c | 22 ++-
net/xfrm/xfrm_policy.c | 27 ++--
rust/Makefile | 24 +--
rust/kernel/error.rs | 2 +-
sound/pci/hda/patch_realtek.c | 27 ++++
sound/soc/codecs/cs35l56.c | 2 +-
sound/soc/codecs/cs42l42-sdw.c | 1 +
sound/soc/codecs/wcd938x-sdw.c | 27 +++-
sound/soc/codecs/wcd938x.c | 76 ++++++---
sound/soc/pxa/pxa-ssp.c | 2 +-
tools/perf/util/dlfilter.c | 32 ++--
.../ftrace/test.d/kprobe/kprobe_non_uniq_symbol.tc | 13 ++
tools/testing/selftests/net/mptcp/mptcp_join.sh | 21 ++-
.../selftests/net/openvswitch/openvswitch.sh | 4 +-
.../testing/selftests/net/openvswitch/ovs-dpctl.py | 14 +-
tools/testing/selftests/netfilter/nft_audit.sh | 6 +
248 files changed, 2331 insertions(+), 960 deletions(-)
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 001/241] Bluetooth: hci_event: Ignore NULL link key
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` Greg Kroah-Hartman
` (249 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee, Chun-Yi, Luiz Augusto von Dentz, Lee
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee, Chun-Yi <jlee@suse.com>
commit 33155c4aae5260475def6f7438e4e35564f4f3ba upstream.
This change is used to relieve CVE-2020-26555. The description of the
CVE:
Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
1.0B through 5.2 may permit an unauthenticated nearby device to spoof
the BD_ADDR of the peer device to complete pairing without knowledge
of the PIN. [1]
The detail of this attack is in IEEE paper:
BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
[2]
It's a reflection attack. The paper mentioned that attacker can induce
the attacked target to generate null link key (zero key) without PIN
code. In BR/EDR, the key generation is actually handled in the controller
which is below HCI.
Thus, we can ignore null link key in the handler of "Link Key Notification
event" to relieve the attack. A similar implementation also shows in
btstack project. [3]
v3: Drop the connection when null link key be detected.
v2:
- Used Link: tag instead of Closes:
- Used bt_dev_dbg instead of BT_DBG
- Added Fixes: tag
Cc: stable@vger.kernel.org
Fixes: 55ed8ca10f35 ("Bluetooth: Implement link key handling for the management interface")
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4725,6 +4725,15 @@ static void hci_link_key_notify_evt(stru
if (!conn)
goto unlock;
+ /* Ignore NULL link key against CVE-2020-26555 */
+ if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
+ bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
+ &ev->bdaddr);
+ hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
+ hci_conn_drop(conn);
+ goto unlock;
+ }
+
hci_conn_hold(conn);
conn->disc_timeout = HCI_DISCONN_TIMEOUT;
hci_conn_drop(conn);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 001/241] Bluetooth: hci_event: Ignore NULL link key
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
0 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee, Chun-Yi, Luiz Augusto von Dentz, Lee
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee, Chun-Yi <jlee@suse.com>
commit 33155c4aae5260475def6f7438e4e35564f4f3ba upstream.
This change is used to relieve CVE-2020-26555. The description of the
CVE:
Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
1.0B through 5.2 may permit an unauthenticated nearby device to spoof
the BD_ADDR of the peer device to complete pairing without knowledge
of the PIN. [1]
The detail of this attack is in IEEE paper:
BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
[2]
It's a reflection attack. The paper mentioned that attacker can induce
the attacked target to generate null link key (zero key) without PIN
code. In BR/EDR, the key generation is actually handled in the controller
which is below HCI.
Thus, we can ignore null link key in the handler of "Link Key Notification
event" to relieve the attack. A similar implementation also shows in
btstack project. [3]
v3: Drop the connection when null link key be detected.
v2:
- Used Link: tag instead of Closes:
- Used bt_dev_dbg instead of BT_DBG
- Added Fixes: tag
Cc: stable@vger.kernel.org
Fixes: 55ed8ca10f35 ("Bluetooth: Implement link key handling for the management interface")
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3722 [3]
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -4725,6 +4725,15 @@ static void hci_link_key_notify_evt(stru
if (!conn)
goto unlock;
+ /* Ignore NULL link key against CVE-2020-26555 */
+ if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
+ bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
+ &ev->bdaddr);
+ hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
+ hci_conn_drop(conn);
+ goto unlock;
+ }
+
hci_conn_hold(conn);
conn->disc_timeout = HCI_DISCONN_TIMEOUT;
hci_conn_drop(conn);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 002/241] Bluetooth: Reject connection with the device which has same BD_ADDR
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` Greg Kroah-Hartman
` (249 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee, Chun-Yi, Luiz Augusto von Dentz, Lee
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee, Chun-Yi <jlee@suse.com>
commit 1ffc6f8cc33268731fcf9629fc4438f6db1191fc upstream.
This change is used to relieve CVE-2020-26555. The description of
the CVE:
Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
1.0B through 5.2 may permit an unauthenticated nearby device to spoof
the BD_ADDR of the peer device to complete pairing without knowledge
of the PIN. [1]
The detail of this attack is in IEEE paper:
BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
[2]
It's a reflection attack. The paper mentioned that attacker can induce
the attacked target to generate null link key (zero key) without PIN
code. In BR/EDR, the key generation is actually handled in the controller
which is below HCI.
A condition of this attack is that attacker should change the
BR_ADDR of his hacking device (Host B) to equal to the BR_ADDR with
the target device being attacked (Host A).
Thus, we reject the connection with device which has same BD_ADDR
both on HCI_Create_Connection and HCI_Connection_Request to prevent
the attack. A similar implementation also shows in btstack project.
[3][4]
Cc: stable@vger.kernel.org
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [3]
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [4]
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_conn.c | 9 +++++++++
net/bluetooth/hci_event.c | 11 +++++++++++
2 files changed, 20 insertions(+)
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1589,6 +1589,15 @@ struct hci_conn *hci_connect_acl(struct
return ERR_PTR(-EOPNOTSUPP);
}
+ /* Reject outgoing connection to device with same BD ADDR against
+ * CVE-2020-26555
+ */
+ if (!bacmp(&hdev->bdaddr, dst)) {
+ bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+ dst);
+ return ERR_PTR(-ECONNREFUSED);
+ }
+
acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
if (!acl) {
acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3272,6 +3272,17 @@ static void hci_conn_request_evt(struct
bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
+ /* Reject incoming connection from device with same BD ADDR against
+ * CVE-2020-26555
+ */
+ if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
+ {
+ bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+ &ev->bdaddr);
+ hci_reject_conn(hdev, &ev->bdaddr);
+ return;
+ }
+
mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
&flags);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 002/241] Bluetooth: Reject connection with the device which has same BD_ADDR
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
0 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lee, Chun-Yi, Luiz Augusto von Dentz, Lee
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lee, Chun-Yi <jlee@suse.com>
commit 1ffc6f8cc33268731fcf9629fc4438f6db1191fc upstream.
This change is used to relieve CVE-2020-26555. The description of
the CVE:
Bluetooth legacy BR/EDR PIN code pairing in Bluetooth Core Specification
1.0B through 5.2 may permit an unauthenticated nearby device to spoof
the BD_ADDR of the peer device to complete pairing without knowledge
of the PIN. [1]
The detail of this attack is in IEEE paper:
BlueMirror: Reflections on Bluetooth Pairing and Provisioning Protocols
[2]
It's a reflection attack. The paper mentioned that attacker can induce
the attacked target to generate null link key (zero key) without PIN
code. In BR/EDR, the key generation is actually handled in the controller
which is below HCI.
A condition of this attack is that attacker should change the
BR_ADDR of his hacking device (Host B) to equal to the BR_ADDR with
the target device being attacked (Host A).
Thus, we reject the connection with device which has same BD_ADDR
both on HCI_Create_Connection and HCI_Connection_Request to prevent
the attack. A similar implementation also shows in btstack project.
[3][4]
Cc: stable@vger.kernel.org
Link: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-26555 [1]
Link: https://ieeexplore.ieee.org/abstract/document/9474325/authors#authors [2]
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L3523 [3]
Link: https://github.com/bluekitchen/btstack/blob/master/src/hci.c#L7297 [4]
Signed-off-by: Lee, Chun-Yi <jlee@suse.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_conn.c | 9 +++++++++
net/bluetooth/hci_event.c | 11 +++++++++++
2 files changed, 20 insertions(+)
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1589,6 +1589,15 @@ struct hci_conn *hci_connect_acl(struct
return ERR_PTR(-EOPNOTSUPP);
}
+ /* Reject outgoing connection to device with same BD ADDR against
+ * CVE-2020-26555
+ */
+ if (!bacmp(&hdev->bdaddr, dst)) {
+ bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+ dst);
+ return ERR_PTR(-ECONNREFUSED);
+ }
+
acl = hci_conn_hash_lookup_ba(hdev, ACL_LINK, dst);
if (!acl) {
acl = hci_conn_add(hdev, ACL_LINK, dst, HCI_ROLE_MASTER);
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3272,6 +3272,17 @@ static void hci_conn_request_evt(struct
bt_dev_dbg(hdev, "bdaddr %pMR type 0x%x", &ev->bdaddr, ev->link_type);
+ /* Reject incoming connection from device with same BD ADDR against
+ * CVE-2020-26555
+ */
+ if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
+ {
+ bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
+ &ev->bdaddr);
+ hci_reject_conn(hdev, &ev->bdaddr);
+ return;
+ }
+
mask |= hci_proto_connect_ind(hdev, &ev->bdaddr, ev->link_type,
&flags);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 003/241] Bluetooth: Fix a refcnt underflow problem for hci_conn
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 004/241] Bluetooth: vhci: Fix race when opening vhci device Greg Kroah-Hartman
` (247 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ziyang Xuan, Luiz Augusto von Dentz
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziyang Xuan <william.xuanziyang@huawei.com>
commit c7f59461f5a78994613afc112cdd73688aef9076 upstream.
Syzbot reports a warning as follows:
WARNING: CPU: 1 PID: 26946 at net/bluetooth/hci_conn.c:619
hci_conn_timeout+0x122/0x210 net/bluetooth/hci_conn.c:619
...
Call Trace:
<TASK>
process_one_work+0x884/0x15c0 kernel/workqueue.c:2630
process_scheduled_works kernel/workqueue.c:2703 [inline]
worker_thread+0x8b9/0x1290 kernel/workqueue.c:2784
kthread+0x33c/0x440 kernel/kthread.c:388
ret_from_fork+0x45/0x80 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
</TASK>
It is because the HCI_EV_SIMPLE_PAIR_COMPLETE event handler drops
hci_conn directly without check Simple Pairing whether be enabled. But
the Simple Pairing process can only be used if both sides have the
support enabled in the host stack.
Add hci_conn_ssp_enabled() for hci_conn in HCI_EV_IO_CAPA_REQUEST and
HCI_EV_SIMPLE_PAIR_COMPLETE event handlers to fix the problem.
Fixes: 0493684ed239 ("[Bluetooth] Disable disconnect timer during Simple Pairing")
Signed-off-by: Ziyang Xuan <william.xuanziyang@huawei.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -5309,7 +5309,7 @@ static void hci_io_capa_request_evt(stru
hci_dev_lock(hdev);
conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
- if (!conn)
+ if (!conn || !hci_conn_ssp_enabled(conn))
goto unlock;
hci_conn_hold(conn);
@@ -5556,7 +5556,7 @@ static void hci_simple_pair_complete_evt
hci_dev_lock(hdev);
conn = hci_conn_hash_lookup_ba(hdev, ACL_LINK, &ev->bdaddr);
- if (!conn)
+ if (!conn || !hci_conn_ssp_enabled(conn))
goto unlock;
/* Reset the authentication requirement to unknown */
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 004/241] Bluetooth: vhci: Fix race when opening vhci device
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (2 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 003/241] Bluetooth: Fix a refcnt underflow problem for hci_conn Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 005/241] Bluetooth: hci_event: Fix coding style Greg Kroah-Hartman
` (246 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Arkadiusz Bokowy, Luiz Augusto von Dentz
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arkadiusz Bokowy <arkadiusz.bokowy@gmail.com>
commit 92d4abd66f7080075793970fc8f241239e58a9e7 upstream.
When the vhci device is opened in the two-step way, i.e.: open device
then write a vendor packet with requested controller type, the device
shall respond with a vendor packet which includes HCI index of created
interface.
When the virtual HCI is created, the host sends a reset request to the
controller. This request is processed by the vhci_send_frame() function.
However, this request is send by a different thread, so it might happen
that this HCI request will be received before the vendor response is
queued in the read queue. This results in the HCI vendor response and
HCI reset request inversion in the read queue which leads to improper
behavior of btvirt:
> dmesg
[1754256.640122] Bluetooth: MGMT ver 1.22
[1754263.023806] Bluetooth: MGMT ver 1.22
[1754265.043775] Bluetooth: hci1: Opcode 0x c03 failed: -110
In order to synchronize vhci two-step open/setup process with virtual
HCI initialization, this patch adds internal lock when queuing data in
the vhci_send_frame() function.
Signed-off-by: Arkadiusz Bokowy <arkadiusz.bokowy@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/bluetooth/hci_vhci.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/bluetooth/hci_vhci.c
+++ b/drivers/bluetooth/hci_vhci.c
@@ -74,7 +74,10 @@ static int vhci_send_frame(struct hci_de
struct vhci_data *data = hci_get_drvdata(hdev);
memcpy(skb_push(skb, 1), &hci_skb_pkt_type(skb), 1);
+
+ mutex_lock(&data->open_mutex);
skb_queue_tail(&data->readq, skb);
+ mutex_unlock(&data->open_mutex);
wake_up_interruptible(&data->read_wait);
return 0;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 005/241] Bluetooth: hci_event: Fix coding style
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (3 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 004/241] Bluetooth: vhci: Fix race when opening vhci device Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 006/241] Bluetooth: avoid memcmp() out of bounds warning Greg Kroah-Hartman
` (245 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 35d91d95a0cd61ebb90e0246dc917fd25e519b8c upstream.
This fixes the following code style problem:
ERROR: that open brace { should be on the previous line
+ if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
+ {
Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3275,8 +3275,7 @@ static void hci_conn_request_evt(struct
/* Reject incoming connection from device with same BD ADDR against
* CVE-2020-26555
*/
- if (!bacmp(&hdev->bdaddr, &ev->bdaddr))
- {
+ if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {
bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
&ev->bdaddr);
hci_reject_conn(hdev, &ev->bdaddr);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 006/241] Bluetooth: avoid memcmp() out of bounds warning
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (4 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 005/241] Bluetooth: hci_event: Fix coding style Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 007/241] Bluetooth: hci_conn: Fix modifying handle while aborting Greg Kroah-Hartman
` (244 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kees Cook, Lee, Chun-Yi,
Luiz Augusto von Dentz, Marcel Holtmann, Arnd Bergmann
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Arnd Bergmann <arnd@arndb.de>
commit 9d1a3c74746428102d55371fbf74b484733937d9 upstream.
bacmp() is a wrapper around memcpy(), which contain compile-time
checks for buffer overflow. Since the hci_conn_request_evt() also calls
bt_dev_dbg() with an implicit NULL pointer check, the compiler is now
aware of a case where 'hdev' is NULL and treats this as meaning that
zero bytes are available:
In file included from net/bluetooth/hci_event.c:32:
In function 'bacmp',
inlined from 'hci_conn_request_evt' at net/bluetooth/hci_event.c:3276:7:
include/net/bluetooth/bluetooth.h:364:16: error: 'memcmp' specified bound 6 exceeds source size 0 [-Werror=stringop-overread]
364 | return memcmp(ba1, ba2, sizeof(bdaddr_t));
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Add another NULL pointer check before the bacmp() to ensure the compiler
understands the code flow enough to not warn about it. Since the patch
that introduced the warning is marked for stable backports, this one
should also go that way to avoid introducing build regressions.
Fixes: 1ffc6f8cc332 ("Bluetooth: Reject connection with the device which has same BD_ADDR")
Cc: Kees Cook <keescook@chromium.org>
Cc: "Lee, Chun-Yi" <jlee@suse.com>
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: stable@vger.kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_event.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3275,7 +3275,7 @@ static void hci_conn_request_evt(struct
/* Reject incoming connection from device with same BD ADDR against
* CVE-2020-26555
*/
- if (!bacmp(&hdev->bdaddr, &ev->bdaddr)) {
+ if (hdev && !bacmp(&hdev->bdaddr, &ev->bdaddr)) {
bt_dev_dbg(hdev, "Reject connection with same BD_ADDR %pMR\n",
&ev->bdaddr);
hci_reject_conn(hdev, &ev->bdaddr);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 007/241] Bluetooth: hci_conn: Fix modifying handle while aborting
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (5 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 006/241] Bluetooth: avoid memcmp() out of bounds warning Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 008/241] ice: fix over-shifted variable Greg Kroah-Hartman
` (243 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
commit 16e3b6429159795a87add7584eb100b19aa1d70b upstream.
This introduces hci_conn_set_handle which takes care of verifying the
conditions where the hci_conn handle can be modified, including when
hci_conn_abort has been called and also checks that the handles is
valid as well.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/bluetooth/hci_core.h | 1 +
net/bluetooth/hci_conn.c | 27 +++++++++++++++++++++++++++
net/bluetooth/hci_event.c | 29 +++++++++++------------------
3 files changed, 39 insertions(+), 18 deletions(-)
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -1426,6 +1426,7 @@ int hci_conn_switch_role(struct hci_conn
void hci_conn_enter_active_mode(struct hci_conn *conn, __u8 force_active);
void hci_conn_failed(struct hci_conn *conn, u8 status);
+u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle);
/*
* hci_conn_get() and hci_conn_put() are used to control the life-time of an
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1248,6 +1248,33 @@ void hci_conn_failed(struct hci_conn *co
hci_conn_del(conn);
}
+/* This function requires the caller holds hdev->lock */
+u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
+{
+ struct hci_dev *hdev = conn->hdev;
+
+ bt_dev_dbg(hdev, "hcon %p handle 0x%4.4x", conn, handle);
+
+ if (conn->handle == handle)
+ return 0;
+
+ if (handle > HCI_CONN_HANDLE_MAX) {
+ bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
+ handle, HCI_CONN_HANDLE_MAX);
+ return HCI_ERROR_INVALID_PARAMETERS;
+ }
+
+ /* If abort_reason has been sent it means the connection is being
+ * aborted and the handle shall not be changed.
+ */
+ if (conn->abort_reason)
+ return conn->abort_reason;
+
+ conn->handle = handle;
+
+ return 0;
+}
+
static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
{
struct hci_conn *conn = data;
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -3180,13 +3180,9 @@ static void hci_conn_complete_evt(struct
}
if (!status) {
- conn->handle = __le16_to_cpu(ev->handle);
- if (conn->handle > HCI_CONN_HANDLE_MAX) {
- bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
- conn->handle, HCI_CONN_HANDLE_MAX);
- status = HCI_ERROR_INVALID_PARAMETERS;
+ status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
+ if (status)
goto done;
- }
if (conn->type == ACL_LINK) {
conn->state = BT_CONFIG;
@@ -3879,11 +3875,9 @@ static u8 hci_cc_le_set_cig_params(struc
if (conn->state != BT_BOUND && conn->state != BT_CONNECT)
continue;
- conn->handle = __le16_to_cpu(rp->handle[i]);
+ if (hci_conn_set_handle(conn, __le16_to_cpu(rp->handle[i])))
+ continue;
- bt_dev_dbg(hdev, "%p handle 0x%4.4x parent %p", conn,
- conn->handle, conn->parent);
-
if (conn->state == BT_CONNECT)
pending = true;
}
@@ -5055,11 +5049,8 @@ static void hci_sync_conn_complete_evt(s
switch (status) {
case 0x00:
- conn->handle = __le16_to_cpu(ev->handle);
- if (conn->handle > HCI_CONN_HANDLE_MAX) {
- bt_dev_err(hdev, "Invalid handle: 0x%4.4x > 0x%4.4x",
- conn->handle, HCI_CONN_HANDLE_MAX);
- status = HCI_ERROR_INVALID_PARAMETERS;
+ status = hci_conn_set_handle(conn, __le16_to_cpu(ev->handle));
+ if (status) {
conn->state = BT_CLOSED;
break;
}
@@ -6992,7 +6983,7 @@ static void hci_le_create_big_complete_e
{
struct hci_evt_le_create_big_complete *ev = data;
struct hci_conn *conn;
- __u8 bis_idx = 0;
+ __u8 i = 0;
BT_DBG("%s status 0x%2.2x", hdev->name, ev->status);
@@ -7010,7 +7001,9 @@ static void hci_le_create_big_complete_e
conn->iso_qos.bcast.big != ev->handle)
continue;
- conn->handle = __le16_to_cpu(ev->bis_handle[bis_idx++]);
+ if (hci_conn_set_handle(conn,
+ __le16_to_cpu(ev->bis_handle[i++])))
+ continue;
if (!ev->status) {
conn->state = BT_CONNECTED;
@@ -7029,7 +7022,7 @@ static void hci_le_create_big_complete_e
rcu_read_lock();
}
- if (!ev->status && !bis_idx)
+ if (!ev->status && !i)
/* If no BISes have been connected for the BIG,
* terminate. This is in case all bound connections
* have been closed before the BIG creation
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 008/241] ice: fix over-shifted variable
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (6 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 007/241] Bluetooth: hci_conn: Fix modifying handle while aborting Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 009/241] ice: Fix safe mode when DDP is missing Greg Kroah-Hartman
` (242 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Przemek Kitszel, Jesse Brandeburg,
Simon Horman, Jacob Keller, Jakub Kicinski,
Pucha Himasekhar Reddy
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jesse Brandeburg <jesse.brandeburg@intel.com>
commit 242e34500a32631f85c2b4eb6cb42a368a39e54f upstream.
Since the introduction of the ice driver the code has been
double-shifting the RSS enabling field, because the define already has
shifts in it and can't have the regular pattern of "a << shiftval &
mask" applied.
Most places in the code got it right, but one line was still wrong. Fix
this one location for easy backports to stable. An in-progress patch
fixes the defines to "standard" and will be applied as part of the
regular -next process sometime after this one.
Fixes: d76a60ba7afb ("ice: Add support for VLANs and offloads")
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
CC: stable@vger.kernel.org
Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
Signed-off-by: Jacob Keller <jacob.e.keller@intel.com>
Link: https://lore.kernel.org/r/20231010203101.406248-1-jacob.e.keller@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_lib.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/net/ethernet/intel/ice/ice_lib.c
+++ b/drivers/net/ethernet/intel/ice/ice_lib.c
@@ -1201,8 +1201,7 @@ static void ice_set_rss_vsi_ctx(struct i
ctxt->info.q_opt_rss = ((lut_type << ICE_AQ_VSI_Q_OPT_RSS_LUT_S) &
ICE_AQ_VSI_Q_OPT_RSS_LUT_M) |
- ((hash_type << ICE_AQ_VSI_Q_OPT_RSS_HASH_S) &
- ICE_AQ_VSI_Q_OPT_RSS_HASH_M);
+ (hash_type & ICE_AQ_VSI_Q_OPT_RSS_HASH_M);
}
static void
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 009/241] ice: Fix safe mode when DDP is missing
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (7 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 008/241] ice: fix over-shifted variable Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 010/241] ice: reset first in crash dump kernels Greg Kroah-Hartman
` (241 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mateusz Pacuszka, Jan Sokolowski,
Przemek Kitszel, Jakub Kicinski, Pucha Himasekhar Reddy
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mateusz Pacuszka <mateuszx.pacuszka@intel.com>
commit 42066c4d5d344cdf8564556cdbe0aa36854fefa4 upstream.
One thing is broken in the safe mode, that is
ice_deinit_features() is being executed even
that ice_init_features() was not causing stack
trace during pci_unregister_driver().
Add check on the top of the function.
Fixes: 5b246e533d01 ("ice: split probe into smaller functions")
Signed-off-by: Mateusz Pacuszka <mateuszx.pacuszka@intel.com>
Signed-off-by: Jan Sokolowski <jan.sokolowski@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
Link: https://lore.kernel.org/r/20231011233334.336092-4-jacob.e.keller@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_main.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -4632,6 +4632,9 @@ static void ice_init_features(struct ice
static void ice_deinit_features(struct ice_pf *pf)
{
+ if (ice_is_safe_mode(pf))
+ return;
+
ice_deinit_lag(pf);
if (test_bit(ICE_FLAG_DCB_CAPABLE, pf->flags))
ice_cfg_lldp_mib_change(&pf->hw, false);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 010/241] ice: reset first in crash dump kernels
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (8 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 009/241] ice: Fix safe mode when DDP is missing Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 011/241] net/smc: return the right falback reason when prefix checks fail Greg Kroah-Hartman
` (240 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vishal Agrawal, Jay Vosburgh,
Przemek Kitszel, Jesse Brandeburg, Jakub Kicinski,
Pucha Himasekhar Reddy
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jesse Brandeburg <jesse.brandeburg@intel.com>
commit 0288c3e709e5fabd51e84715c5c798a02f43061a upstream.
When the system boots into the crash dump kernel after a panic, the ice
networking device may still have pending transactions that can cause errors
or machine checks when the device is re-enabled. This can prevent the crash
dump kernel from loading the driver or collecting the crash data.
To avoid this issue, perform a function level reset (FLR) on the ice device
via PCIe config space before enabling it on the crash kernel. This will
clear any outstanding transactions and stop all queues and interrupts.
Restore the config space after the FLR, otherwise it was found in testing
that the driver wouldn't load successfully.
The following sequence causes the original issue:
- Load the ice driver with modprobe ice
- Enable SR-IOV with 2 VFs: echo 2 > /sys/class/net/eth0/device/sriov_num_vfs
- Trigger a crash with echo c > /proc/sysrq-trigger
- Load the ice driver again (or let it load automatically) with modprobe ice
- The system crashes again during pcim_enable_device()
Fixes: 837f08fdecbe ("ice: Add basic driver framework for Intel(R) E800 Series")
Reported-by: Vishal Agrawal <vagrawal@redhat.com>
Reviewed-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Signed-off-by: Jesse Brandeburg <jesse.brandeburg@intel.com>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
Link: https://lore.kernel.org/r/20231011233334.336092-3-jacob.e.keller@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/ice/ice_main.c | 15 +++++++++++++++
1 file changed, 15 insertions(+)
--- a/drivers/net/ethernet/intel/ice/ice_main.c
+++ b/drivers/net/ethernet/intel/ice/ice_main.c
@@ -6,6 +6,7 @@
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <generated/utsrelease.h>
+#include <linux/crash_dump.h>
#include "ice.h"
#include "ice_base.h"
#include "ice_lib.h"
@@ -4966,6 +4967,20 @@ ice_probe(struct pci_dev *pdev, const st
return -EINVAL;
}
+ /* when under a kdump kernel initiate a reset before enabling the
+ * device in order to clear out any pending DMA transactions. These
+ * transactions can cause some systems to machine check when doing
+ * the pcim_enable_device() below.
+ */
+ if (is_kdump_kernel()) {
+ pci_save_state(pdev);
+ pci_clear_master(pdev);
+ err = pcie_flr(pdev);
+ if (err)
+ return err;
+ pci_restore_state(pdev);
+ }
+
/* this driver uses devres, see
* Documentation/driver-api/driver-model/devres.rst
*/
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 011/241] net/smc: return the right falback reason when prefix checks fail
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (9 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 010/241] ice: reset first in crash dump kernels Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 012/241] btrfs: fix stripe length calculation for non-zoned data chunk allocation Greg Kroah-Hartman
` (239 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dust Li, Alexandra Winter,
Wenjia Zhang, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dust Li <dust.li@linux.alibaba.com>
commit 4abbd2e3c1db671fa1286390f1310aec78386f1d upstream.
In the smc_listen_work(), if smc_listen_prfx_check() failed,
the real reason: SMC_CLC_DECL_DIFFPREFIX was dropped, and
SMC_CLC_DECL_NOSMCDEV was returned.
Althrough this is also kind of SMC_CLC_DECL_NOSMCDEV, but return
the real reason is much friendly for debugging.
Fixes: e49300a6bf62 ("net/smc: add listen processing for SMC-Rv2")
Signed-off-by: Dust Li <dust.li@linux.alibaba.com>
Reviewed-by: Alexandra Winter <wintera@linux.ibm.com>
Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
Link: https://lore.kernel.org/r/20231012123729.29307-1-dust.li@linux.alibaba.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/smc/af_smc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -2335,7 +2335,7 @@ static int smc_listen_find_device(struct
smc_find_ism_store_rc(rc, ini);
return (!rc) ? 0 : ini->rc;
}
- return SMC_CLC_DECL_NOSMCDEV;
+ return prfx_rc;
}
/* listen worker: finish RDMA setup */
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 012/241] btrfs: fix stripe length calculation for non-zoned data chunk allocation
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (10 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 011/241] net/smc: return the right falback reason when prefix checks fail Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 013/241] nfc: nci: fix possible NULL pointer dereference in send_acknowledge() Greg Kroah-Hartman
` (238 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Qu Wenruo, Zygo Blaxell, David Sterba
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
commit 8a540e990d7da36813cb71a4a422712bfba448a4 upstream.
Commit f6fca3917b4d "btrfs: store chunk size in space-info struct"
broke data chunk allocations on non-zoned multi-device filesystems when
using default chunk_size. Commit 5da431b71d4b "btrfs: fix the max chunk
size and stripe length calculation" partially fixed that, and this patch
completes the fix for that case.
After commit f6fca3917b4d and 5da431b71d4b, the sequence of events for
a data chunk allocation on a non-zoned filesystem is:
1. btrfs_create_chunk calls init_alloc_chunk_ctl, which copies
space_info->chunk_size (default 10 GiB) to ctl->max_stripe_len
unmodified. Before f6fca3917b4d, ctl->max_stripe_len value was
1 GiB for non-zoned data chunks and not configurable.
2. btrfs_create_chunk calls gather_device_info which consumes
and produces more fields of chunk_ctl.
3. gather_device_info multiplies ctl->max_stripe_len by
ctl->dev_stripes (which is 1 in all cases except dup)
and calls find_free_dev_extent with that number as num_bytes.
4. find_free_dev_extent locates the first dev_extent hole on
a device which is at least as large as num_bytes. With default
max_chunk_size from f6fca3917b4d, it finds the first hole which is
longer than 10 GiB, or the largest hole if that hole is shorter
than 10 GiB. This is different from the pre-f6fca3917b4d
behavior, where num_bytes is 1 GiB, and find_free_dev_extent
may choose a different hole.
5. gather_device_info repeats step 4 with all devices to find
the first or largest dev_extent hole that can be allocated on
each device.
6. gather_device_info sorts the device list by the hole size
on each device, using total unallocated space on each device to
break ties, then returns to btrfs_create_chunk with the list.
7. btrfs_create_chunk calls decide_stripe_size_regular.
8. decide_stripe_size_regular finds the largest stripe_len that
fits across the first nr_devs device dev_extent holes that were
found by gather_device_info (and satisfies other constraints
on stripe_len that are not relevant here).
9. decide_stripe_size_regular caps the length of the stripe it
computed at 1 GiB. This cap appeared in 5da431b71d4b to correct
one of the other regressions introduced in f6fca3917b4d.
10. btrfs_create_chunk creates a new chunk with the above
computed size and number of devices.
At step 4, gather_device_info() has found a location where stripe up to
10 GiB in length could be allocated on several devices, and selected
which devices should have a dev_extent allocated on them, but at step
9, only 1 GiB of the space that was found on each device can be used.
This mismatch causes new suboptimal chunk allocation cases that did not
occur in pre-f6fca3917b4d kernels.
Consider a filesystem using raid1 profile with 3 devices. After some
balances, device 1 has 10x 1 GiB unallocated space, while devices 2
and 3 have 1x 10 GiB unallocated space, i.e. the same total amount of
space, but distributed across different numbers of dev_extent holes.
For visualization, let's ignore all the chunks that were allocated before
this point, and focus on the remaining holes:
Device 1: [_] [_] [_] [_] [_] [_] [_] [_] [_] [_] (10x 1 GiB unallocated)
Device 2: [__________] (10 GiB contig unallocated)
Device 3: [__________] (10 GiB contig unallocated)
Before f6fca3917b4d, the allocator would fill these optimally by
allocating chunks with dev_extents on devices 1 and 2 ([12]), 1 and 3
([13]), or 2 and 3 ([23]):
[after 0 chunk allocations]
Device 1: [_] [_] [_] [_] [_] [_] [_] [_] [_] [_] (10 GiB)
Device 2: [__________] (10 GiB)
Device 3: [__________] (10 GiB)
[after 1 chunk allocation]
Device 1: [12] [_] [_] [_] [_] [_] [_] [_] [_] [_]
Device 2: [12] [_________] (9 GiB)
Device 3: [__________] (10 GiB)
[after 2 chunk allocations]
Device 1: [12] [13] [_] [_] [_] [_] [_] [_] [_] [_] (8 GiB)
Device 2: [12] [_________] (9 GiB)
Device 3: [13] [_________] (9 GiB)
[after 3 chunk allocations]
Device 1: [12] [13] [12] [_] [_] [_] [_] [_] [_] [_] (7 GiB)
Device 2: [12] [12] [________] (8 GiB)
Device 3: [13] [_________] (9 GiB)
[...]
[after 12 chunk allocations]
Device 1: [12] [13] [12] [13] [12] [13] [12] [13] [_] [_] (2 GiB)
Device 2: [12] [12] [23] [23] [12] [12] [23] [23] [__] (2 GiB)
Device 3: [13] [13] [23] [23] [13] [23] [13] [23] [__] (2 GiB)
[after 13 chunk allocations]
Device 1: [12] [13] [12] [13] [12] [13] [12] [13] [12] [_] (1 GiB)
Device 2: [12] [12] [23] [23] [12] [12] [23] [23] [12] [_] (1 GiB)
Device 3: [13] [13] [23] [23] [13] [23] [13] [23] [__] (2 GiB)
[after 14 chunk allocations]
Device 1: [12] [13] [12] [13] [12] [13] [12] [13] [12] [13] (full)
Device 2: [12] [12] [23] [23] [12] [12] [23] [23] [12] [_] (1 GiB)
Device 3: [13] [13] [23] [23] [13] [23] [13] [23] [13] [_] (1 GiB)
[after 15 chunk allocations]
Device 1: [12] [13] [12] [13] [12] [13] [12] [13] [12] [13] (full)
Device 2: [12] [12] [23] [23] [12] [12] [23] [23] [12] [23] (full)
Device 3: [13] [13] [23] [23] [13] [23] [13] [23] [13] [23] (full)
This allocates all of the space with no waste. The sorting function used
by gather_device_info considers free space holes above 1 GiB in length
to be equal to 1 GiB, so once find_free_dev_extent locates a sufficiently
long hole on each device, all the holes appear equal in the sort, and the
comparison falls back to sorting devices by total free space. This keeps
usable space on each device equal so they can all be filled completely.
After f6fca3917b4d, the allocator prefers the devices with larger holes
over the devices with more free space, so it makes bad allocation choices:
[after 1 chunk allocation]
Device 1: [_] [_] [_] [_] [_] [_] [_] [_] [_] [_] (10 GiB)
Device 2: [23] [_________] (9 GiB)
Device 3: [23] [_________] (9 GiB)
[after 2 chunk allocations]
Device 1: [_] [_] [_] [_] [_] [_] [_] [_] [_] [_] (10 GiB)
Device 2: [23] [23] [________] (8 GiB)
Device 3: [23] [23] [________] (8 GiB)
[after 3 chunk allocations]
Device 1: [_] [_] [_] [_] [_] [_] [_] [_] [_] [_] (10 GiB)
Device 2: [23] [23] [23] [_______] (7 GiB)
Device 3: [23] [23] [23] [_______] (7 GiB)
[...]
[after 9 chunk allocations]
Device 1: [_] [_] [_] [_] [_] [_] [_] [_] [_] [_] (10 GiB)
Device 2: [23] [23] [23] [23] [23] [23] [23] [23] [23] [_] (1 GiB)
Device 3: [23] [23] [23] [23] [23] [23] [23] [23] [23] [_] (1 GiB)
[after 10 chunk allocations]
Device 1: [12] [_] [_] [_] [_] [_] [_] [_] [_] [_] (9 GiB)
Device 2: [23] [23] [23] [23] [23] [23] [23] [23] [12] (full)
Device 3: [23] [23] [23] [23] [23] [23] [23] [23] [_] (1 GiB)
[after 11 chunk allocations]
Device 1: [12] [13] [_] [_] [_] [_] [_] [_] [_] [_] (8 GiB)
Device 2: [23] [23] [23] [23] [23] [23] [23] [23] [12] (full)
Device 3: [23] [23] [23] [23] [23] [23] [23] [23] [13] (full)
No further allocations are possible, with 8 GiB wasted (4 GiB of data
space). The sort in gather_device_info now considers free space in
holes longer than 1 GiB to be distinct, so it will prefer devices 2 and
3 over device 1 until all but 1 GiB is allocated on devices 2 and 3.
At that point, with only 1 GiB unallocated on every device, the largest
hole length on each device is equal at 1 GiB, so the sort finally moves
to ordering the devices with the most free space, but by this time it
is too late to make use of the free space on device 1.
Note that it's possible to contrive a case where the pre-f6fca3917b4d
allocator fails the same way, but these cases generally have extensive
dev_extent fragmentation as a precondition (e.g. many holes of 768M
in length on one device, and few holes 1 GiB in length on the others).
With the regression in f6fca3917b4d, bad chunk allocation can occur even
under optimal conditions, when all dev_extent holes are exact multiples
of stripe_len in length, as in the example above.
Also note that post-f6fca3917b4d kernels do treat dev_extent holes
larger than 10 GiB as equal, so the bad behavior won't show up on a
freshly formatted filesystem; however, as the filesystem ages and fills
up, and holes ranging from 1 GiB to 10 GiB in size appear, the problem
can show up as a failure to balance after adding or removing devices,
or an unexpected shortfall in available space due to unequal allocation.
To fix the regression and make data chunk allocation work
again, set ctl->max_stripe_len back to the original SZ_1G, or
space_info->chunk_size if that's smaller (the latter can happen if the
user set space_info->chunk_size to less than 1 GiB via sysfs, or it's
a 32 MiB system chunk with a hardcoded chunk_size and stripe_len).
While researching the background of the earlier commits, I found that an
identical fix was already proposed at:
https://lore.kernel.org/linux-btrfs/de83ac46-a4a3-88d3-85ce-255b7abc5249@gmx.com/
The previous review missed one detail: ctl->max_stripe_len is used
before decide_stripe_size_regular() is called, when it is too late for
the changes in that function to have any effect. ctl->max_stripe_len is
not used directly by decide_stripe_size_regular(), but the parameter
does heavily influence the per-device free space data presented to
the function.
Fixes: f6fca3917b4d ("btrfs: store chunk size in space-info struct")
CC: stable@vger.kernel.org # 6.1+
Link: https://lore.kernel.org/linux-btrfs/20231007051421.19657-1-ce3g8jdj@umail.furryterror.org/
Reviewed-by: Qu Wenruo <wqu@suse.com>
Signed-off-by: Zygo Blaxell <ce3g8jdj@umail.furryterror.org>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/btrfs/volumes.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/fs/btrfs/volumes.c
+++ b/fs/btrfs/volumes.c
@@ -5125,7 +5125,7 @@ static void init_alloc_chunk_ctl_policy_
ASSERT(space_info);
ctl->max_chunk_size = READ_ONCE(space_info->chunk_size);
- ctl->max_stripe_size = ctl->max_chunk_size;
+ ctl->max_stripe_size = min_t(u64, ctl->max_chunk_size, SZ_1G);
if (ctl->type & BTRFS_BLOCK_GROUP_SYSTEM)
ctl->devs_max = min_t(int, ctl->devs_max, BTRFS_MAX_DEVS_SYS_CHUNK);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 013/241] nfc: nci: fix possible NULL pointer dereference in send_acknowledge()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (11 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 012/241] btrfs: fix stripe length calculation for non-zoned data chunk allocation Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 014/241] regmap: fix NULL deref on lookup Greg Kroah-Hartman
` (237 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, 黄思聪,
Krzysztof Kozlowski, Simon Horman, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 7937609cd387246aed994e81aa4fa951358fba41 upstream.
Handle memory allocation failure from nci_skb_alloc() (calling
alloc_skb()) to avoid possible NULL pointer dereference.
Reported-by: 黄思聪 <huangsicong@iie.ac.cn>
Fixes: 391d8a2da787 ("NFC: Add NCI over SPI receive")
Cc: <stable@vger.kernel.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20231013184129.18738-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/nfc/nci/spi.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/nfc/nci/spi.c
+++ b/net/nfc/nci/spi.c
@@ -151,6 +151,8 @@ static int send_acknowledge(struct nci_s
int ret;
skb = nci_skb_alloc(nspi->ndev, 0, GFP_KERNEL);
+ if (!skb)
+ return -ENOMEM;
/* add the NCI SPI header to the start of the buffer */
hdr = skb_push(skb, NCI_SPI_HDR_LEN);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 014/241] regmap: fix NULL deref on lookup
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (12 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 013/241] nfc: nci: fix possible NULL pointer dereference in send_acknowledge() Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 015/241] KVM: x86: Mask LVTPC when handling a PMI Greg Kroah-Hartman
` (236 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Marc Kleine-Budde, Johan Hovold, Mark Brown
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit c6df843348d6b71ea986266c12831cb60c2cf325 upstream.
Not all regmaps have a name so make sure to check for that to avoid
dereferencing a NULL pointer when dev_get_regmap() is used to lookup a
named regmap.
Fixes: e84861fec32d ("regmap: dev_get_regmap_match(): fix string comparison")
Cc: stable@vger.kernel.org # 5.8
Cc: Marc Kleine-Budde <mkl@pengutronix.de>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20231006082104.16707-1-johan+linaro@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/base/regmap/regmap.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/base/regmap/regmap.c
+++ b/drivers/base/regmap/regmap.c
@@ -1572,7 +1572,7 @@ static int dev_get_regmap_match(struct d
/* If the user didn't specify a name match any */
if (data)
- return !strcmp((*r)->name, data);
+ return (*r)->name && !strcmp((*r)->name, data);
else
return 1;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 015/241] KVM: x86: Mask LVTPC when handling a PMI
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (13 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 014/241] regmap: fix NULL deref on lookup Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 016/241] x86/sev: Disable MMIO emulation from user mode Greg Kroah-Hartman
` (235 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jim Mattson, Mingwei Zhang,
Sean Christopherson
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jim Mattson <jmattson@google.com>
commit a16eb25b09c02a54c1c1b449d4b6cfa2cf3f013a upstream.
Per the SDM, "When the local APIC handles a performance-monitoring
counters interrupt, it automatically sets the mask flag in the LVT
performance counter register." Add this behavior to KVM's local APIC
emulation.
Failure to mask the LVTPC entry results in spurious PMIs, e.g. when
running Linux as a guest, PMI handlers that do a "late_ack" spew a large
number of "dazed and confused" spurious NMI warnings.
Fixes: f5132b01386b ("KVM: Expose a version 2 architectural PMU to a guests")
Cc: stable@vger.kernel.org
Signed-off-by: Jim Mattson <jmattson@google.com>
Tested-by: Mingwei Zhang <mizhang@google.com>
Signed-off-by: Mingwei Zhang <mizhang@google.com>
Link: https://lore.kernel.org/r/20230925173448.3518223-3-mizhang@google.com
[sean: massage changelog, correct Fixes]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/lapic.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/arch/x86/kvm/lapic.c
+++ b/arch/x86/kvm/lapic.c
@@ -2738,13 +2738,17 @@ int kvm_apic_local_deliver(struct kvm_la
{
u32 reg = kvm_lapic_get_reg(apic, lvt_type);
int vector, mode, trig_mode;
+ int r;
if (kvm_apic_hw_enabled(apic) && !(reg & APIC_LVT_MASKED)) {
vector = reg & APIC_VECTOR_MASK;
mode = reg & APIC_MODE_MASK;
trig_mode = reg & APIC_LVT_LEVEL_TRIGGER;
- return __apic_accept_irq(apic, mode, vector, 1, trig_mode,
- NULL);
+
+ r = __apic_accept_irq(apic, mode, vector, 1, trig_mode, NULL);
+ if (r && lvt_type == APIC_LVTPC)
+ kvm_lapic_set_reg(apic, APIC_LVTPC, reg | APIC_LVT_MASKED);
+ return r;
}
return 0;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 016/241] x86/sev: Disable MMIO emulation from user mode
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (14 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 015/241] KVM: x86: Mask LVTPC when handling a PMI Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 017/241] x86/sev: Check IOBM for IOIO exceptions from user-space Greg Kroah-Hartman
` (234 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Dohrmann, Borislav Petkov (AMD), stable
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: "Borislav Petkov (AMD)" <bp@alien8.de>
Upstream commit: a37cd2a59d0cb270b1bba568fd3a3b8668b9d3ba
A virt scenario can be constructed where MMIO memory can be user memory.
When that happens, a race condition opens between when the hardware
raises the #VC and when the #VC handler gets to emulate the instruction.
If the MOVS is replaced with a MOVS accessing kernel memory in that
small race window, then write to kernel memory happens as the access
checks are not done at emulation time.
Disable MMIO emulation in user mode temporarily until a sensible use
case appears and justifies properly handling the race window.
Fixes: 0118b604c2c9 ("x86/sev-es: Handle MMIO String Instructions")
Reported-by: Tom Dohrmann <erbse.13@gmx.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Tom Dohrmann <erbse.13@gmx.de>
Cc: <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/sev.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/x86/kernel/sev.c
+++ b/arch/x86/kernel/sev.c
@@ -1508,6 +1508,9 @@ static enum es_result vc_handle_mmio(str
return ES_DECODE_FAILED;
}
+ if (user_mode(ctxt->regs))
+ return ES_UNSUPPORTED;
+
switch (mmio) {
case INSN_MMIO_WRITE:
memcpy(ghcb->shared_buffer, reg_data, bytes);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 017/241] x86/sev: Check IOBM for IOIO exceptions from user-space
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (15 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 016/241] x86/sev: Disable MMIO emulation from user mode Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 018/241] x86/sev: Check for user-space IOIO pointing to kernel space Greg Kroah-Hartman
` (233 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Dohrmann, Joerg Roedel,
Borislav Petkov (AMD),
stable
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joerg Roedel <jroedel@suse.de>
Upstream commit: b9cb9c45583b911e0db71d09caa6b56469eb2bdf
Check the IO permission bitmap (if present) before emulating IOIO #VC
exceptions for user-space. These permissions are checked by hardware
already before the #VC is raised, but due to the VC-handler decoding
race it needs to be checked again in software.
Fixes: 25189d08e516 ("x86/sev-es: Add support for handling IOIO exceptions")
Reported-by: Tom Dohrmann <erbse.13@gmx.de>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Tested-by: Tom Dohrmann <erbse.13@gmx.de>
Cc: <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/boot/compressed/sev.c | 5 +++++
arch/x86/kernel/sev-shared.c | 22 +++++++++++++++-------
arch/x86/kernel/sev.c | 27 +++++++++++++++++++++++++++
3 files changed, 47 insertions(+), 7 deletions(-)
--- a/arch/x86/boot/compressed/sev.c
+++ b/arch/x86/boot/compressed/sev.c
@@ -103,6 +103,11 @@ static enum es_result vc_read_mem(struct
return ES_OK;
}
+static enum es_result vc_ioio_check(struct es_em_ctxt *ctxt, u16 port, size_t size)
+{
+ return ES_OK;
+}
+
#undef __init
#define __init
--- a/arch/x86/kernel/sev-shared.c
+++ b/arch/x86/kernel/sev-shared.c
@@ -696,6 +696,9 @@ static enum es_result vc_insn_string_wri
static enum es_result vc_ioio_exitinfo(struct es_em_ctxt *ctxt, u64 *exitinfo)
{
struct insn *insn = &ctxt->insn;
+ size_t size;
+ u64 port;
+
*exitinfo = 0;
switch (insn->opcode.bytes[0]) {
@@ -704,7 +707,7 @@ static enum es_result vc_ioio_exitinfo(s
case 0x6d:
*exitinfo |= IOIO_TYPE_INS;
*exitinfo |= IOIO_SEG_ES;
- *exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
+ port = ctxt->regs->dx & 0xffff;
break;
/* OUTS opcodes */
@@ -712,41 +715,43 @@ static enum es_result vc_ioio_exitinfo(s
case 0x6f:
*exitinfo |= IOIO_TYPE_OUTS;
*exitinfo |= IOIO_SEG_DS;
- *exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
+ port = ctxt->regs->dx & 0xffff;
break;
/* IN immediate opcodes */
case 0xe4:
case 0xe5:
*exitinfo |= IOIO_TYPE_IN;
- *exitinfo |= (u8)insn->immediate.value << 16;
+ port = (u8)insn->immediate.value & 0xffff;
break;
/* OUT immediate opcodes */
case 0xe6:
case 0xe7:
*exitinfo |= IOIO_TYPE_OUT;
- *exitinfo |= (u8)insn->immediate.value << 16;
+ port = (u8)insn->immediate.value & 0xffff;
break;
/* IN register opcodes */
case 0xec:
case 0xed:
*exitinfo |= IOIO_TYPE_IN;
- *exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
+ port = ctxt->regs->dx & 0xffff;
break;
/* OUT register opcodes */
case 0xee:
case 0xef:
*exitinfo |= IOIO_TYPE_OUT;
- *exitinfo |= (ctxt->regs->dx & 0xffff) << 16;
+ port = ctxt->regs->dx & 0xffff;
break;
default:
return ES_DECODE_FAILED;
}
+ *exitinfo |= port << 16;
+
switch (insn->opcode.bytes[0]) {
case 0x6c:
case 0x6e:
@@ -756,12 +761,15 @@ static enum es_result vc_ioio_exitinfo(s
case 0xee:
/* Single byte opcodes */
*exitinfo |= IOIO_DATA_8;
+ size = 1;
break;
default:
/* Length determined by instruction parsing */
*exitinfo |= (insn->opnd_bytes == 2) ? IOIO_DATA_16
: IOIO_DATA_32;
+ size = (insn->opnd_bytes == 2) ? 2 : 4;
}
+
switch (insn->addr_bytes) {
case 2:
*exitinfo |= IOIO_ADDR_16;
@@ -777,7 +785,7 @@ static enum es_result vc_ioio_exitinfo(s
if (insn_has_rep_prefix(insn))
*exitinfo |= IOIO_REP;
- return ES_OK;
+ return vc_ioio_check(ctxt, (u16)port, size);
}
static enum es_result vc_handle_ioio(struct ghcb *ghcb, struct es_em_ctxt *ctxt)
--- a/arch/x86/kernel/sev.c
+++ b/arch/x86/kernel/sev.c
@@ -524,6 +524,33 @@ static enum es_result vc_slow_virt_to_ph
return ES_OK;
}
+static enum es_result vc_ioio_check(struct es_em_ctxt *ctxt, u16 port, size_t size)
+{
+ BUG_ON(size > 4);
+
+ if (user_mode(ctxt->regs)) {
+ struct thread_struct *t = ¤t->thread;
+ struct io_bitmap *iobm = t->io_bitmap;
+ size_t idx;
+
+ if (!iobm)
+ goto fault;
+
+ for (idx = port; idx < port + size; ++idx) {
+ if (test_bit(idx, iobm->bitmap))
+ goto fault;
+ }
+ }
+
+ return ES_OK;
+
+fault:
+ ctxt->fi.vector = X86_TRAP_GP;
+ ctxt->fi.error_code = 0;
+
+ return ES_EXCEPTION;
+}
+
/* Include code shared with pre-decompression boot stage */
#include "sev-shared.c"
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 018/241] x86/sev: Check for user-space IOIO pointing to kernel space
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (16 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 017/241] x86/sev: Check IOBM for IOIO exceptions from user-space Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 019/241] x86/fpu: Allow caller to constrain xfeatures when copying to uabi buffer Greg Kroah-Hartman
` (232 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Dohrmann, Joerg Roedel,
Borislav Petkov (AMD),
stable
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joerg Roedel <jroedel@suse.de>
Upstream commit: 63e44bc52047f182601e7817da969a105aa1f721
Check the memory operand of INS/OUTS before emulating the instruction.
The #VC exception can get raised from user-space, but the memory operand
can be manipulated to access kernel memory before the emulation actually
begins and after the exception handler has run.
[ bp: Massage commit message. ]
Fixes: 597cfe48212a ("x86/boot/compressed/64: Setup a GHCB-based VC Exception handler")
Reported-by: Tom Dohrmann <erbse.13@gmx.de>
Signed-off-by: Joerg Roedel <jroedel@suse.de>
Signed-off-by: Borislav Petkov (AMD) <bp@alien8.de>
Cc: <stable@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/boot/compressed/sev.c | 5 +++++
arch/x86/kernel/sev-shared.c | 31 +++++++++++++++++++++++++++++--
2 files changed, 34 insertions(+), 2 deletions(-)
--- a/arch/x86/boot/compressed/sev.c
+++ b/arch/x86/boot/compressed/sev.c
@@ -108,6 +108,11 @@ static enum es_result vc_ioio_check(stru
return ES_OK;
}
+static bool fault_in_kernel_space(unsigned long address)
+{
+ return false;
+}
+
#undef __init
#define __init
--- a/arch/x86/kernel/sev-shared.c
+++ b/arch/x86/kernel/sev-shared.c
@@ -632,6 +632,23 @@ fail:
sev_es_terminate(SEV_TERM_SET_GEN, GHCB_SEV_ES_GEN_REQ);
}
+static enum es_result vc_insn_string_check(struct es_em_ctxt *ctxt,
+ unsigned long address,
+ bool write)
+{
+ if (user_mode(ctxt->regs) && fault_in_kernel_space(address)) {
+ ctxt->fi.vector = X86_TRAP_PF;
+ ctxt->fi.error_code = X86_PF_USER;
+ ctxt->fi.cr2 = address;
+ if (write)
+ ctxt->fi.error_code |= X86_PF_WRITE;
+
+ return ES_EXCEPTION;
+ }
+
+ return ES_OK;
+}
+
static enum es_result vc_insn_string_read(struct es_em_ctxt *ctxt,
void *src, char *buf,
unsigned int data_size,
@@ -639,7 +656,12 @@ static enum es_result vc_insn_string_rea
bool backwards)
{
int i, b = backwards ? -1 : 1;
- enum es_result ret = ES_OK;
+ unsigned long address = (unsigned long)src;
+ enum es_result ret;
+
+ ret = vc_insn_string_check(ctxt, address, false);
+ if (ret != ES_OK)
+ return ret;
for (i = 0; i < count; i++) {
void *s = src + (i * data_size * b);
@@ -660,7 +682,12 @@ static enum es_result vc_insn_string_wri
bool backwards)
{
int i, s = backwards ? -1 : 1;
- enum es_result ret = ES_OK;
+ unsigned long address = (unsigned long)dst;
+ enum es_result ret;
+
+ ret = vc_insn_string_check(ctxt, address, true);
+ if (ret != ES_OK)
+ return ret;
for (i = 0; i < count; i++) {
void *d = dst + (i * data_size * s);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 019/241] x86/fpu: Allow caller to constrain xfeatures when copying to uabi buffer
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (17 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 018/241] x86/sev: Check for user-space IOIO pointing to kernel space Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 020/241] KVM: x86/pmu: Truncate counter value to allowed width on write Greg Kroah-Hartman
` (231 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sean Christopherson, Paolo Bonzini
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 18164f66e6c59fda15c198b371fa008431efdb22 upstream.
Plumb an xfeatures mask into __copy_xstate_to_uabi_buf() so that KVM can
constrain which xfeatures are saved into the userspace buffer without
having to modify the user_xfeatures field in KVM's guest_fpu state.
KVM's ABI for KVM_GET_XSAVE{2} is that features that are not exposed to
guest must not show up in the effective xstate_bv field of the buffer.
Saving only the guest-supported xfeatures allows userspace to load the
saved state on a different host with a fewer xfeatures, so long as the
target host supports the xfeatures that are exposed to the guest.
KVM currently sets user_xfeatures directly to restrict KVM_GET_XSAVE{2} to
the set of guest-supported xfeatures, but doing so broke KVM's historical
ABI for KVM_SET_XSAVE, which allows userspace to load any xfeatures that
are supported by the *host*.
Cc: stable@vger.kernel.org
Signed-off-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20230928001956.924301-2-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/fpu/api.h | 3 ++-
arch/x86/kernel/fpu/core.c | 5 +++--
arch/x86/kernel/fpu/xstate.c | 7 +++++--
arch/x86/kernel/fpu/xstate.h | 3 ++-
arch/x86/kvm/x86.c | 21 +++++++++------------
5 files changed, 21 insertions(+), 18 deletions(-)
--- a/arch/x86/include/asm/fpu/api.h
+++ b/arch/x86/include/asm/fpu/api.h
@@ -148,7 +148,8 @@ static inline void fpu_update_guest_xfd(
static inline void fpu_sync_guest_vmexit_xfd_state(void) { }
#endif
-extern void fpu_copy_guest_fpstate_to_uabi(struct fpu_guest *gfpu, void *buf, unsigned int size, u32 pkru);
+extern void fpu_copy_guest_fpstate_to_uabi(struct fpu_guest *gfpu, void *buf,
+ unsigned int size, u64 xfeatures, u32 pkru);
extern int fpu_copy_uabi_to_guest_fpstate(struct fpu_guest *gfpu, const void *buf, u64 xcr0, u32 *vpkru);
static inline void fpstate_set_confidential(struct fpu_guest *gfpu)
--- a/arch/x86/kernel/fpu/core.c
+++ b/arch/x86/kernel/fpu/core.c
@@ -369,14 +369,15 @@ int fpu_swap_kvm_fpstate(struct fpu_gues
EXPORT_SYMBOL_GPL(fpu_swap_kvm_fpstate);
void fpu_copy_guest_fpstate_to_uabi(struct fpu_guest *gfpu, void *buf,
- unsigned int size, u32 pkru)
+ unsigned int size, u64 xfeatures, u32 pkru)
{
struct fpstate *kstate = gfpu->fpstate;
union fpregs_state *ustate = buf;
struct membuf mb = { .p = buf, .left = size };
if (cpu_feature_enabled(X86_FEATURE_XSAVE)) {
- __copy_xstate_to_uabi_buf(mb, kstate, pkru, XSTATE_COPY_XSAVE);
+ __copy_xstate_to_uabi_buf(mb, kstate, xfeatures, pkru,
+ XSTATE_COPY_XSAVE);
} else {
memcpy(&ustate->fxsave, &kstate->regs.fxsave,
sizeof(ustate->fxsave));
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -1053,6 +1053,7 @@ static void copy_feature(bool from_xstat
* __copy_xstate_to_uabi_buf - Copy kernel saved xstate to a UABI buffer
* @to: membuf descriptor
* @fpstate: The fpstate buffer from which to copy
+ * @xfeatures: The mask of xfeatures to save (XSAVE mode only)
* @pkru_val: The PKRU value to store in the PKRU component
* @copy_mode: The requested copy mode
*
@@ -1063,7 +1064,8 @@ static void copy_feature(bool from_xstat
* It supports partial copy but @to.pos always starts from zero.
*/
void __copy_xstate_to_uabi_buf(struct membuf to, struct fpstate *fpstate,
- u32 pkru_val, enum xstate_copy_mode copy_mode)
+ u64 xfeatures, u32 pkru_val,
+ enum xstate_copy_mode copy_mode)
{
const unsigned int off_mxcsr = offsetof(struct fxregs_state, mxcsr);
struct xregs_state *xinit = &init_fpstate.regs.xsave;
@@ -1087,7 +1089,7 @@ void __copy_xstate_to_uabi_buf(struct me
break;
case XSTATE_COPY_XSAVE:
- header.xfeatures &= fpstate->user_xfeatures;
+ header.xfeatures &= fpstate->user_xfeatures & xfeatures;
break;
}
@@ -1189,6 +1191,7 @@ void copy_xstate_to_uabi_buf(struct memb
enum xstate_copy_mode copy_mode)
{
__copy_xstate_to_uabi_buf(to, tsk->thread.fpu.fpstate,
+ tsk->thread.fpu.fpstate->user_xfeatures,
tsk->thread.pkru, copy_mode);
}
--- a/arch/x86/kernel/fpu/xstate.h
+++ b/arch/x86/kernel/fpu/xstate.h
@@ -43,7 +43,8 @@ enum xstate_copy_mode {
struct membuf;
extern void __copy_xstate_to_uabi_buf(struct membuf to, struct fpstate *fpstate,
- u32 pkru_val, enum xstate_copy_mode copy_mode);
+ u64 xfeatures, u32 pkru_val,
+ enum xstate_copy_mode copy_mode);
extern void copy_xstate_to_uabi_buf(struct membuf to, struct task_struct *tsk,
enum xstate_copy_mode mode);
extern int copy_uabi_from_kernel_to_xstate(struct fpstate *fpstate, const void *kbuf, u32 *pkru);
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5385,26 +5385,23 @@ static int kvm_vcpu_ioctl_x86_set_debugr
return 0;
}
-static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
- struct kvm_xsave *guest_xsave)
+
+static void kvm_vcpu_ioctl_x86_get_xsave2(struct kvm_vcpu *vcpu,
+ u8 *state, unsigned int size)
{
if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
return;
- fpu_copy_guest_fpstate_to_uabi(&vcpu->arch.guest_fpu,
- guest_xsave->region,
- sizeof(guest_xsave->region),
+ fpu_copy_guest_fpstate_to_uabi(&vcpu->arch.guest_fpu, state, size,
+ vcpu->arch.guest_fpu.fpstate->user_xfeatures,
vcpu->arch.pkru);
}
-static void kvm_vcpu_ioctl_x86_get_xsave2(struct kvm_vcpu *vcpu,
- u8 *state, unsigned int size)
+static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
+ struct kvm_xsave *guest_xsave)
{
- if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
- return;
-
- fpu_copy_guest_fpstate_to_uabi(&vcpu->arch.guest_fpu,
- state, size, vcpu->arch.pkru);
+ return kvm_vcpu_ioctl_x86_get_xsave2(vcpu, (void *)guest_xsave->region,
+ sizeof(guest_xsave->region));
}
static int kvm_vcpu_ioctl_x86_set_xsave(struct kvm_vcpu *vcpu,
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 020/241] KVM: x86/pmu: Truncate counter value to allowed width on write
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (18 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 019/241] x86/fpu: Allow caller to constrain xfeatures when copying to uabi buffer Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 021/241] KVM: x86: Constrain guest-supported xfeatures only at KVM_GET_XSAVE{2} Greg Kroah-Hartman
` (230 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Roman Kagan, Like Xu, Sean Christopherson
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Roman Kagan <rkagan@amazon.de>
commit b29a2acd36dd7a33c63f260df738fb96baa3d4f8 upstream.
Performance counters are defined to have width less than 64 bits. The
vPMU code maintains the counters in u64 variables but assumes the value
to fit within the defined width. However, for Intel non-full-width
counters (MSR_IA32_PERFCTRx) the value receieved from the guest is
truncated to 32 bits and then sign-extended to full 64 bits. If a
negative value is set, it's sign-extended to 64 bits, but then in
kvm_pmu_incr_counter() it's incremented, truncated, and compared to the
previous value for overflow detection.
That previous value is not truncated, so it always evaluates bigger than
the truncated new one, and a PMI is injected. If the PMI handler writes
a negative counter value itself, the vCPU never quits the PMI loop.
Turns out that Linux PMI handler actually does write the counter with
the value just read with RDPMC, so when no full-width support is exposed
via MSR_IA32_PERF_CAPABILITIES, and the guest initializes the counter to
a negative value, it locks up.
This has been observed in the field, for example, when the guest configures
atop to use perfevents and runs two instances of it simultaneously.
To address the problem, maintain the invariant that the counter value
always fits in the defined bit width, by truncating the received value
in the respective set_msr methods. For better readability, factor the
out into a helper function, pmc_write_counter(), shared by vmx and svm
parts.
Fixes: 9cd803d496e7 ("KVM: x86: Update vPMCs when retiring instructions")
Cc: stable@vger.kernel.org
Signed-off-by: Roman Kagan <rkagan@amazon.de>
Link: https://lore.kernel.org/all/20230504120042.785651-1-rkagan@amazon.de
Tested-by: Like Xu <likexu@tencent.com>
[sean: tweak changelog, s/set/write in the helper]
Signed-off-by: Sean Christopherson <seanjc@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/pmu.h | 6 ++++++
arch/x86/kvm/svm/pmu.c | 2 +-
arch/x86/kvm/vmx/pmu_intel.c | 4 ++--
3 files changed, 9 insertions(+), 3 deletions(-)
--- a/arch/x86/kvm/pmu.h
+++ b/arch/x86/kvm/pmu.h
@@ -74,6 +74,12 @@ static inline u64 pmc_read_counter(struc
return counter & pmc_bitmask(pmc);
}
+static inline void pmc_write_counter(struct kvm_pmc *pmc, u64 val)
+{
+ pmc->counter += val - pmc_read_counter(pmc);
+ pmc->counter &= pmc_bitmask(pmc);
+}
+
static inline void pmc_release_perf_event(struct kvm_pmc *pmc)
{
if (pmc->perf_event) {
--- a/arch/x86/kvm/svm/pmu.c
+++ b/arch/x86/kvm/svm/pmu.c
@@ -160,7 +160,7 @@ static int amd_pmu_set_msr(struct kvm_vc
/* MSR_PERFCTRn */
pmc = get_gp_pmc_amd(pmu, msr, PMU_TYPE_COUNTER);
if (pmc) {
- pmc->counter += data - pmc_read_counter(pmc);
+ pmc_write_counter(pmc, data);
pmc_update_sample_period(pmc);
return 0;
}
--- a/arch/x86/kvm/vmx/pmu_intel.c
+++ b/arch/x86/kvm/vmx/pmu_intel.c
@@ -406,11 +406,11 @@ static int intel_pmu_set_msr(struct kvm_
if (!msr_info->host_initiated &&
!(msr & MSR_PMC_FULL_WIDTH_BIT))
data = (s64)(s32)data;
- pmc->counter += data - pmc_read_counter(pmc);
+ pmc_write_counter(pmc, data);
pmc_update_sample_period(pmc);
break;
} else if ((pmc = get_fixed_pmc(pmu, msr))) {
- pmc->counter += data - pmc_read_counter(pmc);
+ pmc_write_counter(pmc, data);
pmc_update_sample_period(pmc);
break;
} else if ((pmc = get_gp_pmc(pmu, msr, MSR_P6_EVNTSEL0))) {
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 021/241] KVM: x86: Constrain guest-supported xfeatures only at KVM_GET_XSAVE{2}
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (19 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 020/241] KVM: x86/pmu: Truncate counter value to allowed width on write Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 022/241] x86: KVM: SVM: always update the x2avic msr interception Greg Kroah-Hartman
` (229 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tyler Stachecki, Leonardo Bras,
Sean Christopherson, Dave Hansen, Paolo Bonzini
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sean Christopherson <seanjc@google.com>
commit 8647c52e9504c99752a39f1d44f6268f82c40a5c upstream.
Mask off xfeatures that aren't exposed to the guest only when saving guest
state via KVM_GET_XSAVE{2} instead of modifying user_xfeatures directly.
Preserving the maximal set of xfeatures in user_xfeatures restores KVM's
ABI for KVM_SET_XSAVE, which prior to commit ad856280ddea ("x86/kvm/fpu:
Limit guest user_xfeatures to supported bits of XCR0") allowed userspace
to load xfeatures that are supported by the host, irrespective of what
xfeatures are exposed to the guest.
There is no known use case where userspace *intentionally* loads xfeatures
that aren't exposed to the guest, but the bug fixed by commit ad856280ddea
was specifically that KVM_GET_SAVE{2} would save xfeatures that weren't
exposed to the guest, e.g. would lead to userspace unintentionally loading
guest-unsupported xfeatures when live migrating a VM.
Restricting KVM_SET_XSAVE to guest-supported xfeatures is especially
problematic for QEMU-based setups, as QEMU has a bug where instead of
terminating the VM if KVM_SET_XSAVE fails, QEMU instead simply stops
loading guest state, i.e. resumes the guest after live migration with
incomplete guest state, and ultimately results in guest data corruption.
Note, letting userspace restore all host-supported xfeatures does not fix
setups where a VM is migrated from a host *without* commit ad856280ddea,
to a target with a subset of host-supported xfeatures. However there is
no way to safely address that scenario, e.g. KVM could silently drop the
unsupported features, but that would be a clear violation of KVM's ABI and
so would require userspace to opt-in, at which point userspace could
simply be updated to sanitize the to-be-loaded XSAVE state.
Reported-by: Tyler Stachecki <stachecki.tyler@gmail.com>
Closes: https://lore.kernel.org/all/20230914010003.358162-1-tstachecki@bloomberg.net
Fixes: ad856280ddea ("x86/kvm/fpu: Limit guest user_xfeatures to supported bits of XCR0")
Cc: stable@vger.kernel.org
Cc: Leonardo Bras <leobras@redhat.com>
Signed-off-by: Sean Christopherson <seanjc@google.com>
Acked-by: Dave Hansen <dave.hansen@linux.intel.com>
Message-Id: <20230928001956.924301-3-seanjc@google.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kernel/fpu/xstate.c | 5 +----
arch/x86/kvm/cpuid.c | 8 --------
arch/x86/kvm/x86.c | 18 ++++++++++++++++--
3 files changed, 17 insertions(+), 14 deletions(-)
--- a/arch/x86/kernel/fpu/xstate.c
+++ b/arch/x86/kernel/fpu/xstate.c
@@ -1543,10 +1543,7 @@ static int fpstate_realloc(u64 xfeatures
fpregs_restore_userregs();
newfps->xfeatures = curfps->xfeatures | xfeatures;
-
- if (!guest_fpu)
- newfps->user_xfeatures = curfps->user_xfeatures | xfeatures;
-
+ newfps->user_xfeatures = curfps->user_xfeatures | xfeatures;
newfps->xfd = curfps->xfd & ~xfeatures;
/* Do the final updates within the locked region */
--- a/arch/x86/kvm/cpuid.c
+++ b/arch/x86/kvm/cpuid.c
@@ -326,14 +326,6 @@ static void kvm_vcpu_after_set_cpuid(str
vcpu->arch.guest_supported_xcr0 =
cpuid_get_supported_xcr0(vcpu->arch.cpuid_entries, vcpu->arch.cpuid_nent);
- /*
- * FP+SSE can always be saved/restored via KVM_{G,S}ET_XSAVE, even if
- * XSAVE/XCRO are not exposed to the guest, and even if XSAVE isn't
- * supported by the host.
- */
- vcpu->arch.guest_fpu.fpstate->user_xfeatures = vcpu->arch.guest_supported_xcr0 |
- XFEATURE_MASK_FPSSE;
-
kvm_update_pv_runtime(vcpu);
vcpu->arch.maxphyaddr = cpuid_query_maxphyaddr(vcpu);
--- a/arch/x86/kvm/x86.c
+++ b/arch/x86/kvm/x86.c
@@ -5389,12 +5389,26 @@ static int kvm_vcpu_ioctl_x86_set_debugr
static void kvm_vcpu_ioctl_x86_get_xsave2(struct kvm_vcpu *vcpu,
u8 *state, unsigned int size)
{
+ /*
+ * Only copy state for features that are enabled for the guest. The
+ * state itself isn't problematic, but setting bits in the header for
+ * features that are supported in *this* host but not exposed to the
+ * guest can result in KVM_SET_XSAVE failing when live migrating to a
+ * compatible host without the features that are NOT exposed to the
+ * guest.
+ *
+ * FP+SSE can always be saved/restored via KVM_{G,S}ET_XSAVE, even if
+ * XSAVE/XCRO are not exposed to the guest, and even if XSAVE isn't
+ * supported by the host.
+ */
+ u64 supported_xcr0 = vcpu->arch.guest_supported_xcr0 |
+ XFEATURE_MASK_FPSSE;
+
if (fpstate_is_confidential(&vcpu->arch.guest_fpu))
return;
fpu_copy_guest_fpstate_to_uabi(&vcpu->arch.guest_fpu, state, size,
- vcpu->arch.guest_fpu.fpstate->user_xfeatures,
- vcpu->arch.pkru);
+ supported_xcr0, vcpu->arch.pkru);
}
static void kvm_vcpu_ioctl_x86_get_xsave(struct kvm_vcpu *vcpu,
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 022/241] x86: KVM: SVM: always update the x2avic msr interception
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (20 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 021/241] KVM: x86: Constrain guest-supported xfeatures only at KVM_GET_XSAVE{2} Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 023/241] x86: KVM: SVM: add support for Invalid IPI Vector interception Greg Kroah-Hartman
` (228 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Levitsky,
Suravee Suthikulpanit, Sean Christopherson, Paolo Bonzini
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Levitsky <mlevitsk@redhat.com>
commit b65235f6e102354ccafda601eaa1c5bef5284d21 upstream.
The following problem exists since x2avic was enabled in the KVM:
svm_set_x2apic_msr_interception is called to enable the interception of
the x2apic msrs.
In particular it is called at the moment the guest resets its apic.
Assuming that the guest's apic was in x2apic mode, the reset will bring
it back to the xapic mode.
The svm_set_x2apic_msr_interception however has an erroneous check for
'!apic_x2apic_mode()' which prevents it from doing anything in this case.
As a result of this, all x2apic msrs are left unintercepted, and that
exposes the bare metal x2apic (if enabled) to the guest.
Oops.
Remove the erroneous '!apic_x2apic_mode()' check to fix that.
This fixes CVE-2023-5090
Fixes: 4d1d7942e36a ("KVM: SVM: Introduce logic to (de)activate x2AVIC mode")
Cc: stable@vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Tested-by: Suravee Suthikulpanit <suravee.suthikulpanit@amd.com>
Reviewed-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20230928173354.217464-2-mlevitsk@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/svm.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/arch/x86/kvm/svm/svm.c
+++ b/arch/x86/kvm/svm/svm.c
@@ -829,8 +829,7 @@ void svm_set_x2apic_msr_interception(str
if (intercept == svm->x2avic_msrs_intercepted)
return;
- if (!x2avic_enabled ||
- !apic_x2apic_mode(svm->vcpu.arch.apic))
+ if (!x2avic_enabled)
return;
for (i = 0; i < MAX_DIRECT_ACCESS_MSRS; i++) {
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 023/241] x86: KVM: SVM: add support for Invalid IPI Vector interception
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (21 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 022/241] x86: KVM: SVM: always update the x2avic msr interception Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 024/241] x86: KVM: SVM: refresh AVIC inhibition in svm_leave_nested() Greg Kroah-Hartman
` (227 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Levitsky, Sean Christopherson,
Paolo Bonzini
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Levitsky <mlevitsk@redhat.com>
commit 2dcf37abf9d3aab7f975002d29fc7c17272def38 upstream.
In later revisions of AMD's APM, there is a new 'incomplete IPI' exit code:
"Invalid IPI Vector - The vector for the specified IPI was set to an
illegal value (VEC < 16)"
Note that tests on Zen2 machine show that this VM exit doesn't happen and
instead AVIC just does nothing.
Add support for this exit code by doing nothing, instead of filling
the kernel log with errors.
Also replace an unthrottled 'pr_err()' if another unknown incomplete
IPI exit happens with vcpu_unimpl()
(e.g in case AMD adds yet another 'Invalid IPI' exit reason)
Cc: <stable@vger.kernel.org>
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20230928173354.217464-3-mlevitsk@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/include/asm/svm.h | 1 +
arch/x86/kvm/svm/avic.c | 5 ++++-
2 files changed, 5 insertions(+), 1 deletion(-)
--- a/arch/x86/include/asm/svm.h
+++ b/arch/x86/include/asm/svm.h
@@ -268,6 +268,7 @@ enum avic_ipi_failure_cause {
AVIC_IPI_FAILURE_TARGET_NOT_RUNNING,
AVIC_IPI_FAILURE_INVALID_TARGET,
AVIC_IPI_FAILURE_INVALID_BACKING_PAGE,
+ AVIC_IPI_FAILURE_INVALID_IPI_VECTOR,
};
#define AVIC_PHYSICAL_MAX_INDEX_MASK GENMASK_ULL(8, 0)
--- a/arch/x86/kvm/svm/avic.c
+++ b/arch/x86/kvm/svm/avic.c
@@ -529,8 +529,11 @@ int avic_incomplete_ipi_interception(str
case AVIC_IPI_FAILURE_INVALID_BACKING_PAGE:
WARN_ONCE(1, "Invalid backing page\n");
break;
+ case AVIC_IPI_FAILURE_INVALID_IPI_VECTOR:
+ /* Invalid IPI with vector < 16 */
+ break;
default:
- pr_err("Unknown IPI interception\n");
+ vcpu_unimpl(vcpu, "Unknown avic incomplete IPI interception\n");
}
return 1;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 024/241] x86: KVM: SVM: refresh AVIC inhibition in svm_leave_nested()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (22 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 023/241] x86: KVM: SVM: add support for Invalid IPI Vector interception Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 025/241] audit,io_uring: io_uring openat triggers audit reference count underflow Greg Kroah-Hartman
` (226 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maxim Levitsky, Sean Christopherson,
Paolo Bonzini
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maxim Levitsky <mlevitsk@redhat.com>
commit 3fdc6087df3be73a212a81ce5dd6516638568806 upstream.
svm_leave_nested() similar to a nested VM exit, get the vCPU out of nested
mode and thus should end the local inhibition of AVIC on this vCPU.
Failure to do so, can lead to hangs on guest reboot.
Raise the KVM_REQ_APICV_UPDATE request to refresh the AVIC state of the
current vCPU in this case.
Fixes: f44509f849fe ("KVM: x86: SVM: allow AVIC to co-exist with a nested guest running")
Cc: stable@vger.kernel.org
Signed-off-by: Maxim Levitsky <mlevitsk@redhat.com>
Reviewed-by: Sean Christopherson <seanjc@google.com>
Message-Id: <20230928173354.217464-4-mlevitsk@redhat.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/x86/kvm/svm/nested.c | 3 +++
1 file changed, 3 insertions(+)
--- a/arch/x86/kvm/svm/nested.c
+++ b/arch/x86/kvm/svm/nested.c
@@ -1243,6 +1243,9 @@ void svm_leave_nested(struct kvm_vcpu *v
nested_svm_uninit_mmu_context(vcpu);
vmcb_mark_all_dirty(svm->vmcb);
+
+ if (kvm_apicv_activated(vcpu->kvm))
+ kvm_make_request(KVM_REQ_APICV_UPDATE, vcpu);
}
kvm_clear_request(KVM_REQ_GET_NESTED_STATE_PAGES, vcpu);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 025/241] audit,io_uring: io_uring openat triggers audit reference count underflow
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (23 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 024/241] x86: KVM: SVM: refresh AVIC inhibition in svm_leave_nested() Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 026/241] tcp: check mptcp-level constraints for backlog coalescing Greg Kroah-Hartman
` (225 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Clash, Jens Axboe, Christian Brauner
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Clash <daclash@linux.microsoft.com>
commit 03adc61edad49e1bbecfb53f7ea5d78f398fe368 upstream.
An io_uring openat operation can update an audit reference count
from multiple threads resulting in the call trace below.
A call to io_uring_submit() with a single openat op with a flag of
IOSQE_ASYNC results in the following reference count updates.
These first part of the system call performs two increments that do not race.
do_syscall_64()
__do_sys_io_uring_enter()
io_submit_sqes()
io_openat_prep()
__io_openat_prep()
getname()
getname_flags() /* update 1 (increment) */
__audit_getname() /* update 2 (increment) */
The openat op is queued to an io_uring worker thread which starts the
opportunity for a race. The system call exit performs one decrement.
do_syscall_64()
syscall_exit_to_user_mode()
syscall_exit_to_user_mode_prepare()
__audit_syscall_exit()
audit_reset_context()
putname() /* update 3 (decrement) */
The io_uring worker thread performs one increment and two decrements.
These updates can race with the system call decrement.
io_wqe_worker()
io_worker_handle_work()
io_wq_submit_work()
io_issue_sqe()
io_openat()
io_openat2()
do_filp_open()
path_openat()
__audit_inode() /* update 4 (increment) */
putname() /* update 5 (decrement) */
__audit_uring_exit()
audit_reset_context()
putname() /* update 6 (decrement) */
The fix is to change the refcnt member of struct audit_names
from int to atomic_t.
kernel BUG at fs/namei.c:262!
Call Trace:
...
? putname+0x68/0x70
audit_reset_context.part.0.constprop.0+0xe1/0x300
__audit_uring_exit+0xda/0x1c0
io_issue_sqe+0x1f3/0x450
? lock_timer_base+0x3b/0xd0
io_wq_submit_work+0x8d/0x2b0
? __try_to_del_timer_sync+0x67/0xa0
io_worker_handle_work+0x17c/0x2b0
io_wqe_worker+0x10a/0x350
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/lkml/MW2PR2101MB1033FFF044A258F84AEAA584F1C9A@MW2PR2101MB1033.namprd21.prod.outlook.com/
Fixes: 5bd2182d58e9 ("audit,io_uring,io-wq: add some basic audit support to io_uring")
Signed-off-by: Dan Clash <daclash@linux.microsoft.com>
Link: https://lore.kernel.org/r/20231012215518.GA4048@linuxonhyperv3.guj3yctzbm1etfxqx2vob5hsef.xx.internal.cloudapp.net
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/namei.c | 9 +++++----
include/linux/fs.h | 2 +-
kernel/auditsc.c | 8 ++++----
3 files changed, 10 insertions(+), 9 deletions(-)
--- a/fs/namei.c
+++ b/fs/namei.c
@@ -188,7 +188,7 @@ getname_flags(const char __user *filenam
}
}
- result->refcnt = 1;
+ atomic_set(&result->refcnt, 1);
/* The empty path is special. */
if (unlikely(!len)) {
if (empty)
@@ -249,7 +249,7 @@ getname_kernel(const char * filename)
memcpy((char *)result->name, filename, len);
result->uptr = NULL;
result->aname = NULL;
- result->refcnt = 1;
+ atomic_set(&result->refcnt, 1);
audit_getname(result);
return result;
@@ -261,9 +261,10 @@ void putname(struct filename *name)
if (IS_ERR(name))
return;
- BUG_ON(name->refcnt <= 0);
+ if (WARN_ON_ONCE(!atomic_read(&name->refcnt)))
+ return;
- if (--name->refcnt > 0)
+ if (!atomic_dec_and_test(&name->refcnt))
return;
if (name->name != name->iname) {
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -2318,7 +2318,7 @@ struct audit_names;
struct filename {
const char *name; /* pointer to actual string */
const __user char *uptr; /* original userland pointer */
- int refcnt;
+ atomic_t refcnt;
struct audit_names *aname;
const char iname[];
};
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -2210,7 +2210,7 @@ __audit_reusename(const __user char *upt
if (!n->name)
continue;
if (n->name->uptr == uptr) {
- n->name->refcnt++;
+ atomic_inc(&n->name->refcnt);
return n->name;
}
}
@@ -2239,7 +2239,7 @@ void __audit_getname(struct filename *na
n->name = name;
n->name_len = AUDIT_NAME_FULL;
name->aname = n;
- name->refcnt++;
+ atomic_inc(&name->refcnt);
}
static inline int audit_copy_fcaps(struct audit_names *name,
@@ -2371,7 +2371,7 @@ out_alloc:
return;
if (name) {
n->name = name;
- name->refcnt++;
+ atomic_inc(&name->refcnt);
}
out:
@@ -2498,7 +2498,7 @@ void __audit_inode_child(struct inode *p
if (found_parent) {
found_child->name = found_parent->name;
found_child->name_len = AUDIT_NAME_FULL;
- found_child->name->refcnt++;
+ atomic_inc(&found_child->name->refcnt);
}
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 026/241] tcp: check mptcp-level constraints for backlog coalescing
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (24 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 025/241] audit,io_uring: io_uring openat triggers audit reference count underflow Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 027/241] mptcp: more conservative check for zero probes Greg Kroah-Hartman
` (224 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Paasch, Mat Martineau,
Paolo Abeni, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 6db8a37dfc541e059851652cfd4f0bb13b8ff6af upstream.
The MPTCP protocol can acquire the subflow-level socket lock and
cause the tcp backlog usage. When inserting new skbs into the
backlog, the stack will try to coalesce them.
Currently, we have no check in place to ensure that such coalescing
will respect the MPTCP-level DSS, and that may cause data stream
corruption, as reported by Christoph.
Address the issue by adding the relevant admission check for coalescing
in tcp_add_backlog().
Note the issue is not easy to reproduce, as the MPTCP protocol tries
hard to avoid acquiring the subflow-level socket lock.
Fixes: 648ef4b88673 ("mptcp: Implement MPTCP receive path")
Cc: stable@vger.kernel.org
Reported-by: Christoph Paasch <cpaasch@apple.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/420
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <martineau@kernel.org>
Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-2-17ecb002e41d@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_ipv4.c | 1 +
1 file changed, 1 insertion(+)
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -1869,6 +1869,7 @@ bool tcp_add_backlog(struct sock *sk, st
#ifdef CONFIG_TLS_DEVICE
tail->decrypted != skb->decrypted ||
#endif
+ !mptcp_skb_can_collapse(tail, skb) ||
thtail->doff != th->doff ||
memcmp(thtail + 1, th + 1, hdrlen - sizeof(*th)))
goto no_coalesce;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 027/241] mptcp: more conservative check for zero probes
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (25 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 026/241] tcp: check mptcp-level constraints for backlog coalescing Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 028/241] selftests: mptcp: join: no RST when rm subflow/addr Greg Kroah-Hartman
` (223 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Paasch, Mat Martineau,
Paolo Abeni, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
commit 72377ab2d671befd6390a1d5677f5cca61235b65 upstream.
Christoph reported that the MPTCP protocol can find the subflow-level
write queue unexpectedly not empty while crafting a zero-window probe,
hitting a warning:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 188 at net/mptcp/protocol.c:1312 mptcp_sendmsg_frag+0xc06/0xe70
Modules linked in:
CPU: 0 PID: 188 Comm: kworker/0:2 Not tainted 6.6.0-rc2-g1176aa719d7a #47
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
Workqueue: events mptcp_worker
RIP: 0010:mptcp_sendmsg_frag+0xc06/0xe70 net/mptcp/protocol.c:1312
RAX: 47d0530de347ff6a RBX: 47d0530de347ff6b RCX: ffff8881015d3c00
RDX: ffff8881015d3c00 RSI: 47d0530de347ff6b RDI: 47d0530de347ff6b
RBP: 47d0530de347ff6b R08: ffffffff8243c6a8 R09: ffffffff82042d9c
R10: 0000000000000002 R11: ffffffff82056850 R12: ffff88812a13d580
R13: 0000000000000001 R14: ffff88812b375e50 R15: ffff88812bbf3200
FS: 0000000000000000(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000695118 CR3: 0000000115dfc001 CR4: 0000000000170ef0
Call Trace:
<TASK>
__subflow_push_pending+0xa4/0x420 net/mptcp/protocol.c:1545
__mptcp_push_pending+0x128/0x3b0 net/mptcp/protocol.c:1614
mptcp_release_cb+0x218/0x5b0 net/mptcp/protocol.c:3391
release_sock+0xf6/0x100 net/core/sock.c:3521
mptcp_worker+0x6e8/0x8f0 net/mptcp/protocol.c:2746
process_scheduled_works+0x341/0x690 kernel/workqueue.c:2630
worker_thread+0x3a7/0x610 kernel/workqueue.c:2784
kthread+0x143/0x180 kernel/kthread.c:388
ret_from_fork+0x4d/0x60 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:304
</TASK>
The root cause of the issue is that expectations are wrong: e.g. due
to MPTCP-level re-injection we can hit the critical condition.
Explicitly avoid the zero-window probe when the subflow write queue
is not empty and drop the related warnings.
Reported-by: Christoph Paasch <cpaasch@apple.com>
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/444
Fixes: f70cad1085d1 ("mptcp: stop relying on tcp_tx_skb_cache")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <martineau@kernel.org>
Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-3-17ecb002e41d@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 8 +-------
1 file changed, 1 insertion(+), 7 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -1300,7 +1300,7 @@ alloc_skb:
if (copy == 0) {
u64 snd_una = READ_ONCE(msk->snd_una);
- if (snd_una != msk->snd_nxt) {
+ if (snd_una != msk->snd_nxt || tcp_write_queue_tail(ssk)) {
tcp_remove_empty_skb(ssk);
return 0;
}
@@ -1308,11 +1308,6 @@ alloc_skb:
zero_window_probe = true;
data_seq = snd_una - 1;
copy = 1;
-
- /* all mptcp-level data is acked, no skbs should be present into the
- * ssk write queue
- */
- WARN_ON_ONCE(reuse_skb);
}
copy = min_t(size_t, copy, info->limit - info->sent);
@@ -1341,7 +1336,6 @@ alloc_skb:
if (reuse_skb) {
TCP_SKB_CB(skb)->tcp_flags &= ~TCPHDR_PSH;
mpext->data_len += copy;
- WARN_ON_ONCE(zero_window_probe);
goto out;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 028/241] selftests: mptcp: join: no RST when rm subflow/addr
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (26 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 027/241] mptcp: more conservative check for zero probes Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 029/241] mm: slab: Do not create kmalloc caches smaller than arch_slab_minalign() Greg Kroah-Hartman
` (222 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Matthieu Baerts,
Mat Martineau, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts <matttbe@kernel.org>
commit 2cfaa8b3b7aece3c7b13dd10db20dcea65875692 upstream.
Recently, we noticed that some RST were wrongly generated when removing
the initial subflow.
This patch makes sure RST are not sent when removing any subflows or any
addresses.
Fixes: c2b2ae3925b6 ("mptcp: handle correctly disconnect() failures")
Cc: stable@vger.kernel.org
Acked-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Matthieu Baerts <matttbe@kernel.org>
Signed-off-by: Mat Martineau <martineau@kernel.org>
Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-5-17ecb002e41d@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 13 +++++++++++++
1 file changed, 13 insertions(+)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -2282,6 +2282,7 @@ remove_tests()
chk_join_nr 1 1 1
chk_rm_tx_nr 1
chk_rm_nr 1 1
+ chk_rst_nr 0 0
fi
# multiple subflows, remove
@@ -2294,6 +2295,7 @@ remove_tests()
run_tests $ns1 $ns2 10.0.1.1 slow
chk_join_nr 2 2 2
chk_rm_nr 2 2
+ chk_rst_nr 0 0
fi
# single address, remove
@@ -2306,6 +2308,7 @@ remove_tests()
chk_join_nr 1 1 1
chk_add_nr 1 1
chk_rm_nr 1 1 invert
+ chk_rst_nr 0 0
fi
# subflow and signal, remove
@@ -2319,6 +2322,7 @@ remove_tests()
chk_join_nr 2 2 2
chk_add_nr 1 1
chk_rm_nr 1 1
+ chk_rst_nr 0 0
fi
# subflows and signal, remove
@@ -2333,6 +2337,7 @@ remove_tests()
chk_join_nr 3 3 3
chk_add_nr 1 1
chk_rm_nr 2 2
+ chk_rst_nr 0 0
fi
# addresses remove
@@ -2347,6 +2352,7 @@ remove_tests()
chk_join_nr 3 3 3
chk_add_nr 3 3
chk_rm_nr 3 3 invert
+ chk_rst_nr 0 0
fi
# invalid addresses remove
@@ -2361,6 +2367,7 @@ remove_tests()
chk_join_nr 1 1 1
chk_add_nr 3 3
chk_rm_nr 3 1 invert
+ chk_rst_nr 0 0
fi
# subflows and signal, flush
@@ -2375,6 +2382,7 @@ remove_tests()
chk_join_nr 3 3 3
chk_add_nr 1 1
chk_rm_nr 1 3 invert simult
+ chk_rst_nr 0 0
fi
# subflows flush
@@ -2394,6 +2402,7 @@ remove_tests()
else
chk_rm_nr 3 3
fi
+ chk_rst_nr 0 0
fi
# addresses flush
@@ -2408,6 +2417,7 @@ remove_tests()
chk_join_nr 3 3 3
chk_add_nr 3 3
chk_rm_nr 3 3 invert simult
+ chk_rst_nr 0 0
fi
# invalid addresses flush
@@ -2422,6 +2432,7 @@ remove_tests()
chk_join_nr 1 1 1
chk_add_nr 3 3
chk_rm_nr 3 1 invert
+ chk_rst_nr 0 0
fi
# remove id 0 subflow
@@ -2433,6 +2444,7 @@ remove_tests()
run_tests $ns1 $ns2 10.0.1.1 slow
chk_join_nr 1 1 1
chk_rm_nr 1 1
+ chk_rst_nr 0 0
fi
# remove id 0 address
@@ -2445,6 +2457,7 @@ remove_tests()
chk_join_nr 1 1 1
chk_add_nr 1 1
chk_rm_nr 1 1 invert
+ chk_rst_nr 0 0 invert
fi
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 029/241] mm: slab: Do not create kmalloc caches smaller than arch_slab_minalign()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (27 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 028/241] selftests: mptcp: join: no RST when rm subflow/addr Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 030/241] fs/ntfs3: Fix OOB read in ntfs_init_from_boot Greg Kroah-Hartman
` (221 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mark Rutland, Catalin Marinas,
Peter Collingbourne, Vlastimil Babka
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Catalin Marinas <catalin.marinas@arm.com>
commit c15cdea517414e0b29a11e0a0e2443d127c9109b upstream.
Commit b035f5a6d852 ("mm: slab: reduce the kmalloc() minimum alignment
if DMA bouncing possible") allows architectures with non-coherent DMA to
define a small ARCH_KMALLOC_MINALIGN (e.g. sizeof(unsigned long long))
and this has been enabled on arm64. With KASAN_HW_TAGS enabled, however,
ARCH_SLAB_MINALIGN becomes 16 on arm64 (arch_slab_minalign() dynamically
selects it since commit d949a8155d13 ("mm: make minimum slab alignment a
runtime property")). This can lead to a situation where kmalloc-8 caches
are attempted to be created with a kmem_caches.size aligned to 16. When
the cache is mergeable, it can lead to kernel warnings like:
sysfs: cannot create duplicate filename '/kernel/slab/:d-0000016'
CPU: 0 PID: 1 Comm: swapper/0 Not tainted 6.6.0-rc1-00001-gda98843cd306-dirty #5
Hardware name: QEMU QEMU Virtual Machine, BIOS 0.0.0 02/06/2015
Call trace:
dump_backtrace+0x90/0xe8
show_stack+0x18/0x24
dump_stack_lvl+0x48/0x60
dump_stack+0x18/0x24
sysfs_warn_dup+0x64/0x80
sysfs_create_dir_ns+0xe8/0x108
kobject_add_internal+0x98/0x264
kobject_init_and_add+0x8c/0xd8
sysfs_slab_add+0x12c/0x248
slab_sysfs_init+0x98/0x14c
do_one_initcall+0x6c/0x1b0
kernel_init_freeable+0x1c0/0x288
kernel_init+0x24/0x1e0
ret_from_fork+0x10/0x20
kobject: kobject_add_internal failed for :d-0000016 with -EEXIST, don't try to register things with the same name in the same directory.
SLUB: Unable to add boot slab dma-kmalloc-8 to sysfs
Limit the __kmalloc_minalign() return value (used to create the
kmalloc-* caches) to arch_slab_minalign() so that kmalloc-8 caches are
skipped when KASAN_HW_TAGS is enabled (both config and runtime).
Reported-by: Mark Rutland <mark.rutland@arm.com>
Fixes: b035f5a6d852 ("mm: slab: reduce the kmalloc() minimum alignment if DMA bouncing possible")
Signed-off-by: Catalin Marinas <catalin.marinas@arm.com>
Cc: Peter Collingbourne <pcc@google.com>
Cc: stable@vger.kernel.org # 6.5.x
Signed-off-by: Vlastimil Babka <vbabka@suse.cz>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
mm/slab_common.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/mm/slab_common.c
+++ b/mm/slab_common.c
@@ -864,11 +864,13 @@ void __init setup_kmalloc_cache_index_ta
static unsigned int __kmalloc_minalign(void)
{
+ unsigned int minalign = dma_get_cache_alignment();
+
#ifdef CONFIG_DMA_BOUNCE_UNALIGNED_KMALLOC
if (io_tlb_default_mem.nslabs)
- return ARCH_KMALLOC_MINALIGN;
+ minalign = ARCH_KMALLOC_MINALIGN;
#endif
- return dma_get_cache_alignment();
+ return max(minalign, arch_slab_minalign());
}
void __init
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 030/241] fs/ntfs3: Fix OOB read in ntfs_init_from_boot
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (28 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 029/241] mm: slab: Do not create kmalloc caches smaller than arch_slab_minalign() Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 031/241] fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e() Greg Kroah-Hartman
` (220 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+53ce40c8c0322c06aea5,
Pavel Skripkin, Konstantin Komarov
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pavel Skripkin <paskripkin@gmail.com>
commit 34e6552a442f268eefd408e47f4f2d471aa64829 upstream.
Syzbot was able to create a device which has the last sector of size
512.
After failing to boot from initial sector, reading from boot info from
offset 511 causes OOB read.
To prevent such reports add sanity check to validate if size of buffer_head
if big enough to hold ntfs3 bootinfo
Fixes: 6a4cd3ea7d77 ("fs/ntfs3: Alternative boot if primary boot is corrupted")
Reported-by: syzbot+53ce40c8c0322c06aea5@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/super.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -855,6 +855,11 @@ static int ntfs_init_from_boot(struct su
check_boot:
err = -EINVAL;
+
+ /* Corrupted image; do not read OOB */
+ if (bh->b_size - sizeof(*boot) < boot_off)
+ goto out;
+
boot = (struct NTFS_BOOT *)Add2Ptr(bh->b_data, boot_off);
if (memcmp(boot->system_id, "NTFS ", sizeof("NTFS ") - 1)) {
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 031/241] fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (29 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 030/241] fs/ntfs3: Fix OOB read in ntfs_init_from_boot Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 032/241] fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea() Greg Kroah-Hartman
` (219 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+60cf892fc31d1f4358fc,
Ziqi Zhao, Konstantin Komarov
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ziqi Zhao <astrajoan@yahoo.com>
commit 1f9b94af923c88539426ed811ae7e9543834a5c5 upstream.
Upon investigation of the C reproducer provided by Syzbot, it seemed
the reproducer was trying to mount a corrupted NTFS filesystem, then
issue a rename syscall to some nodes in the filesystem. This can be
shown by modifying the reproducer to only include the mount syscall,
and investigating the filesystem by e.g. `ls` and `rm` commands. As a
result, during the problematic call to `hdr_fine_e`, the `inode` being
supplied did not go through `indx_init`, hence the `cmp` function
pointer was never set.
The fix is simply to check whether `cmp` is not set, and return NULL
if that's the case, in order to be consistent with other error
scenarios of the `hdr_find_e` method. The rationale behind this patch
is that:
- We should prevent crashing the kernel even if the mounted filesystem
is corrupted. Any syscalls made on the filesystem could return
invalid, but the kernel should be able to sustain these calls.
- Only very specific corruption would lead to this bug, so it would be
a pretty rare case in actual usage anyways. Therefore, introducing a
check to specifically protect against this bug seems appropriate.
Because of its rarity, an `unlikely` clause is used to wrap around
this nullity check.
Reported-by: syzbot+60cf892fc31d1f4358fc@syzkaller.appspotmail.com
Signed-off-by: Ziqi Zhao <astrajoan@yahoo.com>
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/index.c | 3 +++
1 file changed, 3 insertions(+)
--- a/fs/ntfs3/index.c
+++ b/fs/ntfs3/index.c
@@ -729,6 +729,9 @@ static struct NTFS_DE *hdr_find_e(const
u32 total = le32_to_cpu(hdr->total);
u16 offs[128];
+ if (unlikely(!cmp))
+ return NULL;
+
fill_table:
if (end > total)
return NULL;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 032/241] fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (30 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 031/241] fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e() Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 033/241] fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super Greg Kroah-Hartman
` (218 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+9fcea5ef6dc4dc72d334,
Zeng Heng, Konstantin Komarov
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zeng Heng <zengheng4@huawei.com>
commit 8e7e27b2ee1e19c4040d4987e345f678a74c0aed upstream.
Here is a BUG report about linux-6.1 from syzbot, but it still remains
within upstream:
BUG: KASAN: slab-out-of-bounds in ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
BUG: KASAN: slab-out-of-bounds in ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
Read of size 1 at addr ffff888021acaf3d by task syz-executor128/3632
Call Trace:
kasan_report+0x139/0x170 mm/kasan/report.c:495
ntfs_list_ea fs/ntfs3/xattr.c:191 [inline]
ntfs_listxattr+0x401/0x570 fs/ntfs3/xattr.c:710
vfs_listxattr fs/xattr.c:457 [inline]
listxattr+0x293/0x2d0 fs/xattr.c:804
path_listxattr fs/xattr.c:828 [inline]
__do_sys_llistxattr fs/xattr.c:846 [inline]
Before derefering field members of `ea` in unpacked_ea_size(), we need to
check whether the EA_FULL struct is located in access validate range.
Similarly, when derefering `ea->name` field member, we need to check
whethe the ea->name is located in access validate range, too.
Fixes: be71b5cba2e6 ("fs/ntfs3: Add attrib operations")
Reported-by: syzbot+9fcea5ef6dc4dc72d334@syzkaller.appspotmail.com
Signed-off-by: Zeng Heng <zengheng4@huawei.com>
[almaz.alexandrovich@paragon-software.com: took the ret variable out of the loop block]
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/xattr.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/fs/ntfs3/xattr.c
+++ b/fs/ntfs3/xattr.c
@@ -211,7 +211,8 @@ static ssize_t ntfs_list_ea(struct ntfs_
size = le32_to_cpu(info->size);
/* Enumerate all xattrs. */
- for (ret = 0, off = 0; off < size; off += ea_size) {
+ ret = 0;
+ for (off = 0; off + sizeof(struct EA_FULL) < size; off += ea_size) {
ea = Add2Ptr(ea_all, off);
ea_size = unpacked_ea_size(ea);
@@ -219,6 +220,10 @@ static ssize_t ntfs_list_ea(struct ntfs_
break;
if (buffer) {
+ /* Check if we can use field ea->name */
+ if (off + ea_size > size)
+ break;
+
if (ret + ea->name_len + 1 > bytes_per_buffer) {
err = -ERANGE;
goto out;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 033/241] fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (31 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 032/241] fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea() Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 034/241] fs/ntfs3: fix deadlock in mark_as_free_ex Greg Kroah-Hartman
` (217 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+478c1bf0e6bf4a8f3a04,
Konstantin Komarov
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
commit 91a4b1ee78cb100b19b70f077c247f211110348f upstream.
Reported-by: syzbot+478c1bf0e6bf4a8f3a04@syzkaller.appspotmail.com
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/ntfs_fs.h | 2 ++
fs/ntfs3/super.c | 26 ++++++++++++++++++++------
2 files changed, 22 insertions(+), 6 deletions(-)
--- a/fs/ntfs3/ntfs_fs.h
+++ b/fs/ntfs3/ntfs_fs.h
@@ -42,9 +42,11 @@ enum utf16_endian;
#define MINUS_ONE_T ((size_t)(-1))
/* Biggest MFT / smallest cluster */
#define MAXIMUM_BYTES_PER_MFT 4096
+#define MAXIMUM_SHIFT_BYTES_PER_MFT 12
#define NTFS_BLOCKS_PER_MFT_RECORD (MAXIMUM_BYTES_PER_MFT / 512)
#define MAXIMUM_BYTES_PER_INDEX 4096
+#define MAXIMUM_SHIFT_BYTES_PER_INDEX 12
#define NTFS_BLOCKS_PER_INODE (MAXIMUM_BYTES_PER_INDEX / 512)
/* NTFS specific error code when fixup failed. */
--- a/fs/ntfs3/super.c
+++ b/fs/ntfs3/super.c
@@ -906,9 +906,17 @@ check_boot:
goto out;
}
- sbi->record_size = record_size =
- boot->record_size < 0 ? 1 << (-boot->record_size) :
- (u32)boot->record_size << cluster_bits;
+ if (boot->record_size >= 0) {
+ record_size = (u32)boot->record_size << cluster_bits;
+ } else if (-boot->record_size <= MAXIMUM_SHIFT_BYTES_PER_MFT) {
+ record_size = 1u << (-boot->record_size);
+ } else {
+ ntfs_err(sb, "%s: invalid record size %d.", hint,
+ boot->record_size);
+ goto out;
+ }
+
+ sbi->record_size = record_size;
sbi->record_bits = blksize_bits(record_size);
sbi->attr_size_tr = (5 * record_size >> 4); // ~320 bytes
@@ -925,9 +933,15 @@ check_boot:
goto out;
}
- sbi->index_size = boot->index_size < 0 ?
- 1u << (-boot->index_size) :
- (u32)boot->index_size << cluster_bits;
+ if (boot->index_size >= 0) {
+ sbi->index_size = (u32)boot->index_size << cluster_bits;
+ } else if (-boot->index_size <= MAXIMUM_SHIFT_BYTES_PER_INDEX) {
+ sbi->index_size = 1u << (-boot->index_size);
+ } else {
+ ntfs_err(sb, "%s: invalid index size %d.", hint,
+ boot->index_size);
+ goto out;
+ }
/* Check index record size. */
if (sbi->index_size < SECTOR_SIZE || !is_power_of_2(sbi->index_size)) {
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 034/241] fs/ntfs3: fix deadlock in mark_as_free_ex
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (32 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 033/241] fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 035/241] Revert "net: wwan: iosm: enable runtime pm support for 7560" Greg Kroah-Hartman
` (216 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+e94d98936a0ed08bde43,
Konstantin Komarov
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
commit bfbe5b31caa74ab97f1784fe9ade5f45e0d3de91 upstream.
Reported-by: syzbot+e94d98936a0ed08bde43@syzkaller.appspotmail.com
Signed-off-by: Konstantin Komarov <almaz.alexandrovich@paragon-software.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ntfs3/fsntfs.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/fs/ntfs3/fsntfs.c
+++ b/fs/ntfs3/fsntfs.c
@@ -2461,10 +2461,12 @@ void mark_as_free_ex(struct ntfs_sb_info
{
CLST end, i, zone_len, zlen;
struct wnd_bitmap *wnd = &sbi->used.bitmap;
+ bool dirty = false;
down_write_nested(&wnd->rw_lock, BITMAP_MUTEX_CLUSTERS);
if (!wnd_is_used(wnd, lcn, len)) {
- ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
+ /* mark volume as dirty out of wnd->rw_lock */
+ dirty = true;
end = lcn + len;
len = 0;
@@ -2518,6 +2520,8 @@ void mark_as_free_ex(struct ntfs_sb_info
out:
up_write(&wnd->rw_lock);
+ if (dirty)
+ ntfs_set_state(sbi, NTFS_DIRTY_ERROR);
}
/*
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 035/241] Revert "net: wwan: iosm: enable runtime pm support for 7560"
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (33 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 034/241] fs/ntfs3: fix deadlock in mark_as_free_ex Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 036/241] netfilter: nft_payload: fix wrong mac header matching Greg Kroah-Hartman
` (215 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin, Bagas Sanjaya, Loic Poulain,
David S. Miller
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bagas Sanjaya <bagasdotme@gmail.com>
commit 1db34aa58d80988f5ee99d2fd9d8f7489c3b0681 upstream.
Runtime power management support breaks Intel LTE modem where dmesg dump
showes timeout errors:
```
[ 72.027442] iosm 0000:01:00.0: msg timeout
[ 72.531638] iosm 0000:01:00.0: msg timeout
[ 73.035414] iosm 0000:01:00.0: msg timeout
[ 73.540359] iosm 0000:01:00.0: msg timeout
```
Furthermore, when shutting down with `poweroff` and modem attached, the
system rebooted instead of powering down as expected. The modem works
again only after power cycling.
Revert runtime power management support for IOSM driver as introduced by
commit e4f5073d53be6c ("net: wwan: iosm: enable runtime pm support for
7560").
Fixes: e4f5073d53be ("net: wwan: iosm: enable runtime pm support for 7560")
Reported-by: Martin <mwolf@adiumentum.com>
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=217996
Link: https://lore.kernel.org/r/267abf02-4b60-4a2e-92cd-709e3da6f7d3@gmail.com/
Signed-off-by: Bagas Sanjaya <bagasdotme@gmail.com>
Reviewed-by: Loic Poulain <loic.poulain@linaro.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/wwan/iosm/iosm_ipc_imem.c | 17 -----------------
drivers/net/wwan/iosm/iosm_ipc_imem.h | 2 --
drivers/net/wwan/iosm/iosm_ipc_pcie.c | 4 +---
drivers/net/wwan/iosm/iosm_ipc_port.c | 17 +----------------
drivers/net/wwan/iosm/iosm_ipc_trace.c | 8 --------
drivers/net/wwan/iosm/iosm_ipc_wwan.c | 21 ++-------------------
6 files changed, 4 insertions(+), 65 deletions(-)
diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem.c b/drivers/net/wwan/iosm/iosm_ipc_imem.c
index 635301d677e1..829515a601b3 100644
--- a/drivers/net/wwan/iosm/iosm_ipc_imem.c
+++ b/drivers/net/wwan/iosm/iosm_ipc_imem.c
@@ -4,7 +4,6 @@
*/
#include <linux/delay.h>
-#include <linux/pm_runtime.h>
#include "iosm_ipc_chnl_cfg.h"
#include "iosm_ipc_devlink.h"
@@ -632,11 +631,6 @@ static void ipc_imem_run_state_worker(struct work_struct *instance)
/* Complete all memory stores after setting bit */
smp_mb__after_atomic();
- if (ipc_imem->pcie->pci->device == INTEL_CP_DEVICE_7560_ID) {
- pm_runtime_mark_last_busy(ipc_imem->dev);
- pm_runtime_put_autosuspend(ipc_imem->dev);
- }
-
return;
err_ipc_mux_deinit:
@@ -1240,7 +1234,6 @@ void ipc_imem_cleanup(struct iosm_imem *ipc_imem)
/* forward MDM_NOT_READY to listeners */
ipc_uevent_send(ipc_imem->dev, UEVENT_MDM_NOT_READY);
- pm_runtime_get_sync(ipc_imem->dev);
hrtimer_cancel(&ipc_imem->td_alloc_timer);
hrtimer_cancel(&ipc_imem->tdupdate_timer);
@@ -1426,16 +1419,6 @@ struct iosm_imem *ipc_imem_init(struct iosm_pcie *pcie, unsigned int device_id,
set_bit(IOSM_DEVLINK_INIT, &ipc_imem->flag);
}
-
- if (!pm_runtime_enabled(ipc_imem->dev))
- pm_runtime_enable(ipc_imem->dev);
-
- pm_runtime_set_autosuspend_delay(ipc_imem->dev,
- IPC_MEM_AUTO_SUSPEND_DELAY_MS);
- pm_runtime_use_autosuspend(ipc_imem->dev);
- pm_runtime_allow(ipc_imem->dev);
- pm_runtime_mark_last_busy(ipc_imem->dev);
-
return ipc_imem;
devlink_channel_fail:
ipc_devlink_deinit(ipc_imem->ipc_devlink);
diff --git a/drivers/net/wwan/iosm/iosm_ipc_imem.h b/drivers/net/wwan/iosm/iosm_ipc_imem.h
index 0144b45e2afb..5664ac507c90 100644
--- a/drivers/net/wwan/iosm/iosm_ipc_imem.h
+++ b/drivers/net/wwan/iosm/iosm_ipc_imem.h
@@ -103,8 +103,6 @@ struct ipc_chnl_cfg;
#define FULLY_FUNCTIONAL 0
#define IOSM_DEVLINK_INIT 1
-#define IPC_MEM_AUTO_SUSPEND_DELAY_MS 5000
-
/* List of the supported UL/DL pipes. */
enum ipc_mem_pipes {
IPC_MEM_PIPE_0 = 0,
diff --git a/drivers/net/wwan/iosm/iosm_ipc_pcie.c b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
index 3a259c9abefd..04517bd3325a 100644
--- a/drivers/net/wwan/iosm/iosm_ipc_pcie.c
+++ b/drivers/net/wwan/iosm/iosm_ipc_pcie.c
@@ -6,7 +6,6 @@
#include <linux/acpi.h>
#include <linux/bitfield.h>
#include <linux/module.h>
-#include <linux/pm_runtime.h>
#include <net/rtnetlink.h>
#include "iosm_ipc_imem.h"
@@ -438,8 +437,7 @@ static int __maybe_unused ipc_pcie_resume_cb(struct device *dev)
return 0;
}
-static DEFINE_RUNTIME_DEV_PM_OPS(iosm_ipc_pm, ipc_pcie_suspend_cb,
- ipc_pcie_resume_cb, NULL);
+static SIMPLE_DEV_PM_OPS(iosm_ipc_pm, ipc_pcie_suspend_cb, ipc_pcie_resume_cb);
static struct pci_driver iosm_ipc_driver = {
.name = KBUILD_MODNAME,
diff --git a/drivers/net/wwan/iosm/iosm_ipc_port.c b/drivers/net/wwan/iosm/iosm_ipc_port.c
index 2ba1ddca3945..5d5b4183e14a 100644
--- a/drivers/net/wwan/iosm/iosm_ipc_port.c
+++ b/drivers/net/wwan/iosm/iosm_ipc_port.c
@@ -3,8 +3,6 @@
* Copyright (C) 2020-21 Intel Corporation.
*/
-#include <linux/pm_runtime.h>
-
#include "iosm_ipc_chnl_cfg.h"
#include "iosm_ipc_imem_ops.h"
#include "iosm_ipc_port.h"
@@ -15,16 +13,12 @@ static int ipc_port_ctrl_start(struct wwan_port *port)
struct iosm_cdev *ipc_port = wwan_port_get_drvdata(port);
int ret = 0;
- pm_runtime_get_sync(ipc_port->ipc_imem->dev);
ipc_port->channel = ipc_imem_sys_port_open(ipc_port->ipc_imem,
ipc_port->chl_id,
IPC_HP_CDEV_OPEN);
if (!ipc_port->channel)
ret = -EIO;
- pm_runtime_mark_last_busy(ipc_port->ipc_imem->dev);
- pm_runtime_put_autosuspend(ipc_port->ipc_imem->dev);
-
return ret;
}
@@ -33,24 +27,15 @@ static void ipc_port_ctrl_stop(struct wwan_port *port)
{
struct iosm_cdev *ipc_port = wwan_port_get_drvdata(port);
- pm_runtime_get_sync(ipc_port->ipc_imem->dev);
ipc_imem_sys_port_close(ipc_port->ipc_imem, ipc_port->channel);
- pm_runtime_mark_last_busy(ipc_port->ipc_imem->dev);
- pm_runtime_put_autosuspend(ipc_port->ipc_imem->dev);
}
/* transfer control data to modem */
static int ipc_port_ctrl_tx(struct wwan_port *port, struct sk_buff *skb)
{
struct iosm_cdev *ipc_port = wwan_port_get_drvdata(port);
- int ret;
- pm_runtime_get_sync(ipc_port->ipc_imem->dev);
- ret = ipc_imem_sys_cdev_write(ipc_port, skb);
- pm_runtime_mark_last_busy(ipc_port->ipc_imem->dev);
- pm_runtime_put_autosuspend(ipc_port->ipc_imem->dev);
-
- return ret;
+ return ipc_imem_sys_cdev_write(ipc_port, skb);
}
static const struct wwan_port_ops ipc_wwan_ctrl_ops = {
diff --git a/drivers/net/wwan/iosm/iosm_ipc_trace.c b/drivers/net/wwan/iosm/iosm_ipc_trace.c
index 4368373797b6..eeecfa3d10c5 100644
--- a/drivers/net/wwan/iosm/iosm_ipc_trace.c
+++ b/drivers/net/wwan/iosm/iosm_ipc_trace.c
@@ -3,9 +3,7 @@
* Copyright (C) 2020-2021 Intel Corporation.
*/
-#include <linux/pm_runtime.h>
#include <linux/wwan.h>
-
#include "iosm_ipc_trace.h"
/* sub buffer size and number of sub buffer */
@@ -99,8 +97,6 @@ static ssize_t ipc_trace_ctrl_file_write(struct file *filp,
if (ret)
return ret;
- pm_runtime_get_sync(ipc_trace->ipc_imem->dev);
-
mutex_lock(&ipc_trace->trc_mutex);
if (val == TRACE_ENABLE && ipc_trace->mode != TRACE_ENABLE) {
ipc_trace->channel = ipc_imem_sys_port_open(ipc_trace->ipc_imem,
@@ -121,10 +117,6 @@ static ssize_t ipc_trace_ctrl_file_write(struct file *filp,
ret = count;
unlock:
mutex_unlock(&ipc_trace->trc_mutex);
-
- pm_runtime_mark_last_busy(ipc_trace->ipc_imem->dev);
- pm_runtime_put_autosuspend(ipc_trace->ipc_imem->dev);
-
return ret;
}
diff --git a/drivers/net/wwan/iosm/iosm_ipc_wwan.c b/drivers/net/wwan/iosm/iosm_ipc_wwan.c
index 93d17de08786..ff747fc79aaf 100644
--- a/drivers/net/wwan/iosm/iosm_ipc_wwan.c
+++ b/drivers/net/wwan/iosm/iosm_ipc_wwan.c
@@ -6,7 +6,6 @@
#include <linux/etherdevice.h>
#include <linux/if_arp.h>
#include <linux/if_link.h>
-#include <linux/pm_runtime.h>
#include <linux/rtnetlink.h>
#include <linux/wwan.h>
#include <net/pkt_sched.h>
@@ -52,13 +51,11 @@ static int ipc_wwan_link_open(struct net_device *netdev)
struct iosm_netdev_priv *priv = wwan_netdev_drvpriv(netdev);
struct iosm_wwan *ipc_wwan = priv->ipc_wwan;
int if_id = priv->if_id;
- int ret = 0;
if (if_id < IP_MUX_SESSION_START ||
if_id >= ARRAY_SIZE(ipc_wwan->sub_netlist))
return -EINVAL;
- pm_runtime_get_sync(ipc_wwan->ipc_imem->dev);
/* get channel id */
priv->ch_id = ipc_imem_sys_wwan_open(ipc_wwan->ipc_imem, if_id);
@@ -66,8 +63,7 @@ static int ipc_wwan_link_open(struct net_device *netdev)
dev_err(ipc_wwan->dev,
"cannot connect wwan0 & id %d to the IPC mem layer",
if_id);
- ret = -ENODEV;
- goto err_out;
+ return -ENODEV;
}
/* enable tx path, DL data may follow */
@@ -76,11 +72,7 @@ static int ipc_wwan_link_open(struct net_device *netdev)
dev_dbg(ipc_wwan->dev, "Channel id %d allocated to if_id %d",
priv->ch_id, priv->if_id);
-err_out:
- pm_runtime_mark_last_busy(ipc_wwan->ipc_imem->dev);
- pm_runtime_put_autosuspend(ipc_wwan->ipc_imem->dev);
-
- return ret;
+ return 0;
}
/* Bring-down the wwan net link */
@@ -90,12 +82,9 @@ static int ipc_wwan_link_stop(struct net_device *netdev)
netif_stop_queue(netdev);
- pm_runtime_get_sync(priv->ipc_wwan->ipc_imem->dev);
ipc_imem_sys_wwan_close(priv->ipc_wwan->ipc_imem, priv->if_id,
priv->ch_id);
priv->ch_id = -1;
- pm_runtime_mark_last_busy(priv->ipc_wwan->ipc_imem->dev);
- pm_runtime_put_autosuspend(priv->ipc_wwan->ipc_imem->dev);
return 0;
}
@@ -117,7 +106,6 @@ static netdev_tx_t ipc_wwan_link_transmit(struct sk_buff *skb,
if_id >= ARRAY_SIZE(ipc_wwan->sub_netlist))
return -EINVAL;
- pm_runtime_get(ipc_wwan->ipc_imem->dev);
/* Send the SKB to device for transmission */
ret = ipc_imem_sys_wwan_transmit(ipc_wwan->ipc_imem,
if_id, priv->ch_id, skb);
@@ -131,14 +119,9 @@ static netdev_tx_t ipc_wwan_link_transmit(struct sk_buff *skb,
ret = NETDEV_TX_BUSY;
dev_err(ipc_wwan->dev, "unable to push packets");
} else {
- pm_runtime_mark_last_busy(ipc_wwan->ipc_imem->dev);
- pm_runtime_put_autosuspend(ipc_wwan->ipc_imem->dev);
goto exit;
}
- pm_runtime_mark_last_busy(ipc_wwan->ipc_imem->dev);
- pm_runtime_put_autosuspend(ipc_wwan->ipc_imem->dev);
-
return ret;
exit:
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 036/241] netfilter: nft_payload: fix wrong mac header matching
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (34 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 035/241] Revert "net: wwan: iosm: enable runtime pm support for 7560" Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 037/241] io_uring: fix crash with IORING_SETUP_NO_MMAP and invalid SQ ring address Greg Kroah-Hartman
` (214 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Blažej Krajňák,
Florian Westphal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Westphal <fw@strlen.de>
commit d351c1ea2de3e36e608fc355d8ae7d0cc80e6cd6 upstream.
mcast packets get looped back to the local machine.
Such packets have a 0-length mac header, we should treat
this like "mac header not set" and abort rule evaluation.
As-is, we just copy data from the network header instead.
Fixes: 96518518cc41 ("netfilter: add nftables")
Reported-by: Blažej Krajňák <krajnak@levonet.sk>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nft_payload.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/netfilter/nft_payload.c
+++ b/net/netfilter/nft_payload.c
@@ -179,7 +179,7 @@ void nft_payload_eval(const struct nft_e
switch (priv->base) {
case NFT_PAYLOAD_LL_HEADER:
- if (!skb_mac_header_was_set(skb))
+ if (!skb_mac_header_was_set(skb) || skb_mac_header_len(skb) == 0)
goto err;
if (skb_vlan_tag_present(skb) &&
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 037/241] io_uring: fix crash with IORING_SETUP_NO_MMAP and invalid SQ ring address
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (35 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 036/241] netfilter: nft_payload: fix wrong mac header matching Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 038/241] nvmet-tcp: Fix a possible UAF in queue intialization setup Greg Kroah-Hartman
` (213 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, rtm, Jeff Moyer, Jens Axboe
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jens Axboe <axboe@kernel.dk>
commit 8b51a3956d44ea6ade962874ade14de9a7d16556 upstream.
If we specify a valid CQ ring address but an invalid SQ ring address,
we'll correctly spot this and free the allocated pages and clear them
to NULL. However, we don't clear the ring page count, and hence will
attempt to free the pages again. We've already cleared the address of
the page array when freeing them, but we don't check for that. This
causes the following crash:
Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000
Oops [#1]
Modules linked in:
CPU: 0 PID: 20 Comm: kworker/u2:1 Not tainted 6.6.0-rc5-dirty #56
Hardware name: ucbbar,riscvemu-bare (DT)
Workqueue: events_unbound io_ring_exit_work
epc : io_pages_free+0x2a/0x58
ra : io_rings_free+0x3a/0x50
epc : ffffffff808811a2 ra : ffffffff80881406 sp : ffff8f80000c3cd0
status: 0000000200000121 badaddr: 0000000000000000 cause: 000000000000000d
[<ffffffff808811a2>] io_pages_free+0x2a/0x58
[<ffffffff80881406>] io_rings_free+0x3a/0x50
[<ffffffff80882176>] io_ring_exit_work+0x37e/0x424
[<ffffffff80027234>] process_one_work+0x10c/0x1f4
[<ffffffff8002756e>] worker_thread+0x252/0x31c
[<ffffffff8002f5e4>] kthread+0xc4/0xe0
[<ffffffff8000332a>] ret_from_fork+0xa/0x1c
Check for a NULL array in io_pages_free(), but also clear the page counts
when we free them to be on the safer side.
Reported-by: rtm@csail.mit.edu
Fixes: 03d89a2de25b ("io_uring: support for user allocated memory for rings/sqes")
Cc: stable@vger.kernel.org
Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
io_uring/io_uring.c | 6 ++++++
1 file changed, 6 insertions(+)
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -2666,7 +2666,11 @@ static void io_pages_free(struct page **
if (!pages)
return;
+
page_array = *pages;
+ if (!page_array)
+ return;
+
for (i = 0; i < npages; i++)
unpin_user_page(page_array[i]);
kvfree(page_array);
@@ -2750,7 +2754,9 @@ static void io_rings_free(struct io_ring
ctx->sq_sqes = NULL;
} else {
io_pages_free(&ctx->ring_pages, ctx->n_ring_pages);
+ ctx->n_ring_pages = 0;
io_pages_free(&ctx->sqe_pages, ctx->n_sqe_pages);
+ ctx->n_sqe_pages = 0;
}
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 038/241] nvmet-tcp: Fix a possible UAF in queue intialization setup
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (36 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 037/241] io_uring: fix crash with IORING_SETUP_NO_MMAP and invalid SQ ring address Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 039/241] drm/i915: Retry gtt fault when out of fence registers Greg Kroah-Hartman
` (212 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Alon Zahavi, Sagi Grimberg,
Christoph Hellwig, Chaitanya Kulkarni, Keith Busch
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sagi Grimberg <sagi@grimberg.me>
commit d920abd1e7c4884f9ecd0749d1921b7ab19ddfbd upstream.
>From Alon:
"Due to a logical bug in the NVMe-oF/TCP subsystem in the Linux kernel,
a malicious user can cause a UAF and a double free, which may lead to
RCE (may also lead to an LPE in case the attacker already has local
privileges)."
Hence, when a queue initialization fails after the ahash requests are
allocated, it is guaranteed that the queue removal async work will be
called, hence leave the deallocation to the queue removal.
Also, be extra careful not to continue processing the socket, so set
queue rcv_state to NVMET_TCP_RECV_ERR upon a socket error.
Cc: stable@vger.kernel.org
Reported-by: Alon Zahavi <zahavi.alon@gmail.com>
Tested-by: Alon Zahavi <zahavi.alon@gmail.com>
Signed-off-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/target/tcp.c | 7 ++-----
1 file changed, 2 insertions(+), 5 deletions(-)
--- a/drivers/nvme/target/tcp.c
+++ b/drivers/nvme/target/tcp.c
@@ -372,6 +372,7 @@ static void nvmet_tcp_fatal_error(struct
static void nvmet_tcp_socket_error(struct nvmet_tcp_queue *queue, int status)
{
+ queue->rcv_state = NVMET_TCP_RECV_ERR;
if (status == -EPIPE || status == -ECONNRESET)
kernel_sock_shutdown(queue->sock, SHUT_RDWR);
else
@@ -910,15 +911,11 @@ static int nvmet_tcp_handle_icreq(struct
iov.iov_len = sizeof(*icresp);
ret = kernel_sendmsg(queue->sock, &msg, &iov, 1, iov.iov_len);
if (ret < 0)
- goto free_crypto;
+ return ret; /* queue removal will cleanup */
queue->state = NVMET_TCP_Q_LIVE;
nvmet_prepare_receive_pdu(queue);
return 0;
-free_crypto:
- if (queue->hdr_digest || queue->data_digest)
- nvmet_tcp_free_crypto(queue);
- return ret;
}
static void nvmet_tcp_handle_req_failure(struct nvmet_tcp_queue *queue,
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 039/241] drm/i915: Retry gtt fault when out of fence registers
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (37 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 038/241] nvmet-tcp: Fix a possible UAF in queue intialization setup Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 040/241] drm/mediatek: Correctly free sg_table in gem prime vmap Greg Kroah-Hartman
` (211 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ville Syrjälä,
Andi Shyti, Rodrigo Vivi
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ville Syrjälä <ville.syrjala@linux.intel.com>
commit e339c6d628fe66c9b64bf31040a55770952aec57 upstream.
If we can't find a free fence register to handle a fault in the GMADR
range just return VM_FAULT_NOPAGE without populating the PTE so that
userspace will retry the access and trigger another fault. Eventually
we should find a free fence and the fault will get properly handled.
A further improvement idea might be to reserve a fence (or one per CPU?)
for the express purpose of handling faults without having to retry. But
that would require some additional work.
Looks like this may have gotten broken originally by
commit 39965b376601 ("drm/i915: don't trash the gtt when running out of fences")
as that changed the errno to -EDEADLK which wasn't handle by the gtt
fault code either. But later in commit 2feeb52859fc ("drm/i915/gt: Fix
-EDEADLK handling regression") I changed it again to -ENOBUFS as -EDEADLK
was now getting used for the ww mutex dance. So this fix only makes
sense after that last commit.
Cc: stable@vger.kernel.org
Closes: https://gitlab.freedesktop.org/drm/intel/-/issues/9479
Fixes: 2feeb52859fc ("drm/i915/gt: Fix -EDEADLK handling regression")
Signed-off-by: Ville Syrjälä <ville.syrjala@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231012132801.16292-1-ville.syrjala@linux.intel.com
Reviewed-by: Andi Shyti <andi.shyti@linux.intel.com>
(cherry picked from commit 7f403caabe811b88ab0de3811ff3f4782c415761)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/i915/gem/i915_gem_mman.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/gpu/drm/i915/gem/i915_gem_mman.c
+++ b/drivers/gpu/drm/i915/gem/i915_gem_mman.c
@@ -235,6 +235,7 @@ static vm_fault_t i915_error_to_vmf_faul
case 0:
case -EAGAIN:
case -ENOSPC: /* transient failure to evict? */
+ case -ENOBUFS: /* temporarily out of fences? */
case -ERESTARTSYS:
case -EINTR:
case -EBUSY:
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 040/241] drm/mediatek: Correctly free sg_table in gem prime vmap
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (38 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 039/241] drm/i915: Retry gtt fault when out of fence registers Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 041/241] drm/nouveau/disp: fix DP capable DSM connectors Greg Kroah-Hartman
` (210 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Chen-Yu Tsai, CK Hu, Chun-Kuang Hu
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chen-Yu Tsai <wenst@chromium.org>
commit dcc583c225e659d5da34b4ad83914fd6b51e3dbf upstream.
The MediaTek DRM driver implements GEM PRIME vmap by fetching the
sg_table for the object, iterating through the pages, and then
vmapping them. In essence, unlike the GEM DMA helpers which vmap
when the object is first created or imported, the MediaTek version
does it on request.
Unfortunately, the code never correctly frees the sg_table contents.
This results in a kernel memory leak. On a Hayato device with a text
console on the internal display, this results in the system running
out of memory in a few days from all the console screen cursor updates.
Add sg_free_table() to correctly free the contents of the sg_table. This
was missing despite explicitly required by mtk_gem_prime_get_sg_table().
Also move the "out" shortcut label to after the kfree() call for the
sg_table. Having sg_free_table() together with kfree() makes more sense.
The shortcut is only used when the object already has a kernel address,
in which case the pointer is NULL and kfree() does nothing. Hence this
change causes no functional change.
Fixes: 3df64d7b0a4f ("drm/mediatek: Implement gem prime vmap/vunmap function")
Cc: <stable@vger.kernel.org>
Signed-off-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: CK Hu <ck.hu@mediatek.com>
Link: https://patchwork.kernel.org/project/dri-devel/patch/20231004083226.1940055-1-wenst@chromium.org/
Signed-off-by: Chun-Kuang Hu <chunkuang.hu@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/mediatek/mtk_drm_gem.c | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
--- a/drivers/gpu/drm/mediatek/mtk_drm_gem.c
+++ b/drivers/gpu/drm/mediatek/mtk_drm_gem.c
@@ -239,6 +239,7 @@ int mtk_drm_gem_prime_vmap(struct drm_ge
npages = obj->size >> PAGE_SHIFT;
mtk_gem->pages = kcalloc(npages, sizeof(*mtk_gem->pages), GFP_KERNEL);
if (!mtk_gem->pages) {
+ sg_free_table(sgt);
kfree(sgt);
return -ENOMEM;
}
@@ -248,12 +249,15 @@ int mtk_drm_gem_prime_vmap(struct drm_ge
mtk_gem->kvaddr = vmap(mtk_gem->pages, npages, VM_MAP,
pgprot_writecombine(PAGE_KERNEL));
if (!mtk_gem->kvaddr) {
+ sg_free_table(sgt);
kfree(sgt);
kfree(mtk_gem->pages);
return -ENOMEM;
}
-out:
+ sg_free_table(sgt);
kfree(sgt);
+
+out:
iosys_map_set_vaddr(map, mtk_gem->kvaddr);
return 0;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 041/241] drm/nouveau/disp: fix DP capable DSM connectors
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (39 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 040/241] drm/mediatek: Correctly free sg_table in gem prime vmap Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 042/241] drm/edid: add 8 bpc quirk to the BenQ GW2765 Greg Kroah-Hartman
` (209 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Lyude Paul, Karol Herbst
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Karol Herbst <kherbst@redhat.com>
commit 4366faf43308bd91c59a20c43a9f853a9c3bb6e4 upstream.
Just special case DP DSM connectors until we properly figure out how to
deal with this.
This resolves user regressions on GPUs with such connectors without
reverting the original fix.
Cc: Lyude Paul <lyude@redhat.com>
Cc: stable@vger.kernel.org # 6.4+
Closes: https://gitlab.freedesktop.org/drm/nouveau/-/issues/255
Fixes: 2b5d1c29f6c4 ("drm/nouveau/disp: PIOR DP uses GPIO for HPD, not PMGR AUX interrupts")
Signed-off-by: Karol Herbst <kherbst@redhat.com>
Reviewed-by: Lyude Paul <lyude@redhat.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231011114134.861818-1-kherbst@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c
index 46b057fe1412..3249e5c1c893 100644
--- a/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c
+++ b/drivers/gpu/drm/nouveau/nvkm/engine/disp/uconn.c
@@ -62,6 +62,18 @@ nvkm_uconn_uevent_gpio(struct nvkm_object *object, u64 token, u32 bits)
return object->client->event(token, &args, sizeof(args.v0));
}
+static bool
+nvkm_connector_is_dp_dms(u8 type)
+{
+ switch (type) {
+ case DCB_CONNECTOR_DMS59_DP0:
+ case DCB_CONNECTOR_DMS59_DP1:
+ return true;
+ default:
+ return false;
+ }
+}
+
static int
nvkm_uconn_uevent(struct nvkm_object *object, void *argv, u32 argc, struct nvkm_uevent *uevent)
{
@@ -101,7 +113,7 @@ nvkm_uconn_uevent(struct nvkm_object *object, void *argv, u32 argc, struct nvkm_
if (args->v0.types & NVIF_CONN_EVENT_V0_UNPLUG) bits |= NVKM_GPIO_LO;
if (args->v0.types & NVIF_CONN_EVENT_V0_IRQ) {
/* TODO: support DP IRQ on ANX9805 and remove this hack. */
- if (!outp->info.location)
+ if (!outp->info.location && !nvkm_connector_is_dp_dms(conn->info.type))
return -EINVAL;
}
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 042/241] drm/edid: add 8 bpc quirk to the BenQ GW2765
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (40 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 041/241] drm/nouveau/disp: fix DP capable DSM connectors Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 043/241] ALSA: hda/realtek - Fixed ASUS platform headset Mic issue Greg Kroah-Hartman
` (208 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Harry Wentland, Hamza Mahfooz
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hamza Mahfooz <hamza.mahfooz@amd.com>
commit 88630e91f12677848c0c4a5790ec0d691f8859fa upstream.
The BenQ GW2765 reports that it supports higher (> 8) bpc modes, but
when trying to set them we end up with a black screen. So, limit it to 8
bpc modes.
Cc: stable@vger.kernel.org # 6.5+
Link: https://gitlab.freedesktop.org/drm/amd/-/issues/2610
Reviewed-by: Harry Wentland <harry.wentland@amd.com>
Signed-off-by: Hamza Mahfooz <hamza.mahfooz@amd.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231012184927.133137-1-hamza.mahfooz@amd.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpu/drm/drm_edid.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/gpu/drm/drm_edid.c b/drivers/gpu/drm/drm_edid.c
index 340da8257b51..4b71040ae5be 100644
--- a/drivers/gpu/drm/drm_edid.c
+++ b/drivers/gpu/drm/drm_edid.c
@@ -123,6 +123,9 @@ static const struct edid_quirk {
/* AEO model 0 reports 8 bpc, but is a 6 bpc panel */
EDID_QUIRK('A', 'E', 'O', 0, EDID_QUIRK_FORCE_6BPC),
+ /* BenQ GW2765 */
+ EDID_QUIRK('B', 'N', 'Q', 0x78d6, EDID_QUIRK_FORCE_8BPC),
+
/* BOE model on HP Pavilion 15-n233sl reports 8 bpc, but is a 6 bpc panel */
EDID_QUIRK('B', 'O', 'E', 0x78b, EDID_QUIRK_FORCE_6BPC),
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 043/241] ALSA: hda/realtek - Fixed ASUS platform headset Mic issue
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (41 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 042/241] drm/edid: add 8 bpc quirk to the BenQ GW2765 Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 044/241] ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV Greg Kroah-Hartman
` (207 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Kailang Yang, Takashi Iwai
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kailang Yang <kailang@realtek.com>
commit c8c0a03ec1be6b3f3ec1ce91685351235212db19 upstream.
ASUS platform Headset Mic was disable by default.
Assigned verb table for Mic pin will enable it.
Signed-off-by: Kailang Yang <kailang@realtek.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/1155d914c20c40569f56d36c79254879@realtek.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 25 +++++++++++++++++++++++++
1 file changed, 25 insertions(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -7009,6 +7009,24 @@ static void alc287_fixup_bind_dacs(struc
0x0); /* Make sure 0x14 was disable */
}
}
+/* Fix none verb table of Headset Mic pin */
+static void alc_fixup_headset_mic(struct hda_codec *codec,
+ const struct hda_fixup *fix, int action)
+{
+ struct alc_spec *spec = codec->spec;
+ static const struct hda_pintbl pincfgs[] = {
+ { 0x19, 0x03a1103c },
+ { }
+ };
+
+ switch (action) {
+ case HDA_FIXUP_ACT_PRE_PROBE:
+ snd_hda_apply_pincfgs(codec, pincfgs);
+ alc_update_coef_idx(codec, 0x45, 0xf<<12 | 1<<10, 5<<12);
+ spec->parse_flags |= HDA_PINCFG_HEADSET_MIC;
+ break;
+ }
+}
enum {
@@ -7274,6 +7292,7 @@ enum {
ALC245_FIXUP_HP_X360_MUTE_LEDS,
ALC287_FIXUP_THINKPAD_I2S_SPK,
ALC287_FIXUP_MG_RTKC_CSAMP_CS35L41_I2C_THINKPAD,
+ ALC2XX_FIXUP_HEADSET_MIC,
};
/* A special fixup for Lenovo C940 and Yoga Duet 7;
@@ -9372,6 +9391,10 @@ static const struct hda_fixup alc269_fix
.chained = true,
.chain_id = ALC287_FIXUP_CS35L41_I2C_2_THINKPAD_ACPI,
},
+ [ALC2XX_FIXUP_HEADSET_MIC] = {
+ .type = HDA_FIXUP_FUNC,
+ .v.func = alc_fixup_headset_mic,
+ },
};
static const struct snd_pci_quirk alc269_fixup_tbl[] = {
@@ -10656,6 +10679,8 @@ static const struct snd_hda_pin_quirk al
SND_HDA_PIN_QUIRK(0x10ec0274, 0x1028, "Dell", ALC274_FIXUP_DELL_AIO_LINEOUT_VERB,
{0x19, 0x40000000},
{0x1a, 0x40000000}),
+ SND_HDA_PIN_QUIRK(0x10ec0256, 0x1043, "ASUS", ALC2XX_FIXUP_HEADSET_MIC,
+ {0x19, 0x40000000}),
{}
};
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 044/241] ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (42 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 043/241] ALSA: hda/realtek - Fixed ASUS platform headset Mic issue Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 045/241] ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx Greg Kroah-Hartman
` (206 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Artem Borisov, Takashi Iwai
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Artem Borisov <dedsa2002@gmail.com>
commit 5dedc9f53eef7ec07b23686381100d03fb259f50 upstream.
Enables the SPI-connected Cirrus amp and the required pins
for headset mic detection.
As of BIOS version 313 it is still necessary to modify the
ACPI table to add the related _DSD properties:
https://gist.github.com/Flex1911/1bce378645fc95a5743671bd5deabfc8
Signed-off-by: Artem Borisov <dedsa2002@gmail.com>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20231014075044.17474-1-dedsa2002@gmail.com
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9738,6 +9738,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x1043, 0x1517, "Asus Zenbook UX31A", ALC269VB_FIXUP_ASUS_ZENBOOK_UX31A),
SND_PCI_QUIRK(0x1043, 0x1573, "ASUS GZ301V", ALC285_FIXUP_ASUS_HEADSET_MIC),
SND_PCI_QUIRK(0x1043, 0x1662, "ASUS GV301QH", ALC294_FIXUP_ASUS_DUAL_SPK),
+ SND_PCI_QUIRK(0x1043, 0x1663, "ASUS GU603ZV", ALC285_FIXUP_ASUS_HEADSET_MIC),
SND_PCI_QUIRK(0x1043, 0x1683, "ASUS UM3402YAR", ALC287_FIXUP_CS35L41_I2C_2),
SND_PCI_QUIRK(0x1043, 0x16b2, "ASUS GU603", ALC289_FIXUP_ASUS_GA401),
SND_PCI_QUIRK(0x1043, 0x16e3, "ASUS UX50", ALC269_FIXUP_STEREO_DMIC),
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 045/241] ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (43 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 044/241] ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 046/241] ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind Greg Kroah-Hartman
` (205 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luka Guzenko, Takashi Iwai
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luka Guzenko <l.guzenko@web.de>
commit 56e85993896b914032d11e32ecbf8415e7b2f621 upstream.
This HP Laptop uses ALC236 codec with COEF 0x07 controlling the
mute LED. Enable existing quirk for this device.
Signed-off-by: Luka Guzenko <l.guzenko@web.de>
Cc: <stable@vger.kernel.org>
Link: https://lore.kernel.org/r/20231016221328.1521674-1-l.guzenko@web.de
Signed-off-by: Takashi Iwai <tiwai@suse.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/pci/hda/patch_realtek.c | 1 +
1 file changed, 1 insertion(+)
--- a/sound/pci/hda/patch_realtek.c
+++ b/sound/pci/hda/patch_realtek.c
@@ -9669,6 +9669,7 @@ static const struct snd_pci_quirk alc269
SND_PCI_QUIRK(0x103c, 0x89c6, "Zbook Fury 17 G9", ALC245_FIXUP_CS35L41_SPI_2_HP_GPIO_LED),
SND_PCI_QUIRK(0x103c, 0x89ca, "HP", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
SND_PCI_QUIRK(0x103c, 0x89d3, "HP EliteBook 645 G9 (MB 89D2)", ALC236_FIXUP_HP_MUTE_LED_MICMUTE_VREF),
+ SND_PCI_QUIRK(0x103c, 0x8a20, "HP Laptop 15s-fq5xxx", ALC236_FIXUP_HP_MUTE_LED_COEFBIT2),
SND_PCI_QUIRK(0x103c, 0x8a25, "HP Victus 16-d1xxx (MB 8A25)", ALC245_FIXUP_HP_MUTE_LED_COEFBIT),
SND_PCI_QUIRK(0x103c, 0x8a78, "HP Dev One", ALC285_FIXUP_HP_LIMIT_INT_MIC_BOOST),
SND_PCI_QUIRK(0x103c, 0x8aa0, "HP ProBook 440 G9 (MB 8A9E)", ALC236_FIXUP_HP_GPIO_LED),
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 046/241] ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (44 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 045/241] ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 047/241] ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors Greg Kroah-Hartman
` (204 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Johan Hovold,
Mark Brown
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit f0dfdcbe706462495d47982eecd13a61aabd644d upstream.
Make sure to deregister the component when the driver is being unbound
and before the underlying device-managed resources are freed.
Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
Cc: stable@vger.kernel.org # 5.14
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20231003155558.27079-7-johan+linaro@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd938x-sdw.c | 10 ++++++++++
1 file changed, 10 insertions(+)
--- a/sound/soc/codecs/wcd938x-sdw.c
+++ b/sound/soc/codecs/wcd938x-sdw.c
@@ -1281,6 +1281,15 @@ static int wcd9380_probe(struct sdw_slav
return component_add(dev, &wcd938x_sdw_component_ops);
}
+static int wcd9380_remove(struct sdw_slave *pdev)
+{
+ struct device *dev = &pdev->dev;
+
+ component_del(dev, &wcd938x_sdw_component_ops);
+
+ return 0;
+}
+
static const struct sdw_device_id wcd9380_slave_id[] = {
SDW_SLAVE_ENTRY(0x0217, 0x10d, 0),
{},
@@ -1320,6 +1329,7 @@ static const struct dev_pm_ops wcd938x_s
static struct sdw_driver wcd9380_codec_driver = {
.probe = wcd9380_probe,
+ .remove = wcd9380_remove,
.ops = &wcd9380_slave_ops,
.id_table = wcd9380_slave_id,
.driver = {
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 047/241] ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (45 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 046/241] ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 048/241] ASoC: codecs: wcd938x: drop bogus bind error handling Greg Kroah-Hartman
` (203 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Johan Hovold,
Mark Brown
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit c5c0383082eace13da2ffceeea154db2780165e7 upstream.
Make sure to balance the runtime PM operations, including the disable
count, on probe errors and on driver unbind.
Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
Cc: stable@vger.kernel.org # 5.14
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20231003155558.27079-8-johan+linaro@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd938x-sdw.c | 17 ++++++++++++++++-
1 file changed, 16 insertions(+), 1 deletion(-)
--- a/sound/soc/codecs/wcd938x-sdw.c
+++ b/sound/soc/codecs/wcd938x-sdw.c
@@ -1278,7 +1278,18 @@ static int wcd9380_probe(struct sdw_slav
pm_runtime_set_active(dev);
pm_runtime_enable(dev);
- return component_add(dev, &wcd938x_sdw_component_ops);
+ ret = component_add(dev, &wcd938x_sdw_component_ops);
+ if (ret)
+ goto err_disable_rpm;
+
+ return 0;
+
+err_disable_rpm:
+ pm_runtime_disable(dev);
+ pm_runtime_set_suspended(dev);
+ pm_runtime_dont_use_autosuspend(dev);
+
+ return ret;
}
static int wcd9380_remove(struct sdw_slave *pdev)
@@ -1287,6 +1298,10 @@ static int wcd9380_remove(struct sdw_sla
component_del(dev, &wcd938x_sdw_component_ops);
+ pm_runtime_disable(dev);
+ pm_runtime_set_suspended(dev);
+ pm_runtime_dont_use_autosuspend(dev);
+
return 0;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 048/241] ASoC: codecs: wcd938x: drop bogus bind error handling
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (46 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 047/241] ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 049/241] ASoC: codecs: wcd938x: fix unbind tear down order Greg Kroah-Hartman
` (202 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Johan Hovold,
Mark Brown
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit bfbc79de60c53e5fed505390440b87ef59ee268c upstream.
Drop the bogus error handling for a soundwire device backcast during
bind() that cannot fail.
Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
Cc: stable@vger.kernel.org # 5.14
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20231003155558.27079-2-johan+linaro@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd938x.c | 4 ----
1 file changed, 4 deletions(-)
--- a/sound/soc/codecs/wcd938x.c
+++ b/sound/soc/codecs/wcd938x.c
@@ -3448,10 +3448,6 @@ static int wcd938x_bind(struct device *d
wcd938x->sdw_priv[AIF1_CAP] = dev_get_drvdata(wcd938x->txdev);
wcd938x->sdw_priv[AIF1_CAP]->wcd938x = wcd938x;
wcd938x->tx_sdw_dev = dev_to_sdw_dev(wcd938x->txdev);
- if (!wcd938x->tx_sdw_dev) {
- dev_err(dev, "could not get txslave with matching of dev\n");
- return -EINVAL;
- }
/* As TX is main CSR reg interface, which should not be suspended first.
* expicilty add the dependency link */
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 049/241] ASoC: codecs: wcd938x: fix unbind tear down order
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (47 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 048/241] ASoC: codecs: wcd938x: drop bogus bind error handling Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 050/241] ASoC: codecs: wcd938x: fix resource leaks on bind errors Greg Kroah-Hartman
` (201 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Johan Hovold,
Mark Brown
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit fa2f8a991ba4aa733ac1c3b1be0c86148aa4c52c upstream.
Make sure to deregister the component before tearing down the resources
it depends on during unbind().
Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
Cc: stable@vger.kernel.org # 5.14
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20231003155558.27079-3-johan+linaro@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd938x.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/sound/soc/codecs/wcd938x.c
+++ b/sound/soc/codecs/wcd938x.c
@@ -3504,10 +3504,10 @@ static void wcd938x_unbind(struct device
{
struct wcd938x_priv *wcd938x = dev_get_drvdata(dev);
+ snd_soc_unregister_component(dev);
device_link_remove(dev, wcd938x->txdev);
device_link_remove(dev, wcd938x->rxdev);
device_link_remove(wcd938x->rxdev, wcd938x->txdev);
- snd_soc_unregister_component(dev);
component_unbind_all(dev, wcd938x);
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 050/241] ASoC: codecs: wcd938x: fix resource leaks on bind errors
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (48 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 049/241] ASoC: codecs: wcd938x: fix unbind tear down order Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 051/241] ASoC: codecs: wcd938x: fix regulator leaks on probe errors Greg Kroah-Hartman
` (200 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Johan Hovold,
Mark Brown
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit da29b94ed3547cee9d510d02eca4009f2de476cf upstream.
Add the missing code to release resources on bind errors, including the
references taken by wcd938x_sdw_device_get() which also need to be
dropped on unbind().
Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
Cc: stable@vger.kernel.org # 5.14
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20231003155558.27079-4-johan+linaro@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd938x.c | 44 ++++++++++++++++++++++++++++++++++----------
1 file changed, 34 insertions(+), 10 deletions(-)
--- a/sound/soc/codecs/wcd938x.c
+++ b/sound/soc/codecs/wcd938x.c
@@ -3435,7 +3435,8 @@ static int wcd938x_bind(struct device *d
wcd938x->rxdev = wcd938x_sdw_device_get(wcd938x->rxnode);
if (!wcd938x->rxdev) {
dev_err(dev, "could not find slave with matching of node\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_unbind;
}
wcd938x->sdw_priv[AIF1_PB] = dev_get_drvdata(wcd938x->rxdev);
wcd938x->sdw_priv[AIF1_PB]->wcd938x = wcd938x;
@@ -3443,7 +3444,8 @@ static int wcd938x_bind(struct device *d
wcd938x->txdev = wcd938x_sdw_device_get(wcd938x->txnode);
if (!wcd938x->txdev) {
dev_err(dev, "could not find txslave with matching of node\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_put_rxdev;
}
wcd938x->sdw_priv[AIF1_CAP] = dev_get_drvdata(wcd938x->txdev);
wcd938x->sdw_priv[AIF1_CAP]->wcd938x = wcd938x;
@@ -3454,31 +3456,35 @@ static int wcd938x_bind(struct device *d
if (!device_link_add(wcd938x->rxdev, wcd938x->txdev, DL_FLAG_STATELESS |
DL_FLAG_PM_RUNTIME)) {
dev_err(dev, "could not devlink tx and rx\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_put_txdev;
}
if (!device_link_add(dev, wcd938x->txdev, DL_FLAG_STATELESS |
DL_FLAG_PM_RUNTIME)) {
dev_err(dev, "could not devlink wcd and tx\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_remove_rxtx_link;
}
if (!device_link_add(dev, wcd938x->rxdev, DL_FLAG_STATELESS |
DL_FLAG_PM_RUNTIME)) {
dev_err(dev, "could not devlink wcd and rx\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_remove_tx_link;
}
wcd938x->regmap = dev_get_regmap(&wcd938x->tx_sdw_dev->dev, NULL);
if (!wcd938x->regmap) {
dev_err(dev, "could not get TX device regmap\n");
- return -EINVAL;
+ ret = -EINVAL;
+ goto err_remove_rx_link;
}
ret = wcd938x_irq_init(wcd938x, dev);
if (ret) {
dev_err(dev, "%s: IRQ init failed: %d\n", __func__, ret);
- return ret;
+ goto err_remove_rx_link;
}
wcd938x->sdw_priv[AIF1_PB]->slave_irq = wcd938x->virq;
@@ -3487,17 +3493,33 @@ static int wcd938x_bind(struct device *d
ret = wcd938x_set_micbias_data(wcd938x);
if (ret < 0) {
dev_err(dev, "%s: bad micbias pdata\n", __func__);
- return ret;
+ goto err_remove_rx_link;
}
ret = snd_soc_register_component(dev, &soc_codec_dev_wcd938x,
wcd938x_dais, ARRAY_SIZE(wcd938x_dais));
- if (ret)
+ if (ret) {
dev_err(dev, "%s: Codec registration failed\n",
__func__);
+ goto err_remove_rx_link;
+ }
- return ret;
+ return 0;
+err_remove_rx_link:
+ device_link_remove(dev, wcd938x->rxdev);
+err_remove_tx_link:
+ device_link_remove(dev, wcd938x->txdev);
+err_remove_rxtx_link:
+ device_link_remove(wcd938x->rxdev, wcd938x->txdev);
+err_put_txdev:
+ put_device(wcd938x->txdev);
+err_put_rxdev:
+ put_device(wcd938x->rxdev);
+err_unbind:
+ component_unbind_all(dev, wcd938x);
+
+ return ret;
}
static void wcd938x_unbind(struct device *dev)
@@ -3508,6 +3530,8 @@ static void wcd938x_unbind(struct device
device_link_remove(dev, wcd938x->txdev);
device_link_remove(dev, wcd938x->rxdev);
device_link_remove(wcd938x->rxdev, wcd938x->txdev);
+ put_device(wcd938x->txdev);
+ put_device(wcd938x->rxdev);
component_unbind_all(dev, wcd938x);
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 051/241] ASoC: codecs: wcd938x: fix regulator leaks on probe errors
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (49 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 050/241] ASoC: codecs: wcd938x: fix resource leaks on bind errors Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 052/241] ASoC: codecs: wcd938x: fix runtime PM imbalance on remove Greg Kroah-Hartman
` (199 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Johan Hovold,
Mark Brown
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 69a026a2357ee69983690d07976de44ef26ee38a upstream.
Make sure to disable and free the regulators on probe errors and on
driver unbind.
Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
Cc: stable@vger.kernel.org # 5.14
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20231003155558.27079-5-johan+linaro@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd938x.c | 18 +++++++++++++++---
1 file changed, 15 insertions(+), 3 deletions(-)
--- a/sound/soc/codecs/wcd938x.c
+++ b/sound/soc/codecs/wcd938x.c
@@ -3325,8 +3325,10 @@ static int wcd938x_populate_dt_data(stru
return dev_err_probe(dev, ret, "Failed to get supplies\n");
ret = regulator_bulk_enable(WCD938X_MAX_SUPPLY, wcd938x->supplies);
- if (ret)
+ if (ret) {
+ regulator_bulk_free(WCD938X_MAX_SUPPLY, wcd938x->supplies);
return dev_err_probe(dev, ret, "Failed to enable supplies\n");
+ }
wcd938x_dt_parse_micbias_info(dev, wcd938x);
@@ -3592,13 +3594,13 @@ static int wcd938x_probe(struct platform
ret = wcd938x_add_slave_components(wcd938x, dev, &match);
if (ret)
- return ret;
+ goto err_disable_regulators;
wcd938x_reset(wcd938x);
ret = component_master_add_with_match(dev, &wcd938x_comp_ops, match);
if (ret)
- return ret;
+ goto err_disable_regulators;
pm_runtime_set_autosuspend_delay(dev, 1000);
pm_runtime_use_autosuspend(dev);
@@ -3608,11 +3610,21 @@ static int wcd938x_probe(struct platform
pm_runtime_idle(dev);
return 0;
+
+err_disable_regulators:
+ regulator_bulk_disable(WCD938X_MAX_SUPPLY, wcd938x->supplies);
+ regulator_bulk_free(WCD938X_MAX_SUPPLY, wcd938x->supplies);
+
+ return ret;
}
static void wcd938x_remove(struct platform_device *pdev)
{
+ struct wcd938x_priv *wcd938x = dev_get_drvdata(&pdev->dev);
+
component_master_del(&pdev->dev, &wcd938x_comp_ops);
+ regulator_bulk_disable(WCD938X_MAX_SUPPLY, wcd938x->supplies);
+ regulator_bulk_free(WCD938X_MAX_SUPPLY, wcd938x->supplies);
}
#if defined(CONFIG_OF)
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 052/241] ASoC: codecs: wcd938x: fix runtime PM imbalance on remove
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (50 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 051/241] ASoC: codecs: wcd938x: fix regulator leaks on probe errors Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 053/241] qed: fix LL2 RX buffer allocation Greg Kroah-Hartman
` (198 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Kandagatla, Johan Hovold,
Mark Brown
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johan Hovold <johan+linaro@kernel.org>
commit 3ebebb2c1eca92a15107b2d7aeff34196fd9e217 upstream.
Make sure to balance the runtime PM operations, including the disable
count, on driver unbind.
Fixes: 16572522aece ("ASoC: codecs: wcd938x-sdw: add SoundWire driver")
Cc: stable@vger.kernel.org # 5.14
Cc: Srinivas Kandagatla <srinivas.kandagatla@linaro.org>
Signed-off-by: Johan Hovold <johan+linaro@kernel.org>
Link: https://lore.kernel.org/r/20231003155558.27079-6-johan+linaro@kernel.org
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
sound/soc/codecs/wcd938x.c | 10 ++++++++--
1 file changed, 8 insertions(+), 2 deletions(-)
--- a/sound/soc/codecs/wcd938x.c
+++ b/sound/soc/codecs/wcd938x.c
@@ -3620,9 +3620,15 @@ err_disable_regulators:
static void wcd938x_remove(struct platform_device *pdev)
{
- struct wcd938x_priv *wcd938x = dev_get_drvdata(&pdev->dev);
+ struct device *dev = &pdev->dev;
+ struct wcd938x_priv *wcd938x = dev_get_drvdata(dev);
+
+ component_master_del(dev, &wcd938x_comp_ops);
+
+ pm_runtime_disable(dev);
+ pm_runtime_set_suspended(dev);
+ pm_runtime_dont_use_autosuspend(dev);
- component_master_del(&pdev->dev, &wcd938x_comp_ops);
regulator_bulk_disable(WCD938X_MAX_SUPPLY, wcd938x->supplies);
regulator_bulk_free(WCD938X_MAX_SUPPLY, wcd938x->supplies);
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 053/241] qed: fix LL2 RX buffer allocation
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (51 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 052/241] ASoC: codecs: wcd938x: fix runtime PM imbalance on remove Greg Kroah-Hartman
@ 2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 054/241] xfrm: fix a data-race in xfrm_lookup_with_ifid() Greg Kroah-Hartman
` (197 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:53 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, David S. Miller, Manish Chopra
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Manish Chopra <manishc@marvell.com>
commit 2f3389c73832ad90b63208c0fc281ad080114c7a upstream.
Driver allocates the LL2 rx buffers from kmalloc()
area to construct the skb using slab_build_skb()
The required size allocation seems to have overlooked
for accounting both skb_shared_info size and device
placement padding bytes which results into the below
panic when doing skb_put() for a standard MTU sized frame.
skbuff: skb_over_panic: text:ffffffffc0b0225f len:1514 put:1514
head:ff3dabceaf39c000 data:ff3dabceaf39c042 tail:0x62c end:0x566
dev:<NULL>
…
skb_panic+0x48/0x4a
skb_put.cold+0x10/0x10
qed_ll2b_complete_rx_packet+0x14f/0x260 [qed]
qed_ll2_rxq_handle_completion.constprop.0+0x169/0x200 [qed]
qed_ll2_rxq_completion+0xba/0x320 [qed]
qed_int_sp_dpc+0x1a7/0x1e0 [qed]
This patch fixes this by accouting skb_shared_info and device
placement padding size bytes when allocating the buffers.
Cc: David S. Miller <davem@davemloft.net>
Fixes: 0a7fb11c23c0 ("qed: Add Light L2 support")
Signed-off-by: Manish Chopra <manishc@marvell.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/qlogic/qed/qed_ll2.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/qlogic/qed/qed_ll2.c
+++ b/drivers/net/ethernet/qlogic/qed/qed_ll2.c
@@ -113,7 +113,10 @@ static void qed_ll2b_complete_tx_packet(
static int qed_ll2_alloc_buffer(struct qed_dev *cdev,
u8 **data, dma_addr_t *phys_addr)
{
- *data = kmalloc(cdev->ll2->rx_size, GFP_ATOMIC);
+ size_t size = cdev->ll2->rx_size + NET_SKB_PAD +
+ SKB_DATA_ALIGN(sizeof(struct skb_shared_info));
+
+ *data = kmalloc(size, GFP_ATOMIC);
if (!(*data)) {
DP_INFO(cdev, "Failed to allocate LL2 buffer data\n");
return -ENOMEM;
@@ -2589,7 +2592,7 @@ static int qed_ll2_start(struct qed_dev
INIT_LIST_HEAD(&cdev->ll2->list);
spin_lock_init(&cdev->ll2->lock);
- cdev->ll2->rx_size = NET_SKB_PAD + ETH_HLEN +
+ cdev->ll2->rx_size = PRM_DMA_PAD_BYTES_NUM + ETH_HLEN +
L1_CACHE_BYTES + params->mtu;
/* Allocate memory for LL2.
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 054/241] xfrm: fix a data-race in xfrm_lookup_with_ifid()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (52 preceding siblings ...)
2023-10-23 10:53 ` [PATCH 6.5 053/241] qed: fix LL2 RX buffer allocation Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 055/241] xfrm6: fix inet6_dev refcount underflow problem Greg Kroah-Hartman
` (196 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet, Steffen Klassert
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit de5724ca38fd5e442bae9c1fab31942b6544012d upstream.
syzbot complains about a race in xfrm_lookup_with_ifid() [1]
When preparing commit 0a9e5794b21e ("xfrm: annotate data-race
around use_time") I thought xfrm_lookup_with_ifid() was modifying
a still private structure.
[1]
BUG: KCSAN: data-race in xfrm_lookup_with_ifid / xfrm_lookup_with_ifid
write to 0xffff88813ea41108 of 8 bytes by task 8150 on cpu 1:
xfrm_lookup_with_ifid+0xce7/0x12d0 net/xfrm/xfrm_policy.c:3218
xfrm_lookup net/xfrm/xfrm_policy.c:3270 [inline]
xfrm_lookup_route+0x3b/0x100 net/xfrm/xfrm_policy.c:3281
ip6_dst_lookup_flow+0x98/0xc0 net/ipv6/ip6_output.c:1246
send6+0x241/0x3c0 drivers/net/wireguard/socket.c:139
wg_socket_send_skb_to_peer+0xbd/0x130 drivers/net/wireguard/socket.c:178
wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200
wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
worker_thread+0x525/0x730 kernel/workqueue.c:2784
kthread+0x1d7/0x210 kernel/kthread.c:388
ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
write to 0xffff88813ea41108 of 8 bytes by task 15867 on cpu 0:
xfrm_lookup_with_ifid+0xce7/0x12d0 net/xfrm/xfrm_policy.c:3218
xfrm_lookup net/xfrm/xfrm_policy.c:3270 [inline]
xfrm_lookup_route+0x3b/0x100 net/xfrm/xfrm_policy.c:3281
ip6_dst_lookup_flow+0x98/0xc0 net/ipv6/ip6_output.c:1246
send6+0x241/0x3c0 drivers/net/wireguard/socket.c:139
wg_socket_send_skb_to_peer+0xbd/0x130 drivers/net/wireguard/socket.c:178
wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200
wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
worker_thread+0x525/0x730 kernel/workqueue.c:2784
kthread+0x1d7/0x210 kernel/kthread.c:388
ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
value changed: 0x00000000651cd9d1 -> 0x00000000651cd9d2
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 15867 Comm: kworker/u4:58 Not tainted 6.6.0-rc4-syzkaller-00016-g5e62ed3b1c8a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: wg-kex-wg2 wg_packet_handshake_send_worker
Fixes: 0a9e5794b21e ("xfrm: annotate data-race around use_time")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xfrm/xfrm_policy.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -3215,7 +3215,7 @@ no_transform:
}
for (i = 0; i < num_pols; i++)
- pols[i]->curlft.use_time = ktime_get_real_seconds();
+ WRITE_ONCE(pols[i]->curlft.use_time, ktime_get_real_seconds());
if (num_xfrms < 0) {
/* Prohibit the flow */
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 055/241] xfrm6: fix inet6_dev refcount underflow problem
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (53 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 054/241] xfrm: fix a data-race in xfrm_lookup_with_ifid() Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 056/241] xfrm: fix a data-race in xfrm_gen_index() Greg Kroah-Hartman
` (195 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Zhang Changzhong, Xin Long,
Steffen Klassert
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Zhang Changzhong <zhangchangzhong@huawei.com>
commit cc9b364bb1d58d3dae270c7a931a8cc717dc2b3b upstream.
There are race conditions that may lead to inet6_dev refcount underflow
in xfrm6_dst_destroy() and rt6_uncached_list_flush_dev().
One of the refcount underflow bugs is shown below:
(cpu 1) | (cpu 2)
xfrm6_dst_destroy() |
... |
in6_dev_put() |
| rt6_uncached_list_flush_dev()
... | ...
| in6_dev_put()
rt6_uncached_list_del() | ...
... |
xfrm6_dst_destroy() calls rt6_uncached_list_del() after in6_dev_put(),
so rt6_uncached_list_flush_dev() has a chance to call in6_dev_put()
again for the same inet6_dev.
Fix it by moving in6_dev_put() after rt6_uncached_list_del() in
xfrm6_dst_destroy().
Fixes: 510c321b5571 ("xfrm: reuse uncached_list to track xdsts")
Signed-off-by: Zhang Changzhong <zhangchangzhong@huawei.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/xfrm6_policy.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/ipv6/xfrm6_policy.c
+++ b/net/ipv6/xfrm6_policy.c
@@ -117,10 +117,10 @@ static void xfrm6_dst_destroy(struct dst
{
struct xfrm_dst *xdst = (struct xfrm_dst *)dst;
- if (likely(xdst->u.rt6.rt6i_idev))
- in6_dev_put(xdst->u.rt6.rt6i_idev);
dst_destroy_metrics_generic(dst);
rt6_uncached_list_del(&xdst->u.rt6);
+ if (likely(xdst->u.rt6.rt6i_idev))
+ in6_dev_put(xdst->u.rt6.rt6i_idev);
xfrm_dst_destroy(xdst);
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 056/241] xfrm: fix a data-race in xfrm_gen_index()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (54 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 055/241] xfrm6: fix inet6_dev refcount underflow problem Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 057/241] xfrm: interface: use DEV_STATS_INC() Greg Kroah-Hartman
` (194 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
Steffen Klassert, Herbert Xu
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 3e4bc23926b83c3c67e5f61ae8571602754131a6 upstream.
xfrm_gen_index() mutual exclusion uses net->xfrm.xfrm_policy_lock.
This means we must use a per-netns idx_generator variable,
instead of a static one.
Alternative would be to use an atomic variable.
syzbot reported:
BUG: KCSAN: data-race in xfrm_sk_policy_insert / xfrm_sk_policy_insert
write to 0xffffffff87005938 of 4 bytes by task 29466 on cpu 0:
xfrm_gen_index net/xfrm/xfrm_policy.c:1385 [inline]
xfrm_sk_policy_insert+0x262/0x640 net/xfrm/xfrm_policy.c:2347
xfrm_user_policy+0x413/0x540 net/xfrm/xfrm_state.c:2639
do_ipv6_setsockopt+0x1317/0x2ce0 net/ipv6/ipv6_sockglue.c:943
ipv6_setsockopt+0x57/0x130 net/ipv6/ipv6_sockglue.c:1012
rawv6_setsockopt+0x21e/0x410 net/ipv6/raw.c:1054
sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
__do_sys_setsockopt net/socket.c:2274 [inline]
__se_sys_setsockopt net/socket.c:2271 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read to 0xffffffff87005938 of 4 bytes by task 29460 on cpu 1:
xfrm_sk_policy_insert+0x13e/0x640
xfrm_user_policy+0x413/0x540 net/xfrm/xfrm_state.c:2639
do_ipv6_setsockopt+0x1317/0x2ce0 net/ipv6/ipv6_sockglue.c:943
ipv6_setsockopt+0x57/0x130 net/ipv6/ipv6_sockglue.c:1012
rawv6_setsockopt+0x21e/0x410 net/ipv6/raw.c:1054
sock_common_setsockopt+0x61/0x70 net/core/sock.c:3697
__sys_setsockopt+0x1c9/0x230 net/socket.c:2263
__do_sys_setsockopt net/socket.c:2274 [inline]
__se_sys_setsockopt net/socket.c:2271 [inline]
__x64_sys_setsockopt+0x66/0x80 net/socket.c:2271
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x00006ad8 -> 0x00006b18
Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 29460 Comm: syz-executor.1 Not tainted 6.5.0-rc5-syzkaller-00243-g9106536c1aa3 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Fixes: 1121994c803f ("netns xfrm: policy insertion in netns")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Cc: Herbert Xu <herbert@gondor.apana.org.au>
Acked-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/netns/xfrm.h | 1 +
net/xfrm/xfrm_policy.c | 6 ++----
2 files changed, 3 insertions(+), 4 deletions(-)
--- a/include/net/netns/xfrm.h
+++ b/include/net/netns/xfrm.h
@@ -50,6 +50,7 @@ struct netns_xfrm {
struct list_head policy_all;
struct hlist_head *policy_byidx;
unsigned int policy_idx_hmask;
+ unsigned int idx_generator;
struct hlist_head policy_inexact[XFRM_POLICY_MAX];
struct xfrm_policy_hash policy_bydst[XFRM_POLICY_MAX];
unsigned int policy_count[XFRM_POLICY_MAX * 2];
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -1372,8 +1372,6 @@ EXPORT_SYMBOL(xfrm_policy_hash_rebuild);
* of an absolute inpredictability of ordering of rules. This will not pass. */
static u32 xfrm_gen_index(struct net *net, int dir, u32 index)
{
- static u32 idx_generator;
-
for (;;) {
struct hlist_head *list;
struct xfrm_policy *p;
@@ -1381,8 +1379,8 @@ static u32 xfrm_gen_index(struct net *ne
int found;
if (!index) {
- idx = (idx_generator | dir);
- idx_generator += 8;
+ idx = (net->xfrm.idx_generator | dir);
+ net->xfrm.idx_generator += 8;
} else {
idx = index;
index = 0;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 057/241] xfrm: interface: use DEV_STATS_INC()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (55 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 056/241] xfrm: fix a data-race in xfrm_gen_index() Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 058/241] net: xfrm: skip policies marked as dead while reinserting policies Greg Kroah-Hartman
` (193 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet, Steffen Klassert
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit f7c4e3e5d4f6609b4725a97451948ca2e425379a upstream.
syzbot/KCSAN reported data-races in xfrm whenever dev->stats fields
are updated.
It appears all of these updates can happen from multiple cpus.
Adopt SMP safe DEV_STATS_INC() to update dev->stats fields.
BUG: KCSAN: data-race in xfrmi_xmit / xfrmi_xmit
read-write to 0xffff88813726b160 of 8 bytes by task 23986 on cpu 1:
xfrmi_xmit+0x74e/0xb20 net/xfrm/xfrm_interface_core.c:583
__netdev_start_xmit include/linux/netdevice.h:4889 [inline]
netdev_start_xmit include/linux/netdevice.h:4903 [inline]
xmit_one net/core/dev.c:3544 [inline]
dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340
dev_queue_xmit include/linux/netdevice.h:3082 [inline]
neigh_connected_output+0x231/0x2a0 net/core/neighbour.c:1581
neigh_output include/net/neighbour.h:542 [inline]
ip_finish_output2+0x74a/0x850 net/ipv4/ip_output.c:230
ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:318
NF_HOOK_COND include/linux/netfilter.h:293 [inline]
ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:432
dst_output include/net/dst.h:458 [inline]
ip_local_out net/ipv4/ip_output.c:127 [inline]
ip_send_skb+0x72/0xe0 net/ipv4/ip_output.c:1487
udp_send_skb+0x6a4/0x990 net/ipv4/udp.c:963
udp_sendmsg+0x1249/0x12d0 net/ipv4/udp.c:1246
inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:840
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
____sys_sendmsg+0x37c/0x4d0 net/socket.c:2540
___sys_sendmsg net/socket.c:2594 [inline]
__sys_sendmmsg+0x269/0x500 net/socket.c:2680
__do_sys_sendmmsg net/socket.c:2709 [inline]
__se_sys_sendmmsg net/socket.c:2706 [inline]
__x64_sys_sendmmsg+0x57/0x60 net/socket.c:2706
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
read-write to 0xffff88813726b160 of 8 bytes by task 23987 on cpu 0:
xfrmi_xmit+0x74e/0xb20 net/xfrm/xfrm_interface_core.c:583
__netdev_start_xmit include/linux/netdevice.h:4889 [inline]
netdev_start_xmit include/linux/netdevice.h:4903 [inline]
xmit_one net/core/dev.c:3544 [inline]
dev_hard_start_xmit+0x11b/0x3f0 net/core/dev.c:3560
__dev_queue_xmit+0xeee/0x1de0 net/core/dev.c:4340
dev_queue_xmit include/linux/netdevice.h:3082 [inline]
neigh_connected_output+0x231/0x2a0 net/core/neighbour.c:1581
neigh_output include/net/neighbour.h:542 [inline]
ip_finish_output2+0x74a/0x850 net/ipv4/ip_output.c:230
ip_finish_output+0xf4/0x240 net/ipv4/ip_output.c:318
NF_HOOK_COND include/linux/netfilter.h:293 [inline]
ip_output+0xe5/0x1b0 net/ipv4/ip_output.c:432
dst_output include/net/dst.h:458 [inline]
ip_local_out net/ipv4/ip_output.c:127 [inline]
ip_send_skb+0x72/0xe0 net/ipv4/ip_output.c:1487
udp_send_skb+0x6a4/0x990 net/ipv4/udp.c:963
udp_sendmsg+0x1249/0x12d0 net/ipv4/udp.c:1246
inet_sendmsg+0x63/0x80 net/ipv4/af_inet.c:840
sock_sendmsg_nosec net/socket.c:730 [inline]
sock_sendmsg net/socket.c:753 [inline]
____sys_sendmsg+0x37c/0x4d0 net/socket.c:2540
___sys_sendmsg net/socket.c:2594 [inline]
__sys_sendmmsg+0x269/0x500 net/socket.c:2680
__do_sys_sendmmsg net/socket.c:2709 [inline]
__se_sys_sendmmsg net/socket.c:2706 [inline]
__x64_sys_sendmmsg+0x57/0x60 net/socket.c:2706
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
value changed: 0x00000000000010d7 -> 0x00000000000010d8
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 23987 Comm: syz-executor.5 Not tainted 6.5.0-syzkaller-10885-g0468be89b3fa #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/26/2023
Fixes: f203b76d7809 ("xfrm: Add virtual xfrm interfaces")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xfrm/xfrm_interface_core.c | 22 ++++++++++------------
1 file changed, 10 insertions(+), 12 deletions(-)
--- a/net/xfrm/xfrm_interface_core.c
+++ b/net/xfrm/xfrm_interface_core.c
@@ -380,8 +380,8 @@ static int xfrmi_rcv_cb(struct sk_buff *
skb->dev = dev;
if (err) {
- dev->stats.rx_errors++;
- dev->stats.rx_dropped++;
+ DEV_STATS_INC(dev, rx_errors);
+ DEV_STATS_INC(dev, rx_dropped);
return 0;
}
@@ -426,7 +426,6 @@ static int
xfrmi_xmit2(struct sk_buff *skb, struct net_device *dev, struct flowi *fl)
{
struct xfrm_if *xi = netdev_priv(dev);
- struct net_device_stats *stats = &xi->dev->stats;
struct dst_entry *dst = skb_dst(skb);
unsigned int length = skb->len;
struct net_device *tdev;
@@ -473,7 +472,7 @@ xfrmi_xmit2(struct sk_buff *skb, struct
tdev = dst->dev;
if (tdev == dev) {
- stats->collisions++;
+ DEV_STATS_INC(dev, collisions);
net_warn_ratelimited("%s: Local routing loop detected!\n",
dev->name);
goto tx_err_dst_release;
@@ -512,13 +511,13 @@ xmit:
if (net_xmit_eval(err) == 0) {
dev_sw_netstats_tx_add(dev, 1, length);
} else {
- stats->tx_errors++;
- stats->tx_aborted_errors++;
+ DEV_STATS_INC(dev, tx_errors);
+ DEV_STATS_INC(dev, tx_aborted_errors);
}
return 0;
tx_err_link_failure:
- stats->tx_carrier_errors++;
+ DEV_STATS_INC(dev, tx_carrier_errors);
dst_link_failure(skb);
tx_err_dst_release:
dst_release(dst);
@@ -528,7 +527,6 @@ tx_err_dst_release:
static netdev_tx_t xfrmi_xmit(struct sk_buff *skb, struct net_device *dev)
{
struct xfrm_if *xi = netdev_priv(dev);
- struct net_device_stats *stats = &xi->dev->stats;
struct dst_entry *dst = skb_dst(skb);
struct flowi fl;
int ret;
@@ -545,7 +543,7 @@ static netdev_tx_t xfrmi_xmit(struct sk_
dst = ip6_route_output(dev_net(dev), NULL, &fl.u.ip6);
if (dst->error) {
dst_release(dst);
- stats->tx_carrier_errors++;
+ DEV_STATS_INC(dev, tx_carrier_errors);
goto tx_err;
}
skb_dst_set(skb, dst);
@@ -561,7 +559,7 @@ static netdev_tx_t xfrmi_xmit(struct sk_
fl.u.ip4.flowi4_flags |= FLOWI_FLAG_ANYSRC;
rt = __ip_route_output_key(dev_net(dev), &fl.u.ip4);
if (IS_ERR(rt)) {
- stats->tx_carrier_errors++;
+ DEV_STATS_INC(dev, tx_carrier_errors);
goto tx_err;
}
skb_dst_set(skb, &rt->dst);
@@ -580,8 +578,8 @@ static netdev_tx_t xfrmi_xmit(struct sk_
return NETDEV_TX_OK;
tx_err:
- stats->tx_errors++;
- stats->tx_dropped++;
+ DEV_STATS_INC(dev, tx_errors);
+ DEV_STATS_INC(dev, tx_dropped);
kfree_skb(skb);
return NETDEV_TX_OK;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 058/241] net: xfrm: skip policies marked as dead while reinserting policies
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (56 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 057/241] xfrm: interface: use DEV_STATS_INC() Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 059/241] fprobe: Fix to ensure the number of active retprobes is not zero Greg Kroah-Hartman
` (192 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Dong Chenchen, Steffen Klassert
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dong Chenchen <dongchenchen2@huawei.com>
commit 6d41d4fe28724db16ca1016df0713a07e0cc7448 upstream.
BUG: KASAN: slab-use-after-free in xfrm_policy_inexact_list_reinsert+0xb6/0x430
Read of size 1 at addr ffff8881051f3bf8 by task ip/668
CPU: 2 PID: 668 Comm: ip Not tainted 6.5.0-rc5-00182-g25aa0bebba72-dirty #64
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x72/0xa0
print_report+0xd0/0x620
kasan_report+0xb6/0xf0
xfrm_policy_inexact_list_reinsert+0xb6/0x430
xfrm_policy_inexact_insert_node.constprop.0+0x537/0x800
xfrm_policy_inexact_alloc_chain+0x23f/0x320
xfrm_policy_inexact_insert+0x6b/0x590
xfrm_policy_insert+0x3b1/0x480
xfrm_add_policy+0x23c/0x3c0
xfrm_user_rcv_msg+0x2d0/0x510
netlink_rcv_skb+0x10d/0x2d0
xfrm_netlink_rcv+0x49/0x60
netlink_unicast+0x3fe/0x540
netlink_sendmsg+0x528/0x970
sock_sendmsg+0x14a/0x160
____sys_sendmsg+0x4fc/0x580
___sys_sendmsg+0xef/0x160
__sys_sendmsg+0xf7/0x1b0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x73/0xdd
The root cause is:
cpu 0 cpu1
xfrm_dump_policy
xfrm_policy_walk
list_move_tail
xfrm_add_policy
... ...
xfrm_policy_inexact_list_reinsert
list_for_each_entry_reverse
if (!policy->bydst_reinsert)
//read non-existent policy
xfrm_dump_policy_done
xfrm_policy_walk_done
list_del(&walk->walk.all);
If dump_one_policy() returns err (triggered by netlink socket),
xfrm_policy_walk() will move walk initialized by socket to list
net->xfrm.policy_all. so this socket becomes visible in the global
policy list. The head *walk can be traversed when users add policies
with different prefixlen and trigger xfrm_policy node merge.
The issue can also be triggered by policy list traversal while rehashing
and flushing policies.
It can be fixed by skip such "policies" with walk.dead set to 1.
Fixes: 9cf545ebd591 ("xfrm: policy: store inexact policies in a tree ordered by destination address")
Fixes: 12a169e7d8f4 ("ipsec: Put dumpers on the dump list")
Signed-off-by: Dong Chenchen <dongchenchen2@huawei.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/xfrm/xfrm_policy.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- a/net/xfrm/xfrm_policy.c
+++ b/net/xfrm/xfrm_policy.c
@@ -851,7 +851,7 @@ static void xfrm_policy_inexact_list_rei
struct hlist_node *newpos = NULL;
bool matches_s, matches_d;
- if (!policy->bydst_reinsert)
+ if (policy->walk.dead || !policy->bydst_reinsert)
continue;
WARN_ON_ONCE(policy->family != family);
@@ -1256,8 +1256,11 @@ static void xfrm_hash_rebuild(struct wor
struct xfrm_pol_inexact_bin *bin;
u8 dbits, sbits;
+ if (policy->walk.dead)
+ continue;
+
dir = xfrm_policy_id2dir(policy->index);
- if (policy->walk.dead || dir >= XFRM_POLICY_MAX)
+ if (dir >= XFRM_POLICY_MAX)
continue;
if ((dir & XFRM_POLICY_MASK) == XFRM_POLICY_OUT) {
@@ -1821,9 +1824,11 @@ int xfrm_policy_flush(struct net *net, u
again:
list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
+ if (pol->walk.dead)
+ continue;
+
dir = xfrm_policy_id2dir(pol->index);
- if (pol->walk.dead ||
- dir >= XFRM_POLICY_MAX ||
+ if (dir >= XFRM_POLICY_MAX ||
pol->type != type)
continue;
@@ -1860,9 +1865,11 @@ int xfrm_dev_policy_flush(struct net *ne
again:
list_for_each_entry(pol, &net->xfrm.policy_all, walk.all) {
+ if (pol->walk.dead)
+ continue;
+
dir = xfrm_policy_id2dir(pol->index);
- if (pol->walk.dead ||
- dir >= XFRM_POLICY_MAX ||
+ if (dir >= XFRM_POLICY_MAX ||
pol->xdo.dev != dev)
continue;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 059/241] fprobe: Fix to ensure the number of active retprobes is not zero
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (57 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 058/241] net: xfrm: skip policies marked as dead while reinserting policies Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 060/241] wifi: cfg80211: use system_unbound_wq for wiphy work Greg Kroah-Hartman
` (191 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, wuqiang.matt, Masami Hiramatsu (Google)
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Masami Hiramatsu (Google) <mhiramat@kernel.org>
commit 700b2b439766e8aab8a7174991198497345bd411 upstream.
The number of active retprobes can be zero but it is not acceptable,
so return EINVAL error if detected.
Link: https://lore.kernel.org/all/169750018550.186853.11198884812017796410.stgit@devnote2/
Reported-by: wuqiang.matt <wuqiang.matt@bytedance.com>
Closes: https://lore.kernel.org/all/20231016222103.cb9f426edc60220eabd8aa6a@kernel.org/
Fixes: 5b0ab78998e3 ("fprobe: Add exit_handler support")
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/fprobe.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/kernel/trace/fprobe.c
+++ b/kernel/trace/fprobe.c
@@ -189,7 +189,7 @@ static int fprobe_init_rethook(struct fp
{
int i, size;
- if (num < 0)
+ if (num <= 0)
return -EINVAL;
if (!fp->exit_handler) {
@@ -202,8 +202,8 @@ static int fprobe_init_rethook(struct fp
size = fp->nr_maxactive;
else
size = num * num_possible_cpus() * 2;
- if (size < 0)
- return -E2BIG;
+ if (size <= 0)
+ return -EINVAL;
fp->rethook = rethook_alloc((void *)fp, fprobe_exit_handler);
if (!fp->rethook)
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 060/241] wifi: cfg80211: use system_unbound_wq for wiphy work
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (58 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 059/241] fprobe: Fix to ensure the number of active retprobes is not zero Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 061/241] net: ipv4: fix return value check in esp_remove_trailer Greg Kroah-Hartman
` (190 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Kalle Valo
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
commit 91d20ab9d9ca035527af503d00e1e30d6c375f2a upstream.
Since wiphy work items can run pretty much arbitrary
code in the stack/driver, it can take longer to run
all of this, so we shouldn't be using system_wq via
schedule_work(). Also, we lock the wiphy (which is
the reason this exists), so use system_unbound_wq.
Reported-and-tested-by: Kalle Valo <kvalo@kernel.org>
Fixes: a3ee4dc84c4e ("wifi: cfg80211: add a work abstraction with special semantics")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/wireless/core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/wireless/core.c
+++ b/net/wireless/core.c
@@ -1622,7 +1622,7 @@ void wiphy_work_queue(struct wiphy *wiph
list_add_tail(&work->entry, &rdev->wiphy_work_list);
spin_unlock_irqrestore(&rdev->wiphy_work_lock, flags);
- schedule_work(&rdev->wiphy_work);
+ queue_work(system_unbound_wq, &rdev->wiphy_work);
}
EXPORT_SYMBOL_GPL(wiphy_work_queue);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 061/241] net: ipv4: fix return value check in esp_remove_trailer
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (59 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 060/241] wifi: cfg80211: use system_unbound_wq for wiphy work Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 062/241] net: ipv6: " Greg Kroah-Hartman
` (189 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Steffen Klassert
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make_ruc2021@163.com>
commit 513f61e2193350c7a345da98559b80f61aec4fa6 upstream.
In esp_remove_trailer(), to avoid an unexpected result returned by
pskb_trim, we should check the return value of pskb_trim().
Signed-off-by: Ma Ke <make_ruc2021@163.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/esp4.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/ipv4/esp4.c
+++ b/net/ipv4/esp4.c
@@ -732,7 +732,9 @@ static inline int esp_remove_trailer(str
skb->csum = csum_block_sub(skb->csum, csumdiff,
skb->len - trimlen);
}
- pskb_trim(skb, skb->len - trimlen);
+ ret = pskb_trim(skb, skb->len - trimlen);
+ if (unlikely(ret))
+ return ret;
ret = nexthdr[1];
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 062/241] net: ipv6: fix return value check in esp_remove_trailer
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (60 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 061/241] net: ipv4: fix return value check in esp_remove_trailer Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 063/241] net: rfkill: gpio: prevent value glitch during probe Greg Kroah-Hartman
` (188 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Steffen Klassert
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make_ruc2021@163.com>
commit dad4e491e30b20f4dc615c9da65d2142d703b5c2 upstream.
In esp_remove_trailer(), to avoid an unexpected result returned by
pskb_trim, we should check the return value of pskb_trim().
Signed-off-by: Ma Ke <make_ruc2021@163.com>
Signed-off-by: Steffen Klassert <steffen.klassert@secunet.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv6/esp6.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/net/ipv6/esp6.c
+++ b/net/ipv6/esp6.c
@@ -770,7 +770,9 @@ static inline int esp_remove_trailer(str
skb->csum = csum_block_sub(skb->csum, csumdiff,
skb->len - trimlen);
}
- pskb_trim(skb, skb->len - trimlen);
+ ret = pskb_trim(skb, skb->len - trimlen);
+ if (unlikely(ret))
+ return ret;
ret = nexthdr[1];
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 063/241] net: rfkill: gpio: prevent value glitch during probe
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (61 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 062/241] net: ipv6: " Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 064/241] tcp: fix excessive TLP and RACK timeouts from HZ rounding Greg Kroah-Hartman
` (187 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Josua Mayer, Johannes Berg
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josua Mayer <josua@solid-run.com>
commit b2f750c3a80b285cd60c9346f8c96bd0a2a66cde upstream.
When either reset- or shutdown-gpio have are initially deasserted,
e.g. after a reboot - or when the hardware does not include pull-down,
there will be a short toggle of both IOs to logical 0 and back to 1.
It seems that the rfkill default is unblocked, so the driver should not
glitch to output low during probe.
It can lead e.g. to unexpected lte modem reconnect:
[1] root@localhost:~# dmesg | grep "usb 2-1"
[ 2.136124] usb 2-1: new SuperSpeed USB device number 2 using xhci-hcd
[ 21.215278] usb 2-1: USB disconnect, device number 2
[ 28.833977] usb 2-1: new SuperSpeed USB device number 3 using xhci-hcd
The glitch has been discovered on an arm64 board, now that device-tree
support for the rfkill-gpio driver has finally appeared :).
Change the flags for devm_gpiod_get_optional from GPIOD_OUT_LOW to
GPIOD_ASIS to avoid any glitches.
The rfkill driver will set the intended value during rfkill_sync_work.
Fixes: 7176ba23f8b5 ("net: rfkill: add generic gpio rfkill driver")
Signed-off-by: Josua Mayer <josua@solid-run.com>
Link: https://lore.kernel.org/r/20231004163928.14609-1-josua@solid-run.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rfkill/rfkill-gpio.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/net/rfkill/rfkill-gpio.c
+++ b/net/rfkill/rfkill-gpio.c
@@ -108,13 +108,13 @@ static int rfkill_gpio_probe(struct plat
rfkill->clk = devm_clk_get(&pdev->dev, NULL);
- gpio = devm_gpiod_get_optional(&pdev->dev, "reset", GPIOD_OUT_LOW);
+ gpio = devm_gpiod_get_optional(&pdev->dev, "reset", GPIOD_ASIS);
if (IS_ERR(gpio))
return PTR_ERR(gpio);
rfkill->reset_gpio = gpio;
- gpio = devm_gpiod_get_optional(&pdev->dev, "shutdown", GPIOD_OUT_LOW);
+ gpio = devm_gpiod_get_optional(&pdev->dev, "shutdown", GPIOD_ASIS);
if (IS_ERR(gpio))
return PTR_ERR(gpio);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 064/241] tcp: fix excessive TLP and RACK timeouts from HZ rounding
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (62 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 063/241] net: rfkill: gpio: prevent value glitch during probe Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 065/241] tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb Greg Kroah-Hartman
` (186 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Eric Dumazet, Neal Cardwell,
Yuchung Cheng, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Neal Cardwell <ncardwell@google.com>
commit 1c2709cfff1dedbb9591e989e2f001484208d914 upstream.
We discovered from packet traces of slow loss recovery on kernels with
the default HZ=250 setting (and min_rtt < 1ms) that after reordering,
when receiving a SACKed sequence range, the RACK reordering timer was
firing after about 16ms rather than the desired value of roughly
min_rtt/4 + 2ms. The problem is largely due to the RACK reorder timer
calculation adding in TCP_TIMEOUT_MIN, which is 2 jiffies. On kernels
with HZ=250, this is 2*4ms = 8ms. The TLP timer calculation has the
exact same issue.
This commit fixes the TLP transmit timer and RACK reordering timer
floor calculation to more closely match the intended 2ms floor even on
kernels with HZ=250. It does this by adding in a new
TCP_TIMEOUT_MIN_US floor of 2000 us and then converting to jiffies,
instead of the current approach of converting to jiffies and then
adding th TCP_TIMEOUT_MIN value of 2 jiffies.
Our testing has verified that on kernels with HZ=1000, as expected,
this does not produce significant changes in behavior, but on kernels
with the default HZ=250 the latency improvement can be large. For
example, our tests show that for HZ=250 kernels at low RTTs this fix
roughly halves the latency for the RACK reorder timer: instead of
mostly firing at 16ms it mostly fires at 8ms.
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Neal Cardwell <ncardwell@google.com>
Signed-off-by: Yuchung Cheng <ycheng@google.com>
Fixes: bb4d991a28cc ("tcp: adjust tail loss probe timeout")
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20231015174700.2206872-1-ncardwell.sw@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/tcp.h | 3 +++
net/ipv4/tcp_output.c | 9 +++++----
net/ipv4/tcp_recovery.c | 2 +-
3 files changed, 9 insertions(+), 5 deletions(-)
--- a/include/net/tcp.h
+++ b/include/net/tcp.h
@@ -142,6 +142,9 @@ void tcp_time_wait(struct sock *sk, int
#define TCP_RTO_MAX ((unsigned)(120*HZ))
#define TCP_RTO_MIN ((unsigned)(HZ/5))
#define TCP_TIMEOUT_MIN (2U) /* Min timeout for TCP timers in jiffies */
+
+#define TCP_TIMEOUT_MIN_US (2*USEC_PER_MSEC) /* Min TCP timeout in microsecs */
+
#define TCP_TIMEOUT_INIT ((unsigned)(1*HZ)) /* RFC6298 2.1 initial RTO value */
#define TCP_TIMEOUT_FALLBACK ((unsigned)(3*HZ)) /* RFC 1122 initial RTO value, now
* used as a fallback RTO for the
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2773,7 +2773,7 @@ bool tcp_schedule_loss_probe(struct sock
{
struct inet_connection_sock *icsk = inet_csk(sk);
struct tcp_sock *tp = tcp_sk(sk);
- u32 timeout, rto_delta_us;
+ u32 timeout, timeout_us, rto_delta_us;
int early_retrans;
/* Don't do any loss probe on a Fast Open connection before 3WHS
@@ -2797,11 +2797,12 @@ bool tcp_schedule_loss_probe(struct sock
* sample is available then probe after TCP_TIMEOUT_INIT.
*/
if (tp->srtt_us) {
- timeout = usecs_to_jiffies(tp->srtt_us >> 2);
+ timeout_us = tp->srtt_us >> 2;
if (tp->packets_out == 1)
- timeout += TCP_RTO_MIN;
+ timeout_us += tcp_rto_min_us(sk);
else
- timeout += TCP_TIMEOUT_MIN;
+ timeout_us += TCP_TIMEOUT_MIN_US;
+ timeout = usecs_to_jiffies(timeout_us);
} else {
timeout = TCP_TIMEOUT_INIT;
}
--- a/net/ipv4/tcp_recovery.c
+++ b/net/ipv4/tcp_recovery.c
@@ -104,7 +104,7 @@ bool tcp_rack_mark_lost(struct sock *sk)
tp->rack.advanced = 0;
tcp_rack_detect_loss(sk, &timeout);
if (timeout) {
- timeout = usecs_to_jiffies(timeout) + TCP_TIMEOUT_MIN;
+ timeout = usecs_to_jiffies(timeout + TCP_TIMEOUT_MIN_US);
inet_csk_reset_xmit_timer(sk, ICSK_TIME_REO_TIMEOUT,
timeout, inet_csk(sk)->icsk_rto);
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 065/241] tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (63 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 064/241] tcp: fix excessive TLP and RACK timeouts from HZ rounding Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 066/241] tcp: Fix listen() warning with v4-mapped-v6 address Greg Kroah-Hartman
` (185 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stefan Wahren, Eric Dumazet,
Neal Cardwell, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit f921a4a5bffa8a0005b190fb9421a7fc1fd716b6 upstream.
In commit 75eefc6c59fd ("tcp: tsq: add a shortcut in tcp_small_queue_check()")
we allowed to send an skb regardless of TSQ limits being hit if rtx queue
was empty or had a single skb, in order to better fill the pipe
when/if TX completions were slow.
Then later, commit 75c119afe14f ("tcp: implement rb-tree based
retransmit queue") accidentally removed the special case for
one skb in rtx queue.
Stefan Wahren reported a regression in single TCP flow throughput
using a 100Mbit fec link, starting from commit 65466904b015 ("tcp: adjust
TSO packet sizes based on min_rtt"). This last commit only made the
regression more visible, because it locked the TCP flow on a particular
behavior where TSQ prevented two skbs being pushed downstream,
adding silences on the wire between each TSO packet.
Many thanks to Stefan for his invaluable help !
Fixes: 75c119afe14f ("tcp: implement rb-tree based retransmit queue")
Link: https://lore.kernel.org/netdev/7f31ddc8-9971-495e-a1f6-819df542e0af@gmx.net/
Reported-by: Stefan Wahren <wahrenst@gmx.net>
Tested-by: Stefan Wahren <wahrenst@gmx.net>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Neal Cardwell <ncardwell@google.com>
Link: https://lore.kernel.org/r/20231017124526.4060202-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/tcp_output.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- a/net/ipv4/tcp_output.c
+++ b/net/ipv4/tcp_output.c
@@ -2527,6 +2527,18 @@ static bool tcp_pacing_check(struct sock
return true;
}
+static bool tcp_rtx_queue_empty_or_single_skb(const struct sock *sk)
+{
+ const struct rb_node *node = sk->tcp_rtx_queue.rb_node;
+
+ /* No skb in the rtx queue. */
+ if (!node)
+ return true;
+
+ /* Only one skb in rtx queue. */
+ return !node->rb_left && !node->rb_right;
+}
+
/* TCP Small Queues :
* Control number of packets in qdisc/devices to two packets / or ~1 ms.
* (These limits are doubled for retransmits)
@@ -2564,12 +2576,12 @@ static bool tcp_small_queue_check(struct
limit += extra_bytes;
}
if (refcount_read(&sk->sk_wmem_alloc) > limit) {
- /* Always send skb if rtx queue is empty.
+ /* Always send skb if rtx queue is empty or has one skb.
* No need to wait for TX completion to call us back,
* after softirq/tasklet schedule.
* This helps when TX completions are delayed too much.
*/
- if (tcp_rtx_queue_empty(sk))
+ if (tcp_rtx_queue_empty_or_single_skb(sk))
return false;
set_bit(TSQ_THROTTLED, &sk->sk_tsq_flags);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 066/241] tcp: Fix listen() warning with v4-mapped-v6 address.
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (64 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 065/241] tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 067/241] docs: fix info about representor identification Greg Kroah-Hartman
` (184 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+71e724675ba3958edb31,
Kuniyuki Iwashima, Eric Dumazet, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kuniyuki Iwashima <kuniyu@amazon.com>
commit 8702cf12e6ba91616a72d684e90357977972991b upstream.
syzbot reported a warning [0] introduced by commit c48ef9c4aed3 ("tcp: Fix
bind() regression for v4-mapped-v6 non-wildcard address.").
After the cited commit, a v4 socket's address matches the corresponding
v4-mapped-v6 tb2 in inet_bind2_bucket_match_addr(), not vice versa.
During X.X.X.X -> ::ffff:X.X.X.X order bind()s, the second bind() uses
bhash and conflicts properly without checking bhash2 so that we need not
check if a v4-mapped-v6 sk matches the corresponding v4 address tb2 in
inet_bind2_bucket_match_addr(). However, the repro shows that we need
to check that in a no-conflict case.
The repro bind()s two sockets to the 2-tuples using SO_REUSEPORT and calls
listen() for the first socket:
from socket import *
s1 = socket()
s1.setsockopt(SOL_SOCKET, SO_REUSEPORT, 1)
s1.bind(('127.0.0.1', 0))
s2 = socket(AF_INET6)
s2.setsockopt(SOL_SOCKET, SO_REUSEPORT, 1)
s2.bind(('::ffff:127.0.0.1', s1.getsockname()[1]))
s1.listen()
The second socket should belong to the first socket's tb2, but the second
bind() creates another tb2 bucket because inet_bind2_bucket_find() returns
NULL in inet_csk_get_port() as the v4-mapped-v6 sk does not match the
corresponding v4 address tb2.
bhash2[] -> tb2(::ffff:X.X.X.X) -> tb2(X.X.X.X)
Then, listen() for the first socket calls inet_csk_get_port(), where the
v4 address matches the v4-mapped-v6 tb2 and WARN_ON() is triggered.
To avoid that, we need to check if v4-mapped-v6 sk address matches with
the corresponding v4 address tb2 in inet_bind2_bucket_match().
The same checks are needed in inet_bind2_bucket_addr_match() too, so we
can move all checks there and call it from inet_bind2_bucket_match().
Note that now tb->family is just an address family of tb->(v6_)?rcv_saddr
and not of sockets in the bucket. This could be refactored later by
defining tb->rcv_saddr as tb->v6_rcv_saddr.s6_addr32[3] and prepending
::ffff: when creating v4 tb2.
[0]:
WARNING: CPU: 0 PID: 5049 at net/ipv4/inet_connection_sock.c:587 inet_csk_get_port+0xf96/0x2350 net/ipv4/inet_connection_sock.c:587
Modules linked in:
CPU: 0 PID: 5049 Comm: syz-executor288 Not tainted 6.6.0-rc2-syzkaller-00018-g2cf0f7156238 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/04/2023
RIP: 0010:inet_csk_get_port+0xf96/0x2350 net/ipv4/inet_connection_sock.c:587
Code: 7c 24 08 e8 4c b6 8a 01 31 d2 be 88 01 00 00 48 c7 c7 e0 94 ae 8b e8 59 2e a3 f8 2e 2e 2e 31 c0 e9 04 fe ff ff e8 ca 88 d0 f8 <0f> 0b e9 0f f9 ff ff e8 be 88 d0 f8 49 8d 7e 48 e8 65 ca 5a 00 31
RSP: 0018:ffffc90003abfbf0 EFLAGS: 00010293
RAX: 0000000000000000 RBX: ffff888026429100 RCX: 0000000000000000
RDX: ffff88807edcbb80 RSI: ffffffff88b73d66 RDI: ffff888026c49f38
RBP: ffff888026c49f30 R08: 0000000000000005 R09: 0000000000000000
R10: 0000000000000001 R11: 0000000000000000 R12: ffffffff9260f200
R13: ffff888026c49880 R14: 0000000000000000 R15: ffff888026429100
FS: 00005555557d5380(0000) GS:ffff8880b9800000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 000000000045ad50 CR3: 0000000025754000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
inet_csk_listen_start+0x155/0x360 net/ipv4/inet_connection_sock.c:1256
__inet_listen_sk+0x1b8/0x5c0 net/ipv4/af_inet.c:217
inet_listen+0x93/0xd0 net/ipv4/af_inet.c:239
__sys_listen+0x194/0x270 net/socket.c:1866
__do_sys_listen net/socket.c:1875 [inline]
__se_sys_listen net/socket.c:1873 [inline]
__x64_sys_listen+0x53/0x80 net/socket.c:1873
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x38/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd
RIP: 0033:0x7f3a5bce3af9
Code: 28 00 00 00 75 05 48 83 c4 28 c3 e8 c1 17 00 00 90 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffc1a1c79e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000032
RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f3a5bce3af9
RDX: 00007f3a5bce3af9 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00007f3a5bd565f0 R08: 0000000000000006 R09: 0000000000000006
R10: 0000000000000006 R11: 0000000000000246 R12: 0000000000000001
R13: 431bde82d7b634db R14: 0000000000000001 R15: 0000000000000001
</TASK>
Fixes: c48ef9c4aed3 ("tcp: Fix bind() regression for v4-mapped-v6 non-wildcard address.")
Reported-by: syzbot+71e724675ba3958edb31@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=71e724675ba3958edb31
Signed-off-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20231010013814.70571-1-kuniyu@amazon.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/inet_hashtables.c | 24 +++++++++---------------
1 file changed, 9 insertions(+), 15 deletions(-)
--- a/net/ipv4/inet_hashtables.c
+++ b/net/ipv4/inet_hashtables.c
@@ -148,8 +148,14 @@ static bool inet_bind2_bucket_addr_match
const struct sock *sk)
{
#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family != tb2->family)
- return false;
+ if (sk->sk_family != tb2->family) {
+ if (sk->sk_family == AF_INET)
+ return ipv6_addr_v4mapped(&tb2->v6_rcv_saddr) &&
+ tb2->v6_rcv_saddr.s6_addr32[3] == sk->sk_rcv_saddr;
+
+ return ipv6_addr_v4mapped(&sk->sk_v6_rcv_saddr) &&
+ sk->sk_v6_rcv_saddr.s6_addr32[3] == tb2->rcv_saddr;
+ }
if (sk->sk_family == AF_INET6)
return ipv6_addr_equal(&tb2->v6_rcv_saddr,
@@ -799,19 +805,7 @@ static bool inet_bind2_bucket_match(cons
tb->l3mdev != l3mdev)
return false;
-#if IS_ENABLED(CONFIG_IPV6)
- if (sk->sk_family != tb->family) {
- if (sk->sk_family == AF_INET)
- return ipv6_addr_v4mapped(&tb->v6_rcv_saddr) &&
- tb->v6_rcv_saddr.s6_addr32[3] == sk->sk_rcv_saddr;
-
- return false;
- }
-
- if (sk->sk_family == AF_INET6)
- return ipv6_addr_equal(&tb->v6_rcv_saddr, &sk->sk_v6_rcv_saddr);
-#endif
- return tb->rcv_saddr == sk->sk_rcv_saddr;
+ return inet_bind2_bucket_addr_match(tb, sk);
}
bool inet_bind2_bucket_match_addr_any(const struct inet_bind2_bucket *tb, const struct net *net,
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 067/241] docs: fix info about representor identification
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (65 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 066/241] tcp: Fix listen() warning with v4-mapped-v6 address Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 068/241] tun: prevent negative ifindex Greg Kroah-Hartman
` (183 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mateusz Polchlopek, Wojciech Drewek,
Przemek Kitszel, Edward Cree, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
commit a258c804aa8742763dce694b5e992d7ccf4294f2 upstream.
Update the "How are representors identified?" documentation
subchapter. For newer kernels driver should use
SET_NETDEV_DEVLINK_PORT instead of ndo_get_devlink_port()
callback.
Fixes: 7712b3e966ea ("Merge branch 'net-fix-netdev-to-devlink_port-linkage-and-expose-to-user'")
Signed-off-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
Reviewed-by: Wojciech Drewek <wojciech.drewek@intel.com>
Reviewed-by: Przemek Kitszel <przemyslaw.kitszel@intel.com>
Reviewed-by: Edward Cree <ecree.xilinx@gmail.com>
Link: https://lore.kernel.org/r/20231012123144.15768-1-mateusz.polchlopek@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/networking/representors.rst | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/Documentation/networking/representors.rst b/Documentation/networking/representors.rst
index ee1f5cd54496..decb39c19b9e 100644
--- a/Documentation/networking/representors.rst
+++ b/Documentation/networking/representors.rst
@@ -162,9 +162,11 @@ How are representors identified?
The representor netdevice should *not* directly refer to a PCIe device (e.g.
through ``net_dev->dev.parent`` / ``SET_NETDEV_DEV()``), either of the
representee or of the switchdev function.
-Instead, it should implement the ``ndo_get_devlink_port()`` netdevice op, which
-the kernel uses to provide the ``phys_switch_id`` and ``phys_port_name`` sysfs
-nodes. (Some legacy drivers implement ``ndo_get_port_parent_id()`` and
+Instead, the driver should use the ``SET_NETDEV_DEVLINK_PORT`` macro to
+assign a devlink port instance to the netdevice before registering the
+netdevice; the kernel uses the devlink port to provide the ``phys_switch_id``
+and ``phys_port_name`` sysfs nodes.
+(Some legacy drivers implement ``ndo_get_port_parent_id()`` and
``ndo_get_phys_port_name()`` directly, but this is deprecated.) See
:ref:`Documentation/networking/devlink/devlink-port.rst <devlink_port>` for the
details of this API.
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 068/241] tun: prevent negative ifindex
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (66 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 067/241] docs: fix info about representor identification Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 069/241] gve: Do not fully free QPL pages on prefill errors Greg Kroah-Hartman
` (182 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet,
Willem de Bruijn, Jason Wang, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit cbfbfe3aee718dc4c3c837f5d2463170ee59d78c upstream.
After commit 956db0a13b47 ("net: warn about attempts to register
negative ifindex") syzbot is able to trigger the following splat.
Negative ifindex are not supported.
WARNING: CPU: 1 PID: 6003 at net/core/dev.c:9596 dev_index_reserve+0x104/0x210
Modules linked in:
CPU: 1 PID: 6003 Comm: syz-executor926 Not tainted 6.6.0-rc4-syzkaller-g19af4a4ed414 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
pstate: 80400005 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=--)
pc : dev_index_reserve+0x104/0x210
lr : dev_index_reserve+0x100/0x210
sp : ffff800096a878e0
x29: ffff800096a87930 x28: ffff0000d04380d0 x27: ffff0000d04380f8
x26: ffff0000d04380f0 x25: 1ffff00012d50f20 x24: 1ffff00012d50f1c
x23: dfff800000000000 x22: ffff8000929c21c0 x21: 00000000ffffffea
x20: ffff0000d04380e0 x19: ffff800096a87900 x18: ffff800096a874c0
x17: ffff800084df5008 x16: ffff80008051f9c4 x15: 0000000000000001
x14: 1fffe0001a087198 x13: 0000000000000000 x12: 0000000000000000
x11: 0000000000000000 x10: 0000000000000000 x9 : 0000000000000000
x8 : ffff0000d41c9bc0 x7 : 0000000000000000 x6 : 0000000000000000
x5 : ffff800091763d88 x4 : 0000000000000000 x3 : ffff800084e04748
x2 : 0000000000000001 x1 : 00000000fead71c7 x0 : 0000000000000000
Call trace:
dev_index_reserve+0x104/0x210
register_netdevice+0x598/0x1074 net/core/dev.c:10084
tun_set_iff+0x630/0xb0c drivers/net/tun.c:2850
__tun_chr_ioctl+0x788/0x2af8 drivers/net/tun.c:3118
tun_chr_ioctl+0x38/0x4c drivers/net/tun.c:3403
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:871 [inline]
__se_sys_ioctl fs/ioctl.c:857 [inline]
__arm64_sys_ioctl+0x14c/0x1c8 fs/ioctl.c:857
__invoke_syscall arch/arm64/kernel/syscall.c:37 [inline]
invoke_syscall+0x98/0x2b8 arch/arm64/kernel/syscall.c:51
el0_svc_common+0x130/0x23c arch/arm64/kernel/syscall.c:136
do_el0_svc+0x48/0x58 arch/arm64/kernel/syscall.c:155
el0_svc+0x58/0x16c arch/arm64/kernel/entry-common.c:678
el0t_64_sync_handler+0x84/0xfc arch/arm64/kernel/entry-common.c:696
el0t_64_sync+0x190/0x194 arch/arm64/kernel/entry.S:595
irq event stamp: 11348
hardirqs last enabled at (11347): [<ffff80008a716574>] __raw_spin_unlock_irqrestore include/linux/spinlock_api_smp.h:151 [inline]
hardirqs last enabled at (11347): [<ffff80008a716574>] _raw_spin_unlock_irqrestore+0x38/0x98 kernel/locking/spinlock.c:194
hardirqs last disabled at (11348): [<ffff80008a627820>] el1_dbg+0x24/0x80 arch/arm64/kernel/entry-common.c:436
softirqs last enabled at (11138): [<ffff8000887ca53c>] spin_unlock_bh include/linux/spinlock.h:396 [inline]
softirqs last enabled at (11138): [<ffff8000887ca53c>] release_sock+0x15c/0x1b0 net/core/sock.c:3531
softirqs last disabled at (11136): [<ffff8000887ca41c>] spin_lock_bh include/linux/spinlock.h:356 [inline]
softirqs last disabled at (11136): [<ffff8000887ca41c>] release_sock+0x3c/0x1b0 net/core/sock.c:3518
Fixes: fb7589a16216 ("tun: Add ability to create tun device with given index")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://lore.kernel.org/r/20231016180851.3560092-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/tun.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -3068,10 +3068,11 @@ static long __tun_chr_ioctl(struct file
struct net *net = sock_net(&tfile->sk);
struct tun_struct *tun;
void __user* argp = (void __user*)arg;
- unsigned int ifindex, carrier;
+ unsigned int carrier;
struct ifreq ifr;
kuid_t owner;
kgid_t group;
+ int ifindex;
int sndbuf;
int vnet_hdr_sz;
int le;
@@ -3127,7 +3128,9 @@ static long __tun_chr_ioctl(struct file
ret = -EFAULT;
if (copy_from_user(&ifindex, argp, sizeof(ifindex)))
goto unlock;
-
+ ret = -EINVAL;
+ if (ifindex < 0)
+ goto unlock;
ret = 0;
tfile->ifindex = ifindex;
goto unlock;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 069/241] gve: Do not fully free QPL pages on prefill errors
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (67 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 068/241] tun: prevent negative ifindex Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 070/241] ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr Greg Kroah-Hartman
` (181 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shailend Chand, Paolo Abeni
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shailend Chand <shailend@google.com>
commit 95535e37e8959f50e7aee365a5bdc9e5ed720443 upstream.
The prefill function should have only removed the page count bias it
added. Fully freeing the page will cause gve_free_queue_page_list to
free a page the driver no longer owns.
Fixes: 82fd151d38d9 ("gve: Reduce alloc and copy costs in the GQ rx path")
Signed-off-by: Shailend Chand <shailend@google.com>
Link: https://lore.kernel.org/r/20231014014121.2843922-1-shailend@google.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/google/gve/gve_rx.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/drivers/net/ethernet/google/gve/gve_rx.c b/drivers/net/ethernet/google/gve/gve_rx.c
index d1da7413dc4d..e84a066aa1a4 100644
--- a/drivers/net/ethernet/google/gve/gve_rx.c
+++ b/drivers/net/ethernet/google/gve/gve_rx.c
@@ -146,7 +146,7 @@ static int gve_prefill_rx_pages(struct gve_rx_ring *rx)
err = gve_rx_alloc_buffer(priv, &priv->pdev->dev, &rx->data.page_info[i],
&rx->data.data_ring[i]);
if (err)
- goto alloc_err;
+ goto alloc_err_rda;
}
if (!rx->data.raw_addressing) {
@@ -171,12 +171,26 @@ static int gve_prefill_rx_pages(struct gve_rx_ring *rx)
return slots;
alloc_err_qpl:
+ /* Fully free the copy pool pages. */
while (j--) {
page_ref_sub(rx->qpl_copy_pool[j].page,
rx->qpl_copy_pool[j].pagecnt_bias - 1);
put_page(rx->qpl_copy_pool[j].page);
}
-alloc_err:
+
+ /* Do not fully free QPL pages - only remove the bias added in this
+ * function with gve_setup_rx_buffer.
+ */
+ while (i--)
+ page_ref_sub(rx->data.page_info[i].page,
+ rx->data.page_info[i].pagecnt_bias - 1);
+
+ gve_unassign_qpl(priv, rx->data.qpl->id);
+ rx->data.qpl = NULL;
+
+ return err;
+
+alloc_err_rda:
while (i--)
gve_rx_free_buffer(&priv->pdev->dev,
&rx->data.page_info[i],
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 070/241] ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (68 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 069/241] gve: Do not fully free QPL pages on prefill errors Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 071/241] net: usb: smsc95xx: Fix an error code in smsc95xx_reset() Greg Kroah-Hartman
` (180 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot, Eric Dumazet, Simon Horman,
David Ahern, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Eric Dumazet <edumazet@google.com>
commit 195374d893681da43a39796e53b30ac4f20400c4 upstream.
syzbot reported a data-race while accessing nh->nh_saddr_genid [1]
Add annotations, but leave the code lazy as intended.
[1]
BUG: KCSAN: data-race in fib_select_path / fib_select_path
write to 0xffff8881387166f0 of 4 bytes by task 6778 on cpu 1:
fib_info_update_nhc_saddr net/ipv4/fib_semantics.c:1334 [inline]
fib_result_prefsrc net/ipv4/fib_semantics.c:1354 [inline]
fib_select_path+0x292/0x330 net/ipv4/fib_semantics.c:2269
ip_route_output_key_hash_rcu+0x659/0x12c0 net/ipv4/route.c:2810
ip_route_output_key_hash net/ipv4/route.c:2644 [inline]
__ip_route_output_key include/net/route.h:134 [inline]
ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2872
send4+0x1f5/0x520 drivers/net/wireguard/socket.c:61
wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175
wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200
wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
worker_thread+0x525/0x730 kernel/workqueue.c:2784
kthread+0x1d7/0x210 kernel/kthread.c:388
ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
read to 0xffff8881387166f0 of 4 bytes by task 6759 on cpu 0:
fib_result_prefsrc net/ipv4/fib_semantics.c:1350 [inline]
fib_select_path+0x1cb/0x330 net/ipv4/fib_semantics.c:2269
ip_route_output_key_hash_rcu+0x659/0x12c0 net/ipv4/route.c:2810
ip_route_output_key_hash net/ipv4/route.c:2644 [inline]
__ip_route_output_key include/net/route.h:134 [inline]
ip_route_output_flow+0xa6/0x150 net/ipv4/route.c:2872
send4+0x1f5/0x520 drivers/net/wireguard/socket.c:61
wg_socket_send_skb_to_peer+0x94/0x130 drivers/net/wireguard/socket.c:175
wg_socket_send_buffer_to_peer+0xd6/0x100 drivers/net/wireguard/socket.c:200
wg_packet_send_handshake_initiation drivers/net/wireguard/send.c:40 [inline]
wg_packet_handshake_send_worker+0x10c/0x150 drivers/net/wireguard/send.c:51
process_one_work kernel/workqueue.c:2630 [inline]
process_scheduled_works+0x5b8/0xa30 kernel/workqueue.c:2703
worker_thread+0x525/0x730 kernel/workqueue.c:2784
kthread+0x1d7/0x210 kernel/kthread.c:388
ret_from_fork+0x48/0x60 arch/x86/kernel/process.c:147
ret_from_fork_asm+0x11/0x20 arch/x86/entry/entry_64.S:304
value changed: 0x959d3217 -> 0x959d3218
Reported by Kernel Concurrency Sanitizer on:
CPU: 0 PID: 6759 Comm: kworker/u4:15 Not tainted 6.6.0-rc4-syzkaller-00029-gcbf3a2cb156a #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/06/2023
Workqueue: wg-kex-wg1 wg_packet_handshake_send_worker
Fixes: 436c3b66ec98 ("ipv4: Invalidate nexthop cache nh_saddr more correctly.")
Reported-by: syzbot <syzkaller@googlegroups.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20231017192304.82626-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/ipv4/fib_semantics.c | 14 +++++++++-----
1 file changed, 9 insertions(+), 5 deletions(-)
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -1325,15 +1325,18 @@ __be32 fib_info_update_nhc_saddr(struct
unsigned char scope)
{
struct fib_nh *nh;
+ __be32 saddr;
if (nhc->nhc_family != AF_INET)
return inet_select_addr(nhc->nhc_dev, 0, scope);
nh = container_of(nhc, struct fib_nh, nh_common);
- nh->nh_saddr = inet_select_addr(nh->fib_nh_dev, nh->fib_nh_gw4, scope);
- nh->nh_saddr_genid = atomic_read(&net->ipv4.dev_addr_genid);
+ saddr = inet_select_addr(nh->fib_nh_dev, nh->fib_nh_gw4, scope);
- return nh->nh_saddr;
+ WRITE_ONCE(nh->nh_saddr, saddr);
+ WRITE_ONCE(nh->nh_saddr_genid, atomic_read(&net->ipv4.dev_addr_genid));
+
+ return saddr;
}
__be32 fib_result_prefsrc(struct net *net, struct fib_result *res)
@@ -1347,8 +1350,9 @@ __be32 fib_result_prefsrc(struct net *ne
struct fib_nh *nh;
nh = container_of(nhc, struct fib_nh, nh_common);
- if (nh->nh_saddr_genid == atomic_read(&net->ipv4.dev_addr_genid))
- return nh->nh_saddr;
+ if (READ_ONCE(nh->nh_saddr_genid) ==
+ atomic_read(&net->ipv4.dev_addr_genid))
+ return READ_ONCE(nh->nh_saddr);
}
return fib_info_update_nhc_saddr(net, nhc, res->fi->fib_scope);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 071/241] net: usb: smsc95xx: Fix an error code in smsc95xx_reset()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (69 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 070/241] ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 072/241] octeon_ep: update BQL sent bytes before ringing doorbell Greg Kroah-Hartman
` (179 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Andrew Lunn, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
commit c53647a5df9e66dd9fedf240198e1fe50d88c286 upstream.
Return a negative error code instead of success.
Fixes: 2f7ca802bdae ("net: Add SMSC LAN9500 USB2.0 10/100 ethernet adapter driver")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Link: https://lore.kernel.org/r/147927f0-9ada-45cc-81ff-75a19dd30b76@moroto.mountain
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/usb/smsc95xx.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/usb/smsc95xx.c
+++ b/drivers/net/usb/smsc95xx.c
@@ -897,7 +897,7 @@ static int smsc95xx_reset(struct usbnet
if (timeout >= 100) {
netdev_warn(dev->net, "timeout waiting for completion of Lite Reset\n");
- return ret;
+ return -ETIMEDOUT;
}
ret = smsc95xx_set_mac_address(dev);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 072/241] octeon_ep: update BQL sent bytes before ringing doorbell
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (70 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 071/241] net: usb: smsc95xx: Fix an error code in smsc95xx_reset() Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 073/241] i40e: prevent crash on probe if hw registers have invalid values Greg Kroah-Hartman
` (178 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Shinas Rasheed, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shinas Rasheed <srasheed@marvell.com>
commit a0ca6b9dfef0b3cc83aa8bb485ed61a018f84982 upstream.
Sometimes Tx is completed immediately after doorbell is updated, which
causes Tx completion routing to update completion bytes before the
same packet bytes are updated in sent bytes in transmit function, hence
hitting BUG_ON() in dql_completed(). To avoid this, update BQL
sent bytes before ringing doorbell.
Fixes: 37d79d059606 ("octeon_ep: add Tx/Rx processing and interrupt support")
Signed-off-by: Shinas Rasheed <srasheed@marvell.com>
Link: https://lore.kernel.org/r/20231017105030.2310966-1-srasheed@marvell.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/marvell/octeon_ep/octep_main.c | 13 ++++++-------
1 file changed, 6 insertions(+), 7 deletions(-)
--- a/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
+++ b/drivers/net/ethernet/marvell/octeon_ep/octep_main.c
@@ -715,20 +715,19 @@ static netdev_tx_t octep_start_xmit(stru
hw_desc->dptr = tx_buffer->sglist_dma;
}
- /* Flush the hw descriptor before writing to doorbell */
- wmb();
-
- /* Ring Doorbell to notify the NIC there is a new packet */
- writel(1, iq->doorbell_reg);
+ netdev_tx_sent_queue(iq->netdev_q, skb->len);
+ skb_tx_timestamp(skb);
atomic_inc(&iq->instr_pending);
wi++;
if (wi == iq->max_count)
wi = 0;
iq->host_write_index = wi;
+ /* Flush the hw descriptor before writing to doorbell */
+ wmb();
- netdev_tx_sent_queue(iq->netdev_q, skb->len);
+ /* Ring Doorbell to notify the NIC there is a new packet */
+ writel(1, iq->doorbell_reg);
iq->stats.instr_posted++;
- skb_tx_timestamp(skb);
return NETDEV_TX_OK;
dma_map_sg_err:
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 073/241] i40e: prevent crash on probe if hw registers have invalid values
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (71 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 072/241] octeon_ep: update BQL sent bytes before ringing doorbell Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 074/241] net: dsa: bcm_sf2: Fix possible memory leak in bcm_sf2_mdio_register() Greg Kroah-Hartman
` (177 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michal Schmidt, Simon Horman,
Jakub Kicinski, Pucha Himasekhar Reddy
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michal Schmidt <mschmidt@redhat.com>
commit fc6f716a5069180c40a8c9b63631e97da34f64a3 upstream.
The hardware provides the indexes of the first and the last available
queue and VF. From the indexes, the driver calculates the numbers of
queues and VFs. In theory, a faulty device might say the last index is
smaller than the first index. In that case, the driver's calculation
would underflow, it would attempt to write to non-existent registers
outside of the ioremapped range and crash.
I ran into this not by having a faulty device, but by an operator error.
I accidentally ran a QE test meant for i40e devices on an ice device.
The test used 'echo i40e > /sys/...ice PCI device.../driver_override',
bound the driver to the device and crashed in one of the wr32 calls in
i40e_clear_hw.
Add checks to prevent underflows in the calculations of num_queues and
num_vfs. With this fix, the wrong device probing reports errors and
returns a failure without crashing.
Fixes: 838d41d92a90 ("i40e: clear all queues and interrupts")
Signed-off-by: Michal Schmidt <mschmidt@redhat.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Pucha Himasekhar Reddy <himasekharx.reddy.pucha@intel.com> (A Contingent worker at Intel)
Link: https://lore.kernel.org/r/20231011233334.336092-2-jacob.e.keller@intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/ethernet/intel/i40e/i40e_common.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/net/ethernet/intel/i40e/i40e_common.c
+++ b/drivers/net/ethernet/intel/i40e/i40e_common.c
@@ -1082,7 +1082,7 @@ void i40e_clear_hw(struct i40e_hw *hw)
I40E_PFLAN_QALLOC_FIRSTQ_SHIFT;
j = (val & I40E_PFLAN_QALLOC_LASTQ_MASK) >>
I40E_PFLAN_QALLOC_LASTQ_SHIFT;
- if (val & I40E_PFLAN_QALLOC_VALID_MASK)
+ if (val & I40E_PFLAN_QALLOC_VALID_MASK && j >= base_queue)
num_queues = (j - base_queue) + 1;
else
num_queues = 0;
@@ -1092,7 +1092,7 @@ void i40e_clear_hw(struct i40e_hw *hw)
I40E_PF_VT_PFALLOC_FIRSTVF_SHIFT;
j = (val & I40E_PF_VT_PFALLOC_LASTVF_MASK) >>
I40E_PF_VT_PFALLOC_LASTVF_SHIFT;
- if (val & I40E_PF_VT_PFALLOC_VALID_MASK)
+ if (val & I40E_PF_VT_PFALLOC_VALID_MASK && j >= i)
num_vfs = (j - i) + 1;
else
num_vfs = 0;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 074/241] net: dsa: bcm_sf2: Fix possible memory leak in bcm_sf2_mdio_register()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (72 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 073/241] i40e: prevent crash on probe if hw registers have invalid values Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 075/241] bonding: Return pointer to data after pull on skb Greg Kroah-Hartman
` (176 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jinjie Ruan, Simon Horman,
Florian Fainelli, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jinjie Ruan <ruanjinjie@huawei.com>
commit 61b40cefe51af005c72dbdcf975a3d166c6e6406 upstream.
In bcm_sf2_mdio_register(), the class_find_device() will call get_device()
to increment reference count for priv->master_mii_bus->dev if
of_mdio_find_bus() succeeds. If mdiobus_alloc() or mdiobus_register()
fails, it will call get_device() twice without decrement reference count
for the device. And it is the same if bcm_sf2_mdio_register() succeeds but
fails in bcm_sf2_sw_probe(), or if bcm_sf2_sw_probe() succeeds. If the
reference count has not decremented to zero, the dev related resource will
not be freed.
So remove the get_device() in bcm_sf2_mdio_register(), and call
put_device() if mdiobus_alloc() or mdiobus_register() fails and in
bcm_sf2_mdio_unregister() to solve the issue.
And as Simon suggested, unwind from errors for bcm_sf2_mdio_register() and
just return 0 if it succeeds to make it cleaner.
Fixes: 461cd1b03e32 ("net: dsa: bcm_sf2: Register our slave MDIO bus")
Signed-off-by: Jinjie Ruan <ruanjinjie@huawei.com>
Suggested-by: Simon Horman <horms@kernel.org>
Reviewed-by: Simon Horman <horms@kernel.org>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Link: https://lore.kernel.org/r/20231011032419.2423290-1-ruanjinjie@huawei.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/dsa/bcm_sf2.c | 24 +++++++++++++++---------
1 file changed, 15 insertions(+), 9 deletions(-)
--- a/drivers/net/dsa/bcm_sf2.c
+++ b/drivers/net/dsa/bcm_sf2.c
@@ -617,17 +617,16 @@ static int bcm_sf2_mdio_register(struct
dn = of_find_compatible_node(NULL, NULL, "brcm,unimac-mdio");
priv->master_mii_bus = of_mdio_find_bus(dn);
if (!priv->master_mii_bus) {
- of_node_put(dn);
- return -EPROBE_DEFER;
+ err = -EPROBE_DEFER;
+ goto err_of_node_put;
}
- get_device(&priv->master_mii_bus->dev);
priv->master_mii_dn = dn;
priv->slave_mii_bus = mdiobus_alloc();
if (!priv->slave_mii_bus) {
- of_node_put(dn);
- return -ENOMEM;
+ err = -ENOMEM;
+ goto err_put_master_mii_bus_dev;
}
priv->slave_mii_bus->priv = priv;
@@ -684,11 +683,17 @@ static int bcm_sf2_mdio_register(struct
}
err = mdiobus_register(priv->slave_mii_bus);
- if (err && dn) {
- mdiobus_free(priv->slave_mii_bus);
- of_node_put(dn);
- }
+ if (err && dn)
+ goto err_free_slave_mii_bus;
+
+ return 0;
+err_free_slave_mii_bus:
+ mdiobus_free(priv->slave_mii_bus);
+err_put_master_mii_bus_dev:
+ put_device(&priv->master_mii_bus->dev);
+err_of_node_put:
+ of_node_put(dn);
return err;
}
@@ -696,6 +701,7 @@ static void bcm_sf2_mdio_unregister(stru
{
mdiobus_unregister(priv->slave_mii_bus);
mdiobus_free(priv->slave_mii_bus);
+ put_device(&priv->master_mii_bus->dev);
of_node_put(priv->master_mii_dn);
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 075/241] bonding: Return pointer to data after pull on skb
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (73 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 074/241] net: dsa: bcm_sf2: Fix possible memory leak in bcm_sf2_mdio_register() Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 076/241] net/sched: sch_hfsc: upgrade rt to sc when it becomes a inner curve Greg Kroah-Hartman
` (175 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Wiesner, Jay Vosburgh,
Jiri Pirko, David S. Miller
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jiri Wiesner <jwiesner@suse.de>
commit d93f3f992780af4a21e6c1ab86946b7c5602f1b9 upstream.
Since 429e3d123d9a ("bonding: Fix extraction of ports from the packet
headers"), header offsets used to compute a hash in bond_xmit_hash() are
relative to skb->data and not skb->head. If the tail of the header buffer
of an skb really needs to be advanced and the operation is successful, the
pointer to the data must be returned (and not a pointer to the head of the
buffer).
Fixes: 429e3d123d9a ("bonding: Fix extraction of ports from the packet headers")
Signed-off-by: Jiri Wiesner <jwiesner@suse.de>
Acked-by: Jay Vosburgh <jay.vosburgh@canonical.com>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/bonding/bond_main.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/net/bonding/bond_main.c
+++ b/drivers/net/bonding/bond_main.c
@@ -4022,7 +4022,7 @@ static inline const void *bond_pull_data
if (likely(n <= hlen))
return data;
else if (skb && likely(pskb_may_pull(skb, n)))
- return skb->head;
+ return skb->data;
return NULL;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 076/241] net/sched: sch_hfsc: upgrade rt to sc when it becomes a inner curve
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (74 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 075/241] bonding: Return pointer to data after pull on skb Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 077/241] neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section Greg Kroah-Hartman
` (174 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christian Theune, Budimir Markovic,
Pedro Tammela, Jamal Hadi Salim, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pedro Tammela <pctammela@mojatatu.com>
commit a13b67c9a015c4e21601ef9aa4ec9c5d972df1b4 upstream.
Christian Theune says:
I upgraded from 6.1.38 to 6.1.55 this morning and it broke my traffic shaping script,
leaving me with a non-functional uplink on a remote router.
A 'rt' curve cannot be used as a inner curve (parent class), but we were
allowing such configurations since the qdisc was introduced. Such
configurations would trigger a UAF as Budimir explains:
The parent will have vttree_insert() called on it in init_vf(),
but will not have vttree_remove() called on it in update_vf()
because it does not have the HFSC_FSC flag set.
The qdisc always assumes that inner classes have the HFSC_FSC flag set.
This is by design as it doesn't make sense 'qdisc wise' for an 'rt'
curve to be an inner curve.
Budimir's original patch disallows users to add classes with a 'rt'
parent, but this is too strict as it breaks users that have been using
'rt' as a inner class. Another approach, taken by this patch, is to
upgrade the inner 'rt' into a 'sc', warning the user in the process.
It avoids the UAF reported by Budimir while also being more permissive
to bad scripts/users/code using 'rt' as a inner class.
Users checking the `tc class ls [...]` or `tc class get [...]` dumps would
observe the curve change and are potentially breaking with this change.
v1->v2: https://lore.kernel.org/all/20231013151057.2611860-1-pctammela@mojatatu.com/
- Correct 'Fixes' tag and merge with revert (Jakub)
Cc: Christian Theune <ct@flyingcircus.io>
Cc: Budimir Markovic <markovicbudimir@gmail.com>
Fixes: b3d26c5702c7 ("net/sched: sch_hfsc: Ensure inner classes have fsc curve")
Signed-off-by: Pedro Tammela <pctammela@mojatatu.com>
Acked-by: Jamal Hadi Salim <jhs@mojatatu.com>
Link: https://lore.kernel.org/r/20231017143602.3191556-1-pctammela@mojatatu.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sched/sch_hfsc.c | 18 ++++++++++++++----
1 file changed, 14 insertions(+), 4 deletions(-)
--- a/net/sched/sch_hfsc.c
+++ b/net/sched/sch_hfsc.c
@@ -903,6 +903,14 @@ hfsc_change_usc(struct hfsc_class *cl, s
cl->cl_flags |= HFSC_USC;
}
+static void
+hfsc_upgrade_rt(struct hfsc_class *cl)
+{
+ cl->cl_fsc = cl->cl_rsc;
+ rtsc_init(&cl->cl_virtual, &cl->cl_fsc, cl->cl_vt, cl->cl_total);
+ cl->cl_flags |= HFSC_FSC;
+}
+
static const struct nla_policy hfsc_policy[TCA_HFSC_MAX + 1] = {
[TCA_HFSC_RSC] = { .len = sizeof(struct tc_service_curve) },
[TCA_HFSC_FSC] = { .len = sizeof(struct tc_service_curve) },
@@ -1012,10 +1020,6 @@ hfsc_change_class(struct Qdisc *sch, u32
if (parent == NULL)
return -ENOENT;
}
- if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root) {
- NL_SET_ERR_MSG(extack, "Invalid parent - parent class must have FSC");
- return -EINVAL;
- }
if (classid == 0 || TC_H_MAJ(classid ^ sch->handle) != 0)
return -EINVAL;
@@ -1066,6 +1070,12 @@ hfsc_change_class(struct Qdisc *sch, u32
cl->cf_tree = RB_ROOT;
sch_tree_lock(sch);
+ /* Check if the inner class is a misconfigured 'rt' */
+ if (!(parent->cl_flags & HFSC_FSC) && parent != &q->root) {
+ NL_SET_ERR_MSG(extack,
+ "Forced curve change on parent 'rt' to 'sc'");
+ hfsc_upgrade_rt(parent);
+ }
qdisc_class_hash_insert(&q->clhash, &cl->cl_common);
list_add_tail(&cl->siblings, &parent->children);
if (parent->level == 0)
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 077/241] neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (75 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 076/241] net/sched: sch_hfsc: upgrade rt to sc when it becomes a inner curve Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 078/241] selftests: openvswitch: Catch cases where the tests are killed Greg Kroah-Hartman
` (173 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Simon Horman,
David Ahern, David S. Miller
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
commit 2915240eddba96b37de4c7e9a3d0ac6f9548454b upstream.
When CONFIG_IPV6=n, and building with W=1:
In file included from include/trace/define_trace.h:102,
from include/trace/events/neigh.h:255,
from net/core/net-traces.c:51:
include/trace/events/neigh.h: In function ‘trace_event_raw_event_neigh_create’:
include/trace/events/neigh.h:42:34: error: variable ‘pin6’ set but not used [-Werror=unused-but-set-variable]
42 | struct in6_addr *pin6;
| ^~~~
include/trace/trace_events.h:402:11: note: in definition of macro ‘DECLARE_EVENT_CLASS’
402 | { assign; } \
| ^~~~~~
include/trace/trace_events.h:44:30: note: in expansion of macro ‘PARAMS’
44 | PARAMS(assign), \
| ^~~~~~
include/trace/events/neigh.h:23:1: note: in expansion of macro ‘TRACE_EVENT’
23 | TRACE_EVENT(neigh_create,
| ^~~~~~~~~~~
include/trace/events/neigh.h:41:9: note: in expansion of macro ‘TP_fast_assign’
41 | TP_fast_assign(
| ^~~~~~~~~~~~~~
In file included from include/trace/define_trace.h:103,
from include/trace/events/neigh.h:255,
from net/core/net-traces.c:51:
include/trace/events/neigh.h: In function ‘perf_trace_neigh_create’:
include/trace/events/neigh.h:42:34: error: variable ‘pin6’ set but not used [-Werror=unused-but-set-variable]
42 | struct in6_addr *pin6;
| ^~~~
include/trace/perf.h:51:11: note: in definition of macro ‘DECLARE_EVENT_CLASS’
51 | { assign; } \
| ^~~~~~
include/trace/trace_events.h:44:30: note: in expansion of macro ‘PARAMS’
44 | PARAMS(assign), \
| ^~~~~~
include/trace/events/neigh.h:23:1: note: in expansion of macro ‘TRACE_EVENT’
23 | TRACE_EVENT(neigh_create,
| ^~~~~~~~~~~
include/trace/events/neigh.h:41:9: note: in expansion of macro ‘TP_fast_assign’
41 | TP_fast_assign(
| ^~~~~~~~~~~~~~
Indeed, the variable pin6 is declared and initialized unconditionally,
while it is only used and needlessly re-initialized when support for
IPv6 is enabled.
Fix this by dropping the unused variable initialization, and moving the
variable declaration inside the existing section protected by a check
for CONFIG_IPV6.
Fixes: fc651001d2c5ca4f ("neighbor: Add tracepoint to __neigh_create")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Simon Horman <horms@kernel.org>
Tested-by: Simon Horman <horms@kernel.org> # build-tested
Reviewed-by: David Ahern <dsahern@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/trace/events/neigh.h | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/include/trace/events/neigh.h
+++ b/include/trace/events/neigh.h
@@ -39,7 +39,6 @@ TRACE_EVENT(neigh_create,
),
TP_fast_assign(
- struct in6_addr *pin6;
__be32 *p32;
__entry->family = tbl->family;
@@ -47,7 +46,6 @@ TRACE_EVENT(neigh_create,
__entry->entries = atomic_read(&tbl->gc_entries);
__entry->created = n != NULL;
__entry->gc_exempt = exempt_from_gc;
- pin6 = (struct in6_addr *)__entry->primary_key6;
p32 = (__be32 *)__entry->primary_key4;
if (tbl->family == AF_INET)
@@ -57,6 +55,8 @@ TRACE_EVENT(neigh_create,
#if IS_ENABLED(CONFIG_IPV6)
if (tbl->family == AF_INET6) {
+ struct in6_addr *pin6;
+
pin6 = (struct in6_addr *)__entry->primary_key6;
*pin6 = *(struct in6_addr *)pkey;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 078/241] selftests: openvswitch: Catch cases where the tests are killed
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (76 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 077/241] neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 079/241] selftests: openvswitch: Fix the ct_tuple for v4 Greg Kroah-Hartman
` (172 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aaron Conole, David S. Miller
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Conole <aconole@redhat.com>
commit af846afad5ca1c1a24d320adf9e48255e97db84e upstream.
In case of fatal signal, or early abort at least cleanup the current
test case.
Fixes: 25f16c873fb1 ("selftests: add openvswitch selftest suite")
Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/openvswitch/openvswitch.sh | 2 ++
1 file changed, 2 insertions(+)
--- a/tools/testing/selftests/net/openvswitch/openvswitch.sh
+++ b/tools/testing/selftests/net/openvswitch/openvswitch.sh
@@ -3,6 +3,8 @@
#
# OVS kernel module self tests
+trap ovs_exit_sig EXIT TERM INT ERR
+
# Kselftest framework requirement - SKIP code is 4.
ksft_skip=4
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 079/241] selftests: openvswitch: Fix the ct_tuple for v4
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (77 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 078/241] selftests: openvswitch: Catch cases where the tests are killed Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 080/241] selftests: netfilter: Run nft_audit.sh in its own netns Greg Kroah-Hartman
` (171 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Aaron Conole, David S. Miller
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Conole <aconole@redhat.com>
commit 8eff0e062201e26739c74ac2355b7362622b7190 upstream.
The ct_tuple v4 data structure decode / encode routines were using
the v6 IP address decode and relying on default encode. This could
cause exceptions during encode / decode depending on how a ct4
tuple would appear in a netlink message.
Caught during code review.
Fixes: e52b07aa1a54 ("selftests: openvswitch: add flow dump support")
Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/openvswitch/ovs-dpctl.py | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--- a/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
+++ b/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
@@ -732,12 +732,14 @@ class ovskey(nla):
"src",
lambda x: str(ipaddress.IPv4Address(x)),
int,
+ convert_ipv4,
),
(
"dst",
"dst",
- lambda x: str(ipaddress.IPv6Address(x)),
+ lambda x: str(ipaddress.IPv4Address(x)),
int,
+ convert_ipv4,
),
("tp_src", "tp_src", "%d", int),
("tp_dst", "tp_dst", "%d", int),
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 080/241] selftests: netfilter: Run nft_audit.sh in its own netns
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (78 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 079/241] selftests: openvswitch: Fix the ct_tuple for v4 Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 081/241] netfilter: nft_set_rbtree: .deactivate fails if element has expired Greg Kroah-Hartman
` (170 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Phil Sutter, Florian Westphal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Phil Sutter <phil@nwl.cc>
commit 2e2d9c7d4d37d74873583d7b0c94eac8b6869486 upstream.
Don't mess with the host's firewall ruleset. Since audit logging is not
per-netns, add an initial delay of a second so other selftests' netns
cleanups have a chance to finish.
Fixes: e8dbde59ca3f ("selftests: netfilter: Test nf_tables audit logging")
Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/netfilter/nft_audit.sh | 6 ++++++
1 file changed, 6 insertions(+)
--- a/tools/testing/selftests/netfilter/nft_audit.sh
+++ b/tools/testing/selftests/netfilter/nft_audit.sh
@@ -11,6 +11,12 @@ nft --version >/dev/null 2>&1 || {
exit $SKIP_RC
}
+# Run everything in a separate network namespace
+[ "${1}" != "run" ] && { unshare -n "${0}" run; exit $?; }
+
+# give other scripts a chance to finish - audit_logread sees all activity
+sleep 1
+
logfile=$(mktemp)
rulefile=$(mktemp)
echo "logging into $logfile"
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 081/241] netfilter: nft_set_rbtree: .deactivate fails if element has expired
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (79 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 080/241] selftests: netfilter: Run nft_audit.sh in its own netns Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 082/241] netlink: Correct offload_xstats size Greg Kroah-Hartman
` (169 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Florian Westphal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit d111692a59c1470ae530cbb39bcf0346c950ecc7 upstream.
This allows to remove an expired element which is not possible in other
existing set backends, this is more noticeable if gc-interval is high so
expired elements remain in the tree. On-demand gc also does not help in
this case, because this is delete element path. Return NULL if element
has expired.
Fixes: 8d8540c4f5e0 ("netfilter: nft_set_rbtree: add timeout support")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nft_set_rbtree.c | 2 ++
1 file changed, 2 insertions(+)
--- a/net/netfilter/nft_set_rbtree.c
+++ b/net/netfilter/nft_set_rbtree.c
@@ -568,6 +568,8 @@ static void *nft_rbtree_deactivate(const
nft_rbtree_interval_end(this)) {
parent = parent->rb_right;
continue;
+ } else if (nft_set_elem_expired(&rbe->ext)) {
+ break;
} else if (!nft_set_elem_active(&rbe->ext, genmask)) {
parent = parent->rb_left;
continue;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 082/241] netlink: Correct offload_xstats size
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (80 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 081/241] netfilter: nft_set_rbtree: .deactivate fails if element has expired Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 083/241] netfilter: nf_tables: do not refresh timeout when resetting element Greg Kroah-Hartman
` (168 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christoph Paasch, Petr Machata,
Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Christoph Paasch <cpaasch@apple.com>
commit 503930f8e113edc86f92b767efb4ea57bdffffb2 upstream.
rtnl_offload_xstats_get_size_hw_s_info_one() conditionalizes the
size-computation for IFLA_OFFLOAD_XSTATS_HW_S_INFO_USED based on whether
or not the device has offload_xstats enabled.
However, rtnl_offload_xstats_fill_hw_s_info_one() is adding the u8 for
that field uncondtionally.
syzkaller triggered a WARNING in rtnl_stats_get due to this:
------------[ cut here ]------------
WARNING: CPU: 0 PID: 754 at net/core/rtnetlink.c:5982 rtnl_stats_get+0x2f4/0x300
Modules linked in:
CPU: 0 PID: 754 Comm: syz-executor148 Not tainted 6.6.0-rc2-g331b78eb12af #45
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.11.0-2.el7 04/01/2014
RIP: 0010:rtnl_stats_get+0x2f4/0x300 net/core/rtnetlink.c:5982
Code: ff ff 89 ee e8 7d 72 50 ff 83 fd a6 74 17 e8 33 6e 50 ff 4c 89 ef be 02 00 00 00 e8 86 00 fa ff e9 7b fe ff ff e8 1c 6e 50 ff <0f> 0b eb e5 e8 73 79 7b 00 0f 1f 00 90 90 90 90 90 90 90 90 90 90
RSP: 0018:ffffc900006837c0 EFLAGS: 00010293
RAX: ffffffff81cf7f24 RBX: ffff8881015d9000 RCX: ffff888101815a00
RDX: 0000000000000000 RSI: 00000000ffffffa6 RDI: 00000000ffffffa6
RBP: 00000000ffffffa6 R08: ffffffff81cf7f03 R09: 0000000000000001
R10: ffff888101ba47b9 R11: ffff888101815a00 R12: ffff8881017dae00
R13: ffff8881017dad00 R14: ffffc90000683ab8 R15: ffffffff83c1f740
FS: 00007fbc22dbc740(0000) GS:ffff88813bc00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000020000046 CR3: 000000010264e003 CR4: 0000000000170ef0
Call Trace:
<TASK>
rtnetlink_rcv_msg+0x677/0x710 net/core/rtnetlink.c:6480
netlink_rcv_skb+0xea/0x1c0 net/netlink/af_netlink.c:2545
netlink_unicast+0x430/0x500 net/netlink/af_netlink.c:1342
netlink_sendmsg+0x4fc/0x620 net/netlink/af_netlink.c:1910
sock_sendmsg+0xa8/0xd0 net/socket.c:730
____sys_sendmsg+0x22a/0x320 net/socket.c:2541
___sys_sendmsg+0x143/0x190 net/socket.c:2595
__x64_sys_sendmsg+0xd8/0x150 net/socket.c:2624
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x47/0xa0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
RIP: 0033:0x7fbc22e8d6a9
Code: 5c c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 4f 37 0d 00 f7 d8 64 89 01 48
RSP: 002b:00007ffc4320e778 EFLAGS: 00000246 ORIG_RAX: 000000000000002e
RAX: ffffffffffffffda RBX: 00000000004007d0 RCX: 00007fbc22e8d6a9
RDX: 0000000000000000 RSI: 0000000020000000 RDI: 0000000000000003
RBP: 0000000000000001 R08: 0000000000000000 R09: 00000000004007d0
R10: 0000000000000008 R11: 0000000000000246 R12: 00007ffc4320e898
R13: 00007ffc4320e8a8 R14: 00000000004004a0 R15: 00007fbc22fa5a80
</TASK>
---[ end trace 0000000000000000 ]---
Which didn't happen prior to commit bf9f1baa279f ("net: add dedicated
kmem_cache for typical/small skb->head") as the skb always was large
enough.
Fixes: 0e7788fd7622 ("net: rtnetlink: Add UAPI for obtaining L3 offload xstats")
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Reviewed-by: Petr Machata <petrm@nvidia.com>
Link: https://lore.kernel.org/r/20231013041448.8229-1-cpaasch@apple.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/rtnetlink.c | 4 +---
1 file changed, 1 insertion(+), 3 deletions(-)
--- a/net/core/rtnetlink.c
+++ b/net/core/rtnetlink.c
@@ -5504,13 +5504,11 @@ static unsigned int
rtnl_offload_xstats_get_size_hw_s_info_one(const struct net_device *dev,
enum netdev_offload_xstats_type type)
{
- bool enabled = netdev_offload_xstats_enabled(dev, type);
-
return nla_total_size(0) +
/* IFLA_OFFLOAD_XSTATS_HW_S_INFO_REQUEST */
nla_total_size(sizeof(u8)) +
/* IFLA_OFFLOAD_XSTATS_HW_S_INFO_USED */
- (enabled ? nla_total_size(sizeof(u8)) : 0) +
+ nla_total_size(sizeof(u8)) +
0;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 083/241] netfilter: nf_tables: do not refresh timeout when resetting element
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (81 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 082/241] netlink: Correct offload_xstats size Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 084/241] nf_tables: fix NULL pointer dereference in nft_expr_inner_parse() Greg Kroah-Hartman
` (167 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Florian Westphal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit 4c90bba60c26db7dc7df450f748e86440149786e upstream.
The dump and reset command should not refresh the timeout, this command
is intended to allow users to list existing stateful objects and reset
them, element expiration should be refresh via transaction instead with
a specific command to achieve this, otherwise this is entering combo
semantics that will be hard to be undone later (eg. a user asking to
retrieve counters but _not_ requiring to refresh expiration).
Fixes: 079cd633219d ("netfilter: nf_tables: Introduce NFT_MSG_GETSETELEM_RESET")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 18 +++++-------------
1 file changed, 5 insertions(+), 13 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -5553,7 +5553,6 @@ static int nf_tables_fill_setelem(struct
const struct nft_set_ext *ext = nft_set_elem_ext(set, elem->priv);
unsigned char *b = skb_tail_pointer(skb);
struct nlattr *nest;
- u64 timeout = 0;
nest = nla_nest_start_noflag(skb, NFTA_LIST_ELEM);
if (nest == NULL)
@@ -5589,15 +5588,11 @@ static int nf_tables_fill_setelem(struct
htonl(*nft_set_ext_flags(ext))))
goto nla_put_failure;
- if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT)) {
- timeout = *nft_set_ext_timeout(ext);
- if (nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
- nf_jiffies64_to_msecs(timeout),
- NFTA_SET_ELEM_PAD))
- goto nla_put_failure;
- } else if (set->flags & NFT_SET_TIMEOUT) {
- timeout = READ_ONCE(set->timeout);
- }
+ if (nft_set_ext_exists(ext, NFT_SET_EXT_TIMEOUT) &&
+ nla_put_be64(skb, NFTA_SET_ELEM_TIMEOUT,
+ nf_jiffies64_to_msecs(*nft_set_ext_timeout(ext)),
+ NFTA_SET_ELEM_PAD))
+ goto nla_put_failure;
if (nft_set_ext_exists(ext, NFT_SET_EXT_EXPIRATION)) {
u64 expires, now = get_jiffies_64();
@@ -5612,9 +5607,6 @@ static int nf_tables_fill_setelem(struct
nf_jiffies64_to_msecs(expires),
NFTA_SET_ELEM_PAD))
goto nla_put_failure;
-
- if (reset)
- *nft_set_ext_expiration(ext) = now + timeout;
}
if (nft_set_ext_exists(ext, NFT_SET_EXT_USERDATA)) {
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 084/241] nf_tables: fix NULL pointer dereference in nft_expr_inner_parse()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (82 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 083/241] netfilter: nf_tables: do not refresh timeout when resetting element Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 085/241] nf_tables: fix NULL pointer dereference in nft_inner_init() Greg Kroah-Hartman
` (166 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xingyuan Mo, Florian Westphal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xingyuan Mo <hdthky0@gmail.com>
commit 505ce0630ad5d31185695f8a29dde8d29f28faa7 upstream.
We should check whether the NFTA_EXPR_NAME netlink attribute is present
before accessing it, otherwise a null pointer deference error will occur.
Call Trace:
<TASK>
dump_stack_lvl+0x4f/0x90
print_report+0x3f0/0x620
kasan_report+0xcd/0x110
__asan_load2+0x7d/0xa0
nla_strcmp+0x2f/0x90
__nft_expr_type_get+0x41/0xb0
nft_expr_inner_parse+0xe3/0x200
nft_inner_init+0x1be/0x2e0
nf_tables_newrule+0x813/0x1230
nfnetlink_rcv_batch+0xec3/0x1170
nfnetlink_rcv+0x1e4/0x220
netlink_unicast+0x34e/0x4b0
netlink_sendmsg+0x45c/0x7e0
__sys_sendto+0x355/0x370
__x64_sys_sendto+0x84/0xa0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
Signed-off-by: Xingyuan Mo <hdthky0@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/netfilter/nf_tables_api.c b/net/netfilter/nf_tables_api.c
index aae6ffebb413..a623d31b6518 100644
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -3166,7 +3166,7 @@ int nft_expr_inner_parse(const struct nft_ctx *ctx, const struct nlattr *nla,
if (err < 0)
return err;
- if (!tb[NFTA_EXPR_DATA])
+ if (!tb[NFTA_EXPR_DATA] || !tb[NFTA_EXPR_NAME])
return -EINVAL;
type = __nft_expr_type_get(ctx->family, tb[NFTA_EXPR_NAME]);
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 085/241] nf_tables: fix NULL pointer dereference in nft_inner_init()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (83 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 084/241] nf_tables: fix NULL pointer dereference in nft_expr_inner_parse() Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 086/241] netfilter: nf_tables: do not remove elements if set backend implements .abort Greg Kroah-Hartman
` (165 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Xingyuan Mo, Florian Westphal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xingyuan Mo <hdthky0@gmail.com>
commit 52177bbf19e6e9398375a148d2e13ed492b40b80 upstream.
We should check whether the NFTA_INNER_NUM netlink attribute is present
before accessing it, otherwise a null pointer deference error will occur.
Call Trace:
dump_stack_lvl+0x4f/0x90
print_report+0x3f0/0x620
kasan_report+0xcd/0x110
__asan_load4+0x84/0xa0
nft_inner_init+0x128/0x2e0
nf_tables_newrule+0x813/0x1230
nfnetlink_rcv_batch+0xec3/0x1170
nfnetlink_rcv+0x1e4/0x220
netlink_unicast+0x34e/0x4b0
netlink_sendmsg+0x45c/0x7e0
__sys_sendto+0x355/0x370
__x64_sys_sendto+0x84/0xa0
do_syscall_64+0x3f/0x90
entry_SYSCALL_64_after_hwframe+0x6e/0xd8
Fixes: 3a07327d10a0 ("netfilter: nft_inner: support for inner tunnel header matching")
Signed-off-by: Xingyuan Mo <hdthky0@gmail.com>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nft_inner.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/net/netfilter/nft_inner.c b/net/netfilter/nft_inner.c
index 28e2873ba24e..928312d01eb1 100644
--- a/net/netfilter/nft_inner.c
+++ b/net/netfilter/nft_inner.c
@@ -298,6 +298,7 @@ static int nft_inner_init(const struct nft_ctx *ctx,
int err;
if (!tb[NFTA_INNER_FLAGS] ||
+ !tb[NFTA_INNER_NUM] ||
!tb[NFTA_INNER_HDRSIZE] ||
!tb[NFTA_INNER_TYPE] ||
!tb[NFTA_INNER_EXPR])
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 086/241] netfilter: nf_tables: do not remove elements if set backend implements .abort
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (84 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 085/241] nf_tables: fix NULL pointer dereference in nft_inner_init() Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 087/241] netfilter: nf_tables: revert " Greg Kroah-Hartman
` (164 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Florian Westphal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit ebd032fa881882fef2acb9da1bbde48d8233241d upstream.
pipapo set backend maintains two copies of the datastructure, removing
the elements from the copy that is going to be discarded slows down
the abort path significantly, from several minutes to few seconds after
this patch.
Fixes: 212ed75dc5fb ("netfilter: nf_tables: integrate pipapo into commit protocol")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10336,7 +10336,10 @@ static int __nf_tables_abort(struct net
break;
}
te = (struct nft_trans_elem *)trans->data;
- nft_setelem_remove(net, te->set, &te->elem);
+ if (!te->set->ops->abort ||
+ nft_setelem_is_catchall(te->set, &te->elem))
+ nft_setelem_remove(net, te->set, &te->elem);
+
if (!nft_setelem_is_catchall(te->set, &te->elem))
atomic_dec(&te->set->nelems);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 087/241] netfilter: nf_tables: revert do not remove elements if set backend implements .abort
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (85 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 086/241] netfilter: nf_tables: do not remove elements if set backend implements .abort Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 088/241] selftests: openvswitch: Add version check for pyroute2 Greg Kroah-Hartman
` (163 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Pablo Neira Ayuso, Florian Westphal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Neira Ayuso <pablo@netfilter.org>
commit f86fb94011aeb3b26337fc22204ca726aeb8bc24 upstream.
nf_tables_abort_release() path calls nft_set_elem_destroy() for
NFT_MSG_NEWSETELEM which releases the element, however, a reference to
the element still remains in the working copy.
Fixes: ebd032fa8818 ("netfilter: nf_tables: do not remove elements if set backend implements .abort")
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/netfilter/nf_tables_api.c | 5 +----
1 file changed, 1 insertion(+), 4 deletions(-)
--- a/net/netfilter/nf_tables_api.c
+++ b/net/netfilter/nf_tables_api.c
@@ -10336,10 +10336,7 @@ static int __nf_tables_abort(struct net
break;
}
te = (struct nft_trans_elem *)trans->data;
- if (!te->set->ops->abort ||
- nft_setelem_is_catchall(te->set, &te->elem))
- nft_setelem_remove(net, te->set, &te->elem);
-
+ nft_setelem_remove(net, te->set, &te->elem);
if (!nft_setelem_is_catchall(te->set, &te->elem))
atomic_dec(&te->set->nelems);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 088/241] selftests: openvswitch: Add version check for pyroute2
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (86 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 087/241] netfilter: nf_tables: revert " Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 089/241] net: phy: bcm7xxx: Add missing 16nm EPHY statistics Greg Kroah-Hartman
` (162 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Paolo Abeni, Aaron Conole, David S. Miller
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aaron Conole <aconole@redhat.com>
commit 92e37f20f20a23fec4626ae72eda50f127acb130 upstream.
Paolo Abeni reports that on some systems the pyroute2 version isn't
new enough to run the test suite. Ensure that we support a minimum
version of 0.6 for all cases (which does include the existing ones).
The 0.6.1 version was released in May of 2021, so should be
propagated to most installations at this point.
The alternative that Paolo proposed was to only skip when the
add-flow is being run. This would be okay for most cases, except
if a future test case is added that needs to do flow dump without
an associated add (just guessing). In that case, it could also be
broken and we would need additional skip logic anyway. Just draw
a line in the sand now.
Fixes: 25f16c873fb1 ("selftests: add openvswitch selftest suite")
Reported-by: Paolo Abeni <pabeni@redhat.com>
Closes: https://lore.kernel.org/lkml/8470c431e0930d2ea204a9363a60937289b7fdbe.camel@redhat.com/
Signed-off-by: Aaron Conole <aconole@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/openvswitch/openvswitch.sh | 2 +-
tools/testing/selftests/net/openvswitch/ovs-dpctl.py | 10 +++++++++-
2 files changed, 10 insertions(+), 2 deletions(-)
--- a/tools/testing/selftests/net/openvswitch/openvswitch.sh
+++ b/tools/testing/selftests/net/openvswitch/openvswitch.sh
@@ -204,7 +204,7 @@ run_test() {
fi
if python3 ovs-dpctl.py -h 2>&1 | \
- grep "Need to install the python" >/dev/null 2>&1; then
+ grep -E "Need to (install|upgrade) the python" >/dev/null 2>&1; then
stdbuf -o0 printf "TEST: %-60s [PYLIB]\n" "${tdesc}"
return $ksft_skip
fi
--- a/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
+++ b/tools/testing/selftests/net/openvswitch/ovs-dpctl.py
@@ -25,8 +25,10 @@ try:
from pyroute2.netlink import nlmsg_atoms
from pyroute2.netlink.exceptions import NetlinkError
from pyroute2.netlink.generic import GenericNetlinkSocket
+ import pyroute2
+
except ModuleNotFoundError:
- print("Need to install the python pyroute2 package.")
+ print("Need to install the python pyroute2 package >= 0.6.")
sys.exit(0)
@@ -1459,6 +1461,12 @@ def main(argv):
nlmsg_atoms.ovskey = ovskey
nlmsg_atoms.ovsactions = ovsactions
+ # version check for pyroute2
+ prverscheck = pyroute2.__version__.split(".")
+ if int(prverscheck[0]) == 0 and int(prverscheck[1]) < 6:
+ print("Need to upgrade the python pyroute2 package to >= 0.6.")
+ sys.exit(0)
+
parser = argparse.ArgumentParser()
parser.add_argument(
"-v",
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 089/241] net: phy: bcm7xxx: Add missing 16nm EPHY statistics
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (87 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 088/241] selftests: openvswitch: Add version check for pyroute2 Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 090/241] net: pktgen: Fix interface flags printing Greg Kroah-Hartman
` (161 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Justin Chen, Andrew Lunn,
Florian Fainelli, Simon Horman, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Florian Fainelli <florian.fainelli@broadcom.com>
commit 6200e00e112ce2d17b066a20dd2476d9aecbefa6 upstream.
The .probe() function would allocate the necessary space and ensure that
the library call sizes the number of statistics but the callbacks
necessary to fetch the name and values were not wired up.
Reported-by: Justin Chen <justin.chen@broadcom.com>
Fixes: f68d08c437f9 ("net: phy: bcm7xxx: Add EPHY entry for 72165")
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Signed-off-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Simon Horman <horms@kernel.org>
Link: https://lore.kernel.org/r/20231017205119.416392-1-florian.fainelli@broadcom.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/phy/bcm7xxx.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/net/phy/bcm7xxx.c
+++ b/drivers/net/phy/bcm7xxx.c
@@ -894,6 +894,9 @@ static int bcm7xxx_28nm_probe(struct phy
.name = _name, \
/* PHY_BASIC_FEATURES */ \
.flags = PHY_IS_INTERNAL, \
+ .get_sset_count = bcm_phy_get_sset_count, \
+ .get_strings = bcm_phy_get_strings, \
+ .get_stats = bcm7xxx_28nm_get_phy_stats, \
.probe = bcm7xxx_28nm_probe, \
.config_init = bcm7xxx_16nm_ephy_config_init, \
.config_aneg = genphy_config_aneg, \
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 090/241] net: pktgen: Fix interface flags printing
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (88 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 089/241] net: phy: bcm7xxx: Add missing 16nm EPHY statistics Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 091/241] net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation Greg Kroah-Hartman
` (160 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gavrilov Ilia, David S. Miller
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
commit 1d30162f35c7a73fc2f8cdcdcdbd690bedb99d1a upstream.
Device flags are displayed incorrectly:
1) The comparison (i == F_FLOW_SEQ) is always false, because F_FLOW_SEQ
is equal to (1 << FLOW_SEQ_SHIFT) == 2048, and the maximum value
of the 'i' variable is (NR_PKT_FLAG - 1) == 17. It should be compared
with FLOW_SEQ_SHIFT.
2) Similarly to the F_IPSEC flag.
3) Also add spaces to the print end of the string literal "spi:%u"
to prevent the output from merging with the flag that follows.
Found by InfoTeCS on behalf of Linux Verification Center
(linuxtesting.org) with SVACE.
Fixes: 99c6d3d20d62 ("pktgen: Remove brute-force printing of flags")
Signed-off-by: Gavrilov Ilia <Ilia.Gavrilov@infotecs.ru>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/pktgen.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
--- a/net/core/pktgen.c
+++ b/net/core/pktgen.c
@@ -669,19 +669,19 @@ static int pktgen_if_show(struct seq_fil
seq_puts(seq, " Flags: ");
for (i = 0; i < NR_PKT_FLAGS; i++) {
- if (i == F_FLOW_SEQ)
+ if (i == FLOW_SEQ_SHIFT)
if (!pkt_dev->cflows)
continue;
- if (pkt_dev->flags & (1 << i))
+ if (pkt_dev->flags & (1 << i)) {
seq_printf(seq, "%s ", pkt_flag_names[i]);
- else if (i == F_FLOW_SEQ)
- seq_puts(seq, "FLOW_RND ");
-
#ifdef CONFIG_XFRM
- if (i == F_IPSEC && pkt_dev->spi)
- seq_printf(seq, "spi:%u", pkt_dev->spi);
+ if (i == IPSEC_SHIFT && pkt_dev->spi)
+ seq_printf(seq, "spi:%u ", pkt_dev->spi);
#endif
+ } else if (i == FLOW_SEQ_SHIFT) {
+ seq_puts(seq, "FLOW_RND ");
+ }
}
seq_puts(seq, "\n");
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 091/241] net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (89 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 090/241] net: pktgen: Fix interface flags printing Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 092/241] net: mdio-mux: fix C45 access returning -EIO after API change Greg Kroah-Hartman
` (159 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+01cdbc31e9c0ae9b33ac,
syzbot+c99d835ff081ca30f986, Willem de Bruijn, Eric Dumazet,
Jason Wang, David S. Miller
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Willem de Bruijn <willemb@google.com>
commit fc8b2a619469378717e7270d2a4e1ef93c585f7a upstream.
Syzbot reported two new paths to hit an internal WARNING using the
new virtio gso type VIRTIO_NET_HDR_GSO_UDP_L4.
RIP: 0010:skb_checksum_help+0x4a2/0x600 net/core/dev.c:3260
skb len=64521 gso_size=344
and
RIP: 0010:skb_warn_bad_offload+0x118/0x240 net/core/dev.c:3262
Older virtio types have historically had loose restrictions, leading
to many entirely impractical fuzzer generated packets causing
problems deep in the kernel stack. Ideally, we would have had strict
validation for all types from the start.
New virtio types can have tighter validation. Limit UDP GSO packets
inserted via virtio to the same limits imposed by the UDP_SEGMENT
socket interface:
1. must use checksum offload
2. checksum offload matches UDP header
3. no more segments than UDP_MAX_SEGMENTS
4. UDP GSO does not take modifier flags, notably SKB_GSO_TCP_ECN
Fixes: 860b7f27b8f7 ("linux/virtio_net.h: Support USO offload in vnet header.")
Reported-by: syzbot+01cdbc31e9c0ae9b33ac@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/0000000000005039270605eb0b7f@google.com/
Reported-by: syzbot+c99d835ff081ca30f986@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/0000000000005426680605eb0b9f@google.com/
Signed-off-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/virtio_net.h | 19 ++++++++++++++++---
1 file changed, 16 insertions(+), 3 deletions(-)
diff --git a/include/linux/virtio_net.h b/include/linux/virtio_net.h
index 7b4dd69555e4..27cc1d464321 100644
--- a/include/linux/virtio_net.h
+++ b/include/linux/virtio_net.h
@@ -3,8 +3,8 @@
#define _LINUX_VIRTIO_NET_H
#include <linux/if_vlan.h>
+#include <linux/udp.h>
#include <uapi/linux/tcp.h>
-#include <uapi/linux/udp.h>
#include <uapi/linux/virtio_net.h>
static inline bool virtio_net_hdr_match_proto(__be16 protocol, __u8 gso_type)
@@ -151,9 +151,22 @@ retry:
unsigned int nh_off = p_off;
struct skb_shared_info *shinfo = skb_shinfo(skb);
- /* UFO may not include transport header in gso_size. */
- if (gso_type & SKB_GSO_UDP)
+ switch (gso_type & ~SKB_GSO_TCP_ECN) {
+ case SKB_GSO_UDP:
+ /* UFO may not include transport header in gso_size. */
nh_off -= thlen;
+ break;
+ case SKB_GSO_UDP_L4:
+ if (!(hdr->flags & VIRTIO_NET_HDR_F_NEEDS_CSUM))
+ return -EINVAL;
+ if (skb->csum_offset != offsetof(struct udphdr, check))
+ return -EINVAL;
+ if (skb->len - p_off > gso_size * UDP_MAX_SEGMENTS)
+ return -EINVAL;
+ if (gso_type != SKB_GSO_UDP_L4)
+ return -EINVAL;
+ break;
+ }
/* Kernel has a special handling for GSO_BY_FRAGS. */
if (gso_size == GSO_BY_FRAGS)
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 092/241] net: mdio-mux: fix C45 access returning -EIO after API change
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (90 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 091/241] net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 093/241] net: avoid UAF on deleted altname Greg Kroah-Hartman
` (158 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Vladimir Oltean, Florian Fainelli,
Andrew Lunn, Russell King (Oracle),
Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Vladimir Oltean <vladimir.oltean@nxp.com>
commit 1f9f2143f24e224a8582a5d54918c43b9121eccc upstream.
The mii_bus API conversion to read_c45() and write_c45() did not cover
the mdio-mux driver before read() and write() were made C22-only.
This broke arch/arm64/boot/dts/freescale/fsl-ls1028a-qds-13bb.dtso.
The -EOPNOTSUPP from mdiobus_c45_read() is transformed by
get_phy_c45_devs_in_pkg() into -EIO, is further propagated to
of_mdiobus_register() and this makes the mdio-mux driver fail to probe
the entire child buses, not just the PHYs that cause access errors.
Fix the regression by introducing special c45 read and write accessors
to mdio-mux which forward the operation to the parent MDIO bus.
Fixes: db1a63aed89c ("net: phy: Remove fallback to old C45 method")
Signed-off-by: Vladimir Oltean <vladimir.oltean@nxp.com>
Reviewed-by: Florian Fainelli <florian.fainelli@broadcom.com>
Reviewed-by: Andrew Lunn <andrew@lunn.ch>
Reviewed-by: Russell King (Oracle) <rmk+kernel@armlinux.org.uk>
Link: https://lore.kernel.org/r/20231017143144.3212657-1-vladimir.oltean@nxp.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/net/mdio/mdio-mux.c | 47 +++++++++++++++++++++++++++++++++++++
1 file changed, 47 insertions(+)
diff --git a/drivers/net/mdio/mdio-mux.c b/drivers/net/mdio/mdio-mux.c
index a881e3523328..bef4cce71287 100644
--- a/drivers/net/mdio/mdio-mux.c
+++ b/drivers/net/mdio/mdio-mux.c
@@ -55,6 +55,27 @@ out:
return r;
}
+static int mdio_mux_read_c45(struct mii_bus *bus, int phy_id, int dev_addr,
+ int regnum)
+{
+ struct mdio_mux_child_bus *cb = bus->priv;
+ struct mdio_mux_parent_bus *pb = cb->parent;
+ int r;
+
+ mutex_lock_nested(&pb->mii_bus->mdio_lock, MDIO_MUTEX_MUX);
+ r = pb->switch_fn(pb->current_child, cb->bus_number, pb->switch_data);
+ if (r)
+ goto out;
+
+ pb->current_child = cb->bus_number;
+
+ r = pb->mii_bus->read_c45(pb->mii_bus, phy_id, dev_addr, regnum);
+out:
+ mutex_unlock(&pb->mii_bus->mdio_lock);
+
+ return r;
+}
+
/*
* The parent bus' lock is used to order access to the switch_fn.
*/
@@ -80,6 +101,28 @@ out:
return r;
}
+static int mdio_mux_write_c45(struct mii_bus *bus, int phy_id, int dev_addr,
+ int regnum, u16 val)
+{
+ struct mdio_mux_child_bus *cb = bus->priv;
+ struct mdio_mux_parent_bus *pb = cb->parent;
+
+ int r;
+
+ mutex_lock_nested(&pb->mii_bus->mdio_lock, MDIO_MUTEX_MUX);
+ r = pb->switch_fn(pb->current_child, cb->bus_number, pb->switch_data);
+ if (r)
+ goto out;
+
+ pb->current_child = cb->bus_number;
+
+ r = pb->mii_bus->write_c45(pb->mii_bus, phy_id, dev_addr, regnum, val);
+out:
+ mutex_unlock(&pb->mii_bus->mdio_lock);
+
+ return r;
+}
+
static int parent_count;
static void mdio_mux_uninit_children(struct mdio_mux_parent_bus *pb)
@@ -173,6 +216,10 @@ int mdio_mux_init(struct device *dev,
cb->mii_bus->parent = dev;
cb->mii_bus->read = mdio_mux_read;
cb->mii_bus->write = mdio_mux_write;
+ if (parent_bus->read_c45)
+ cb->mii_bus->read_c45 = mdio_mux_read_c45;
+ if (parent_bus->write_c45)
+ cb->mii_bus->write_c45 = mdio_mux_write_c45;
r = of_mdiobus_register(cb->mii_bus, child_bus_node);
if (r) {
mdiobus_free(cb->mii_bus);
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 093/241] net: avoid UAF on deleted altname
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (91 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 092/241] net: mdio-mux: fix C45 access returning -EIO after API change Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 094/241] net: fix ifname in netlink ntf during netns move Greg Kroah-Hartman
` (157 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Pirko, Jakub Kicinski, Paolo Abeni
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
commit 1a83f4a7c156fa6bbd6b530e89fa3270bf3d9d1b upstream.
Altnames are accessed under RCU (dev_get_by_name_rcu())
but freed by kfree() with no synchronization point.
Each node has one or two allocations (node and a variable-size
name, sometimes the name is netdev->name). Adding rcu_heads
here is a bit tedious. Besides most code which unlists the names
already has rcu barriers - so take the simpler approach of adding
synchronize_rcu(). Note that the one on the unregistration path
(which matters more) is removed by the next fix.
Fixes: ff92741270bf ("net: introduce name_node struct to be used in hashlist")
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/dev.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -343,7 +343,6 @@ int netdev_name_node_alt_create(struct n
static void __netdev_name_node_alt_destroy(struct netdev_name_node *name_node)
{
list_del(&name_node->list);
- netdev_name_node_del(name_node);
kfree(name_node->name);
netdev_name_node_free(name_node);
}
@@ -362,6 +361,8 @@ int netdev_name_node_alt_destroy(struct
if (name_node == dev->name_node || name_node->dev != dev)
return -EINVAL;
+ netdev_name_node_del(name_node);
+ synchronize_rcu();
__netdev_name_node_alt_destroy(name_node);
return 0;
@@ -10838,6 +10839,7 @@ void unregister_netdevice_many_notify(st
synchronize_net();
list_for_each_entry(dev, head, unreg_list) {
+ struct netdev_name_node *name_node;
struct sk_buff *skb = NULL;
/* Shutdown queueing discipline. */
@@ -10865,6 +10867,9 @@ void unregister_netdevice_many_notify(st
dev_uc_flush(dev);
dev_mc_flush(dev);
+ netdev_for_each_altname(dev, name_node)
+ netdev_name_node_del(name_node);
+ synchronize_rcu();
netdev_name_node_alt_flush(dev);
netdev_name_node_free(dev->name_node);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 094/241] net: fix ifname in netlink ntf during netns move
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (92 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 093/241] net: avoid UAF on deleted altname Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 095/241] net: check for altname conflicts when changing netdevs netns Greg Kroah-Hartman
` (156 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jakub Kicinski, Jiri Pirko, Paolo Abeni
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
commit 311cca40661f428b7aa114fb5af578cfdbe3e8b6 upstream.
dev_get_valid_name() overwrites the netdev's name on success.
This makes it hard to use in prepare-commit-like fashion,
where we do validation first, and "commit" to the change
later.
Factor out a helper which lets us save the new name to a buffer.
Use it to fix the problem of notification on netns move having
incorrect name:
5: eth0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
link/ether be:4d:58:f9:d5:40 brd ff:ff:ff:ff:ff:ff
6: eth1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
link/ether 1e:4a:34:36:e3:cd brd ff:ff:ff:ff:ff:ff
[ ~]# ip link set dev eth0 netns 1 name eth1
ip monitor inside netns:
Deleted inet eth0
Deleted inet6 eth0
Deleted 5: eth1: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN group default
link/ether be:4d:58:f9:d5:40 brd ff:ff:ff:ff:ff:ff new-netnsid 0 new-ifindex 7
Name is reported as eth1 in old netns for ifindex 5, already renamed.
Fixes: d90310243fd7 ("net: device name allocation cleanups")
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/dev.c | 44 +++++++++++++++++++++++++++++++-------------
1 file changed, 31 insertions(+), 13 deletions(-)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1116,6 +1116,26 @@ static int __dev_alloc_name(struct net *
return -ENFILE;
}
+static int dev_prep_valid_name(struct net *net, struct net_device *dev,
+ const char *want_name, char *out_name)
+{
+ int ret;
+
+ if (!dev_valid_name(want_name))
+ return -EINVAL;
+
+ if (strchr(want_name, '%')) {
+ ret = __dev_alloc_name(net, want_name, out_name);
+ return ret < 0 ? ret : 0;
+ } else if (netdev_name_in_use(net, want_name)) {
+ return -EEXIST;
+ } else if (out_name != want_name) {
+ strscpy(out_name, want_name, IFNAMSIZ);
+ }
+
+ return 0;
+}
+
static int dev_alloc_name_ns(struct net *net,
struct net_device *dev,
const char *name)
@@ -1153,19 +1173,13 @@ EXPORT_SYMBOL(dev_alloc_name);
static int dev_get_valid_name(struct net *net, struct net_device *dev,
const char *name)
{
- BUG_ON(!net);
-
- if (!dev_valid_name(name))
- return -EINVAL;
-
- if (strchr(name, '%'))
- return dev_alloc_name_ns(net, dev, name);
- else if (netdev_name_in_use(net, name))
- return -EEXIST;
- else if (dev->name != name)
- strscpy(dev->name, name, IFNAMSIZ);
+ char buf[IFNAMSIZ];
+ int ret;
- return 0;
+ ret = dev_prep_valid_name(net, dev, name, buf);
+ if (ret >= 0)
+ strscpy(dev->name, buf, IFNAMSIZ);
+ return ret;
}
/**
@@ -10955,6 +10969,7 @@ int __dev_change_net_namespace(struct ne
const char *pat, int new_ifindex)
{
struct net *net_old = dev_net(dev);
+ char new_name[IFNAMSIZ] = {};
int err, new_nsid;
ASSERT_RTNL();
@@ -10981,7 +10996,7 @@ int __dev_change_net_namespace(struct ne
/* We get here if we can't use the current device name */
if (!pat)
goto out;
- err = dev_get_valid_name(net, dev, pat);
+ err = dev_prep_valid_name(net, dev, pat, new_name);
if (err < 0)
goto out;
}
@@ -11049,6 +11064,9 @@ int __dev_change_net_namespace(struct ne
kobject_uevent(&dev->dev.kobj, KOBJ_ADD);
netdev_adjacent_add_links(dev);
+ if (new_name[0]) /* Rename the netdev to prepared name */
+ strscpy(dev->name, new_name, IFNAMSIZ);
+
/* Fixup kobjects */
err = device_rename(&dev->dev, dev->name);
WARN_ON(err);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 095/241] net: check for altname conflicts when changing netdevs netns
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (93 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 094/241] net: fix ifname in netlink ntf during netns move Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 096/241] iio: light: vcnl4000: Dont power on/off chip in config Greg Kroah-Hartman
` (155 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Pirko, Jakub Kicinski, Paolo Abeni
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
commit 7663d522099ecc464512164e660bc771b2ff7b64 upstream.
It's currently possible to create an altname conflicting
with an altname or real name of another device by creating
it in another netns and moving it over:
[ ~]$ ip link add dev eth0 type dummy
[ ~]$ ip netns add test
[ ~]$ ip -netns test link add dev ethX netns test type dummy
[ ~]$ ip -netns test link property add dev ethX altname eth0
[ ~]$ ip -netns test link set dev ethX netns 1
[ ~]$ ip link
...
3: eth0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 02:40:88:62:ec:b8 brd ff:ff:ff:ff:ff:ff
...
5: ethX: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 26:b7:28:78:38:0f brd ff:ff:ff:ff:ff:ff
altname eth0
Create a macro for walking the altnames, this hopefully makes
it clearer that the list we walk contains only altnames.
Which is otherwise not entirely intuitive.
Fixes: 36fbf1e52bd3 ("net: rtnetlink: add linkprop commands to add and delete alternative ifnames")
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/dev.c | 9 ++++++++-
net/core/dev.h | 3 +++
2 files changed, 11 insertions(+), 1 deletion(-)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -1079,7 +1079,8 @@ static int __dev_alloc_name(struct net *
for_each_netdev(net, d) {
struct netdev_name_node *name_node;
- list_for_each_entry(name_node, &d->name_node->list, list) {
+
+ netdev_for_each_altname(d, name_node) {
if (!sscanf(name_node->name, name, &i))
continue;
if (i < 0 || i >= max_netdevices)
@@ -10968,6 +10969,7 @@ EXPORT_SYMBOL(unregister_netdev);
int __dev_change_net_namespace(struct net_device *dev, struct net *net,
const char *pat, int new_ifindex)
{
+ struct netdev_name_node *name_node;
struct net *net_old = dev_net(dev);
char new_name[IFNAMSIZ] = {};
int err, new_nsid;
@@ -11000,6 +11002,11 @@ int __dev_change_net_namespace(struct ne
if (err < 0)
goto out;
}
+ /* Check that none of the altnames conflicts. */
+ err = -EEXIST;
+ netdev_for_each_altname(dev, name_node)
+ if (netdev_name_in_use(net, name_node->name))
+ goto out;
/* Check that new_ifindex isn't used yet. */
err = -EBUSY;
--- a/net/core/dev.h
+++ b/net/core/dev.h
@@ -62,6 +62,9 @@ struct netdev_name_node {
int netdev_get_name(struct net *net, char *name, int ifindex);
int dev_change_name(struct net_device *dev, const char *newname);
+#define netdev_for_each_altname(dev, namenode) \
+ list_for_each_entry((namenode), &(dev)->name_node->list, list)
+
int netdev_name_node_alt_create(struct net_device *dev, const char *name);
int netdev_name_node_alt_destroy(struct net_device *dev, const char *name);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 096/241] iio: light: vcnl4000: Dont power on/off chip in config
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (94 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 095/241] net: check for altname conflicts when changing netdevs netns Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 097/241] pwr-mlxbf: extend Kconfig to include gpio-mlxbf3 dependency Greg Kroah-Hartman
` (154 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mårten Lindahl, Stable,
Jonathan Cameron, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Mårten Lindahl <marten.lindahl@axis.com>
[ Upstream commit 7e87ab38eed09c9dec56da361d74158159ae84a3 ]
After enabling/disabling interrupts on the vcnl4040 chip the als and/or
ps sensor is powered on or off depending on the interrupt enable bits.
This is made as a last step in write_event_config.
But there is no reason to do this as the runtime PM handles the power
state of the sensors. Interfering with this may impact sensor readings.
Consider the following:
1. Userspace makes sensor data reading which triggers RPM resume
(sensor powered on) and a RPM suspend timeout. The timeout is 2000ms
before RPM suspend powers the sensor off if no new reading is made
within the timeout period.
2. Userspace disables interrupts => powers sensor off
3. Userspace reads sensor data = 0 because sensor is off and the
suspend timeout has not passed. For each new reading made within the
timeout period the timeout is renewed with 2000ms and RPM will not
make a new resume (device was not suspended). So the sensor will
not be powered on.
4. No further userspace reading for 2000ms ends RPM suspend timeout and
triggers suspend (powers off already powered off sensor).
Powering sensor off in (2) makes all consecutive readings made within
2000ms to the previous reading (3) return invalid data.
Skip setting power state when writing new event config.
Fixes: 546676121cb9 ("iio: light: vcnl4000: Add interrupt support for vcnl4040")
Fixes: bc292aaf9cb4 ("iio: light: vcnl4000: add illuminance irq vcnl4040/4200")
Signed-off-by: Mårten Lindahl <marten.lindahl@axis.com>
Link: https://lore.kernel.org/r/20230907-vcnl4000-pm-fix-v2-1-298e01f54db4@axis.com
Cc: <Stable@vger.kernel.org>
Signed-off-by: Jonathan Cameron <Jonathan.Cameron@huawei.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/iio/light/vcnl4000.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/drivers/iio/light/vcnl4000.c b/drivers/iio/light/vcnl4000.c
index 7c7362e288213..66433886b7b03 100644
--- a/drivers/iio/light/vcnl4000.c
+++ b/drivers/iio/light/vcnl4000.c
@@ -994,7 +994,6 @@ static int vcnl4040_write_event_config(struct iio_dev *indio_dev,
out:
mutex_unlock(&data->vcnl4000_lock);
- data->chip_spec->set_power_state(data, data->ps_int != 0);
return ret;
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 097/241] pwr-mlxbf: extend Kconfig to include gpio-mlxbf3 dependency
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (95 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 096/241] iio: light: vcnl4000: Dont power on/off chip in config Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 098/241] ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone Greg Kroah-Hartman
` (153 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, David Thompson, Asmaa Mnebhi,
Sebastian Reichel, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Thompson <davthompson@nvidia.com>
[ Upstream commit 82f07f1acf417b81e793145c167dd5e156024de4 ]
The BlueField power handling driver (pwr-mlxbf.c) provides
functionality for both BlueField-2 and BlueField-3 based
platforms. This driver also depends on the SoC-specific
BlueField GPIO driver, whether gpio-mlxbf2 or gpio-mlxbf3.
This patch extends the Kconfig definition to include the
dependency on the gpio-mlxbf3 driver, if applicable.
Signed-off-by: David Thompson <davthompson@nvidia.com>
Reviewed-by: Asmaa Mnebhi <asmaa@nvidia.com>
Link: https://lore.kernel.org/r/20230823133743.31275-1-davthompson@nvidia.com
Signed-off-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/power/reset/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/power/reset/Kconfig b/drivers/power/reset/Kconfig
index fff07b2bd77b9..62f592e617339 100644
--- a/drivers/power/reset/Kconfig
+++ b/drivers/power/reset/Kconfig
@@ -307,7 +307,7 @@ config NVMEM_REBOOT_MODE
config POWER_MLXBF
tristate "Mellanox BlueField power handling driver"
- depends on (GPIO_MLXBF2 && ACPI)
+ depends on (GPIO_MLXBF2 || GPIO_MLXBF3) && ACPI
help
This driver supports reset or low power mode handling for Mellanox BlueField.
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 098/241] ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (96 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 097/241] pwr-mlxbf: extend Kconfig to include gpio-mlxbf3 dependency Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 099/241] arm64: dts: mediatek: Fix "mediatek,merge-mute" and "mediatek,merge-fifo-en" types Greg Kroah-Hartman
` (152 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivaylo Dimitrov, Carl Philipp Klemm,
Merlijn Wajer, Pavel Machek, Sebastian Reichel, Tony Lindgren,
Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Lindgren <tony@atomide.com>
[ Upstream commit 5ad37b5e30433afa7a5513e3eb61f69fa0976785 ]
On mapphone devices we may get lots of noise on the micro-USB port in debug
uart mode until the phy-cpcap-usb driver probes. Let's limit the noise by
using overrun-throttle-ms.
Note that there is also a related separate issue where the charger cable
connected may cause random sysrq requests until phy-cpcap-usb probes that
still remains.
Cc: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
Cc: Carl Philipp Klemm <philipp@uvos.xyz>
Cc: Merlijn Wajer <merlijn@wizzup.org>
Cc: Pavel Machek <pavel@ucw.cz>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Signed-off-by: Tony Lindgren <tony@atomide.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi | 1 +
1 file changed, 1 insertion(+)
diff --git a/arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi b/arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi
index d69f0f4b4990d..d2d516d113baa 100644
--- a/arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi
+++ b/arch/arm/boot/dts/ti/omap/motorola-mapphone-common.dtsi
@@ -640,6 +640,7 @@ &uart1 {
&uart3 {
interrupts-extended = <&wakeupgen GIC_SPI 74 IRQ_TYPE_LEVEL_HIGH
&omap4_pmx_core 0x17c>;
+ overrun-throttle-ms = <500>;
};
&uart4 {
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 099/241] arm64: dts: mediatek: Fix "mediatek,merge-mute" and "mediatek,merge-fifo-en" types
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (97 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 098/241] ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 100/241] fs-writeback: do not requeue a clean inode having skipped pages Greg Kroah-Hartman
` (151 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rob Herring,
AngeloGioacchino Del Regno, Arnd Bergmann, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rob Herring <robh@kernel.org>
[ Upstream commit 5f8456b1faefb06fcf6028dced9f37aa880c779d ]
"mediatek,merge-mute" and "mediatek,merge-fifo-en" properties are defined
and used as boolean properties which in DT have no value.
Signed-off-by: Rob Herring <robh@kernel.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioacchino.delregno@collabora.com>
Link: https://lore.kernel.org/r/20230830195650.704737-1-robh@kernel.org
Signed-off-by: Arnd Bergmann <arnd@arndb.de>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/arm64/boot/dts/mediatek/mt8195.dtsi | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
diff --git a/arch/arm64/boot/dts/mediatek/mt8195.dtsi b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
index 43011bc41da77..54c674c45b49a 100644
--- a/arch/arm64/boot/dts/mediatek/mt8195.dtsi
+++ b/arch/arm64/boot/dts/mediatek/mt8195.dtsi
@@ -2958,7 +2958,7 @@ merge1: vpp-merge@1c10c000 {
clock-names = "merge","merge_async";
power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>;
mediatek,gce-client-reg = <&gce0 SUBSYS_1c10XXXX 0xc000 0x1000>;
- mediatek,merge-mute = <1>;
+ mediatek,merge-mute;
resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE0_DL_ASYNC>;
};
@@ -2971,7 +2971,7 @@ merge2: vpp-merge@1c10d000 {
clock-names = "merge","merge_async";
power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>;
mediatek,gce-client-reg = <&gce0 SUBSYS_1c10XXXX 0xd000 0x1000>;
- mediatek,merge-mute = <1>;
+ mediatek,merge-mute;
resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE1_DL_ASYNC>;
};
@@ -2984,7 +2984,7 @@ merge3: vpp-merge@1c10e000 {
clock-names = "merge","merge_async";
power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>;
mediatek,gce-client-reg = <&gce0 SUBSYS_1c10XXXX 0xe000 0x1000>;
- mediatek,merge-mute = <1>;
+ mediatek,merge-mute;
resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE2_DL_ASYNC>;
};
@@ -2997,7 +2997,7 @@ merge4: vpp-merge@1c10f000 {
clock-names = "merge","merge_async";
power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>;
mediatek,gce-client-reg = <&gce0 SUBSYS_1c10XXXX 0xf000 0x1000>;
- mediatek,merge-mute = <1>;
+ mediatek,merge-mute;
resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE3_DL_ASYNC>;
};
@@ -3010,7 +3010,7 @@ merge5: vpp-merge@1c110000 {
clock-names = "merge","merge_async";
power-domains = <&spm MT8195_POWER_DOMAIN_VDOSYS1>;
mediatek,gce-client-reg = <&gce0 SUBSYS_1c11XXXX 0x0000 0x1000>;
- mediatek,merge-fifo-en = <1>;
+ mediatek,merge-fifo-en;
resets = <&vdosys1 MT8195_VDOSYS1_SW0_RST_B_MERGE4_DL_ASYNC>;
};
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 100/241] fs-writeback: do not requeue a clean inode having skipped pages
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (98 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 099/241] arm64: dts: mediatek: Fix "mediatek,merge-mute" and "mediatek,merge-fifo-en" types Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 101/241] btrfs: fix race when refilling delayed refs block reserve Greg Kroah-Hartman
` (150 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chunhai Guo, Jan Kara,
Christian Brauner, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chunhai Guo <guochunhai@vivo.com>
[ Upstream commit be049c3a088d512187407b7fd036cecfab46d565 ]
When writing back an inode and performing an fsync on it concurrently, a
deadlock issue may arise as shown below. In each writeback iteration, a
clean inode is requeued to the wb->b_dirty queue due to non-zero
pages_skipped, without anything actually being written. This causes an
infinite loop and prevents the plug from being flushed, resulting in a
deadlock. We now avoid requeuing the clean inode to prevent this issue.
wb_writeback fsync (inode-Y)
blk_start_plug(&plug)
for (;;) {
iter i-1: some reqs with page-X added into plug->mq_list // f2fs node page-X with PG_writeback
filemap_fdatawrite
__filemap_fdatawrite_range // write inode-Y with sync_mode WB_SYNC_ALL
do_writepages
f2fs_write_data_pages
__f2fs_write_data_pages // wb_sync_req[DATA]++ for WB_SYNC_ALL
f2fs_write_cache_pages
f2fs_write_single_data_page
f2fs_do_write_data_page
f2fs_outplace_write_data
f2fs_update_data_blkaddr
f2fs_wait_on_page_writeback
wait_on_page_writeback // wait for f2fs node page-X
iter i:
progress = __writeback_inodes_wb(wb, work)
. writeback_sb_inodes
. __writeback_single_inode // write inode-Y with sync_mode WB_SYNC_NONE
. . do_writepages
. . f2fs_write_data_pages
. . . __f2fs_write_data_pages // skip writepages due to (wb_sync_req[DATA]>0)
. . . wbc->pages_skipped += get_dirty_pages(inode) // wbc->pages_skipped = 1
. if (!(inode->i_state & I_DIRTY_ALL)) // i_state = I_SYNC | I_SYNC_QUEUED
. total_wrote++; // total_wrote = 1
. requeue_inode // requeue inode-Y to wb->b_dirty queue due to non-zero pages_skipped
if (progress) // progress = 1
continue;
iter i+1:
queue_io
// similar process with iter i, infinite for-loop !
}
blk_finish_plug(&plug) // flush plug won't be called
Signed-off-by: Chunhai Guo <guochunhai@vivo.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Message-Id: <20230916045131.957929-1-guochunhai@vivo.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/fs-writeback.c | 11 ++++++++---
1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/fs/fs-writeback.c b/fs/fs-writeback.c
index aca4b48113945..d532a93e980d7 100644
--- a/fs/fs-writeback.c
+++ b/fs/fs-writeback.c
@@ -1535,10 +1535,15 @@ static void requeue_inode(struct inode *inode, struct bdi_writeback *wb,
if (wbc->pages_skipped) {
/*
- * writeback is not making progress due to locked
- * buffers. Skip this inode for now.
+ * Writeback is not making progress due to locked buffers.
+ * Skip this inode for now. Although having skipped pages
+ * is odd for clean inodes, it can happen for some
+ * filesystems so handle that gracefully.
*/
- redirty_tail_locked(inode, wb);
+ if (inode->i_state & I_DIRTY_ALL)
+ redirty_tail_locked(inode, wb);
+ else
+ inode_cgwb_move_to_attached(inode, wb);
return;
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 101/241] btrfs: fix race when refilling delayed refs block reserve
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (99 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 100/241] fs-writeback: do not requeue a clean inode having skipped pages Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 102/241] btrfs: prevent transaction block reserve underflow when starting transaction Greg Kroah-Hartman
` (149 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, David Sterba, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 2ed45c0f1879079b30248568c515cf60fc668d8a ]
If we have two (or more) tasks attempting to refill the delayed refs block
reserve we can end up with the delayed block reserve being over reserved,
that is, with a reserved space greater than its size. If this happens, we
are holding to more reserved space than necessary for a while.
The race happens like this:
1) The delayed refs block reserve has a size of 8M and a reserved space of
6M for example;
2) Task A calls btrfs_delayed_refs_rsv_refill();
3) Task B also calls btrfs_delayed_refs_rsv_refill();
4) Task A sees there's a 2M difference between the size and the reserved
space of the delayed refs rsv, so it will reserve 2M of space by
calling btrfs_reserve_metadata_bytes();
5) Task B also sees that 2M difference, and like task A, it reserves
another 2M of metadata space;
6) Both task A and task B increase the reserved space of block reserve
by 2M, by calling btrfs_block_rsv_add_bytes(), so the block reserve
ends up with a size of 8M and a reserved space of 10M;
7) The extra, over reserved space will eventually be freed by some task
calling btrfs_delayed_refs_rsv_release() -> btrfs_block_rsv_release()
-> block_rsv_release_bytes(), as there we will detect the over reserve
and release that space.
So fix this by checking if we still need to add space to the delayed refs
block reserve after reserving the metadata space, and if we don't, just
release that space immediately.
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/delayed-ref.c | 37 ++++++++++++++++++++++++++++++++++---
1 file changed, 34 insertions(+), 3 deletions(-)
diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c
index 6a13cf00218bc..1043f66cc130d 100644
--- a/fs/btrfs/delayed-ref.c
+++ b/fs/btrfs/delayed-ref.c
@@ -163,6 +163,8 @@ int btrfs_delayed_refs_rsv_refill(struct btrfs_fs_info *fs_info,
struct btrfs_block_rsv *block_rsv = &fs_info->delayed_refs_rsv;
u64 limit = btrfs_calc_delayed_ref_bytes(fs_info, 1);
u64 num_bytes = 0;
+ u64 refilled_bytes;
+ u64 to_free;
int ret = -ENOSPC;
spin_lock(&block_rsv->lock);
@@ -178,9 +180,38 @@ int btrfs_delayed_refs_rsv_refill(struct btrfs_fs_info *fs_info,
ret = btrfs_reserve_metadata_bytes(fs_info, block_rsv, num_bytes, flush);
if (ret)
return ret;
- btrfs_block_rsv_add_bytes(block_rsv, num_bytes, false);
- trace_btrfs_space_reservation(fs_info, "delayed_refs_rsv",
- 0, num_bytes, 1);
+
+ /*
+ * We may have raced with someone else, so check again if we the block
+ * reserve is still not full and release any excess space.
+ */
+ spin_lock(&block_rsv->lock);
+ if (block_rsv->reserved < block_rsv->size) {
+ u64 needed = block_rsv->size - block_rsv->reserved;
+
+ if (num_bytes >= needed) {
+ block_rsv->reserved += needed;
+ block_rsv->full = true;
+ to_free = num_bytes - needed;
+ refilled_bytes = needed;
+ } else {
+ block_rsv->reserved += num_bytes;
+ to_free = 0;
+ refilled_bytes = num_bytes;
+ }
+ } else {
+ to_free = num_bytes;
+ refilled_bytes = 0;
+ }
+ spin_unlock(&block_rsv->lock);
+
+ if (to_free > 0)
+ btrfs_space_info_free_bytes_may_use(fs_info, block_rsv->space_info,
+ to_free);
+
+ if (refilled_bytes > 0)
+ trace_btrfs_space_reservation(fs_info, "delayed_refs_rsv", 0,
+ refilled_bytes, 1);
return 0;
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 102/241] btrfs: prevent transaction block reserve underflow when starting transaction
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (100 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 101/241] btrfs: fix race when refilling delayed refs block reserve Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 103/241] btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1 Greg Kroah-Hartman
` (148 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josef Bacik, Filipe Manana,
David Sterba, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit a7ddeeb079505961355cf0106154da0110f1fdff ]
When starting a transaction, with a non-zero number of items, we reserve
metadata space for that number of items and for delayed refs by doing a
call to btrfs_block_rsv_add(), with the transaction block reserve passed
as the block reserve argument. This reserves metadata space and adds it
to the transaction block reserve. Later we migrate the space we reserved
for delayed references from the transaction block reserve into the delayed
refs block reserve, by calling btrfs_migrate_to_delayed_refs_rsv().
btrfs_migrate_to_delayed_refs_rsv() decrements the number of bytes to
migrate from the source block reserve, and this however may result in an
underflow in case the space added to the transaction block reserve ended
up being used by another task that has not reserved enough space for its
own use - examples are tasks doing reflinks or hole punching because they
end up calling btrfs_replace_file_extents() -> btrfs_drop_extents() and
may need to modify/COW a variable number of leaves/paths, so they keep
trying to use space from the transaction block reserve when they need to
COW an extent buffer, and may end up trying to use more space then they
have reserved (1 unit/path only for removing file extent items).
This can be avoided by simply reserving space first without adding it to
the transaction block reserve, then add the space for delayed refs to the
delayed refs block reserve and finally add the remaining reserved space
to the transaction block reserve. This also makes the code a bit shorter
and simpler. So just do that.
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/delayed-ref.c | 9 +--------
fs/btrfs/delayed-ref.h | 1 -
fs/btrfs/transaction.c | 6 +++---
3 files changed, 4 insertions(+), 12 deletions(-)
diff --git a/fs/btrfs/delayed-ref.c b/fs/btrfs/delayed-ref.c
index 1043f66cc130d..9fe4ccca50a06 100644
--- a/fs/btrfs/delayed-ref.c
+++ b/fs/btrfs/delayed-ref.c
@@ -103,24 +103,17 @@ void btrfs_update_delayed_refs_rsv(struct btrfs_trans_handle *trans)
* Transfer bytes to our delayed refs rsv.
*
* @fs_info: the filesystem
- * @src: source block rsv to transfer from
* @num_bytes: number of bytes to transfer
*
- * This transfers up to the num_bytes amount from the src rsv to the
+ * This transfers up to the num_bytes amount, previously reserved, to the
* delayed_refs_rsv. Any extra bytes are returned to the space info.
*/
void btrfs_migrate_to_delayed_refs_rsv(struct btrfs_fs_info *fs_info,
- struct btrfs_block_rsv *src,
u64 num_bytes)
{
struct btrfs_block_rsv *delayed_refs_rsv = &fs_info->delayed_refs_rsv;
u64 to_free = 0;
- spin_lock(&src->lock);
- src->reserved -= num_bytes;
- src->size -= num_bytes;
- spin_unlock(&src->lock);
-
spin_lock(&delayed_refs_rsv->lock);
if (delayed_refs_rsv->size > delayed_refs_rsv->reserved) {
u64 delta = delayed_refs_rsv->size -
diff --git a/fs/btrfs/delayed-ref.h b/fs/btrfs/delayed-ref.h
index b8e14b0ba5f16..fd9bf2b709c0e 100644
--- a/fs/btrfs/delayed-ref.h
+++ b/fs/btrfs/delayed-ref.h
@@ -407,7 +407,6 @@ void btrfs_update_delayed_refs_rsv(struct btrfs_trans_handle *trans);
int btrfs_delayed_refs_rsv_refill(struct btrfs_fs_info *fs_info,
enum btrfs_reserve_flush_enum flush);
void btrfs_migrate_to_delayed_refs_rsv(struct btrfs_fs_info *fs_info,
- struct btrfs_block_rsv *src,
u64 num_bytes);
bool btrfs_check_space_for_delayed_refs(struct btrfs_fs_info *fs_info);
diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c
index 5bbd288b9cb54..0554ca2a8e3ba 100644
--- a/fs/btrfs/transaction.c
+++ b/fs/btrfs/transaction.c
@@ -625,14 +625,14 @@ start_transaction(struct btrfs_root *root, unsigned int num_items,
reloc_reserved = true;
}
- ret = btrfs_block_rsv_add(fs_info, rsv, num_bytes, flush);
+ ret = btrfs_reserve_metadata_bytes(fs_info, rsv, num_bytes, flush);
if (ret)
goto reserve_fail;
if (delayed_refs_bytes) {
- btrfs_migrate_to_delayed_refs_rsv(fs_info, rsv,
- delayed_refs_bytes);
+ btrfs_migrate_to_delayed_refs_rsv(fs_info, delayed_refs_bytes);
num_bytes -= delayed_refs_bytes;
}
+ btrfs_block_rsv_add_bytes(rsv, num_bytes, true);
if (rsv->space_info->force_alloc)
do_chunk_alloc = true;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 103/241] btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (101 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 102/241] btrfs: prevent transaction block reserve underflow when starting transaction Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 104/241] btrfs: initialize start_slot in btrfs_log_prealloc_extents Greg Kroah-Hartman
` (147 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Josef Bacik, Filipe Manana,
David Sterba, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 1bf76df3fee56d6637718e267f7c34ed70d0c7dc ]
When running a delayed tree reference, if we find a ref count different
from 1, we return -EIO. This isn't an IO error, as it indicates either a
bug in the delayed refs code or a memory corruption, so change the error
code from -EIO to -EUCLEAN. Also tag the branch as 'unlikely' as this is
not expected to ever happen, and change the error message to print the
tree block's bytenr without the parenthesis (and there was a missing space
between the 'block' word and the opening parenthesis), for consistency as
that's the style we used everywhere else.
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/extent-tree.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/fs/btrfs/extent-tree.c b/fs/btrfs/extent-tree.c
index 0917c5f39e3d0..2cf8d646085c2 100644
--- a/fs/btrfs/extent-tree.c
+++ b/fs/btrfs/extent-tree.c
@@ -1715,12 +1715,12 @@ static int run_delayed_tree_ref(struct btrfs_trans_handle *trans,
parent = ref->parent;
ref_root = ref->root;
- if (node->ref_mod != 1) {
+ if (unlikely(node->ref_mod != 1)) {
btrfs_err(trans->fs_info,
- "btree block(%llu) has %d references rather than 1: action %d ref_root %llu parent %llu",
+ "btree block %llu has %d references rather than 1: action %d ref_root %llu parent %llu",
node->bytenr, node->ref_mod, node->action, ref_root,
parent);
- return -EIO;
+ return -EUCLEAN;
}
if (node->action == BTRFS_ADD_DELAYED_REF && insert_reserved) {
BUG_ON(!extent_op || !extent_op->update_flags);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 104/241] btrfs: initialize start_slot in btrfs_log_prealloc_extents
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (102 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 103/241] btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1 Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 105/241] i2c: mux: Avoid potential false error message in i2c_mux_add_adapter Greg Kroah-Hartman
` (146 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jens Axboe, Josef Bacik,
David Sterba, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
[ Upstream commit b4c639f699349880b7918b861e1bd360442ec450 ]
Jens reported a compiler warning when using
CONFIG_CC_OPTIMIZE_FOR_SIZE=y that looks like this
fs/btrfs/tree-log.c: In function ‘btrfs_log_prealloc_extents’:
fs/btrfs/tree-log.c:4828:23: warning: ‘start_slot’ may be used
uninitialized [-Wmaybe-uninitialized]
4828 | ret = copy_items(trans, inode, dst_path, path,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
4829 | start_slot, ins_nr, 1, 0);
| ~~~~~~~~~~~~~~~~~~~~~~~~~
fs/btrfs/tree-log.c:4725:13: note: ‘start_slot’ was declared here
4725 | int start_slot;
| ^~~~~~~~~~
The compiler is incorrect, as we only use this code when ins_len > 0,
and when ins_len > 0 we have start_slot properly initialized. However
we generally find the -Wmaybe-uninitialized warnings valuable, so
initialize start_slot to get rid of the warning.
Reported-by: Jens Axboe <axboe@kernel.dk>
Tested-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/tree-log.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/btrfs/tree-log.c b/fs/btrfs/tree-log.c
index 365a1cc0a3c35..a00e7a0bc713d 100644
--- a/fs/btrfs/tree-log.c
+++ b/fs/btrfs/tree-log.c
@@ -4722,7 +4722,7 @@ static int btrfs_log_prealloc_extents(struct btrfs_trans_handle *trans,
struct extent_buffer *leaf;
int slot;
int ins_nr = 0;
- int start_slot;
+ int start_slot = 0;
int ret;
if (!(inode->flags & BTRFS_INODE_PREALLOC))
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 105/241] i2c: mux: Avoid potential false error message in i2c_mux_add_adapter
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (103 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 104/241] btrfs: initialize start_slot in btrfs_log_prealloc_extents Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 106/241] overlayfs: set ctime when setting mtime and atime Greg Kroah-Hartman
` (145 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Heiner Kallweit, Peter Rosin,
Wolfram Sang, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Heiner Kallweit <hkallweit1@gmail.com>
[ Upstream commit b13e59e74ff71a1004e0508107e91e9a84fd7388 ]
I2C_CLASS_DEPRECATED is a flag and not an actual class.
There's nothing speaking against both, parent and child, having
I2C_CLASS_DEPRECATED set. Therefore exclude it from the check.
Signed-off-by: Heiner Kallweit <hkallweit1@gmail.com>
Acked-by: Peter Rosin <peda@axentia.se>
Signed-off-by: Wolfram Sang <wsa@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/i2c/i2c-mux.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/i2c/i2c-mux.c b/drivers/i2c/i2c-mux.c
index 313904be5f3bd..57ff09f18c371 100644
--- a/drivers/i2c/i2c-mux.c
+++ b/drivers/i2c/i2c-mux.c
@@ -341,7 +341,7 @@ int i2c_mux_add_adapter(struct i2c_mux_core *muxc,
priv->adap.lock_ops = &i2c_parent_lock_ops;
/* Sanity check on class */
- if (i2c_mux_parent_classes(parent) & class)
+ if (i2c_mux_parent_classes(parent) & class & ~I2C_CLASS_DEPRECATED)
dev_err(&parent->dev,
"Segment %d behind mux can't share classes with ancestors\n",
chan_id);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 106/241] overlayfs: set ctime when setting mtime and atime
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (104 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 105/241] i2c: mux: Avoid potential false error message in i2c_mux_add_adapter Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 107/241] accel/ivpu: Dont flood dmesg with VPU ready message Greg Kroah-Hartman
` (144 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Nathan Chancellor, Jeff Layton,
Christian Brauner, Amir Goldstein, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit 03dbab3bba5f009d053635c729d1244f2c8bad38 ]
Nathan reported that he was seeing the new warning in
setattr_copy_mgtime pop when starting podman containers. Overlayfs is
trying to set the atime and mtime via notify_change without also
setting the ctime.
POSIX states that when the atime and mtime are updated via utimes() that
we must also update the ctime to the current time. The situation with
overlayfs copy-up is analogies, so add ATTR_CTIME to the bitmask.
notify_change will fill in the value.
Reported-by: Nathan Chancellor <nathan@kernel.org>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Tested-by: Nathan Chancellor <nathan@kernel.org>
Acked-by: Christian Brauner <brauner@kernel.org>
Acked-by: Amir Goldstein <amir73il@gmail.com>
Message-Id: <20230913-ctime-v1-1-c6bc509cbc27@kernel.org>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/overlayfs/copy_up.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/overlayfs/copy_up.c b/fs/overlayfs/copy_up.c
index 986d37a4c2750..ab32c6b28d400 100644
--- a/fs/overlayfs/copy_up.c
+++ b/fs/overlayfs/copy_up.c
@@ -337,7 +337,7 @@ static int ovl_set_timestamps(struct ovl_fs *ofs, struct dentry *upperdentry,
{
struct iattr attr = {
.ia_valid =
- ATTR_ATIME | ATTR_MTIME | ATTR_ATIME_SET | ATTR_MTIME_SET,
+ ATTR_ATIME | ATTR_MTIME | ATTR_ATIME_SET | ATTR_MTIME_SET | ATTR_CTIME,
.ia_atime = stat->atime,
.ia_mtime = stat->mtime,
};
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 107/241] accel/ivpu: Dont flood dmesg with VPU ready message
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (105 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 106/241] overlayfs: set ctime when setting mtime and atime Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 108/241] gpio: timberdale: Fix potential deadlock on &tgpio->lock Greg Kroah-Hartman
` (143 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jacek Lawrynowicz,
Stanislaw Gruszka, Jeffrey Hugo, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
[ Upstream commit 002652555022728c42b5517c6c11265b8c3ab827 ]
Use ivpu_dbg() to print the VPU ready message so it doesn't pollute
the dmesg.
Signed-off-by: Jacek Lawrynowicz <jacek.lawrynowicz@linux.intel.com>
Reviewed-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
Reviewed-by: Jeffrey Hugo <quic_jhugo@quicinc.com>
Signed-off-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20230925121137.872158-3-stanislaw.gruszka@linux.intel.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/accel/ivpu/ivpu_drv.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/accel/ivpu/ivpu_drv.c b/drivers/accel/ivpu/ivpu_drv.c
index 8396db2b52030..09dee5be20700 100644
--- a/drivers/accel/ivpu/ivpu_drv.c
+++ b/drivers/accel/ivpu/ivpu_drv.c
@@ -303,7 +303,7 @@ static int ivpu_wait_for_ready(struct ivpu_device *vdev)
}
if (!ret)
- ivpu_info(vdev, "VPU ready message received successfully\n");
+ ivpu_dbg(vdev, PM, "VPU ready message received successfully\n");
else
ivpu_hw_diagnose_failure(vdev);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 108/241] gpio: timberdale: Fix potential deadlock on &tgpio->lock
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (106 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 107/241] accel/ivpu: Dont flood dmesg with VPU ready message Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 109/241] ata: libata-core: Fix compilation warning in ata_dev_config_ncq() Greg Kroah-Hartman
` (142 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chengfeng Ye, Andy Shevchenko,
Bartosz Golaszewski, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chengfeng Ye <dg573847474@gmail.com>
[ Upstream commit 9e8bc2dda5a7a8e2babc9975f4b11c9a6196e490 ]
As timbgpio_irq_enable()/timbgpio_irq_disable() callback could be
executed under irq context, it could introduce double locks on
&tgpio->lock if it preempts other execution units requiring
the same locks.
timbgpio_gpio_set()
--> timbgpio_update_bit()
--> spin_lock(&tgpio->lock)
<interrupt>
--> timbgpio_irq_disable()
--> spin_lock_irqsave(&tgpio->lock)
This flaw was found by an experimental static analysis tool I am
developing for irq-related deadlock.
To prevent the potential deadlock, the patch uses spin_lock_irqsave()
on &tgpio->lock inside timbgpio_gpio_set() to prevent the possible
deadlock scenario.
Signed-off-by: Chengfeng Ye <dg573847474@gmail.com>
Reviewed-by: Andy Shevchenko <andy@kernel.org>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpio/gpio-timberdale.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/gpio/gpio-timberdale.c b/drivers/gpio/gpio-timberdale.c
index de14949a3fe5a..92c1f2baa4bff 100644
--- a/drivers/gpio/gpio-timberdale.c
+++ b/drivers/gpio/gpio-timberdale.c
@@ -43,9 +43,10 @@ static int timbgpio_update_bit(struct gpio_chip *gpio, unsigned index,
unsigned offset, bool enabled)
{
struct timbgpio *tgpio = gpiochip_get_data(gpio);
+ unsigned long flags;
u32 reg;
- spin_lock(&tgpio->lock);
+ spin_lock_irqsave(&tgpio->lock, flags);
reg = ioread32(tgpio->membase + offset);
if (enabled)
@@ -54,7 +55,7 @@ static int timbgpio_update_bit(struct gpio_chip *gpio, unsigned index,
reg &= ~(1 << index);
iowrite32(reg, tgpio->membase + offset);
- spin_unlock(&tgpio->lock);
+ spin_unlock_irqrestore(&tgpio->lock, flags);
return 0;
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 109/241] ata: libata-core: Fix compilation warning in ata_dev_config_ncq()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (107 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 108/241] gpio: timberdale: Fix potential deadlock on &tgpio->lock Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 110/241] ata: libata-eh: Fix compilation warning in ata_eh_link_report() Greg Kroah-Hartman
` (141 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Hannes Reinecke,
Geert Uytterhoeven, Martin K. Petersen, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit ed518d9ba980dc0d27c7d1dea1e627ba001d1977 ]
The 24 bytes length allocated to the ncq_desc string in
ata_dev_config_lba() for ata_dev_config_ncq() to use is too short,
causing the following gcc compilation warnings when compiling with W=1:
drivers/ata/libata-core.c: In function ‘ata_dev_configure’:
drivers/ata/libata-core.c:2378:56: warning: ‘%d’ directive output may be truncated writing between 1 and 2 bytes into a region of size between 1 and 11 [-Wformat-truncation=]
2378 | snprintf(desc, desc_sz, "NCQ (depth %d/%d)%s", hdepth,
| ^~
In function ‘ata_dev_config_ncq’,
inlined from ‘ata_dev_config_lba’ at drivers/ata/libata-core.c:2649:8,
inlined from ‘ata_dev_configure’ at drivers/ata/libata-core.c:2952:9:
drivers/ata/libata-core.c:2378:41: note: directive argument in the range [1, 32]
2378 | snprintf(desc, desc_sz, "NCQ (depth %d/%d)%s", hdepth,
| ^~~~~~~~~~~~~~~~~~~~~
drivers/ata/libata-core.c:2378:17: note: ‘snprintf’ output between 16 and 31 bytes into a destination of size 24
2378 | snprintf(desc, desc_sz, "NCQ (depth %d/%d)%s", hdepth,
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2379 | ddepth, aa_desc);
| ~~~~~~~~~~~~~~~~
Avoid these warnings and the potential truncation by changing the size
of the ncq_desc string to 32 characters.
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-core.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ata/libata-core.c b/drivers/ata/libata-core.c
index 2a21f4d9500db..97a842b57a751 100644
--- a/drivers/ata/libata-core.c
+++ b/drivers/ata/libata-core.c
@@ -2624,7 +2624,7 @@ static int ata_dev_config_lba(struct ata_device *dev)
{
const u16 *id = dev->id;
const char *lba_desc;
- char ncq_desc[24];
+ char ncq_desc[32];
int ret;
dev->flags |= ATA_DFLAG_LBA;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 110/241] ata: libata-eh: Fix compilation warning in ata_eh_link_report()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (108 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 109/241] ata: libata-core: Fix compilation warning in ata_dev_config_ncq() Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 111/241] tracing: relax trace_event_eval_update() execution with cond_resched() Greg Kroah-Hartman
` (140 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Damien Le Moal, Hannes Reinecke,
Geert Uytterhoeven, Martin K. Petersen, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Damien Le Moal <dlemoal@kernel.org>
[ Upstream commit 49728bdc702391902a473b9393f1620eea32acb0 ]
The 6 bytes length of the tries_buf string in ata_eh_link_report() is
too short and results in a gcc compilation warning with W-!:
drivers/ata/libata-eh.c: In function ‘ata_eh_link_report’:
drivers/ata/libata-eh.c:2371:59: warning: ‘%d’ directive output may be truncated writing between 1 and 11 bytes into a region of size 4 [-Wformat-truncation=]
2371 | snprintf(tries_buf, sizeof(tries_buf), " t%d",
| ^~
drivers/ata/libata-eh.c:2371:56: note: directive argument in the range [-2147483648, 4]
2371 | snprintf(tries_buf, sizeof(tries_buf), " t%d",
| ^~~~~~
drivers/ata/libata-eh.c:2371:17: note: ‘snprintf’ output between 4 and 14 bytes into a destination of size 6
2371 | snprintf(tries_buf, sizeof(tries_buf), " t%d",
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
2372 | ap->eh_tries);
| ~~~~~~~~~~~~~
Avoid this warning by increasing the string size to 16B.
Signed-off-by: Damien Le Moal <dlemoal@kernel.org>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Tested-by: Geert Uytterhoeven <geert+renesas@glider.be>
Reviewed-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/ata/libata-eh.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/ata/libata-eh.c b/drivers/ata/libata-eh.c
index 150e7ab62d1ae..e7c4edb04f8ed 100644
--- a/drivers/ata/libata-eh.c
+++ b/drivers/ata/libata-eh.c
@@ -2366,7 +2366,7 @@ static void ata_eh_link_report(struct ata_link *link)
struct ata_eh_context *ehc = &link->eh_context;
struct ata_queued_cmd *qc;
const char *frozen, *desc;
- char tries_buf[6] = "";
+ char tries_buf[16] = "";
int tag, nr_failed = 0;
if (ehc->i.flags & ATA_EHI_QUIET)
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 111/241] tracing: relax trace_event_eval_update() execution with cond_resched()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (109 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 110/241] ata: libata-eh: Fix compilation warning in ata_eh_link_report() Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 112/241] wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len Greg Kroah-Hartman
` (139 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu,
Clément Léger, Atish Patra, Steven Rostedt (Google),
Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Clément Léger <cleger@rivosinc.com>
[ Upstream commit 23cce5f25491968b23fb9c399bbfb25f13870cd9 ]
When kernel is compiled without preemption, the eval_map_work_func()
(which calls trace_event_eval_update()) will not be preempted up to its
complete execution. This can actually cause a problem since if another
CPU call stop_machine(), the call will have to wait for the
eval_map_work_func() function to finish executing in the workqueue
before being able to be scheduled. This problem was observe on a SMP
system at boot time, when the CPU calling the initcalls executed
clocksource_done_booting() which in the end calls stop_machine(). We
observed a 1 second delay because one CPU was executing
eval_map_work_func() and was not preempted by the stop_machine() task.
Adding a call to cond_resched() in trace_event_eval_update() allows
other tasks to be executed and thus continue working asynchronously
like before without blocking any pending task at boot time.
Link: https://lore.kernel.org/linux-trace-kernel/20230929191637.416931-1-cleger@rivosinc.com
Cc: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Clément Léger <cleger@rivosinc.com>
Tested-by: Atish Patra <atishp@rivosinc.com>
Reviewed-by: Atish Patra <atishp@rivosinc.com>
Signed-off-by: Steven Rostedt (Google) <rostedt@goodmis.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/trace/trace_events.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/kernel/trace/trace_events.c b/kernel/trace/trace_events.c
index 0cf84a7449f5b..9841589b4af7f 100644
--- a/kernel/trace/trace_events.c
+++ b/kernel/trace/trace_events.c
@@ -2777,6 +2777,7 @@ void trace_event_eval_update(struct trace_eval_map **map, int len)
update_event_fields(call, map[i]);
}
}
+ cond_resched();
}
up_write(&trace_event_sem);
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 112/241] wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (110 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 111/241] tracing: relax trace_event_eval_update() execution with cond_resched() Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 113/241] wifi: cfg80211: validate AP phy operation before starting it Greg Kroah-Hartman
` (138 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Williams, Gustavo A. R. Silva,
Kees Cook, Kalle Valo, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gustavo A. R. Silva <gustavoars@kernel.org>
[ Upstream commit d5a93b7d2877aae4ba7590ad6cb65f8d33079489 ]
Add sanity checks for both `tlv_len` and `tlv_bitmap_len` before
decoding data from `event_buf`.
This prevents any malicious or buggy firmware from overflowing
`event_buf` through large values for `tlv_len` and `tlv_bitmap_len`.
Suggested-by: Dan Williams <dcbw@redhat.com>
Signed-off-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Reviewed-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Kalle Valo <kvalo@kernel.org>
Link: https://lore.kernel.org/r/d4f8780527d551552ee96f17a0229e02e1c200d1.1692931954.git.gustavoars@kernel.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/wireless/marvell/mwifiex/11n_rxreorder.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
index d1d3632a3ed7b..4ab3a14567b65 100644
--- a/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
+++ b/drivers/net/wireless/marvell/mwifiex/11n_rxreorder.c
@@ -921,6 +921,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv,
while (tlv_buf_left >= sizeof(*tlv_rxba)) {
tlv_type = le16_to_cpu(tlv_rxba->header.type);
tlv_len = le16_to_cpu(tlv_rxba->header.len);
+ if (size_add(sizeof(tlv_rxba->header), tlv_len) > tlv_buf_left) {
+ mwifiex_dbg(priv->adapter, WARN,
+ "TLV size (%zu) overflows event_buf buf_left=%d\n",
+ size_add(sizeof(tlv_rxba->header), tlv_len),
+ tlv_buf_left);
+ return;
+ }
+
if (tlv_type != TLV_TYPE_RXBA_SYNC) {
mwifiex_dbg(priv->adapter, ERROR,
"Wrong TLV id=0x%x\n", tlv_type);
@@ -929,6 +937,14 @@ void mwifiex_11n_rxba_sync_event(struct mwifiex_private *priv,
tlv_seq_num = le16_to_cpu(tlv_rxba->seq_num);
tlv_bitmap_len = le16_to_cpu(tlv_rxba->bitmap_len);
+ if (size_add(sizeof(*tlv_rxba), tlv_bitmap_len) > tlv_buf_left) {
+ mwifiex_dbg(priv->adapter, WARN,
+ "TLV size (%zu) overflows event_buf buf_left=%d\n",
+ size_add(sizeof(*tlv_rxba), tlv_bitmap_len),
+ tlv_buf_left);
+ return;
+ }
+
mwifiex_dbg(priv->adapter, INFO,
"%pM tid=%d seq_num=%d bitmap_len=%d\n",
tlv_rxba->mac, tlv_rxba->tid, tlv_seq_num,
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 113/241] wifi: cfg80211: validate AP phy operation before starting it
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (111 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 112/241] wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len Greg Kroah-Hartman
@ 2023-10-23 10:54 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 114/241] wifi: iwlwifi: Ensure ack flag is properly cleared Greg Kroah-Hartman
` (137 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:54 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aditya Kumar Singh, Jeff Johnson,
Johannes Berg, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Aditya Kumar Singh <quic_adisi@quicinc.com>
[ Upstream commit 5112fa502708aaaf80acb78273fc8625f221eb11 ]
Many regulatories can have HE/EHT Operation as not permitted. In such
cases, AP should not be allowed to start if it is using a channel
having the no operation flag set. However, currently there is no such
check in place.
Fix this issue by validating such IEs sent during start AP against the
channel flags.
Signed-off-by: Aditya Kumar Singh <quic_adisi@quicinc.com>
Reviewed-by: Jeff Johnson <quic_jjohnson@quicinc.com>
Link: https://lore.kernel.org/r/20230905064857.1503-1-quic_adisi@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/nl80211.c | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 705d1cf048309..3d286f3a60e60 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -5910,6 +5910,21 @@ static void nl80211_send_ap_started(struct wireless_dev *wdev,
nlmsg_free(msg);
}
+static int nl80211_validate_ap_phy_operation(struct cfg80211_ap_settings *params)
+{
+ struct ieee80211_channel *channel = params->chandef.chan;
+
+ if ((params->he_cap || params->he_oper) &&
+ (channel->flags & IEEE80211_CHAN_NO_HE))
+ return -EOPNOTSUPP;
+
+ if ((params->eht_cap || params->eht_oper) &&
+ (channel->flags & IEEE80211_CHAN_NO_EHT))
+ return -EOPNOTSUPP;
+
+ return 0;
+}
+
static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
{
struct cfg80211_registered_device *rdev = info->user_ptr[0];
@@ -6179,6 +6194,10 @@ static int nl80211_start_ap(struct sk_buff *skb, struct genl_info *info)
if (err)
goto out_unlock;
+ err = nl80211_validate_ap_phy_operation(params);
+ if (err)
+ goto out_unlock;
+
if (info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS])
params->flags = nla_get_u32(
info->attrs[NL80211_ATTR_AP_SETTINGS_FLAGS]);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 114/241] wifi: iwlwifi: Ensure ack flag is properly cleared.
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (112 preceding siblings ...)
2023-10-23 10:54 ` [PATCH 6.5 113/241] wifi: cfg80211: validate AP phy operation before starting it Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 115/241] rfkill: sync before userspace visibility/changes Greg Kroah-Hartman
` (136 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ben Greear, Gregory Greenman,
Johannes Berg, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ben Greear <greearb@candelatech.com>
[ Upstream commit e8fbe99e87877f0412655f40d7c45bf8471470ac ]
Debugging indicates that nothing else is clearing the info->flags,
so some frames were flagged as ACKed when they should not be.
Explicitly clear the ack flag to ensure this does not happen.
Signed-off-by: Ben Greear <greearb@candelatech.com>
Acked-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230808205605.4105670-1-greearb@candelatech.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/wireless/intel/iwlwifi/mvm/tx.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
index 36d70d589aedd..898dca3936435 100644
--- a/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
+++ b/drivers/net/wireless/intel/iwlwifi/mvm/tx.c
@@ -1612,6 +1612,7 @@ static void iwl_mvm_rx_tx_cmd_single(struct iwl_mvm *mvm,
iwl_trans_free_tx_cmd(mvm->trans, info->driver_data[1]);
memset(&info->status, 0, sizeof(info->status));
+ info->flags &= ~(IEEE80211_TX_STAT_ACK | IEEE80211_TX_STAT_TX_FILTERED);
/* inform mac80211 about what happened with the frame */
switch (status & TX_STATUS_MSK) {
@@ -1964,6 +1965,8 @@ static void iwl_mvm_tx_reclaim(struct iwl_mvm *mvm, int sta_id, int tid,
*/
if (!is_flush)
info->flags |= IEEE80211_TX_STAT_ACK;
+ else
+ info->flags &= ~IEEE80211_TX_STAT_ACK;
}
/*
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 115/241] rfkill: sync before userspace visibility/changes
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (113 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 114/241] wifi: iwlwifi: Ensure ack flag is properly cleared Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 116/241] HID: logitech-hidpp: Add Bluetooth ID for the Logitech M720 Triathlon mouse Greg Kroah-Hartman
` (135 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Johannes Berg, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 2c3dfba4cf84ac4f306cc6653b37b6dd6859ae9d ]
If userspace quickly opens /dev/rfkill after a new
instance was created, it might see the old state of
the instance from before the sync work runs and may
even _change_ the state, only to have the sync work
change it again.
Fix this by doing the sync inline where needed, not
just for /dev/rfkill but also for sysfs.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/rfkill/core.c | 32 ++++++++++++++++++++++++++------
1 file changed, 26 insertions(+), 6 deletions(-)
diff --git a/net/rfkill/core.c b/net/rfkill/core.c
index 01fca7a10b4bb..08630896b6c88 100644
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -48,6 +48,7 @@ struct rfkill {
bool persistent;
bool polling_paused;
bool suspended;
+ bool need_sync;
const struct rfkill_ops *ops;
void *data;
@@ -368,6 +369,17 @@ static void rfkill_set_block(struct rfkill *rfkill, bool blocked)
rfkill_event(rfkill);
}
+static void rfkill_sync(struct rfkill *rfkill)
+{
+ lockdep_assert_held(&rfkill_global_mutex);
+
+ if (!rfkill->need_sync)
+ return;
+
+ rfkill_set_block(rfkill, rfkill_global_states[rfkill->type].cur);
+ rfkill->need_sync = false;
+}
+
static void rfkill_update_global_state(enum rfkill_type type, bool blocked)
{
int i;
@@ -730,6 +742,10 @@ static ssize_t soft_show(struct device *dev, struct device_attribute *attr,
{
struct rfkill *rfkill = to_rfkill(dev);
+ mutex_lock(&rfkill_global_mutex);
+ rfkill_sync(rfkill);
+ mutex_unlock(&rfkill_global_mutex);
+
return sysfs_emit(buf, "%d\n", (rfkill->state & RFKILL_BLOCK_SW) ? 1 : 0);
}
@@ -751,6 +767,7 @@ static ssize_t soft_store(struct device *dev, struct device_attribute *attr,
return -EINVAL;
mutex_lock(&rfkill_global_mutex);
+ rfkill_sync(rfkill);
rfkill_set_block(rfkill, state);
mutex_unlock(&rfkill_global_mutex);
@@ -783,6 +800,10 @@ static ssize_t state_show(struct device *dev, struct device_attribute *attr,
{
struct rfkill *rfkill = to_rfkill(dev);
+ mutex_lock(&rfkill_global_mutex);
+ rfkill_sync(rfkill);
+ mutex_unlock(&rfkill_global_mutex);
+
return sysfs_emit(buf, "%d\n", user_state_from_blocked(rfkill->state));
}
@@ -805,6 +826,7 @@ static ssize_t state_store(struct device *dev, struct device_attribute *attr,
return -EINVAL;
mutex_lock(&rfkill_global_mutex);
+ rfkill_sync(rfkill);
rfkill_set_block(rfkill, state == RFKILL_USER_STATE_SOFT_BLOCKED);
mutex_unlock(&rfkill_global_mutex);
@@ -1032,14 +1054,10 @@ static void rfkill_uevent_work(struct work_struct *work)
static void rfkill_sync_work(struct work_struct *work)
{
- struct rfkill *rfkill;
- bool cur;
-
- rfkill = container_of(work, struct rfkill, sync_work);
+ struct rfkill *rfkill = container_of(work, struct rfkill, sync_work);
mutex_lock(&rfkill_global_mutex);
- cur = rfkill_global_states[rfkill->type].cur;
- rfkill_set_block(rfkill, cur);
+ rfkill_sync(rfkill);
mutex_unlock(&rfkill_global_mutex);
}
@@ -1087,6 +1105,7 @@ int __must_check rfkill_register(struct rfkill *rfkill)
round_jiffies_relative(POLL_INTERVAL));
if (!rfkill->persistent || rfkill_epo_lock_active) {
+ rfkill->need_sync = true;
schedule_work(&rfkill->sync_work);
} else {
#ifdef CONFIG_RFKILL_INPUT
@@ -1171,6 +1190,7 @@ static int rfkill_fop_open(struct inode *inode, struct file *file)
ev = kzalloc(sizeof(*ev), GFP_KERNEL);
if (!ev)
goto free;
+ rfkill_sync(rfkill);
rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD);
list_add_tail(&ev->list, &data->events);
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 116/241] HID: logitech-hidpp: Add Bluetooth ID for the Logitech M720 Triathlon mouse
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (114 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 115/241] rfkill: sync before userspace visibility/changes Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 117/241] HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event Greg Kroah-Hartman
` (134 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Hans de Goede, Bastien Nocera,
Jiri Kosina, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
[ Upstream commit 2d866603e25b1ce7e536839f62d1faae1c03d92f ]
Using hidpp for the M720 adds battery info reporting and hires
scrolling support.
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Bastien Nocera <hadess@hadess.net>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-logitech-hidpp.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/hid/hid-logitech-hidpp.c b/drivers/hid/hid-logitech-hidpp.c
index 1c00e4121c7ef..08b68f8476dbb 100644
--- a/drivers/hid/hid-logitech-hidpp.c
+++ b/drivers/hid/hid-logitech-hidpp.c
@@ -4676,6 +4676,8 @@ static const struct hid_device_id hidpp_devices[] = {
HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb008) },
{ /* MX Master mouse over Bluetooth */
HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb012) },
+ { /* M720 Triathlon mouse over Bluetooth */
+ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb015) },
{ /* MX Ergo trackball over Bluetooth */
HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb01d) },
{ HID_BLUETOOTH_DEVICE(USB_VENDOR_ID_LOGITECH, 0xb01e) },
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 117/241] HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (115 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 116/241] HID: logitech-hidpp: Add Bluetooth ID for the Logitech M720 Triathlon mouse Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 118/241] Bluetooth: btusb: add shutdown function for QCA6174 Greg Kroah-Hartman
` (133 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Ma Ke, Jiri Kosina, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ma Ke <make_ruc2021@163.com>
[ Upstream commit ffe3b7837a2bb421df84d0177481db9f52c93a71 ]
There is a slab-out-of-bounds Write bug in hid-holtek-kbd driver.
The problem is the driver assumes the device must have an input
but some malicious devices violate this assumption.
Fix this by checking hid_device's input is non-empty before its usage.
Signed-off-by: Ma Ke <make_ruc2021@163.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-holtek-kbd.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hid/hid-holtek-kbd.c b/drivers/hid/hid-holtek-kbd.c
index 403506b9697e7..b346d68a06f5a 100644
--- a/drivers/hid/hid-holtek-kbd.c
+++ b/drivers/hid/hid-holtek-kbd.c
@@ -130,6 +130,10 @@ static int holtek_kbd_input_event(struct input_dev *dev, unsigned int type,
return -ENODEV;
boot_hid = usb_get_intfdata(boot_interface);
+ if (list_empty(&boot_hid->inputs)) {
+ hid_err(hid, "no inputs found\n");
+ return -ENODEV;
+ }
boot_hid_input = list_first_entry(&boot_hid->inputs,
struct hid_input, list);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 118/241] Bluetooth: btusb: add shutdown function for QCA6174
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (116 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 117/241] HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 119/241] Bluetooth: Avoid redundant authentication Greg Kroah-Hartman
` (132 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rocky Liao, Luiz Augusto von Dentz,
Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rocky Liao <quic_rjliao@quicinc.com>
[ Upstream commit 187f8b648cc16f07c66ab1d89d961bdcff779bf7 ]
We should send hci reset command before bt turn off, which can reset bt
firmware status.
Signed-off-by: Rocky Liao <quic_rjliao@quicinc.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/bluetooth/btusb.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/bluetooth/btusb.c b/drivers/bluetooth/btusb.c
index dfdfb72d350fe..ca9e2a210fff2 100644
--- a/drivers/bluetooth/btusb.c
+++ b/drivers/bluetooth/btusb.c
@@ -4348,6 +4348,7 @@ static int btusb_probe(struct usb_interface *intf,
if (id->driver_info & BTUSB_QCA_ROME) {
data->setup_on_usb = btusb_setup_qca;
+ hdev->shutdown = btusb_shutdown_qca;
hdev->set_bdaddr = btusb_set_bdaddr_ath3012;
hdev->cmd_timeout = btusb_qca_cmd_timeout;
set_bit(HCI_QUIRK_SIMULTANEOUS_DISCOVERY, &hdev->quirks);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 119/241] Bluetooth: Avoid redundant authentication
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (117 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 118/241] Bluetooth: btusb: add shutdown function for QCA6174 Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 120/241] Bluetooth: hci_core: Fix build warnings Greg Kroah-Hartman
` (131 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ying Hsu, Luiz Augusto von Dentz,
Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ying Hsu <yinghsu@chromium.org>
[ Upstream commit 1d8e801422d66e4b8c7b187c52196bef94eed887 ]
While executing the Android 13 CTS Verifier Secure Server test on a
ChromeOS device, it was observed that the Bluetooth host initiates
authentication for an RFCOMM connection after SSP completes.
When this happens, some Intel Bluetooth controllers, like AC9560, would
disconnect with "Connection Rejected due to Security Reasons (0x0e)".
Historically, BlueZ did not mandate this authentication while an
authenticated combination key was already in use for the connection.
This behavior was changed since commit 7b5a9241b780
("Bluetooth: Introduce requirements for security level 4").
So, this patch addresses the aforementioned disconnection issue by
restoring the previous behavior.
Signed-off-by: Ying Hsu <yinghsu@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_conn.c | 63 ++++++++++++++++++++++------------------
1 file changed, 35 insertions(+), 28 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index d75bb9a1d4acf..41250e4b94dff 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -2400,34 +2400,41 @@ int hci_conn_security(struct hci_conn *conn, __u8 sec_level, __u8 auth_type,
if (!test_bit(HCI_CONN_AUTH, &conn->flags))
goto auth;
- /* An authenticated FIPS approved combination key has sufficient
- * security for security level 4. */
- if (conn->key_type == HCI_LK_AUTH_COMBINATION_P256 &&
- sec_level == BT_SECURITY_FIPS)
- goto encrypt;
-
- /* An authenticated combination key has sufficient security for
- security level 3. */
- if ((conn->key_type == HCI_LK_AUTH_COMBINATION_P192 ||
- conn->key_type == HCI_LK_AUTH_COMBINATION_P256) &&
- sec_level == BT_SECURITY_HIGH)
- goto encrypt;
-
- /* An unauthenticated combination key has sufficient security for
- security level 1 and 2. */
- if ((conn->key_type == HCI_LK_UNAUTH_COMBINATION_P192 ||
- conn->key_type == HCI_LK_UNAUTH_COMBINATION_P256) &&
- (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW))
- goto encrypt;
-
- /* A combination key has always sufficient security for the security
- levels 1 or 2. High security level requires the combination key
- is generated using maximum PIN code length (16).
- For pre 2.1 units. */
- if (conn->key_type == HCI_LK_COMBINATION &&
- (sec_level == BT_SECURITY_MEDIUM || sec_level == BT_SECURITY_LOW ||
- conn->pin_length == 16))
- goto encrypt;
+ switch (conn->key_type) {
+ case HCI_LK_AUTH_COMBINATION_P256:
+ /* An authenticated FIPS approved combination key has
+ * sufficient security for security level 4 or lower.
+ */
+ if (sec_level <= BT_SECURITY_FIPS)
+ goto encrypt;
+ break;
+ case HCI_LK_AUTH_COMBINATION_P192:
+ /* An authenticated combination key has sufficient security for
+ * security level 3 or lower.
+ */
+ if (sec_level <= BT_SECURITY_HIGH)
+ goto encrypt;
+ break;
+ case HCI_LK_UNAUTH_COMBINATION_P192:
+ case HCI_LK_UNAUTH_COMBINATION_P256:
+ /* An unauthenticated combination key has sufficient security
+ * for security level 2 or lower.
+ */
+ if (sec_level <= BT_SECURITY_MEDIUM)
+ goto encrypt;
+ break;
+ case HCI_LK_COMBINATION:
+ /* A combination key has always sufficient security for the
+ * security levels 2 or lower. High security level requires the
+ * combination key is generated using maximum PIN code length
+ * (16). For pre 2.1 units.
+ */
+ if (sec_level <= BT_SECURITY_MEDIUM || conn->pin_length == 16)
+ goto encrypt;
+ break;
+ default:
+ break;
+ }
auth:
if (test_bit(HCI_CONN_ENCRYPT_PEND, &conn->flags))
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 120/241] Bluetooth: hci_core: Fix build warnings
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (118 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 119/241] Bluetooth: Avoid redundant authentication Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 121/241] wifi: cfg80211: Fix 6GHz scan configuration Greg Kroah-Hartman
` (130 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit dcda165706b9fbfd685898d46a6749d7d397e0c0 ]
This fixes the following warnings:
net/bluetooth/hci_core.c: In function ‘hci_register_dev’:
net/bluetooth/hci_core.c:2620:54: warning: ‘%d’ directive output may
be truncated writing between 1 and 10 bytes into a region of size 5
[-Wformat-truncation=]
2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
| ^~
net/bluetooth/hci_core.c:2620:50: note: directive argument in the range
[0, 2147483647]
2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
| ^~~~~~~
net/bluetooth/hci_core.c:2620:9: note: ‘snprintf’ output between 5 and
14 bytes into a destination of size 8
2620 | snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/bluetooth/hci_core.h | 2 +-
net/bluetooth/hci_core.c | 8 +++++---
2 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/include/net/bluetooth/hci_core.h b/include/net/bluetooth/hci_core.h
index 87e063250d142..abb7cb5db9457 100644
--- a/include/net/bluetooth/hci_core.h
+++ b/include/net/bluetooth/hci_core.h
@@ -350,7 +350,7 @@ struct hci_dev {
struct list_head list;
struct mutex lock;
- char name[8];
+ const char *name;
unsigned long flags;
__u16 id;
__u8 bus;
diff --git a/net/bluetooth/hci_core.c b/net/bluetooth/hci_core.c
index 26a265d9c59cd..63d4d38863acb 100644
--- a/net/bluetooth/hci_core.c
+++ b/net/bluetooth/hci_core.c
@@ -2617,7 +2617,11 @@ int hci_register_dev(struct hci_dev *hdev)
if (id < 0)
return id;
- snprintf(hdev->name, sizeof(hdev->name), "hci%d", id);
+ error = dev_set_name(&hdev->dev, "hci%u", id);
+ if (error)
+ return error;
+
+ hdev->name = dev_name(&hdev->dev);
hdev->id = id;
BT_DBG("%p name %s bus %d", hdev, hdev->name, hdev->bus);
@@ -2639,8 +2643,6 @@ int hci_register_dev(struct hci_dev *hdev)
if (!IS_ERR_OR_NULL(bt_debugfs))
hdev->debugfs = debugfs_create_dir(hdev->name, bt_debugfs);
- dev_set_name(&hdev->dev, "%s", hdev->name);
-
error = device_add(&hdev->dev);
if (error < 0)
goto err_wqueue;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 121/241] wifi: cfg80211: Fix 6GHz scan configuration
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (119 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 120/241] Bluetooth: hci_core: Fix build warnings Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 122/241] wifi: mac80211: work around Cisco AP 9115 VHT MPDU length Greg Kroah-Hartman
` (129 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ilan Peer, Gregory Greenman,
Johannes Berg, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ilan Peer <ilan.peer@intel.com>
[ Upstream commit 0914468adf92296c4cba8a2134e06e3dea150f2e ]
When the scan request includes a non broadcast BSSID, when adding the
scan parameters for 6GHz collocated scanning, do not include entries
that do not match the given BSSID.
Signed-off-by: Ilan Peer <ilan.peer@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230918140607.6d31d2a96baf.I6c4e3e3075d1d1878ee41f45190fdc6b86f18708@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/scan.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/wireless/scan.c b/net/wireless/scan.c
index 0cf1ce7b69342..939deecf0bbef 100644
--- a/net/wireless/scan.c
+++ b/net/wireless/scan.c
@@ -908,6 +908,10 @@ static int cfg80211_scan_6ghz(struct cfg80211_registered_device *rdev)
!cfg80211_find_ssid_match(ap, request))
continue;
+ if (!is_broadcast_ether_addr(request->bssid) &&
+ !ether_addr_equal(request->bssid, ap->bssid))
+ continue;
+
if (!request->n_ssids && ap->multi_bss && !ap->transmitted_bssid)
continue;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 122/241] wifi: mac80211: work around Cisco AP 9115 VHT MPDU length
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (120 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 121/241] wifi: cfg80211: Fix 6GHz scan configuration Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 123/241] wifi: mac80211: allow transmitting EAPOL frames with tainted key Greg Kroah-Hartman
` (128 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Johannes Berg, Gregory Greenman,
Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
[ Upstream commit 084cf2aeca97566db4fa15d55653c1cba2db83ed ]
Cisco AP module 9115 with FW 17.3 has a bug and sends a too
large maximum MPDU length in the association response
(indicating 12k) that it cannot actually process.
Work around that by taking the minimum between what's in the
association response and the BSS elements (from beacon or
probe response).
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Gregory Greenman <gregory.greenman@intel.com>
Link: https://lore.kernel.org/r/20230918140607.d1966a9a532e.I090225babb7cd4d1081ee9acd40e7de7e41c15ae@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/cfg.c | 3 ++-
net/mac80211/ibss.c | 2 +-
net/mac80211/ieee80211_i.h | 1 +
net/mac80211/mesh_plink.c | 2 +-
net/mac80211/mlme.c | 27 +++++++++++++++++++++++++--
net/mac80211/vht.c | 16 ++++++++++++++--
6 files changed, 44 insertions(+), 7 deletions(-)
diff --git a/net/mac80211/cfg.c b/net/mac80211/cfg.c
index e883c41a2163b..0e3a1753a51c6 100644
--- a/net/mac80211/cfg.c
+++ b/net/mac80211/cfg.c
@@ -1860,7 +1860,8 @@ static int sta_link_apply_parameters(struct ieee80211_local *local,
/* VHT can override some HT caps such as the A-MSDU max length */
if (params->vht_capa)
ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
- params->vht_capa, link_sta);
+ params->vht_capa, NULL,
+ link_sta);
if (params->he_capa)
ieee80211_he_cap_ie_to_sta_he_cap(sdata, sband,
diff --git a/net/mac80211/ibss.c b/net/mac80211/ibss.c
index e1900077bc4b9..5542c93edfba0 100644
--- a/net/mac80211/ibss.c
+++ b/net/mac80211/ibss.c
@@ -1072,7 +1072,7 @@ static void ieee80211_update_sta_info(struct ieee80211_sub_if_data *sdata,
&chandef);
memcpy(&cap_ie, elems->vht_cap_elem, sizeof(cap_ie));
ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
- &cap_ie,
+ &cap_ie, NULL,
&sta->deflink);
if (memcmp(&cap, &sta->sta.deflink.vht_cap, sizeof(cap)))
rates_updated |= true;
diff --git a/net/mac80211/ieee80211_i.h b/net/mac80211/ieee80211_i.h
index f8cd94ba55ccc..2cce9eba6a120 100644
--- a/net/mac80211/ieee80211_i.h
+++ b/net/mac80211/ieee80211_i.h
@@ -2142,6 +2142,7 @@ void
ieee80211_vht_cap_ie_to_sta_vht_cap(struct ieee80211_sub_if_data *sdata,
struct ieee80211_supported_band *sband,
const struct ieee80211_vht_cap *vht_cap_ie,
+ const struct ieee80211_vht_cap *vht_cap_ie2,
struct link_sta_info *link_sta);
enum ieee80211_sta_rx_bandwidth
ieee80211_sta_cap_rx_bw(struct link_sta_info *link_sta);
diff --git a/net/mac80211/mesh_plink.c b/net/mac80211/mesh_plink.c
index f3d5bb0a59f10..a1e526419e9d2 100644
--- a/net/mac80211/mesh_plink.c
+++ b/net/mac80211/mesh_plink.c
@@ -451,7 +451,7 @@ static void mesh_sta_info_init(struct ieee80211_sub_if_data *sdata,
changed |= IEEE80211_RC_BW_CHANGED;
ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
- elems->vht_cap_elem,
+ elems->vht_cap_elem, NULL,
&sta->deflink);
ieee80211_he_cap_ie_to_sta_he_cap(sdata, sband, elems->he_cap,
diff --git a/net/mac80211/mlme.c b/net/mac80211/mlme.c
index 24b2833e0e475..0c9198997482b 100644
--- a/net/mac80211/mlme.c
+++ b/net/mac80211/mlme.c
@@ -4202,10 +4202,33 @@ static bool ieee80211_assoc_config_link(struct ieee80211_link_data *link,
elems->ht_cap_elem,
link_sta);
- if (elems->vht_cap_elem && !(link->u.mgd.conn_flags & IEEE80211_CONN_DISABLE_VHT))
+ if (elems->vht_cap_elem &&
+ !(link->u.mgd.conn_flags & IEEE80211_CONN_DISABLE_VHT)) {
+ const struct ieee80211_vht_cap *bss_vht_cap = NULL;
+ const struct cfg80211_bss_ies *ies;
+
+ /*
+ * Cisco AP module 9115 with FW 17.3 has a bug and sends a
+ * too large maximum MPDU length in the association response
+ * (indicating 12k) that it cannot actually process ...
+ * Work around that.
+ */
+ rcu_read_lock();
+ ies = rcu_dereference(cbss->ies);
+ if (ies) {
+ const struct element *elem;
+
+ elem = cfg80211_find_elem(WLAN_EID_VHT_CAPABILITY,
+ ies->data, ies->len);
+ if (elem && elem->datalen >= sizeof(*bss_vht_cap))
+ bss_vht_cap = (const void *)elem->data;
+ }
+
ieee80211_vht_cap_ie_to_sta_vht_cap(sdata, sband,
elems->vht_cap_elem,
- link_sta);
+ bss_vht_cap, link_sta);
+ rcu_read_unlock();
+ }
if (elems->he_operation && !(link->u.mgd.conn_flags & IEEE80211_CONN_DISABLE_HE) &&
elems->he_cap) {
diff --git a/net/mac80211/vht.c b/net/mac80211/vht.c
index c1250aa478083..b3a5c3e96a720 100644
--- a/net/mac80211/vht.c
+++ b/net/mac80211/vht.c
@@ -4,7 +4,7 @@
*
* Portions of this file
* Copyright(c) 2015 - 2016 Intel Deutschland GmbH
- * Copyright (C) 2018 - 2022 Intel Corporation
+ * Copyright (C) 2018 - 2023 Intel Corporation
*/
#include <linux/ieee80211.h>
@@ -116,12 +116,14 @@ void
ieee80211_vht_cap_ie_to_sta_vht_cap(struct ieee80211_sub_if_data *sdata,
struct ieee80211_supported_band *sband,
const struct ieee80211_vht_cap *vht_cap_ie,
+ const struct ieee80211_vht_cap *vht_cap_ie2,
struct link_sta_info *link_sta)
{
struct ieee80211_sta_vht_cap *vht_cap = &link_sta->pub->vht_cap;
struct ieee80211_sta_vht_cap own_cap;
u32 cap_info, i;
bool have_80mhz;
+ u32 mpdu_len;
memset(vht_cap, 0, sizeof(*vht_cap));
@@ -317,11 +319,21 @@ ieee80211_vht_cap_ie_to_sta_vht_cap(struct ieee80211_sub_if_data *sdata,
link_sta->pub->bandwidth = ieee80211_sta_cur_vht_bw(link_sta);
+ /*
+ * Work around the Cisco 9115 FW 17.3 bug by taking the min of
+ * both reported MPDU lengths.
+ */
+ mpdu_len = vht_cap->cap & IEEE80211_VHT_CAP_MAX_MPDU_MASK;
+ if (vht_cap_ie2)
+ mpdu_len = min_t(u32, mpdu_len,
+ le32_get_bits(vht_cap_ie2->vht_cap_info,
+ IEEE80211_VHT_CAP_MAX_MPDU_MASK));
+
/*
* FIXME - should the amsdu len be per link? store per link
* and maintain a minimum?
*/
- switch (vht_cap->cap & IEEE80211_VHT_CAP_MAX_MPDU_MASK) {
+ switch (mpdu_len) {
case IEEE80211_VHT_CAP_MAX_MPDU_LENGTH_11454:
link_sta->pub->agg.max_amsdu_len = IEEE80211_MAX_MPDU_LEN_VHT_11454;
break;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 123/241] wifi: mac80211: allow transmitting EAPOL frames with tainted key
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (121 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 122/241] wifi: mac80211: work around Cisco AP 9115 VHT MPDU length Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 124/241] wifi: cfg80211: avoid leaking stack data into trace Greg Kroah-Hartman
` (127 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Wen Gong, Johannes Berg, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wen Gong <quic_wgong@quicinc.com>
[ Upstream commit 61304336c67358d49a989e5e0060d8c99bad6ca8 ]
Lower layer device driver stop/wake TX by calling ieee80211_stop_queue()/
ieee80211_wake_queue() while hw scan. Sometimes hw scan and PTK rekey are
running in parallel, when M4 sent from wpa_supplicant arrive while the TX
queue is stopped, then the M4 will pending send, and then new key install
from wpa_supplicant. After TX queue wake up by lower layer device driver,
the M4 will be dropped by below call stack.
When key install started, the current key flag is set KEY_FLAG_TAINTED in
ieee80211_pairwise_rekey(), and then mac80211 wait key install complete by
lower layer device driver. Meanwhile ieee80211_tx_h_select_key() will return
TX_DROP for the M4 in step 12 below, and then ieee80211_free_txskb() called
by ieee80211_tx_dequeue(), so the M4 will not send and free, then the rekey
process failed becaue AP not receive M4. Please see details in steps below.
There are a interval between KEY_FLAG_TAINTED set for current key flag and
install key complete by lower layer device driver, the KEY_FLAG_TAINTED is
set in this interval, all packet including M4 will be dropped in this
interval, the interval is step 8~13 as below.
issue steps:
TX thread install key thread
1. stop_queue -idle-
2. sending M4 -idle-
3. M4 pending -idle-
4. -idle- starting install key from wpa_supplicant
5. -idle- =>ieee80211_key_replace()
6. -idle- =>ieee80211_pairwise_rekey() and set
currently key->flags |= KEY_FLAG_TAINTED
7. -idle- =>ieee80211_key_enable_hw_accel()
8. -idle- =>drv_set_key() and waiting key install
complete from lower layer device driver
9. wake_queue -waiting state-
10. re-sending M4 -waiting state-
11. =>ieee80211_tx_h_select_key() -waiting state-
12. drop M4 by KEY_FLAG_TAINTED -waiting state-
13. -idle- install key complete with success/fail
success: clear flag KEY_FLAG_TAINTED
fail: start disconnect
Hence add check in step 11 above to allow the EAPOL send out in the
interval. If lower layer device driver use the old key/cipher to encrypt
the M4, then AP received/decrypt M4 correctly, after M4 send out, lower
layer device driver install the new key/cipher to hardware and return
success.
If lower layer device driver use new key/cipher to send the M4, then AP
will/should drop the M4, then it is same result with this issue, AP will/
should kick out station as well as this issue.
issue log:
kworker/u16:4-5238 [000] 6456.108926: stop_queue: phy1 queue:0, reason:0
wpa_supplicant-961 [003] 6456.119737: rdev_tx_control_port: wiphy_name=phy1 name=wlan0 ifindex=6 dest=ARRAY[9e, 05, 31, 20, 9b, d0] proto=36488 unencrypted=0
wpa_supplicant-961 [003] 6456.119839: rdev_return_int_cookie: phy1, returned 0, cookie: 504
wpa_supplicant-961 [003] 6456.120287: rdev_add_key: phy1, netdev:wlan0(6), key_index: 0, mode: 0, pairwise: true, mac addr: 9e:05:31:20:9b:d0
wpa_supplicant-961 [003] 6456.120453: drv_set_key: phy1 vif:wlan0(2) sta:9e:05:31:20:9b:d0 cipher:0xfac04, flags=0x9, keyidx=0, hw_key_idx=0
kworker/u16:9-3829 [001] 6456.168240: wake_queue: phy1 queue:0, reason:0
kworker/u16:9-3829 [001] 6456.168255: drv_wake_tx_queue: phy1 vif:wlan0(2) sta:9e:05:31:20:9b:d0 ac:0 tid:7
kworker/u16:9-3829 [001] 6456.168305: cfg80211_control_port_tx_status: wdev(1), cookie: 504, ack: false
wpa_supplicant-961 [003] 6459.167982: drv_return_int: phy1 - -110
issue call stack:
nl80211_frame_tx_status+0x230/0x340 [cfg80211]
cfg80211_control_port_tx_status+0x1c/0x28 [cfg80211]
ieee80211_report_used_skb+0x374/0x3e8 [mac80211]
ieee80211_free_txskb+0x24/0x40 [mac80211]
ieee80211_tx_dequeue+0x644/0x954 [mac80211]
ath10k_mac_tx_push_txq+0xac/0x238 [ath10k_core]
ath10k_mac_op_wake_tx_queue+0xac/0xe0 [ath10k_core]
drv_wake_tx_queue+0x80/0x168 [mac80211]
__ieee80211_wake_txqs+0xe8/0x1c8 [mac80211]
_ieee80211_wake_txqs+0xb4/0x120 [mac80211]
ieee80211_wake_txqs+0x48/0x80 [mac80211]
tasklet_action_common+0xa8/0x254
tasklet_action+0x2c/0x38
__do_softirq+0xdc/0x384
Signed-off-by: Wen Gong <quic_wgong@quicinc.com>
Link: https://lore.kernel.org/r/20230801064751.25803-1-quic_wgong@quicinc.com
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/mac80211/tx.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/mac80211/tx.c b/net/mac80211/tx.c
index 7fe7280e84374..d45d4be63dd87 100644
--- a/net/mac80211/tx.c
+++ b/net/mac80211/tx.c
@@ -665,7 +665,8 @@ ieee80211_tx_h_select_key(struct ieee80211_tx_data *tx)
}
if (unlikely(tx->key && tx->key->flags & KEY_FLAG_TAINTED &&
- !ieee80211_is_deauth(hdr->frame_control)))
+ !ieee80211_is_deauth(hdr->frame_control)) &&
+ tx->skb->protocol != tx->sdata->control_port_protocol)
return TX_DROP;
if (!skip_hw && tx->key &&
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 124/241] wifi: cfg80211: avoid leaking stack data into trace
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (122 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 123/241] wifi: mac80211: allow transmitting EAPOL frames with tainted key Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 125/241] regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()" Greg Kroah-Hartman
` (126 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benjamin Berg, Johannes Berg, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benjamin Berg <benjamin.berg@intel.com>
[ Upstream commit 334bf33eec5701a1e4e967bcb7cc8611a998334b ]
If the structure is not initialized then boolean types might be copied
into the tracing data without being initialised. This causes data from
the stack to leak into the trace and also triggers a UBSAN failure which
can easily be avoided here.
Signed-off-by: Benjamin Berg <benjamin.berg@intel.com>
Link: https://lore.kernel.org/r/20230925171855.a9271ef53b05.I8180bae663984c91a3e036b87f36a640ba409817@changeid
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/wireless/nl80211.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/wireless/nl80211.c b/net/wireless/nl80211.c
index 3d286f3a60e60..bf968cdbfbb51 100644
--- a/net/wireless/nl80211.c
+++ b/net/wireless/nl80211.c
@@ -8502,7 +8502,7 @@ static int nl80211_update_mesh_config(struct sk_buff *skb,
struct cfg80211_registered_device *rdev = info->user_ptr[0];
struct net_device *dev = info->user_ptr[1];
struct wireless_dev *wdev = dev->ieee80211_ptr;
- struct mesh_config cfg;
+ struct mesh_config cfg = {};
u32 mask;
int err;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 125/241] regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()"
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (123 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 124/241] wifi: cfg80211: avoid leaking stack data into trace Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 126/241] SUNRPC: Fail quickly when server does not recognize TLS Greg Kroah-Hartman
` (125 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Michał Mirosław,
Mark Brown, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michał Mirosław <mirq-linux@rere.qmqm.pl>
[ Upstream commit 6e800968f6a715c0661716d2ec5e1f56ed9f9c08 ]
This reverts commit 5f4b204b6b8153923d5be8002c5f7082985d153f.
Since rdev->dev now has a release() callback, the proper way of freeing
the initialized device can be restored.
Signed-off-by: Michał Mirosław <mirq-linux@rere.qmqm.pl>
Link: https://lore.kernel.org/r/d7f469f3f7b1f0e1d52f9a7ede3f3c5703382090.1695077303.git.mirq-linux@rere.qmqm.pl
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/regulator/core.c | 6 +-----
1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/drivers/regulator/core.c b/drivers/regulator/core.c
index 2820badc7a126..3137e40fcd3e0 100644
--- a/drivers/regulator/core.c
+++ b/drivers/regulator/core.c
@@ -5724,15 +5724,11 @@ regulator_register(struct device *dev,
mutex_lock(®ulator_list_mutex);
regulator_ena_gpio_free(rdev);
mutex_unlock(®ulator_list_mutex);
- put_device(&rdev->dev);
- rdev = NULL;
clean:
if (dangling_of_gpiod)
gpiod_put(config->ena_gpiod);
- if (rdev && rdev->dev.of_node)
- of_node_put(rdev->dev.of_node);
- kfree(rdev);
kfree(config);
+ put_device(&rdev->dev);
rinse:
if (dangling_cfg_gpiod)
gpiod_put(cfg->ena_gpiod);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 126/241] SUNRPC: Fail quickly when server does not recognize TLS
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (124 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 125/241] regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()" Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 127/241] SUNRPC/TLS: Lock the lower_xprt during the tls handshake Greg Kroah-Hartman
` (124 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Chuck Lever,
Anna Schumaker, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Chuck Lever <chuck.lever@oracle.com>
[ Upstream commit 5623ecfcbec165f040a23248d39680f0cc5c0854 ]
rpcauth_checkverf() should return a distinct error code when a
server recognizes the AUTH_TLS probe but does not support TLS so
that the client's header decoder can respond appropriately and
quickly. No retries are necessary is in this case, since the server
has already affirmatively answered "TLS is unsupported".
Suggested-by: Trond Myklebust <trondmy@hammerspace.com>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/auth.c | 11 ++++++++---
net/sunrpc/auth_tls.c | 4 ++--
net/sunrpc/clnt.c | 10 +++++++++-
3 files changed, 19 insertions(+), 6 deletions(-)
diff --git a/net/sunrpc/auth.c b/net/sunrpc/auth.c
index 2f16f9d179662..814b0169f9723 100644
--- a/net/sunrpc/auth.c
+++ b/net/sunrpc/auth.c
@@ -769,9 +769,14 @@ int rpcauth_wrap_req(struct rpc_task *task, struct xdr_stream *xdr)
* @task: controlling RPC task
* @xdr: xdr_stream containing RPC Reply header
*
- * On success, @xdr is updated to point past the verifier and
- * zero is returned. Otherwise, @xdr is in an undefined state
- * and a negative errno is returned.
+ * Return values:
+ * %0: Verifier is valid. @xdr now points past the verifier.
+ * %-EIO: Verifier is corrupted or message ended early.
+ * %-EACCES: Verifier is intact but not valid.
+ * %-EPROTONOSUPPORT: Server does not support the requested auth type.
+ *
+ * When a negative errno is returned, @xdr is left in an undefined
+ * state.
*/
int
rpcauth_checkverf(struct rpc_task *task, struct xdr_stream *xdr)
diff --git a/net/sunrpc/auth_tls.c b/net/sunrpc/auth_tls.c
index de7678f8a23d2..87f570fd3b00e 100644
--- a/net/sunrpc/auth_tls.c
+++ b/net/sunrpc/auth_tls.c
@@ -129,9 +129,9 @@ static int tls_validate(struct rpc_task *task, struct xdr_stream *xdr)
if (*p != rpc_auth_null)
return -EIO;
if (xdr_stream_decode_opaque_inline(xdr, &str, starttls_len) != starttls_len)
- return -EIO;
+ return -EPROTONOSUPPORT;
if (memcmp(str, starttls_token, starttls_len))
- return -EIO;
+ return -EPROTONOSUPPORT;
return 0;
}
diff --git a/net/sunrpc/clnt.c b/net/sunrpc/clnt.c
index be6be7d785315..9fb0ccabc1a26 100644
--- a/net/sunrpc/clnt.c
+++ b/net/sunrpc/clnt.c
@@ -2721,7 +2721,15 @@ rpc_decode_header(struct rpc_task *task, struct xdr_stream *xdr)
out_verifier:
trace_rpc_bad_verifier(task);
- goto out_garbage;
+ switch (error) {
+ case -EPROTONOSUPPORT:
+ goto out_err;
+ case -EACCES:
+ /* Re-encode with a fresh cred */
+ fallthrough;
+ default:
+ goto out_garbage;
+ }
out_msg_denied:
error = -EACCES;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 127/241] SUNRPC/TLS: Lock the lower_xprt during the tls handshake
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (125 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 126/241] SUNRPC: Fail quickly when server does not recognize TLS Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 128/241] nfs: decrement nrequests counter before releasing the req Greg Kroah-Hartman
` (123 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chuck Lever, Anna Schumaker, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Anna Schumaker <Anna.Schumaker@Netapp.com>
[ Upstream commit 26e8bfa30dac2ccd29dd25f391dfc73475c33329 ]
Otherwise we run the risk of having the lower_xprt freed from underneath
us, causing an oops that looks like this:
[ 224.150698] BUG: kernel NULL pointer dereference, address: 0000000000000018
[ 224.150951] #PF: supervisor read access in kernel mode
[ 224.151117] #PF: error_code(0x0000) - not-present page
[ 224.151278] PGD 0 P4D 0
[ 224.151361] Oops: 0000 [#1] PREEMPT SMP NOPTI
[ 224.151499] CPU: 2 PID: 99 Comm: kworker/u10:6 Not tainted 6.6.0-rc3-g6465e260f487 #41264 a00b0960990fb7bc6d6a330ee03588b67f08a47b
[ 224.151977] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS unknown 2/2/2022
[ 224.152216] Workqueue: xprtiod xs_tcp_tls_setup_socket [sunrpc]
[ 224.152434] RIP: 0010:xs_tcp_tls_setup_socket+0x3cc/0x7e0 [sunrpc]
[ 224.152643] Code: 00 00 48 8b 7c 24 08 e9 f3 01 00 00 48 83 7b c0 00 0f 85 d2 01 00 00 49 8d 84 24 f8 05 00 00 48 89 44 24 10 48 8b 00 48 89 c5 <4c> 8b 68 18 66 41 83 3f 0a 75 71 45 31 ff 4c 89 ef 31 f6 e8 5c 76
[ 224.153246] RSP: 0018:ffffb00ec060fd18 EFLAGS: 00010246
[ 224.153427] RAX: 0000000000000000 RBX: ffff8c06c2e53e40 RCX: 0000000000000001
[ 224.153652] RDX: ffff8c073bca2408 RSI: 0000000000000282 RDI: ffff8c06c259ee00
[ 224.153868] RBP: 0000000000000000 R08: ffffffff9da55aa0 R09: 0000000000000001
[ 224.154084] R10: 00000034306c30f1 R11: 0000000000000002 R12: ffff8c06c2e51800
[ 224.154300] R13: ffff8c06c355d400 R14: 0000000004208160 R15: ffff8c06c2e53820
[ 224.154521] FS: 0000000000000000(0000) GS:ffff8c073bd00000(0000) knlGS:0000000000000000
[ 224.154763] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 224.154940] CR2: 0000000000000018 CR3: 0000000062c1e000 CR4: 0000000000750ee0
[ 224.155157] PKRU: 55555554
[ 224.155244] Call Trace:
[ 224.155325] <TASK>
[ 224.155395] ? __die_body+0x68/0xb0
[ 224.155507] ? page_fault_oops+0x34c/0x3a0
[ 224.155635] ? _raw_spin_unlock_irqrestore+0xe/0x40
[ 224.155793] ? exc_page_fault+0x7a/0x1b0
[ 224.155916] ? asm_exc_page_fault+0x26/0x30
[ 224.156047] ? xs_tcp_tls_setup_socket+0x3cc/0x7e0 [sunrpc ae3a15912ae37fd51dafbdbc2dbd069117f8f5c8]
[ 224.156367] ? xs_tcp_tls_setup_socket+0x2fe/0x7e0 [sunrpc ae3a15912ae37fd51dafbdbc2dbd069117f8f5c8]
[ 224.156697] ? __pfx_xs_tls_handshake_done+0x10/0x10 [sunrpc ae3a15912ae37fd51dafbdbc2dbd069117f8f5c8]
[ 224.157013] process_scheduled_works+0x24e/0x450
[ 224.157158] worker_thread+0x21c/0x2d0
[ 224.157275] ? __pfx_worker_thread+0x10/0x10
[ 224.157409] kthread+0xe8/0x110
[ 224.157510] ? __pfx_kthread+0x10/0x10
[ 224.157628] ret_from_fork+0x37/0x50
[ 224.157741] ? __pfx_kthread+0x10/0x10
[ 224.157859] ret_from_fork_asm+0x1b/0x30
[ 224.157983] </TASK>
Reviewed-by: Chuck Lever <chuck.lever@oracle.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/sunrpc/xprtsock.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/sunrpc/xprtsock.c b/net/sunrpc/xprtsock.c
index 9f010369100a2..f392718951b1e 100644
--- a/net/sunrpc/xprtsock.c
+++ b/net/sunrpc/xprtsock.c
@@ -2645,6 +2645,10 @@ static void xs_tcp_tls_setup_socket(struct work_struct *work)
rcu_read_lock();
lower_xprt = rcu_dereference(lower_clnt->cl_xprt);
rcu_read_unlock();
+
+ if (wait_on_bit_lock(&lower_xprt->state, XPRT_LOCKED, TASK_KILLABLE))
+ goto out_unlock;
+
status = xs_tls_handshake_sync(lower_xprt, &upper_xprt->xprtsec);
if (status) {
trace_rpc_tls_not_started(upper_clnt, upper_xprt);
@@ -2654,6 +2658,7 @@ static void xs_tcp_tls_setup_socket(struct work_struct *work)
status = xs_tcp_tls_finish_connecting(lower_xprt, upper_transport);
if (status)
goto out_close;
+ xprt_release_write(lower_xprt, NULL);
trace_rpc_socket_connect(upper_xprt, upper_transport->sock, 0);
if (!xprt_test_and_set_connected(upper_xprt)) {
@@ -2675,6 +2680,7 @@ static void xs_tcp_tls_setup_socket(struct work_struct *work)
return;
out_close:
+ xprt_release_write(lower_xprt, NULL);
rpc_shutdown_client(lower_clnt);
/* xprt_force_disconnect() wakes tasks with a fixed tk_status code.
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 128/241] nfs: decrement nrequests counter before releasing the req
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (126 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 127/241] SUNRPC/TLS: Lock the lower_xprt during the tls handshake Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 129/241] sky2: Make sure there is at least one frag_addr available Greg Kroah-Hartman
` (122 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jeff Layton, Benjamin Coddington,
Anna Schumaker, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Layton <jlayton@kernel.org>
[ Upstream commit dd1b2026323a2d075ac553cecfd7a0c23c456c59 ]
I hit this panic in testing:
[ 6235.500016] run fstests generic/464 at 2023-09-18 22:51:24
[ 6288.410761] BUG: kernel NULL pointer dereference, address: 0000000000000000
[ 6288.412174] #PF: supervisor read access in kernel mode
[ 6288.413160] #PF: error_code(0x0000) - not-present page
[ 6288.413992] PGD 0 P4D 0
[ 6288.414603] Oops: 0000 [#1] PREEMPT SMP PTI
[ 6288.415419] CPU: 0 PID: 340798 Comm: kworker/u18:8 Not tainted 6.6.0-rc1-gdcf620ceebac #95
[ 6288.416538] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-1.fc38 04/01/2014
[ 6288.417701] Workqueue: nfsiod rpc_async_release [sunrpc]
[ 6288.418676] RIP: 0010:nfs_inode_remove_request+0xc8/0x150 [nfs]
[ 6288.419836] Code: ff ff 48 8b 43 38 48 8b 7b 10 a8 04 74 5b 48 85 ff 74 56 48 8b 07 a9 00 00 08 00 74 58 48 8b 07 f6 c4 10 74 50 e8 c8 44 b3 d5 <48> 8b 00 f0 48 ff 88 30 ff ff ff 5b 5d 41 5c c3 cc cc cc cc 48 8b
[ 6288.422389] RSP: 0018:ffffbd618353bda8 EFLAGS: 00010246
[ 6288.423234] RAX: 0000000000000000 RBX: ffff9a29f9a25280 RCX: 0000000000000000
[ 6288.424351] RDX: ffff9a29f9a252b4 RSI: 000000000000000b RDI: ffffef41448e3840
[ 6288.425345] RBP: ffffef41448e3840 R08: 0000000000000038 R09: ffffffffffffffff
[ 6288.426334] R10: 0000000000033f80 R11: ffff9a2a7fffa000 R12: ffff9a29093f98c4
[ 6288.427353] R13: 0000000000000000 R14: ffff9a29230f62e0 R15: ffff9a29230f62d0
[ 6288.428358] FS: 0000000000000000(0000) GS:ffff9a2a77c00000(0000) knlGS:0000000000000000
[ 6288.429513] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6288.430427] CR2: 0000000000000000 CR3: 0000000264748002 CR4: 0000000000770ef0
[ 6288.431553] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 6288.432715] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 6288.433698] PKRU: 55555554
[ 6288.434196] Call Trace:
[ 6288.434667] <TASK>
[ 6288.435132] ? __die+0x1f/0x70
[ 6288.435723] ? page_fault_oops+0x159/0x450
[ 6288.436389] ? try_to_wake_up+0x98/0x5d0
[ 6288.437044] ? do_user_addr_fault+0x65/0x660
[ 6288.437728] ? exc_page_fault+0x7a/0x180
[ 6288.438368] ? asm_exc_page_fault+0x22/0x30
[ 6288.439137] ? nfs_inode_remove_request+0xc8/0x150 [nfs]
[ 6288.440112] ? nfs_inode_remove_request+0xa0/0x150 [nfs]
[ 6288.440924] nfs_commit_release_pages+0x16e/0x340 [nfs]
[ 6288.441700] ? __pfx_call_transmit+0x10/0x10 [sunrpc]
[ 6288.442475] ? _raw_spin_lock_irqsave+0x23/0x50
[ 6288.443161] nfs_commit_release+0x15/0x40 [nfs]
[ 6288.443926] rpc_free_task+0x36/0x60 [sunrpc]
[ 6288.444741] rpc_async_release+0x29/0x40 [sunrpc]
[ 6288.445509] process_one_work+0x171/0x340
[ 6288.446135] worker_thread+0x277/0x3a0
[ 6288.446724] ? __pfx_worker_thread+0x10/0x10
[ 6288.447376] kthread+0xf0/0x120
[ 6288.447903] ? __pfx_kthread+0x10/0x10
[ 6288.448500] ret_from_fork+0x2d/0x50
[ 6288.449078] ? __pfx_kthread+0x10/0x10
[ 6288.449665] ret_from_fork_asm+0x1b/0x30
[ 6288.450283] </TASK>
[ 6288.450688] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace sunrpc nls_iso8859_1 nls_cp437 vfat fat 9p netfs ext4 kvm_intel crc16 mbcache jbd2 joydev kvm xfs irqbypass virtio_net pcspkr net_failover psmouse failover 9pnet_virtio cirrus drm_shmem_helper virtio_balloon drm_kms_helper button evdev drm loop dm_mod zram zsmalloc crct10dif_pclmul crc32_pclmul ghash_clmulni_intel sha512_ssse3 sha512_generic virtio_blk nvme aesni_intel crypto_simd cryptd nvme_core t10_pi i6300esb crc64_rocksoft_generic crc64_rocksoft crc64 virtio_pci virtio virtio_pci_legacy_dev virtio_pci_modern_dev virtio_ring serio_raw btrfs blake2b_generic libcrc32c crc32c_generic crc32c_intel xor raid6_pq autofs4
[ 6288.460211] CR2: 0000000000000000
[ 6288.460787] ---[ end trace 0000000000000000 ]---
[ 6288.461571] RIP: 0010:nfs_inode_remove_request+0xc8/0x150 [nfs]
[ 6288.462500] Code: ff ff 48 8b 43 38 48 8b 7b 10 a8 04 74 5b 48 85 ff 74 56 48 8b 07 a9 00 00 08 00 74 58 48 8b 07 f6 c4 10 74 50 e8 c8 44 b3 d5 <48> 8b 00 f0 48 ff 88 30 ff ff ff 5b 5d 41 5c c3 cc cc cc cc 48 8b
[ 6288.465136] RSP: 0018:ffffbd618353bda8 EFLAGS: 00010246
[ 6288.465963] RAX: 0000000000000000 RBX: ffff9a29f9a25280 RCX: 0000000000000000
[ 6288.467035] RDX: ffff9a29f9a252b4 RSI: 000000000000000b RDI: ffffef41448e3840
[ 6288.468093] RBP: ffffef41448e3840 R08: 0000000000000038 R09: ffffffffffffffff
[ 6288.469121] R10: 0000000000033f80 R11: ffff9a2a7fffa000 R12: ffff9a29093f98c4
[ 6288.470109] R13: 0000000000000000 R14: ffff9a29230f62e0 R15: ffff9a29230f62d0
[ 6288.471106] FS: 0000000000000000(0000) GS:ffff9a2a77c00000(0000) knlGS:0000000000000000
[ 6288.472216] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 6288.473059] CR2: 0000000000000000 CR3: 0000000264748002 CR4: 0000000000770ef0
[ 6288.474096] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 6288.475097] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 6288.476148] PKRU: 55555554
[ 6288.476665] note: kworker/u18:8[340798] exited with irqs disabled
Once we've released "req", it's not safe to dereference it anymore.
Decrement the nrequests counter before dropping the reference.
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Tested-by: Benjamin Coddington <bcodding@redhat.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/nfs/write.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/nfs/write.c b/fs/nfs/write.c
index 8c1ee1a1a28f1..7720b5e43014b 100644
--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -802,8 +802,8 @@ static void nfs_inode_remove_request(struct nfs_page *req)
}
if (test_and_clear_bit(PG_INODE_REF, &req->wb_flags)) {
- nfs_release_request(req);
atomic_long_dec(&NFS_I(nfs_page_to_inode(req))->nrequests);
+ nfs_release_request(req);
}
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 129/241] sky2: Make sure there is at least one frag_addr available
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (127 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 128/241] nfs: decrement nrequests counter before releasing the req Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 130/241] ipv4/fib: send notify when delete source address routes Greg Kroah-Hartman
` (121 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mirko Lindner, Stephen Hemminger,
David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
netdev, kernel test robot, Alexander Lobakin, Kees Cook,
Gustavo A. R. Silva, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
[ Upstream commit 6a70e5cbedaf8ad10528ac9ac114f3ec20f422df ]
In the pathological case of building sky2 with 16k PAGE_SIZE, the
frag_addr[] array would never be used, so the original code was correct
that size should be 0. But the compiler now gets upset with 0 size arrays
in places where it hasn't eliminated the code that might access such an
array (it can't figure out that in this case an rx skb with fragments
would never be created). To keep the compiler happy, make sure there is
at least 1 frag_addr in struct rx_ring_info:
In file included from include/linux/skbuff.h:28,
from include/net/net_namespace.h:43,
from include/linux/netdevice.h:38,
from drivers/net/ethernet/marvell/sky2.c:18:
drivers/net/ethernet/marvell/sky2.c: In function 'sky2_rx_unmap_skb':
include/linux/dma-mapping.h:416:36: warning: array subscript i is outside array bounds of 'dma_addr_t[0]' {aka 'long long unsigned int[]'} [-Warray-bounds=]
416 | #define dma_unmap_page(d, a, s, r) dma_unmap_page_attrs(d, a, s, r, 0)
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
drivers/net/ethernet/marvell/sky2.c:1257:17: note: in expansion of macro 'dma_unmap_page'
1257 | dma_unmap_page(&pdev->dev, re->frag_addr[i],
| ^~~~~~~~~~~~~~
In file included from drivers/net/ethernet/marvell/sky2.c:41:
drivers/net/ethernet/marvell/sky2.h:2198:25: note: while referencing 'frag_addr'
2198 | dma_addr_t frag_addr[ETH_JUMBO_MTU >> PAGE_SHIFT];
| ^~~~~~~~~
With CONFIG_PAGE_SIZE_16KB=y, PAGE_SHIFT == 14, so:
#define ETH_JUMBO_MTU 9000
causes "ETH_JUMBO_MTU >> PAGE_SHIFT" to be 0. Use "?: 1" to solve this build warning.
Cc: Mirko Lindner <mlindner@marvell.com>
Cc: Stephen Hemminger <stephen@networkplumber.org>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: netdev@vger.kernel.org
Reported-by: kernel test robot <lkp@intel.com>
Closes: https://lore.kernel.org/oe-kbuild-all/202309191958.UBw1cjXk-lkp@intel.com/
Reviewed-by: Alexander Lobakin <aleksander.lobakin@intel.com>
Signed-off-by: Kees Cook <keescook@chromium.org>
Reviewed-by: Gustavo A. R. Silva <gustavoars@kernel.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/marvell/sky2.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/marvell/sky2.h b/drivers/net/ethernet/marvell/sky2.h
index ddec1627f1a7b..8d0bacf4e49cc 100644
--- a/drivers/net/ethernet/marvell/sky2.h
+++ b/drivers/net/ethernet/marvell/sky2.h
@@ -2195,7 +2195,7 @@ struct rx_ring_info {
struct sk_buff *skb;
dma_addr_t data_addr;
DEFINE_DMA_UNMAP_LEN(data_size);
- dma_addr_t frag_addr[ETH_JUMBO_MTU >> PAGE_SHIFT];
+ dma_addr_t frag_addr[ETH_JUMBO_MTU >> PAGE_SHIFT ?: 1];
};
enum flow_control {
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 130/241] ipv4/fib: send notify when delete source address routes
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (128 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 129/241] sky2: Make sure there is at least one frag_addr available Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 131/241] drm: panel-orientation-quirks: Add quirk for One Mix 2S Greg Kroah-Hartman
` (120 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Thomas Haller, Hangbin Liu,
Nicolas Dichtel, David Ahern, Paolo Abeni, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hangbin Liu <liuhangbin@gmail.com>
[ Upstream commit 4b2b606075e50cdae62ab2356b0a1e206947c354 ]
After deleting an interface address in fib_del_ifaddr(), the function
scans the fib_info list for stray entries and calls fib_flush() and
fib_table_flush(). Then the stray entries will be deleted silently and no
RTM_DELROUTE notification will be sent.
This lack of notification can make routing daemons, or monitor like
`ip monitor route` miss the routing changes. e.g.
+ ip link add dummy1 type dummy
+ ip link add dummy2 type dummy
+ ip link set dummy1 up
+ ip link set dummy2 up
+ ip addr add 192.168.5.5/24 dev dummy1
+ ip route add 7.7.7.0/24 dev dummy2 src 192.168.5.5
+ ip -4 route
7.7.7.0/24 dev dummy2 scope link src 192.168.5.5
192.168.5.0/24 dev dummy1 proto kernel scope link src 192.168.5.5
+ ip monitor route
+ ip addr del 192.168.5.5/24 dev dummy1
Deleted 192.168.5.0/24 dev dummy1 proto kernel scope link src 192.168.5.5
Deleted broadcast 192.168.5.255 dev dummy1 table local proto kernel scope link src 192.168.5.5
Deleted local 192.168.5.5 dev dummy1 table local proto kernel scope host src 192.168.5.5
As Ido reminded, fib_table_flush() isn't only called when an address is
deleted, but also when an interface is deleted or put down. The lack of
notification in these cases is deliberate. And commit 7c6bb7d2faaf
("net/ipv6: Add knob to skip DELROUTE message on device down") introduced
a sysctl to make IPv6 behave like IPv4 in this regard. So we can't send
the route delete notify blindly in fib_table_flush().
To fix this issue, let's add a new flag in "struct fib_info" to track the
deleted prefer source address routes, and only send notify for them.
After update:
+ ip monitor route
+ ip addr del 192.168.5.5/24 dev dummy1
Deleted 192.168.5.0/24 dev dummy1 proto kernel scope link src 192.168.5.5
Deleted broadcast 192.168.5.255 dev dummy1 table local proto kernel scope link src 192.168.5.5
Deleted local 192.168.5.5 dev dummy1 table local proto kernel scope host src 192.168.5.5
Deleted 7.7.7.0/24 dev dummy2 scope link src 192.168.5.5
Suggested-by: Thomas Haller <thaller@redhat.com>
Signed-off-by: Hangbin Liu <liuhangbin@gmail.com>
Acked-by: Nicolas Dichtel <nicolas.dichtel@6wind.com>
Reviewed-by: David Ahern <dsahern@kernel.org>
Link: https://lore.kernel.org/r/20230922075508.848925-1-liuhangbin@gmail.com
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/ip_fib.h | 1 +
net/ipv4/fib_semantics.c | 1 +
net/ipv4/fib_trie.c | 4 ++++
3 files changed, 6 insertions(+)
diff --git a/include/net/ip_fib.h b/include/net/ip_fib.h
index f0c13864180e2..15de07d365405 100644
--- a/include/net/ip_fib.h
+++ b/include/net/ip_fib.h
@@ -154,6 +154,7 @@ struct fib_info {
int fib_nhs;
bool fib_nh_is_v6;
bool nh_updated;
+ bool pfsrc_removed;
struct nexthop *nh;
struct rcu_head rcu;
struct fib_nh fib_nh[];
diff --git a/net/ipv4/fib_semantics.c b/net/ipv4/fib_semantics.c
index 894d8ac6b9d0e..5eb1b8d302bbd 100644
--- a/net/ipv4/fib_semantics.c
+++ b/net/ipv4/fib_semantics.c
@@ -1891,6 +1891,7 @@ int fib_sync_down_addr(struct net_device *dev, __be32 local)
continue;
if (fi->fib_prefsrc == local) {
fi->fib_flags |= RTNH_F_DEAD;
+ fi->pfsrc_removed = true;
ret++;
}
}
diff --git a/net/ipv4/fib_trie.c b/net/ipv4/fib_trie.c
index d13fb9e76b971..9bdfdab906fe0 100644
--- a/net/ipv4/fib_trie.c
+++ b/net/ipv4/fib_trie.c
@@ -2027,6 +2027,7 @@ void fib_table_flush_external(struct fib_table *tb)
int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
{
struct trie *t = (struct trie *)tb->tb_data;
+ struct nl_info info = { .nl_net = net };
struct key_vector *pn = t->kv;
unsigned long cindex = 1;
struct hlist_node *tmp;
@@ -2089,6 +2090,9 @@ int fib_table_flush(struct net *net, struct fib_table *tb, bool flush_all)
fib_notify_alias_delete(net, n->key, &n->leaf, fa,
NULL);
+ if (fi->pfsrc_removed)
+ rtmsg_fib(RTM_DELROUTE, htonl(n->key), fa,
+ KEYLENGTH - fa->fa_slen, tb->tb_id, &info, 0);
hlist_del_rcu(&fa->fa_list);
fib_release_info(fa->fa_info);
alias_free_mem_rcu(fa);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 131/241] drm: panel-orientation-quirks: Add quirk for One Mix 2S
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (129 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 130/241] ipv4/fib: send notify when delete source address routes Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 132/241] btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c Greg Kroah-Hartman
` (119 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kai Uwe Broulik, Hans de Goede,
Liviu Dudau, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kai Uwe Broulik <foss-linux@broulik.de>
[ Upstream commit cbb7eb2dbd9472816e42a1b0fdb51af49abbf812 ]
The One Mix 2S is a mini laptop with a 1200x1920 portrait screen
mounted in a landscape oriented clamshell case. Because of the too
generic DMI strings this entry is also doing bios-date matching.
Signed-off-by: Kai Uwe Broulik <foss-linux@broulik.de>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Liviu Dudau <liviu.dudau@arm.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231001114710.336172-1-foss-linux@broulik.de
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/drm_panel_orientation_quirks.c | 16 ++++++++++++++++
1 file changed, 16 insertions(+)
diff --git a/drivers/gpu/drm/drm_panel_orientation_quirks.c b/drivers/gpu/drm/drm_panel_orientation_quirks.c
index 0cb646cb04ee1..d5c15292ae937 100644
--- a/drivers/gpu/drm/drm_panel_orientation_quirks.c
+++ b/drivers/gpu/drm/drm_panel_orientation_quirks.c
@@ -38,6 +38,14 @@ static const struct drm_dmi_panel_orientation_data gpd_micropc = {
.orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
};
+static const struct drm_dmi_panel_orientation_data gpd_onemix2s = {
+ .width = 1200,
+ .height = 1920,
+ .bios_dates = (const char * const []){ "05/21/2018", "10/26/2018",
+ "03/04/2019", NULL },
+ .orientation = DRM_MODE_PANEL_ORIENTATION_RIGHT_UP,
+};
+
static const struct drm_dmi_panel_orientation_data gpd_pocket = {
.width = 1200,
.height = 1920,
@@ -401,6 +409,14 @@ static const struct dmi_system_id orientation_data[] = {
DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "LTH17"),
},
.driver_data = (void *)&lcd800x1280_rightside_up,
+ }, { /* One Mix 2S (generic strings, also match on bios date) */
+ .matches = {
+ DMI_EXACT_MATCH(DMI_SYS_VENDOR, "Default string"),
+ DMI_EXACT_MATCH(DMI_PRODUCT_NAME, "Default string"),
+ DMI_EXACT_MATCH(DMI_BOARD_VENDOR, "Default string"),
+ DMI_EXACT_MATCH(DMI_BOARD_NAME, "Default string"),
+ },
+ .driver_data = (void *)&gpd_onemix2s,
},
{}
};
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 132/241] btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (130 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 131/241] drm: panel-orientation-quirks: Add quirk for One Mix 2S Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 133/241] btrfs: error out when COWing block using a stale transaction Greg Kroah-Hartman
` (118 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jens Axboe, Josef Bacik,
David Sterba, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Josef Bacik <josef@toxicpanda.com>
[ Upstream commit 9147b9ded499d9853bdf0e9804b7eaa99c4429ed ]
Jens reported the following warnings from -Wmaybe-uninitialized recent
Linus' branch.
In file included from ./include/asm-generic/rwonce.h:26,
from ./arch/arm64/include/asm/rwonce.h:71,
from ./include/linux/compiler.h:246,
from ./include/linux/export.h:5,
from ./include/linux/linkage.h:7,
from ./include/linux/kernel.h:17,
from fs/btrfs/ioctl.c:6:
In function ‘instrument_copy_from_user_before’,
inlined from ‘_copy_from_user’ at ./include/linux/uaccess.h:148:3,
inlined from ‘copy_from_user’ at ./include/linux/uaccess.h:183:7,
inlined from ‘btrfs_ioctl_space_info’ at fs/btrfs/ioctl.c:2999:6,
inlined from ‘btrfs_ioctl’ at fs/btrfs/ioctl.c:4616:10:
./include/linux/kasan-checks.h:38:27: warning: ‘space_args’ may be used
uninitialized [-Wmaybe-uninitialized]
38 | #define kasan_check_write __kasan_check_write
./include/linux/instrumented.h:129:9: note: in expansion of macro
‘kasan_check_write’
129 | kasan_check_write(to, n);
| ^~~~~~~~~~~~~~~~~
./include/linux/kasan-checks.h: In function ‘btrfs_ioctl’:
./include/linux/kasan-checks.h:20:6: note: by argument 1 of type ‘const
volatile void *’ to ‘__kasan_check_write’ declared here
20 | bool __kasan_check_write(const volatile void *p, unsigned int
size);
| ^~~~~~~~~~~~~~~~~~~
fs/btrfs/ioctl.c:2981:39: note: ‘space_args’ declared here
2981 | struct btrfs_ioctl_space_args space_args;
| ^~~~~~~~~~
In function ‘instrument_copy_from_user_before’,
inlined from ‘_copy_from_user’ at ./include/linux/uaccess.h:148:3,
inlined from ‘copy_from_user’ at ./include/linux/uaccess.h:183:7,
inlined from ‘_btrfs_ioctl_send’ at fs/btrfs/ioctl.c:4343:9,
inlined from ‘btrfs_ioctl’ at fs/btrfs/ioctl.c:4658:10:
./include/linux/kasan-checks.h:38:27: warning: ‘args32’ may be used
uninitialized [-Wmaybe-uninitialized]
38 | #define kasan_check_write __kasan_check_write
./include/linux/instrumented.h:129:9: note: in expansion of macro
‘kasan_check_write’
129 | kasan_check_write(to, n);
| ^~~~~~~~~~~~~~~~~
./include/linux/kasan-checks.h: In function ‘btrfs_ioctl’:
./include/linux/kasan-checks.h:20:6: note: by argument 1 of type ‘const
volatile void *’ to ‘__kasan_check_write’ declared here
20 | bool __kasan_check_write(const volatile void *p, unsigned int
size);
| ^~~~~~~~~~~~~~~~~~~
fs/btrfs/ioctl.c:4341:49: note: ‘args32’ declared here
4341 | struct btrfs_ioctl_send_args_32 args32;
| ^~~~~~
This was due to his config options and having KASAN turned on,
which adds some extra checks around copy_from_user(), which then
triggered the -Wmaybe-uninitialized checker for these cases.
Fix the warnings by initializing the different structs we're copying
into.
Reported-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Josef Bacik <josef@toxicpanda.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/ioctl.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index d27b0d86b8e2c..bf35b6fce8f07 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -2978,7 +2978,7 @@ static void get_block_group_info(struct list_head *groups_list,
static long btrfs_ioctl_space_info(struct btrfs_fs_info *fs_info,
void __user *arg)
{
- struct btrfs_ioctl_space_args space_args;
+ struct btrfs_ioctl_space_args space_args = { 0 };
struct btrfs_ioctl_space_info space;
struct btrfs_ioctl_space_info *dest;
struct btrfs_ioctl_space_info *dest_orig;
@@ -4338,7 +4338,7 @@ static int _btrfs_ioctl_send(struct inode *inode, void __user *argp, bool compat
if (compat) {
#if defined(CONFIG_64BIT) && defined(CONFIG_COMPAT)
- struct btrfs_ioctl_send_args_32 args32;
+ struct btrfs_ioctl_send_args_32 args32 = { 0 };
ret = copy_from_user(&args32, argp, sizeof(args32));
if (ret)
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 133/241] btrfs: error out when COWing block using a stale transaction
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (131 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 132/241] btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 134/241] btrfs: error when COWing block from a root that is being deleted Greg Kroah-Hartman
` (117 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, David Sterba, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit 48774f3bf8b4dd3b1a0e155825c9ce48483db14c ]
At btrfs_cow_block() we have these checks to verify we are not using a
stale transaction (a past transaction with an unblocked state or higher),
and the only thing we do is to trigger a WARN with a message and a stack
trace. This however is a critical problem, highly unexpected and if it
happens it's most likely due to a bug, so we should error out and turn the
fs into error state so that such issue is much more easily noticed if it's
triggered.
The problem is critical because using such stale transaction will lead to
not persisting the extent buffer used for the COW operation, as allocating
a tree block adds the range of the respective extent buffer to the
->dirty_pages iotree of the transaction, and a stale transaction, in the
unlocked state or higher, will not flush dirty extent buffers anymore,
therefore resulting in not persisting the tree block and resource leaks
(not cleaning the dirty_pages iotree for example).
So do the following changes:
1) Return -EUCLEAN if we find a stale transaction;
2) Turn the fs into error state, with error -EUCLEAN, so that no
transaction can be committed, and generate a stack trace;
3) Combine both conditions into a single if statement, as both are related
and have the same error message;
4) Mark the check as unlikely, since this is not expected to ever happen.
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/ctree.c | 24 ++++++++++++++++--------
1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
index a4cb4b6429870..7afd0a6495f37 100644
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -686,14 +686,22 @@ noinline int btrfs_cow_block(struct btrfs_trans_handle *trans,
btrfs_err(fs_info,
"COW'ing blocks on a fs root that's being dropped");
- if (trans->transaction != fs_info->running_transaction)
- WARN(1, KERN_CRIT "trans %llu running %llu\n",
- trans->transid,
- fs_info->running_transaction->transid);
-
- if (trans->transid != fs_info->generation)
- WARN(1, KERN_CRIT "trans %llu running %llu\n",
- trans->transid, fs_info->generation);
+ /*
+ * COWing must happen through a running transaction, which always
+ * matches the current fs generation (it's a transaction with a state
+ * less than TRANS_STATE_UNBLOCKED). If it doesn't, then turn the fs
+ * into error state to prevent the commit of any transaction.
+ */
+ if (unlikely(trans->transaction != fs_info->running_transaction ||
+ trans->transid != fs_info->generation)) {
+ btrfs_abort_transaction(trans, -EUCLEAN);
+ btrfs_crit(fs_info,
+"unexpected transaction when attempting to COW block %llu on root %llu, transaction %llu running transaction %llu fs generation %llu",
+ buf->start, btrfs_root_id(root), trans->transid,
+ fs_info->running_transaction->transid,
+ fs_info->generation);
+ return -EUCLEAN;
+ }
if (!should_cow_block(trans, root, buf)) {
*cow_ret = buf;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 134/241] btrfs: error when COWing block from a root that is being deleted
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (132 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 133/241] btrfs: error out when COWing block using a stale transaction Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 135/241] btrfs: error out when reallocating block for defrag using a stale transaction Greg Kroah-Hartman
` (116 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, David Sterba, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit a2caab29884397e583d09be6546259a83ebfbdb1 ]
At btrfs_cow_block() we check if the block being COWed belongs to a root
that is being deleted and if so we log an error message. However this is
an unexpected case and it indicates a bug somewhere, so we should return
an error and abort the transaction. So change this in the following ways:
1) Abort the transaction with -EUCLEAN, so that if the issue ever happens
it can easily be noticed;
2) Change the logged message level from error to critical, and change the
message itself to print the block's logical address and the ID of the
root;
3) Return -EUCLEAN to the caller;
4) As this is an unexpected scenario, that should never happen, mark the
check as unlikely, allowing the compiler to potentially generate better
code.
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/ctree.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
index 7afd0a6495f37..db1f3bc7f3284 100644
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -682,9 +682,13 @@ noinline int btrfs_cow_block(struct btrfs_trans_handle *trans,
u64 search_start;
int ret;
- if (test_bit(BTRFS_ROOT_DELETING, &root->state))
- btrfs_err(fs_info,
- "COW'ing blocks on a fs root that's being dropped");
+ if (unlikely(test_bit(BTRFS_ROOT_DELETING, &root->state))) {
+ btrfs_abort_transaction(trans, -EUCLEAN);
+ btrfs_crit(fs_info,
+ "attempt to COW block %llu on root %llu that is being deleted",
+ buf->start, btrfs_root_id(root));
+ return -EUCLEAN;
+ }
/*
* COWing must happen through a running transaction, which always
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 135/241] btrfs: error out when reallocating block for defrag using a stale transaction
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (133 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 134/241] btrfs: error when COWing block from a root that is being deleted Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 136/241] platform/x86: touchscreen_dmi: Add info for the BUSH Bush Windows tablet Greg Kroah-Hartman
` (115 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Filipe Manana, David Sterba, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Filipe Manana <fdmanana@suse.com>
[ Upstream commit e36f94914021e58ee88a8856c7fdf35adf9c7ee1 ]
At btrfs_realloc_node() we have these checks to verify we are not using a
stale transaction (a past transaction with an unblocked state or higher),
and the only thing we do is to trigger two WARN_ON(). This however is a
critical problem, highly unexpected and if it happens it's most likely due
to a bug, so we should error out and turn the fs into error state so that
such issue is much more easily noticed if it's triggered.
The problem is critical because in btrfs_realloc_node() we COW tree blocks,
and using such stale transaction will lead to not persisting the extent
buffers used for the COW operations, as allocating tree block adds the
range of the respective extent buffers to the ->dirty_pages iotree of the
transaction, and a stale transaction, in the unlocked state or higher,
will not flush dirty extent buffers anymore, therefore resulting in not
persisting the tree block and resource leaks (not cleaning the dirty_pages
iotree for example).
So do the following changes:
1) Return -EUCLEAN if we find a stale transaction;
2) Turn the fs into error state, with error -EUCLEAN, so that no
transaction can be committed, and generate a stack trace;
3) Combine both conditions into a single if statement, as both are related
and have the same error message;
4) Mark the check as unlikely, since this is not expected to ever happen.
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/btrfs/ctree.c | 18 ++++++++++++++++--
1 file changed, 16 insertions(+), 2 deletions(-)
diff --git a/fs/btrfs/ctree.c b/fs/btrfs/ctree.c
index db1f3bc7f3284..da519c1b6ad08 100644
--- a/fs/btrfs/ctree.c
+++ b/fs/btrfs/ctree.c
@@ -817,8 +817,22 @@ int btrfs_realloc_node(struct btrfs_trans_handle *trans,
int progress_passed = 0;
struct btrfs_disk_key disk_key;
- WARN_ON(trans->transaction != fs_info->running_transaction);
- WARN_ON(trans->transid != fs_info->generation);
+ /*
+ * COWing must happen through a running transaction, which always
+ * matches the current fs generation (it's a transaction with a state
+ * less than TRANS_STATE_UNBLOCKED). If it doesn't, then turn the fs
+ * into error state to prevent the commit of any transaction.
+ */
+ if (unlikely(trans->transaction != fs_info->running_transaction ||
+ trans->transid != fs_info->generation)) {
+ btrfs_abort_transaction(trans, -EUCLEAN);
+ btrfs_crit(fs_info,
+"unexpected transaction when attempting to reallocate parent %llu for root %llu, transaction %llu running transaction %llu fs generation %llu",
+ parent->start, btrfs_root_id(root), trans->transid,
+ fs_info->running_transaction->transid,
+ fs_info->generation);
+ return -EUCLEAN;
+ }
parent_nritems = btrfs_header_nritems(parent);
blocksize = fs_info->nodesize;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 136/241] platform/x86: touchscreen_dmi: Add info for the BUSH Bush Windows tablet
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (134 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 135/241] btrfs: error out when reallocating block for defrag using a stale transaction Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 137/241] drm/amd/pm: add unique_id for gc 11.0.3 Greg Kroah-Hartman
` (114 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tomasz Swiatek, Hans de Goede, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tomasz Swiatek <swiatektomasz99@gmail.com>
[ Upstream commit 34c271e778c1d8589ee9c833eee5ecb6fbb03149 ]
Add touchscreen info for the BUSH Bush Windows tablet.
It was tested using gslx680_ts_acpi module and on patched kernel
installed on device.
Link: https://github.com/onitake/gsl-firmware/pull/215
Link: https://github.com/systemd/systemd/pull/29268
Signed-off-by: Tomasz Swiatek <swiatektomasz99@gmail.com>
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/touchscreen_dmi.c | 22 ++++++++++++++++++++++
1 file changed, 22 insertions(+)
diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c
index f9301a9382e74..363a9848e2b88 100644
--- a/drivers/platform/x86/touchscreen_dmi.c
+++ b/drivers/platform/x86/touchscreen_dmi.c
@@ -42,6 +42,21 @@ static const struct ts_dmi_data archos_101_cesium_educ_data = {
.properties = archos_101_cesium_educ_props,
};
+static const struct property_entry bush_bush_windows_tablet_props[] = {
+ PROPERTY_ENTRY_U32("touchscreen-size-x", 1850),
+ PROPERTY_ENTRY_U32("touchscreen-size-y", 1280),
+ PROPERTY_ENTRY_BOOL("touchscreen-swapped-x-y"),
+ PROPERTY_ENTRY_U32("silead,max-fingers", 10),
+ PROPERTY_ENTRY_BOOL("silead,home-button"),
+ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-bush-bush-windows-tablet.fw"),
+ { }
+};
+
+static const struct ts_dmi_data bush_bush_windows_tablet_data = {
+ .acpi_name = "MSSL1680:00",
+ .properties = bush_bush_windows_tablet_props,
+};
+
static const struct property_entry chuwi_hi8_props[] = {
PROPERTY_ENTRY_U32("touchscreen-size-x", 1665),
PROPERTY_ENTRY_U32("touchscreen-size-y", 1140),
@@ -1070,6 +1085,13 @@ const struct dmi_system_id touchscreen_dmi_table[] = {
DMI_MATCH(DMI_PRODUCT_NAME, "ARCHOS 101 Cesium Educ"),
},
},
+ {
+ /* Bush Windows tablet */
+ .driver_data = (void *)&bush_bush_windows_tablet_data,
+ .matches = {
+ DMI_MATCH(DMI_PRODUCT_NAME, "Bush Windows tablet"),
+ },
+ },
{
/* Chuwi Hi8 */
.driver_data = (void *)&chuwi_hi8_data,
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 137/241] drm/amd/pm: add unique_id for gc 11.0.3
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (135 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 136/241] platform/x86: touchscreen_dmi: Add info for the BUSH Bush Windows tablet Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 138/241] HID: multitouch: Add required quirk for Synaptics 0xcd7e device Greg Kroah-Hartman
` (113 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kenneth Feng, Feifei Xu,
Alex Deucher, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kenneth Feng <kenneth.feng@amd.com>
[ Upstream commit 4953856f280b2b606089a72a93a1e9212a3adaca ]
add unique_id for gc 11.0.3
Signed-off-by: Kenneth Feng <kenneth.feng@amd.com>
Reviewed-by: Feifei Xu <Feifei.Xu@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/pm/amdgpu_pm.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpu/drm/amd/pm/amdgpu_pm.c b/drivers/gpu/drm/amd/pm/amdgpu_pm.c
index d68fe5474676b..7f7a476b6829c 100644
--- a/drivers/gpu/drm/amd/pm/amdgpu_pm.c
+++ b/drivers/gpu/drm/amd/pm/amdgpu_pm.c
@@ -2077,6 +2077,7 @@ static int default_attr_update(struct amdgpu_device *adev, struct amdgpu_device_
case IP_VERSION(11, 0, 0):
case IP_VERSION(11, 0, 1):
case IP_VERSION(11, 0, 2):
+ case IP_VERSION(11, 0, 3):
*states = ATTR_STATE_SUPPORTED;
break;
default:
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 138/241] HID: multitouch: Add required quirk for Synaptics 0xcd7e device
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (136 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 137/241] drm/amd/pm: add unique_id for gc 11.0.3 Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 139/241] HID: nintendo: reinitialize USB Pro Controller after resuming from suspend Greg Kroah-Hartman
` (112 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Rain, Rahul Rameshbabu, Jiri Kosina,
Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rahul Rameshbabu <sergeantsagara@protonmail.com>
[ Upstream commit 1437e4547edf41689d7135faaca4222ef0081bc1 ]
Register the Synaptics device as a special multitouch device with certain
quirks that may improve usability of the touchpad device.
Reported-by: Rain <rain@sunshowers.io>
Closes: https://lore.kernel.org/linux-input/2bbb8e1d-1793-4df1-810f-cb0137341ff4@app.fastmail.com/
Signed-off-by: Rahul Rameshbabu <sergeantsagara@protonmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-multitouch.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/hid/hid-multitouch.c b/drivers/hid/hid-multitouch.c
index 521b2ffb42449..8db4ae05febc8 100644
--- a/drivers/hid/hid-multitouch.c
+++ b/drivers/hid/hid-multitouch.c
@@ -2144,6 +2144,10 @@ static const struct hid_device_id mt_devices[] = {
USB_DEVICE_ID_MTP_STM)},
/* Synaptics devices */
+ { .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT,
+ HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
+ USB_VENDOR_ID_SYNAPTICS, 0xcd7e) },
+
{ .driver_data = MT_CLS_WIN_8_FORCE_MULTI_INPUT,
HID_DEVICE(BUS_I2C, HID_GROUP_MULTITOUCH_WIN_8,
USB_VENDOR_ID_SYNAPTICS, 0xce08) },
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 139/241] HID: nintendo: reinitialize USB Pro Controller after resuming from suspend
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (137 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 138/241] HID: multitouch: Add required quirk for Synaptics 0xcd7e device Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 140/241] HID: Add quirk to ignore the touchscreen battery on HP ENVY 15-eu0556ng Greg Kroah-Hartman
` (111 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martino Fontana,
Daniel J. Ogorchock, Jiri Kosina, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martino Fontana <tinozzo123@gmail.com>
[ Upstream commit 95ea4d9fd385fe335b989f22d409df079a042b7a ]
When suspending the computer, a Switch Pro Controller connected via USB will
lose its internal status. However, because the USB connection was technically
never lost, when resuming the computer, the driver will attempt to communicate
with the controller as if nothing happened (and fail).
Because of this, the user was forced to manually disconnect the controller
(or to press the sync button on the controller to power it off), so that it
can be re-initialized.
With this patch, the controller will be automatically re-initialized after
resuming from suspend.
Closes: https://bugzilla.kernel.org/show_bug.cgi?id=216233
Signed-off-by: Martino Fontana <tinozzo123@gmail.com>
Reviewed-by: Daniel J. Ogorchock <djogorchock@gmail.com>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-nintendo.c | 175 ++++++++++++++++++++++---------------
1 file changed, 103 insertions(+), 72 deletions(-)
diff --git a/drivers/hid/hid-nintendo.c b/drivers/hid/hid-nintendo.c
index 250f5d2f888ab..10468f727e5bb 100644
--- a/drivers/hid/hid-nintendo.c
+++ b/drivers/hid/hid-nintendo.c
@@ -2088,7 +2088,9 @@ static int joycon_read_info(struct joycon_ctlr *ctlr)
struct joycon_input_report *report;
req.subcmd_id = JC_SUBCMD_REQ_DEV_INFO;
+ mutex_lock(&ctlr->output_mutex);
ret = joycon_send_subcmd(ctlr, &req, 0, HZ);
+ mutex_unlock(&ctlr->output_mutex);
if (ret) {
hid_err(ctlr->hdev, "Failed to get joycon info; ret=%d\n", ret);
return ret;
@@ -2117,6 +2119,85 @@ static int joycon_read_info(struct joycon_ctlr *ctlr)
return 0;
}
+static int joycon_init(struct hid_device *hdev)
+{
+ struct joycon_ctlr *ctlr = hid_get_drvdata(hdev);
+ int ret = 0;
+
+ mutex_lock(&ctlr->output_mutex);
+ /* if handshake command fails, assume ble pro controller */
+ if ((jc_type_is_procon(ctlr) || jc_type_is_chrggrip(ctlr)) &&
+ !joycon_send_usb(ctlr, JC_USB_CMD_HANDSHAKE, HZ)) {
+ hid_dbg(hdev, "detected USB controller\n");
+ /* set baudrate for improved latency */
+ ret = joycon_send_usb(ctlr, JC_USB_CMD_BAUDRATE_3M, HZ);
+ if (ret) {
+ hid_err(hdev, "Failed to set baudrate; ret=%d\n", ret);
+ goto out_unlock;
+ }
+ /* handshake */
+ ret = joycon_send_usb(ctlr, JC_USB_CMD_HANDSHAKE, HZ);
+ if (ret) {
+ hid_err(hdev, "Failed handshake; ret=%d\n", ret);
+ goto out_unlock;
+ }
+ /*
+ * Set no timeout (to keep controller in USB mode).
+ * This doesn't send a response, so ignore the timeout.
+ */
+ joycon_send_usb(ctlr, JC_USB_CMD_NO_TIMEOUT, HZ/10);
+ } else if (jc_type_is_chrggrip(ctlr)) {
+ hid_err(hdev, "Failed charging grip handshake\n");
+ ret = -ETIMEDOUT;
+ goto out_unlock;
+ }
+
+ /* get controller calibration data, and parse it */
+ ret = joycon_request_calibration(ctlr);
+ if (ret) {
+ /*
+ * We can function with default calibration, but it may be
+ * inaccurate. Provide a warning, and continue on.
+ */
+ hid_warn(hdev, "Analog stick positions may be inaccurate\n");
+ }
+
+ /* get IMU calibration data, and parse it */
+ ret = joycon_request_imu_calibration(ctlr);
+ if (ret) {
+ /*
+ * We can function with default calibration, but it may be
+ * inaccurate. Provide a warning, and continue on.
+ */
+ hid_warn(hdev, "Unable to read IMU calibration data\n");
+ }
+
+ /* Set the reporting mode to 0x30, which is the full report mode */
+ ret = joycon_set_report_mode(ctlr);
+ if (ret) {
+ hid_err(hdev, "Failed to set report mode; ret=%d\n", ret);
+ goto out_unlock;
+ }
+
+ /* Enable rumble */
+ ret = joycon_enable_rumble(ctlr);
+ if (ret) {
+ hid_err(hdev, "Failed to enable rumble; ret=%d\n", ret);
+ goto out_unlock;
+ }
+
+ /* Enable the IMU */
+ ret = joycon_enable_imu(ctlr);
+ if (ret) {
+ hid_err(hdev, "Failed to enable the IMU; ret=%d\n", ret);
+ goto out_unlock;
+ }
+
+out_unlock:
+ mutex_unlock(&ctlr->output_mutex);
+ return ret;
+}
+
/* Common handler for parsing inputs */
static int joycon_ctlr_read_handler(struct joycon_ctlr *ctlr, u8 *data,
int size)
@@ -2248,85 +2329,19 @@ static int nintendo_hid_probe(struct hid_device *hdev,
hid_device_io_start(hdev);
- /* Initialize the controller */
- mutex_lock(&ctlr->output_mutex);
- /* if handshake command fails, assume ble pro controller */
- if ((jc_type_is_procon(ctlr) || jc_type_is_chrggrip(ctlr)) &&
- !joycon_send_usb(ctlr, JC_USB_CMD_HANDSHAKE, HZ)) {
- hid_dbg(hdev, "detected USB controller\n");
- /* set baudrate for improved latency */
- ret = joycon_send_usb(ctlr, JC_USB_CMD_BAUDRATE_3M, HZ);
- if (ret) {
- hid_err(hdev, "Failed to set baudrate; ret=%d\n", ret);
- goto err_mutex;
- }
- /* handshake */
- ret = joycon_send_usb(ctlr, JC_USB_CMD_HANDSHAKE, HZ);
- if (ret) {
- hid_err(hdev, "Failed handshake; ret=%d\n", ret);
- goto err_mutex;
- }
- /*
- * Set no timeout (to keep controller in USB mode).
- * This doesn't send a response, so ignore the timeout.
- */
- joycon_send_usb(ctlr, JC_USB_CMD_NO_TIMEOUT, HZ/10);
- } else if (jc_type_is_chrggrip(ctlr)) {
- hid_err(hdev, "Failed charging grip handshake\n");
- ret = -ETIMEDOUT;
- goto err_mutex;
- }
-
- /* get controller calibration data, and parse it */
- ret = joycon_request_calibration(ctlr);
+ ret = joycon_init(hdev);
if (ret) {
- /*
- * We can function with default calibration, but it may be
- * inaccurate. Provide a warning, and continue on.
- */
- hid_warn(hdev, "Analog stick positions may be inaccurate\n");
- }
-
- /* get IMU calibration data, and parse it */
- ret = joycon_request_imu_calibration(ctlr);
- if (ret) {
- /*
- * We can function with default calibration, but it may be
- * inaccurate. Provide a warning, and continue on.
- */
- hid_warn(hdev, "Unable to read IMU calibration data\n");
- }
-
- /* Set the reporting mode to 0x30, which is the full report mode */
- ret = joycon_set_report_mode(ctlr);
- if (ret) {
- hid_err(hdev, "Failed to set report mode; ret=%d\n", ret);
- goto err_mutex;
- }
-
- /* Enable rumble */
- ret = joycon_enable_rumble(ctlr);
- if (ret) {
- hid_err(hdev, "Failed to enable rumble; ret=%d\n", ret);
- goto err_mutex;
- }
-
- /* Enable the IMU */
- ret = joycon_enable_imu(ctlr);
- if (ret) {
- hid_err(hdev, "Failed to enable the IMU; ret=%d\n", ret);
- goto err_mutex;
+ hid_err(hdev, "Failed to initialize controller; ret=%d\n", ret);
+ goto err_close;
}
ret = joycon_read_info(ctlr);
if (ret) {
hid_err(hdev, "Failed to retrieve controller info; ret=%d\n",
ret);
- goto err_mutex;
+ goto err_close;
}
- mutex_unlock(&ctlr->output_mutex);
-
/* Initialize the leds */
ret = joycon_leds_create(ctlr);
if (ret) {
@@ -2352,8 +2367,6 @@ static int nintendo_hid_probe(struct hid_device *hdev,
hid_dbg(hdev, "probe - success\n");
return 0;
-err_mutex:
- mutex_unlock(&ctlr->output_mutex);
err_close:
hid_hw_close(hdev);
err_stop:
@@ -2383,6 +2396,20 @@ static void nintendo_hid_remove(struct hid_device *hdev)
hid_hw_stop(hdev);
}
+#ifdef CONFIG_PM
+
+static int nintendo_hid_resume(struct hid_device *hdev)
+{
+ int ret = joycon_init(hdev);
+
+ if (ret)
+ hid_err(hdev, "Failed to restore controller after resume");
+
+ return ret;
+}
+
+#endif
+
static const struct hid_device_id nintendo_hid_devices[] = {
{ HID_USB_DEVICE(USB_VENDOR_ID_NINTENDO,
USB_DEVICE_ID_NINTENDO_PROCON) },
@@ -2404,6 +2431,10 @@ static struct hid_driver nintendo_hid_driver = {
.probe = nintendo_hid_probe,
.remove = nintendo_hid_remove,
.raw_event = nintendo_hid_event,
+
+#ifdef CONFIG_PM
+ .resume = nintendo_hid_resume,
+#endif
};
module_hid_driver(nintendo_hid_driver);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 140/241] HID: Add quirk to ignore the touchscreen battery on HP ENVY 15-eu0556ng
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (138 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 139/241] HID: nintendo: reinitialize USB Pro Controller after resuming from suspend Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 141/241] platform/x86: touchscreen_dmi: Add info for the Positivo C4128B Greg Kroah-Hartman
` (110 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Fabian Vogt, Jiri Kosina, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabian Vogt <fabian@ritter-vogt.de>
[ Upstream commit b009aa38a380becd98cc4e01c9b7626a11cb4905 ]
Like various other devices using similar hardware, this model reports a
perpetually empty battery (0-1%).
Join the others and apply HID_BATTERY_QUIRK_IGNORE.
Signed-off-by: Fabian Vogt <fabian@ritter-vogt.de>
Signed-off-by: Jiri Kosina <jkosina@suse.cz>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/hid/hid-ids.h | 1 +
drivers/hid/hid-input.c | 2 ++
2 files changed, 3 insertions(+)
diff --git a/drivers/hid/hid-ids.h b/drivers/hid/hid-ids.h
index 8a310f8ff20f5..cc0d0186a0d95 100644
--- a/drivers/hid/hid-ids.h
+++ b/drivers/hid/hid-ids.h
@@ -425,6 +425,7 @@
#define I2C_DEVICE_ID_HP_SPECTRE_X360_13T_AW100 0x29F5
#define I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V1 0x2BED
#define I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V2 0x2BEE
+#define I2C_DEVICE_ID_HP_ENVY_X360_15_EU0556NG 0x2D02
#define USB_VENDOR_ID_ELECOM 0x056e
#define USB_DEVICE_ID_ELECOM_BM084 0x0061
diff --git a/drivers/hid/hid-input.c b/drivers/hid/hid-input.c
index 40a5645f8fe81..5e2f721855e59 100644
--- a/drivers/hid/hid-input.c
+++ b/drivers/hid/hid-input.c
@@ -406,6 +406,8 @@ static const struct hid_device_id hid_battery_quirks[] = {
HID_BATTERY_QUIRK_IGNORE },
{ HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_SPECTRE_X360_14T_EA100_V2),
HID_BATTERY_QUIRK_IGNORE },
+ { HID_I2C_DEVICE(USB_VENDOR_ID_ELAN, I2C_DEVICE_ID_HP_ENVY_X360_15_EU0556NG),
+ HID_BATTERY_QUIRK_IGNORE },
{}
};
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 141/241] platform/x86: touchscreen_dmi: Add info for the Positivo C4128B
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (139 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 140/241] HID: Add quirk to ignore the touchscreen battery on HP ENVY 15-eu0556ng Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 142/241] cpufreq: schedutil: Update next_freq when cpufreq_limits change Greg Kroah-Hartman
` (109 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Renan Guilherme Lebre Ramos,
Hans de Goede, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Renan Guilherme Lebre Ramos <japareaggae@gmail.com>
[ Upstream commit aa7dcba3bae6869122828b144a3cfd231718089d ]
Add information for the Positivo C4128B, a notebook/tablet convertible.
Link: https://github.com/onitake/gsl-firmware/pull/217
Signed-off-by: Renan Guilherme Lebre Ramos <japareaggae@gmail.com>
Link: https://lore.kernel.org/r/20231004235900.426240-1-japareaggae@gmail.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/platform/x86/touchscreen_dmi.c | 23 +++++++++++++++++++++++
1 file changed, 23 insertions(+)
diff --git a/drivers/platform/x86/touchscreen_dmi.c b/drivers/platform/x86/touchscreen_dmi.c
index 363a9848e2b88..0c67337726984 100644
--- a/drivers/platform/x86/touchscreen_dmi.c
+++ b/drivers/platform/x86/touchscreen_dmi.c
@@ -771,6 +771,21 @@ static const struct ts_dmi_data pipo_w11_data = {
.properties = pipo_w11_props,
};
+static const struct property_entry positivo_c4128b_props[] = {
+ PROPERTY_ENTRY_U32("touchscreen-min-x", 4),
+ PROPERTY_ENTRY_U32("touchscreen-min-y", 13),
+ PROPERTY_ENTRY_U32("touchscreen-size-x", 1915),
+ PROPERTY_ENTRY_U32("touchscreen-size-y", 1269),
+ PROPERTY_ENTRY_STRING("firmware-name", "gsl1680-positivo-c4128b.fw"),
+ PROPERTY_ENTRY_U32("silead,max-fingers", 10),
+ { }
+};
+
+static const struct ts_dmi_data positivo_c4128b_data = {
+ .acpi_name = "MSSL1680:00",
+ .properties = positivo_c4128b_props,
+};
+
static const struct property_entry pov_mobii_wintab_p800w_v20_props[] = {
PROPERTY_ENTRY_U32("touchscreen-min-x", 32),
PROPERTY_ENTRY_U32("touchscreen-min-y", 16),
@@ -1502,6 +1517,14 @@ const struct dmi_system_id touchscreen_dmi_table[] = {
DMI_MATCH(DMI_BIOS_VERSION, "MOMO.G.WI71C.MABMRBA02"),
},
},
+ {
+ /* Positivo C4128B */
+ .driver_data = (void *)&positivo_c4128b_data,
+ .matches = {
+ DMI_MATCH(DMI_SYS_VENDOR, "Positivo Tecnologia SA"),
+ DMI_MATCH(DMI_PRODUCT_NAME, "C4128B-1"),
+ },
+ },
{
/* Point of View mobii wintab p800w (v2.0) */
.driver_data = (void *)&pov_mobii_wintab_p800w_v20_data,
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 142/241] cpufreq: schedutil: Update next_freq when cpufreq_limits change
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (140 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 141/241] platform/x86: touchscreen_dmi: Add info for the Positivo C4128B Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 143/241] io-wq: fully initialize wqe before calling cpuhp_state_add_instance_nocalls() Greg Kroah-Hartman
` (108 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Xuewen Yan, Guohua Yan, Ingo Molnar,
Rafael J. Wysocki, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xuewen Yan <xuewen.yan@unisoc.com>
[ Upstream commit 9e0bc36ab07c550d791bf17feeb479f1dfc42d89 ]
When cpufreq's policy is 'single', there is a scenario that will
cause sg_policy's next_freq to be unable to update.
When the CPU's util is always max, the cpufreq will be max,
and then if we change the policy's scaling_max_freq to be a
lower freq, indeed, the sg_policy's next_freq need change to
be the lower freq, however, because the cpu_is_busy, the next_freq
would keep the max_freq.
For example:
The cpu7 is a single CPU:
unisoc:/sys/devices/system/cpu/cpufreq/policy7 # while true;do done& [1] 4737
unisoc:/sys/devices/system/cpu/cpufreq/policy7 # taskset -p 80 4737
pid 4737's current affinity mask: ff
pid 4737's new affinity mask: 80
unisoc:/sys/devices/system/cpu/cpufreq/policy7 # cat scaling_max_freq
2301000
unisoc:/sys/devices/system/cpu/cpufreq/policy7 # cat scaling_cur_freq
2301000
unisoc:/sys/devices/system/cpu/cpufreq/policy7 # echo 2171000 > scaling_max_freq
unisoc:/sys/devices/system/cpu/cpufreq/policy7 # cat scaling_max_freq
2171000
At this time, the sg_policy's next_freq would stay at 2301000, which
is wrong.
To fix this, add a check for the ->need_freq_update flag.
[ mingo: Clarified the changelog. ]
Co-developed-by: Guohua Yan <guohua.yan@unisoc.com>
Signed-off-by: Xuewen Yan <xuewen.yan@unisoc.com>
Signed-off-by: Guohua Yan <guohua.yan@unisoc.com>
Signed-off-by: Ingo Molnar <mingo@kernel.org>
Acked-by: "Rafael J. Wysocki" <rafael@kernel.org>
Link: https://lore.kernel.org/r/20230719130527.8074-1-xuewen.yan@unisoc.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
kernel/sched/cpufreq_schedutil.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/kernel/sched/cpufreq_schedutil.c b/kernel/sched/cpufreq_schedutil.c
index 4492608b7d7f1..458d359f5991c 100644
--- a/kernel/sched/cpufreq_schedutil.c
+++ b/kernel/sched/cpufreq_schedutil.c
@@ -350,7 +350,8 @@ static void sugov_update_single_freq(struct update_util_data *hook, u64 time,
* Except when the rq is capped by uclamp_max.
*/
if (!uclamp_rq_is_capped(cpu_rq(sg_cpu->cpu)) &&
- sugov_cpu_is_busy(sg_cpu) && next_f < sg_policy->next_freq) {
+ sugov_cpu_is_busy(sg_cpu) && next_f < sg_policy->next_freq &&
+ !sg_policy->need_freq_update) {
next_f = sg_policy->next_freq;
/* Restore cached freq as next_freq has changed */
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 143/241] io-wq: fully initialize wqe before calling cpuhp_state_add_instance_nocalls()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (141 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 142/241] cpufreq: schedutil: Update next_freq when cpufreq_limits change Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 144/241] Bluetooth: hci_sync: Fix not handling ISO_LINK in hci_abort_conn_sync Greg Kroah-Hartman
` (107 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Jeff Moyer, Jens Axboe, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jeff Moyer <jmoyer@redhat.com>
[ Upstream commit 0f8baa3c9802fbfe313c901e1598397b61b91ada ]
I received a bug report with the following signature:
[ 1759.937637] BUG: unable to handle page fault for address: ffffffffffffffe8
[ 1759.944564] #PF: supervisor read access in kernel mode
[ 1759.949732] #PF: error_code(0x0000) - not-present page
[ 1759.954901] PGD 7ab615067 P4D 7ab615067 PUD 7ab617067 PMD 0
[ 1759.960596] Oops: 0000 1 PREEMPT SMP PTI
[ 1759.964804] CPU: 15 PID: 109 Comm: cpuhp/15 Kdump: loaded Tainted: G X ------- — 5.14.0-362.3.1.el9_3.x86_64 #1
[ 1759.976609] Hardware name: HPE ProLiant DL380 Gen10/ProLiant DL380 Gen10, BIOS U30 06/20/2018
[ 1759.985181] RIP: 0010:io_wq_for_each_worker.isra.0+0x24/0xa0
[ 1759.990877] Code: 90 90 90 90 90 90 0f 1f 44 00 00 41 56 41 55 41 54 55 48 8d 6f 78 53 48 8b 47 78 48 39 c5 74 4f 49 89 f5 49 89 d4 48 8d 58 e8 <8b> 13 85 d2 74 32 8d 4a 01 89 d0 f0 0f b1 0b 75 5c 09 ca 78 3d 48
[ 1760.009758] RSP: 0000:ffffb6f403603e20 EFLAGS: 00010286
[ 1760.015013] RAX: 0000000000000000 RBX: ffffffffffffffe8 RCX: 0000000000000000
[ 1760.022188] RDX: ffffb6f403603e50 RSI: ffffffffb11e95b0 RDI: ffff9f73b09e9400
[ 1760.029362] RBP: ffff9f73b09e9478 R08: 000000000000000f R09: 0000000000000000
[ 1760.036536] R10: ffffffffffffff00 R11: ffffb6f403603d80 R12: ffffb6f403603e50
[ 1760.043712] R13: ffffffffb11e95b0 R14: ffffffffb28531e8 R15: ffff9f7a6fbdf548
[ 1760.050887] FS: 0000000000000000(0000) GS:ffff9f7a6fbc0000(0000) knlGS:0000000000000000
[ 1760.059025] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1760.064801] CR2: ffffffffffffffe8 CR3: 00000007ab610002 CR4: 00000000007706e0
[ 1760.071976] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[ 1760.079150] DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
[ 1760.086325] PKRU: 55555554
[ 1760.089044] Call Trace:
[ 1760.091501] <TASK>
[ 1760.093612] ? show_trace_log_lvl+0x1c4/0x2df
[ 1760.097995] ? show_trace_log_lvl+0x1c4/0x2df
[ 1760.102377] ? __io_wq_cpu_online+0x54/0xb0
[ 1760.106584] ? __die_body.cold+0x8/0xd
[ 1760.110356] ? page_fault_oops+0x134/0x170
[ 1760.114479] ? kernelmode_fixup_or_oops+0x84/0x110
[ 1760.119298] ? exc_page_fault+0xa8/0x150
[ 1760.123247] ? asm_exc_page_fault+0x22/0x30
[ 1760.127458] ? __pfx_io_wq_worker_affinity+0x10/0x10
[ 1760.132453] ? __pfx_io_wq_worker_affinity+0x10/0x10
[ 1760.137446] ? io_wq_for_each_worker.isra.0+0x24/0xa0
[ 1760.142527] __io_wq_cpu_online+0x54/0xb0
[ 1760.146558] cpuhp_invoke_callback+0x109/0x460
[ 1760.151029] ? __pfx_io_wq_cpu_offline+0x10/0x10
[ 1760.155673] ? __pfx_smpboot_thread_fn+0x10/0x10
[ 1760.160320] cpuhp_thread_fun+0x8d/0x140
[ 1760.164266] smpboot_thread_fn+0xd3/0x1a0
[ 1760.168297] kthread+0xdd/0x100
[ 1760.171457] ? __pfx_kthread+0x10/0x10
[ 1760.175225] ret_from_fork+0x29/0x50
[ 1760.178826] </TASK>
[ 1760.181022] Modules linked in: rpcsec_gss_krb5 auth_rpcgss nfsv4 dns_resolver nfs lockd grace fscache netfs rfkill sunrpc vfat fat dm_multipath intel_rapl_msr intel_rapl_common isst_if_common ipmi_ssif nfit libnvdimm mgag200 i2c_algo_bit ioatdma drm_shmem_helper drm_kms_helper acpi_ipmi syscopyarea x86_pkg_temp_thermal sysfillrect ipmi_si intel_powerclamp sysimgblt ipmi_devintf coretemp acpi_power_meter ipmi_msghandler rapl pcspkr dca intel_pch_thermal intel_cstate ses lpc_ich intel_uncore enclosure hpilo mei_me mei acpi_tad fuse drm xfs sd_mod sg bnx2x nvme nvme_core crct10dif_pclmul crc32_pclmul nvme_common ghash_clmulni_intel smartpqi tg3 t10_pi mdio uas libcrc32c crc32c_intel scsi_transport_sas usb_storage hpwdt wmi dm_mirror dm_region_hash dm_log dm_mod
[ 1760.248623] CR2: ffffffffffffffe8
A cpu hotplug callback was issued before wq->all_list was initialized.
This results in a null pointer dereference. The fix is to fully setup
the io_wq before calling cpuhp_state_add_instance_nocalls().
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Link: https://lore.kernel.org/r/x49y1ghnecs.fsf@segfault.boston.devel.redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
io_uring/io-wq.c | 10 ++++------
1 file changed, 4 insertions(+), 6 deletions(-)
diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c
index 2c03bc881edfd..fbab9b2727fde 100644
--- a/io_uring/io-wq.c
+++ b/io_uring/io-wq.c
@@ -1130,9 +1130,6 @@ struct io_wq *io_wq_create(unsigned bounded, struct io_wq_data *data)
wq = kzalloc(sizeof(struct io_wq), GFP_KERNEL);
if (!wq)
return ERR_PTR(-ENOMEM);
- ret = cpuhp_state_add_instance_nocalls(io_wq_online, &wq->cpuhp_node);
- if (ret)
- goto err_wq;
refcount_inc(&data->hash->refs);
wq->hash = data->hash;
@@ -1165,13 +1162,14 @@ struct io_wq *io_wq_create(unsigned bounded, struct io_wq_data *data)
wq->task = get_task_struct(data->task);
atomic_set(&wq->worker_refs, 1);
init_completion(&wq->worker_done);
+ ret = cpuhp_state_add_instance_nocalls(io_wq_online, &wq->cpuhp_node);
+ if (ret)
+ goto err;
+
return wq;
err:
io_wq_put_hash(data->hash);
- cpuhp_state_remove_instance_nocalls(io_wq_online, &wq->cpuhp_node);
-
free_cpumask_var(wq->cpu_mask);
-err_wq:
kfree(wq);
return ERR_PTR(ret);
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 144/241] Bluetooth: hci_sync: Fix not handling ISO_LINK in hci_abort_conn_sync
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (142 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 143/241] io-wq: fully initialize wqe before calling cpuhp_state_add_instance_nocalls() Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 145/241] Bluetooth: hci_sync: Introduce PTR_UINT/UINT_PTR macros Greg Kroah-Hartman
` (106 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit 04a51d616929eb96b7a3e547bc11d3bb46af2c9f ]
ISO_LINK connections where not being handled properly on
hci_abort_conn_sync which sometimes resulted in sending the wrong
commands, or in case of having the reject command being sent by the
socket code (iso.c) which is sort of a layer violation.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: acab8ff29a2a ("Bluetooth: ISO: Fix invalid context error")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_conn.c | 23 +++++++++++++++++++----
net/bluetooth/hci_sync.c | 34 ++++++++++++++++++++++++++++++++++
net/bluetooth/iso.c | 14 --------------
3 files changed, 53 insertions(+), 18 deletions(-)
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 41250e4b94dff..4e9654fe89c9e 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -1277,7 +1277,12 @@ u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
{
- struct hci_conn *conn = data;
+ struct hci_conn *conn;
+ u16 handle = PTR_ERR(data);
+
+ conn = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!conn)
+ return;
bt_dev_dbg(hdev, "err %d", err);
@@ -1302,10 +1307,17 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
static int hci_connect_le_sync(struct hci_dev *hdev, void *data)
{
- struct hci_conn *conn = data;
+ struct hci_conn *conn;
+ u16 handle = PTR_ERR(data);
+
+ conn = hci_conn_hash_lookup_handle(hdev, handle);
+ if (!conn)
+ return 0;
bt_dev_dbg(hdev, "conn %p", conn);
+ conn->state = BT_CONNECT;
+
return hci_le_create_conn_sync(hdev, conn);
}
@@ -1375,10 +1387,10 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
conn->sec_level = BT_SECURITY_LOW;
conn->conn_timeout = conn_timeout;
- conn->state = BT_CONNECT;
clear_bit(HCI_CONN_SCANNING, &conn->flags);
- err = hci_cmd_sync_queue(hdev, hci_connect_le_sync, conn,
+ err = hci_cmd_sync_queue(hdev, hci_connect_le_sync,
+ ERR_PTR(conn->handle),
create_le_conn_complete);
if (err) {
hci_conn_del(conn);
@@ -2905,6 +2917,9 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
/* If the connection is pending check the command opcode since that
* might be blocking on hci_cmd_sync_work while waiting its respective
* event so we need to hci_cmd_sync_cancel to cancel it.
+ *
+ * hci_connect_le serializes the connection attempts so only one
+ * connection can be in BT_CONNECT at time.
*/
if (conn->state == BT_CONNECT && hdev->req_status == HCI_REQ_PEND) {
switch (hci_skb_event(hdev->sent_cmd)) {
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 6aaecd6e656bc..caf4263ef9b77 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5290,6 +5290,24 @@ static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn,
if (conn->type == LE_LINK)
return hci_le_connect_cancel_sync(hdev, conn, reason);
+ if (conn->type == ISO_LINK) {
+ /* BLUETOOTH CORE SPECIFICATION Version 5.3 | Vol 4, Part E
+ * page 1857:
+ *
+ * If this command is issued for a CIS on the Central and the
+ * CIS is successfully terminated before being established,
+ * then an HCI_LE_CIS_Established event shall also be sent for
+ * this CIS with the Status Operation Cancelled by Host (0x44).
+ */
+ if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags))
+ return hci_disconnect_sync(hdev, conn, reason);
+
+ /* There is no way to cancel a BIS without terminating the BIG
+ * which is done later on connection cleanup.
+ */
+ return 0;
+ }
+
if (hdev->hci_ver < BLUETOOTH_VER_1_2)
return 0;
@@ -5316,11 +5334,27 @@ static int hci_reject_sco_sync(struct hci_dev *hdev, struct hci_conn *conn,
sizeof(cp), &cp, HCI_CMD_TIMEOUT);
}
+static int hci_le_reject_cis_sync(struct hci_dev *hdev, struct hci_conn *conn,
+ u8 reason)
+{
+ struct hci_cp_le_reject_cis cp;
+
+ memset(&cp, 0, sizeof(cp));
+ cp.handle = cpu_to_le16(conn->handle);
+ cp.reason = reason;
+
+ return __hci_cmd_sync_status(hdev, HCI_OP_LE_REJECT_CIS,
+ sizeof(cp), &cp, HCI_CMD_TIMEOUT);
+}
+
static int hci_reject_conn_sync(struct hci_dev *hdev, struct hci_conn *conn,
u8 reason)
{
struct hci_cp_reject_conn_req cp;
+ if (conn->type == ISO_LINK)
+ return hci_le_reject_cis_sync(hdev, conn, reason);
+
if (conn->type == SCO_LINK || conn->type == ESCO_LINK)
return hci_reject_sco_sync(hdev, conn, reason);
diff --git a/net/bluetooth/iso.c b/net/bluetooth/iso.c
index 42f7b257bdfbc..c8460eb7f5c0b 100644
--- a/net/bluetooth/iso.c
+++ b/net/bluetooth/iso.c
@@ -622,18 +622,6 @@ static void iso_sock_kill(struct sock *sk)
sock_put(sk);
}
-static void iso_conn_defer_reject(struct hci_conn *conn)
-{
- struct hci_cp_le_reject_cis cp;
-
- BT_DBG("conn %p", conn);
-
- memset(&cp, 0, sizeof(cp));
- cp.handle = cpu_to_le16(conn->handle);
- cp.reason = HCI_ERROR_REJ_BAD_ADDR;
- hci_send_cmd(conn->hdev, HCI_OP_LE_REJECT_CIS, sizeof(cp), &cp);
-}
-
static void __iso_sock_close(struct sock *sk)
{
BT_DBG("sk %p state %d socket %p", sk, sk->sk_state, sk->sk_socket);
@@ -658,8 +646,6 @@ static void __iso_sock_close(struct sock *sk)
break;
case BT_CONNECT2:
- if (iso_pi(sk)->conn->hcon)
- iso_conn_defer_reject(iso_pi(sk)->conn->hcon);
iso_chan_del(sk, ECONNRESET);
break;
case BT_CONNECT:
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 145/241] Bluetooth: hci_sync: Introduce PTR_UINT/UINT_PTR macros
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (143 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 144/241] Bluetooth: hci_sync: Fix not handling ISO_LINK in hci_abort_conn_sync Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 146/241] Bluetooth: ISO: Fix invalid context error Greg Kroah-Hartman
` (105 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit a1f6c3aef13c9e7f8d459bd464e9e34da1342c0c ]
This introduces PTR_UINT/UINT_PTR macros and replace the use of
PTR_ERR/ERR_PTR.
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: acab8ff29a2a ("Bluetooth: ISO: Fix invalid context error")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
include/net/bluetooth/hci_sync.h | 3 +++
net/bluetooth/hci_conn.c | 19 ++++++++++---------
net/bluetooth/hci_sync.c | 4 ++--
3 files changed, 15 insertions(+), 11 deletions(-)
diff --git a/include/net/bluetooth/hci_sync.h b/include/net/bluetooth/hci_sync.h
index b516a0f4a55b8..57eeb07aeb251 100644
--- a/include/net/bluetooth/hci_sync.h
+++ b/include/net/bluetooth/hci_sync.h
@@ -5,6 +5,9 @@
* Copyright (C) 2021 Intel Corporation
*/
+#define UINT_PTR(_handle) ((void *)((uintptr_t)_handle))
+#define PTR_UINT(_ptr) ((uintptr_t)((void *)_ptr))
+
typedef int (*hci_cmd_sync_work_func_t)(struct hci_dev *hdev, void *data);
typedef void (*hci_cmd_sync_work_destroy_t)(struct hci_dev *hdev, void *data,
int err);
diff --git a/net/bluetooth/hci_conn.c b/net/bluetooth/hci_conn.c
index 4e9654fe89c9e..6d6192f514d0f 100644
--- a/net/bluetooth/hci_conn.c
+++ b/net/bluetooth/hci_conn.c
@@ -874,7 +874,7 @@ static void bis_cleanup(struct hci_conn *conn)
static int remove_cig_sync(struct hci_dev *hdev, void *data)
{
- u8 handle = PTR_ERR(data);
+ u8 handle = PTR_UINT(data);
return hci_le_remove_cig_sync(hdev, handle);
}
@@ -883,7 +883,8 @@ static int hci_le_remove_cig(struct hci_dev *hdev, u8 handle)
{
bt_dev_dbg(hdev, "handle 0x%2.2x", handle);
- return hci_cmd_sync_queue(hdev, remove_cig_sync, ERR_PTR(handle), NULL);
+ return hci_cmd_sync_queue(hdev, remove_cig_sync, UINT_PTR(handle),
+ NULL);
}
static void find_cis(struct hci_conn *conn, void *data)
@@ -1278,7 +1279,7 @@ u8 hci_conn_set_handle(struct hci_conn *conn, u16 handle)
static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
{
struct hci_conn *conn;
- u16 handle = PTR_ERR(data);
+ u16 handle = PTR_UINT(data);
conn = hci_conn_hash_lookup_handle(hdev, handle);
if (!conn)
@@ -1308,7 +1309,7 @@ static void create_le_conn_complete(struct hci_dev *hdev, void *data, int err)
static int hci_connect_le_sync(struct hci_dev *hdev, void *data)
{
struct hci_conn *conn;
- u16 handle = PTR_ERR(data);
+ u16 handle = PTR_UINT(data);
conn = hci_conn_hash_lookup_handle(hdev, handle);
if (!conn)
@@ -1390,7 +1391,7 @@ struct hci_conn *hci_connect_le(struct hci_dev *hdev, bdaddr_t *dst,
clear_bit(HCI_CONN_SCANNING, &conn->flags);
err = hci_cmd_sync_queue(hdev, hci_connect_le_sync,
- ERR_PTR(conn->handle),
+ UINT_PTR(conn->handle),
create_le_conn_complete);
if (err) {
hci_conn_del(conn);
@@ -1767,7 +1768,7 @@ static int hci_le_create_big(struct hci_conn *conn, struct bt_iso_qos *qos)
static int set_cig_params_sync(struct hci_dev *hdev, void *data)
{
- u8 cig_id = PTR_ERR(data);
+ u8 cig_id = PTR_UINT(data);
struct hci_conn *conn;
struct bt_iso_qos *qos;
struct iso_cig_params pdu;
@@ -1877,7 +1878,7 @@ static bool hci_le_set_cig_params(struct hci_conn *conn, struct bt_iso_qos *qos)
done:
if (hci_cmd_sync_queue(hdev, set_cig_params_sync,
- ERR_PTR(qos->ucast.cig), NULL) < 0)
+ UINT_PTR(qos->ucast.cig), NULL) < 0)
return false;
return true;
@@ -2891,7 +2892,7 @@ u32 hci_conn_get_phy(struct hci_conn *conn)
static int abort_conn_sync(struct hci_dev *hdev, void *data)
{
struct hci_conn *conn;
- u16 handle = PTR_ERR(data);
+ u16 handle = PTR_UINT(data);
conn = hci_conn_hash_lookup_handle(hdev, handle);
if (!conn)
@@ -2931,6 +2932,6 @@ int hci_abort_conn(struct hci_conn *conn, u8 reason)
}
}
- return hci_cmd_sync_queue(hdev, abort_conn_sync, ERR_PTR(conn->handle),
+ return hci_cmd_sync_queue(hdev, abort_conn_sync, UINT_PTR(conn->handle),
NULL);
}
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index caf4263ef9b77..73cdd051dd464 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -6545,7 +6545,7 @@ int hci_get_random_address(struct hci_dev *hdev, bool require_privacy,
static int _update_adv_data_sync(struct hci_dev *hdev, void *data)
{
- u8 instance = PTR_ERR(data);
+ u8 instance = PTR_UINT(data);
return hci_update_adv_data_sync(hdev, instance);
}
@@ -6553,5 +6553,5 @@ static int _update_adv_data_sync(struct hci_dev *hdev, void *data)
int hci_update_adv_data(struct hci_dev *hdev, u8 instance)
{
return hci_cmd_sync_queue(hdev, _update_adv_data_sync,
- ERR_PTR(instance), NULL);
+ UINT_PTR(instance), NULL);
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 146/241] Bluetooth: ISO: Fix invalid context error
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (144 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 145/241] Bluetooth: hci_sync: Introduce PTR_UINT/UINT_PTR macros Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 147/241] Bluetooth: hci_sync: delete CIS in BT_OPEN/CONNECT/BOUND when aborting Greg Kroah-Hartman
` (104 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+c715e1bd8dfbcb1ab176,
Iulia Tanasescu, Luiz Augusto von Dentz, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Iulia Tanasescu <iulia.tanasescu@nxp.com>
[ Upstream commit acab8ff29a2a226409cfe04e6d2e0896928c1b3a ]
This moves the hci_le_terminate_big_sync call from rx_work
to cmd_sync_work, to avoid calling sleeping function from
an invalid context.
Reported-by: syzbot+c715e1bd8dfbcb1ab176@syzkaller.appspotmail.com
Fixes: a0bfde167b50 ("Bluetooth: ISO: Add support for connecting multiple BISes")
Signed-off-by: Iulia Tanasescu <iulia.tanasescu@nxp.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_event.c | 15 ++++++++++++---
1 file changed, 12 insertions(+), 3 deletions(-)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index d331027363313..9d8aa6ad23dc2 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -6978,6 +6978,14 @@ static void hci_le_cis_req_evt(struct hci_dev *hdev, void *data,
hci_dev_unlock(hdev);
}
+static int hci_iso_term_big_sync(struct hci_dev *hdev, void *data)
+{
+ u8 handle = PTR_UINT(data);
+
+ return hci_le_terminate_big_sync(hdev, handle,
+ HCI_ERROR_LOCAL_HOST_TERM);
+}
+
static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
struct sk_buff *skb)
{
@@ -7022,16 +7030,17 @@ static void hci_le_create_big_complete_evt(struct hci_dev *hdev, void *data,
rcu_read_lock();
}
+ rcu_read_unlock();
+
if (!ev->status && !i)
/* If no BISes have been connected for the BIG,
* terminate. This is in case all bound connections
* have been closed before the BIG creation
* has completed.
*/
- hci_le_terminate_big_sync(hdev, ev->handle,
- HCI_ERROR_LOCAL_HOST_TERM);
+ hci_cmd_sync_queue(hdev, hci_iso_term_big_sync,
+ UINT_PTR(ev->handle), NULL);
- rcu_read_unlock();
hci_dev_unlock(hdev);
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 147/241] Bluetooth: hci_sync: delete CIS in BT_OPEN/CONNECT/BOUND when aborting
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (145 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 146/241] Bluetooth: ISO: Fix invalid context error Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 148/241] Bluetooth: hci_sync: always check if connection is alive before deleting Greg Kroah-Hartman
` (103 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pauli Virtanen,
Luiz Augusto von Dentz, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pauli Virtanen <pav@iki.fi>
[ Upstream commit 2889bdd0a9a195533c2103e7b39ab0de844d72f6 ]
Dropped CIS that are in state BT_OPEN/BT_BOUND, and in state BT_CONNECT
with HCI_CONN_CREATE_CIS unset, should be cleaned up immediately.
Closing CIS ISO sockets should result to the hci_conn be deleted, so
that potentially pending CIG removal can run.
hci_abort_conn cannot refer to them by handle, since their handle is
still unset if Set CIG Parameters has not yet completed.
This fixes CIS not being terminated if the socket is shut down
immediately after connection, so that the hci_abort_conn runs before Set
CIG Parameters completes. See new BlueZ test "ISO Connect Close - Success"
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Stable-dep-of: a239110ee8e0 ("Bluetooth: hci_sync: always check if connection is alive before deleting")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_sync.c | 16 +++++++++-------
1 file changed, 9 insertions(+), 7 deletions(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index 73cdd051dd464..d21127e992c0f 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5302,6 +5302,10 @@ static int hci_connect_cancel_sync(struct hci_dev *hdev, struct hci_conn *conn,
if (test_bit(HCI_CONN_CREATE_CIS, &conn->flags))
return hci_disconnect_sync(hdev, conn, reason);
+ /* CIS with no Create CIS sent have nothing to cancel */
+ if (bacmp(&conn->dst, BDADDR_ANY))
+ return HCI_ERROR_LOCAL_HOST_TERM;
+
/* There is no way to cancel a BIS without terminating the BIG
* which is done later on connection cleanup.
*/
@@ -5384,13 +5388,11 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
err = hci_reject_conn_sync(hdev, conn, reason);
break;
case BT_OPEN:
- /* Cleanup bises that failed to be established */
- if (test_and_clear_bit(HCI_CONN_BIG_SYNC_FAILED, &conn->flags)) {
- hci_dev_lock(hdev);
- hci_conn_failed(conn, reason);
- hci_dev_unlock(hdev);
- }
- break;
+ case BT_BOUND:
+ hci_dev_lock(hdev);
+ hci_conn_failed(conn, reason);
+ hci_dev_unlock(hdev);
+ return 0;
default:
hci_dev_lock(hdev);
conn->state = BT_CLOSED;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 148/241] Bluetooth: hci_sync: always check if connection is alive before deleting
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (146 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 147/241] Bluetooth: hci_sync: delete CIS in BT_OPEN/CONNECT/BOUND when aborting Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 149/241] net/mlx5: E-switch, register event handler before arming the event Greg Kroah-Hartman
` (102 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pauli Virtanen,
Luiz Augusto von Dentz, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pauli Virtanen <pav@iki.fi>
[ Upstream commit a239110ee8e0b0aafa265f0d54f7a16744855e70 ]
In hci_abort_conn_sync it is possible that conn is deleted concurrently
by something else, also e.g. when waiting for hdev->lock. This causes
double deletion of the conn, so UAF or conn_hash.list corruption.
Fix by having all code paths check that the connection is still in
conn_hash before deleting it, while holding hdev->lock which prevents
any races.
Log (when powering off while BAP streaming, occurs rarely):
=======================================================================
kernel BUG at lib/list_debug.c:56!
...
? __list_del_entry_valid (lib/list_debug.c:56)
hci_conn_del (net/bluetooth/hci_conn.c:154) bluetooth
hci_abort_conn_sync (net/bluetooth/hci_sync.c:5415) bluetooth
? __pfx_hci_abort_conn_sync+0x10/0x10 [bluetooth]
? lock_release+0x1d5/0x3c0
? hci_disconnect_all_sync.constprop.0+0xb2/0x230 [bluetooth]
? __pfx_lock_release+0x10/0x10
? __kmem_cache_free+0x14d/0x2e0
hci_disconnect_all_sync.constprop.0+0xda/0x230 [bluetooth]
? __pfx_hci_disconnect_all_sync.constprop.0+0x10/0x10 [bluetooth]
? hci_clear_adv_sync+0x14f/0x170 [bluetooth]
? __pfx_set_powered_sync+0x10/0x10 [bluetooth]
hci_set_powered_sync+0x293/0x450 [bluetooth]
=======================================================================
Fixes: 94d9ba9f9888 ("Bluetooth: hci_sync: Fix UAF in hci_disconnect_all_sync")
Signed-off-by: Pauli Virtanen <pav@iki.fi>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_sync.c | 26 ++++++++++++--------------
1 file changed, 12 insertions(+), 14 deletions(-)
diff --git a/net/bluetooth/hci_sync.c b/net/bluetooth/hci_sync.c
index d21127e992c0f..360813ab0c4db 100644
--- a/net/bluetooth/hci_sync.c
+++ b/net/bluetooth/hci_sync.c
@@ -5374,6 +5374,7 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
{
int err = 0;
u16 handle = conn->handle;
+ bool disconnect = false;
struct hci_conn *c;
switch (conn->state) {
@@ -5389,24 +5390,15 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
break;
case BT_OPEN:
case BT_BOUND:
- hci_dev_lock(hdev);
- hci_conn_failed(conn, reason);
- hci_dev_unlock(hdev);
- return 0;
+ break;
default:
- hci_dev_lock(hdev);
- conn->state = BT_CLOSED;
- hci_disconn_cfm(conn, reason);
- hci_conn_del(conn);
- hci_dev_unlock(hdev);
- return 0;
+ disconnect = true;
+ break;
}
hci_dev_lock(hdev);
- /* Check if the connection hasn't been cleanup while waiting
- * commands to complete.
- */
+ /* Check if the connection has been cleaned up concurrently */
c = hci_conn_hash_lookup_handle(hdev, handle);
if (!c || c != conn) {
err = 0;
@@ -5418,7 +5410,13 @@ int hci_abort_conn_sync(struct hci_dev *hdev, struct hci_conn *conn, u8 reason)
* or in case of LE it was still scanning so it can be cleanup
* safely.
*/
- hci_conn_failed(conn, reason);
+ if (disconnect) {
+ conn->state = BT_CLOSED;
+ hci_disconn_cfm(conn, reason);
+ hci_conn_del(conn);
+ } else {
+ hci_conn_failed(conn, reason);
+ }
unlock:
hci_dev_unlock(hdev);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 149/241] net/mlx5: E-switch, register event handler before arming the event
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (147 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 148/241] Bluetooth: hci_sync: always check if connection is alive before deleting Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 150/241] net/mlx5: Handle fw tracer change ownership event based on MTRC Greg Kroah-Hartman
` (101 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Shay Drory, Mark Bloch,
Saeed Mahameed, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Shay Drory <shayd@nvidia.com>
[ Upstream commit 7624e58a8b3a251e3e5108b32f2183b34453db32 ]
Currently, mlx5 is registering event handler for vport context change
event some time after arming the event. this can lead to missing an
event, which will result in wrong rules in the FDB.
Hence, register the event handler before arming the event.
This solution is valid since FW is sending vport context change event
only on vports which SW armed, and SW arming the vport when enabling
it, which is done after the FDB has been created.
Fixes: 6933a9379559 ("net/mlx5: E-Switch, Use async events chain")
Signed-off-by: Shay Drory <shayd@nvidia.com>
Reviewed-by: Mark Bloch <mbloch@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/eswitch.c | 17 ++++++++---------
1 file changed, 8 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
index 6e9b1b183190d..51afb97b9e452 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/eswitch.c
@@ -1022,11 +1022,8 @@ const u32 *mlx5_esw_query_functions(struct mlx5_core_dev *dev)
return ERR_PTR(err);
}
-static void mlx5_eswitch_event_handlers_register(struct mlx5_eswitch *esw)
+static void mlx5_eswitch_event_handler_register(struct mlx5_eswitch *esw)
{
- MLX5_NB_INIT(&esw->nb, eswitch_vport_event, NIC_VPORT_CHANGE);
- mlx5_eq_notifier_register(esw->dev, &esw->nb);
-
if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev)) {
MLX5_NB_INIT(&esw->esw_funcs.nb, mlx5_esw_funcs_changed_handler,
ESW_FUNCTIONS_CHANGED);
@@ -1034,13 +1031,11 @@ static void mlx5_eswitch_event_handlers_register(struct mlx5_eswitch *esw)
}
}
-static void mlx5_eswitch_event_handlers_unregister(struct mlx5_eswitch *esw)
+static void mlx5_eswitch_event_handler_unregister(struct mlx5_eswitch *esw)
{
if (esw->mode == MLX5_ESWITCH_OFFLOADS && mlx5_eswitch_is_funcs_handler(esw->dev))
mlx5_eq_notifier_unregister(esw->dev, &esw->esw_funcs.nb);
- mlx5_eq_notifier_unregister(esw->dev, &esw->nb);
-
flush_workqueue(esw->work_queue);
}
@@ -1419,6 +1414,9 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs)
mlx5_eswitch_update_num_of_vfs(esw, num_vfs);
+ MLX5_NB_INIT(&esw->nb, eswitch_vport_event, NIC_VPORT_CHANGE);
+ mlx5_eq_notifier_register(esw->dev, &esw->nb);
+
if (esw->mode == MLX5_ESWITCH_LEGACY) {
err = esw_legacy_enable(esw);
} else {
@@ -1431,7 +1429,7 @@ int mlx5_eswitch_enable_locked(struct mlx5_eswitch *esw, int num_vfs)
esw->fdb_table.flags |= MLX5_ESW_FDB_CREATED;
- mlx5_eswitch_event_handlers_register(esw);
+ mlx5_eswitch_event_handler_register(esw);
esw_info(esw->dev, "Enable: mode(%s), nvfs(%d), necvfs(%d), active vports(%d)\n",
esw->mode == MLX5_ESWITCH_LEGACY ? "LEGACY" : "OFFLOADS",
@@ -1558,7 +1556,8 @@ void mlx5_eswitch_disable_locked(struct mlx5_eswitch *esw)
*/
mlx5_esw_mode_change_notify(esw, MLX5_ESWITCH_LEGACY);
- mlx5_eswitch_event_handlers_unregister(esw);
+ mlx5_eq_notifier_unregister(esw->dev, &esw->nb);
+ mlx5_eswitch_event_handler_unregister(esw);
esw_info(esw->dev, "Disable: mode(%s), nvfs(%d), necvfs(%d), active vports(%d)\n",
esw->mode == MLX5_ESWITCH_LEGACY ? "LEGACY" : "OFFLOADS",
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 150/241] net/mlx5: Handle fw tracer change ownership event based on MTRC
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (148 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 149/241] net/mlx5: E-switch, register event handler before arming the event Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 151/241] net/mlx5e: RX, Fix page_pool allocation failure recovery for striding rq Greg Kroah-Hartman
` (100 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maher Sanalla, Shay Drory,
Saeed Mahameed, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maher Sanalla <msanalla@nvidia.com>
[ Upstream commit 92fd39634541eb0a11bf1bafbc8ba92d6ddb8dba ]
Currently, whenever fw issues a change ownership event, the PF that owns
the fw tracer drops its ownership directly and the other PFs try to pick
up the ownership via what MTRC register suggests.
In some cases, driver releases the ownership of the tracer and reacquires
it later on. Whenever the driver releases ownership of the tracer, fw
issues a change ownership event. This event can be delayed and come after
driver has reacquired ownership of the tracer. Thus the late event will
trigger the tracer owner PF to release the ownership again and lead to a
scenario where no PF is owning the tracer.
To prevent the scenario described above, when handling a change
ownership event, do not drop ownership of the tracer directly, instead
read the fw MTRC register to retrieve the up-to-date owner of the tracer
and set it accordingly in driver level.
Fixes: f53aaa31cce7 ("net/mlx5: FW tracer, implement tracer logic")
Signed-off-by: Maher Sanalla <msanalla@nvidia.com>
Reviewed-by: Shay Drory <shayd@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
index 7c0f2adbea000..ad789349c06e6 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/diag/fw_tracer.c
@@ -848,7 +848,7 @@ static void mlx5_fw_tracer_ownership_change(struct work_struct *work)
mlx5_core_dbg(tracer->dev, "FWTracer: ownership changed, current=(%d)\n", tracer->owner);
if (tracer->owner) {
- tracer->owner = false;
+ mlx5_fw_tracer_ownership_acquire(tracer);
return;
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 151/241] net/mlx5e: RX, Fix page_pool allocation failure recovery for striding rq
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (149 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 150/241] net/mlx5: Handle fw tracer change ownership event based on MTRC Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 152/241] net/mlx5e: RX, Fix page_pool allocation failure recovery for legacy rq Greg Kroah-Hartman
` (99 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Mason, Dragos Tatulea,
Tariq Toukan, Saeed Mahameed, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dragos Tatulea <dtatulea@nvidia.com>
[ Upstream commit be43b7489a3c4702799e50179da69c3df7d6899b ]
When a page allocation fails during refill in mlx5e_post_rx_mpwqes, the
page will be released again on the next refill call. This triggers the
page_pool negative page fragment count warning below:
[ 2436.447717] WARNING: CPU: 1 PID: 2419 at include/net/page_pool/helpers.h:130 mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
...
[ 2436.447895] RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
[ 2436.447991] Call Trace:
[ 2436.447975] mlx5e_post_rx_mpwqes+0x1d5/0xcf0 [mlx5_core]
[ 2436.447994] <IRQ>
[ 2436.447996] ? __warn+0x7d/0x120
[ 2436.448009] ? mlx5e_handle_rx_cqe_mpwrq+0x109/0x1d0 [mlx5_core]
[ 2436.448002] ? mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
[ 2436.448044] ? mlx5e_poll_rx_cq+0x87/0x6e0 [mlx5_core]
[ 2436.448061] ? report_bug+0x155/0x180
[ 2436.448065] ? handle_bug+0x36/0x70
[ 2436.448067] ? exc_invalid_op+0x13/0x60
[ 2436.448070] ? asm_exc_invalid_op+0x16/0x20
[ 2436.448079] mlx5e_napi_poll+0x122/0x6b0 [mlx5_core]
[ 2436.448077] ? mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
[ 2436.448113] ? generic_exec_single+0x35/0x100
[ 2436.448117] __napi_poll+0x25/0x1a0
[ 2436.448120] net_rx_action+0x28a/0x300
[ 2436.448122] __do_softirq+0xcd/0x279
[ 2436.448126] irq_exit_rcu+0x6a/0x90
[ 2436.448128] sysvec_apic_timer_interrupt+0x6e/0x90
[ 2436.448130] </IRQ>
This patch fixes the striding rq case by setting the skip flag on all
the wqe pages that were expected to have new pages allocated.
Fixes: 4c2a13236807 ("net/mlx5e: RX, Defer page release in striding rq for better recycling")
Tested-by: Chris Mason <clm@fb.com>
Reported-by: Chris Mason <clm@fb.com>
Closes: https://lore.kernel.org/netdev/117FF31A-7BE0-4050-B2BB-E41F224FF72F@meta.com
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_rx.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
index 41d37159e027b..0b558db1a9455 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -816,6 +816,8 @@ static int mlx5e_alloc_rx_mpwqe(struct mlx5e_rq *rq, u16 ix)
mlx5e_page_release_fragmented(rq, frag_page);
}
+ bitmap_fill(wi->skip_release_bitmap, rq->mpwqe.pages_per_wqe);
+
err:
rq->stats->buff_alloc_err++;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 152/241] net/mlx5e: RX, Fix page_pool allocation failure recovery for legacy rq
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (150 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 151/241] net/mlx5e: RX, Fix page_pool allocation failure recovery for striding rq Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 153/241] net/mlx5e: XDP, Fix XDP_REDIRECT mpwqe page fragment leaks on shutdown Greg Kroah-Hartman
` (98 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Chris Mason, Dragos Tatulea,
Tariq Toukan, Saeed Mahameed, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dragos Tatulea <dtatulea@nvidia.com>
[ Upstream commit ef9369e9c30846f5e052a11ccc70e1f6b8dc557a ]
When a page allocation fails during refill in mlx5e_refill_rx_wqes, the
page will be released again on the next refill call. This triggers the
page_pool negative page fragment count warning below:
[ 338.326070] WARNING: CPU: 4 PID: 0 at include/net/page_pool/helpers.h:130 mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
...
[ 338.328993] RIP: 0010:mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
[ 338.329094] Call Trace:
[ 338.329097] <IRQ>
[ 338.329100] ? __warn+0x7d/0x120
[ 338.329105] ? mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
[ 338.329173] ? report_bug+0x155/0x180
[ 338.329179] ? handle_bug+0x3c/0x60
[ 338.329183] ? exc_invalid_op+0x13/0x60
[ 338.329187] ? asm_exc_invalid_op+0x16/0x20
[ 338.329192] ? mlx5e_page_release_fragmented.isra.0+0x42/0x50 [mlx5_core]
[ 338.329259] mlx5e_post_rx_wqes+0x210/0x5a0 [mlx5_core]
[ 338.329327] ? mlx5e_poll_rx_cq+0x88/0x6f0 [mlx5_core]
[ 338.329394] mlx5e_napi_poll+0x127/0x6b0 [mlx5_core]
[ 338.329461] __napi_poll+0x25/0x1a0
[ 338.329465] net_rx_action+0x28a/0x300
[ 338.329468] __do_softirq+0xcd/0x279
[ 338.329473] irq_exit_rcu+0x6a/0x90
[ 338.329477] common_interrupt+0x82/0xa0
[ 338.329482] </IRQ>
This patch fixes the legacy rq case by releasing all allocated fragments
and then setting the skip flag on all released fragments. It is
important to note that the number of released fragments will be higher
than the number of allocated fragments when an allocation error occurs.
Fixes: 3f93f82988bc ("net/mlx5e: RX, Defer page release in legacy rq for better recycling")
Tested-by: Chris Mason <clm@fb.com>
Reported-by: Chris Mason <clm@fb.com>
Closes: https://lore.kernel.org/netdev/117FF31A-7BE0-4050-B2BB-E41F224FF72F@meta.com
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../net/ethernet/mellanox/mlx5/core/en_rx.c | 33 ++++++++++++++-----
1 file changed, 24 insertions(+), 9 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
index 0b558db1a9455..5df970e6e29d5 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rx.c
@@ -457,26 +457,41 @@ static int mlx5e_alloc_rx_wqes(struct mlx5e_rq *rq, u16 ix, int wqe_bulk)
static int mlx5e_refill_rx_wqes(struct mlx5e_rq *rq, u16 ix, int wqe_bulk)
{
int remaining = wqe_bulk;
- int i = 0;
+ int total_alloc = 0;
+ int refill_alloc;
+ int refill;
/* The WQE bulk is split into smaller bulks that are sized
* according to the page pool cache refill size to avoid overflowing
* the page pool cache due to too many page releases at once.
*/
do {
- int refill = min_t(u16, rq->wqe.info.refill_unit, remaining);
- int alloc_count;
+ refill = min_t(u16, rq->wqe.info.refill_unit, remaining);
- mlx5e_free_rx_wqes(rq, ix + i, refill);
- alloc_count = mlx5e_alloc_rx_wqes(rq, ix + i, refill);
- i += alloc_count;
- if (unlikely(alloc_count != refill))
- break;
+ mlx5e_free_rx_wqes(rq, ix + total_alloc, refill);
+ refill_alloc = mlx5e_alloc_rx_wqes(rq, ix + total_alloc, refill);
+ if (unlikely(refill_alloc != refill))
+ goto err_free;
+ total_alloc += refill_alloc;
remaining -= refill;
} while (remaining);
- return i;
+ return total_alloc;
+
+err_free:
+ mlx5e_free_rx_wqes(rq, ix, total_alloc + refill_alloc);
+
+ for (int i = 0; i < total_alloc + refill; i++) {
+ int j = mlx5_wq_cyc_ctr2ix(&rq->wqe.wq, ix + i);
+ struct mlx5e_wqe_frag_info *frag;
+
+ frag = get_frag(rq, j);
+ for (int k = 0; k < rq->wqe.info.num_frags; k++, frag++)
+ frag->flags |= BIT(MLX5E_WQE_FRAG_SKIP_RELEASE);
+ }
+
+ return 0;
}
static void
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 153/241] net/mlx5e: XDP, Fix XDP_REDIRECT mpwqe page fragment leaks on shutdown
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (151 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 152/241] net/mlx5e: RX, Fix page_pool allocation failure recovery for legacy rq Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 154/241] net/mlx5e: Take RTNL lock before triggering netdev notifiers Greg Kroah-Hartman
` (97 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dragos Tatulea, Tariq Toukan,
Saeed Mahameed, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dragos Tatulea <dtatulea@nvidia.com>
[ Upstream commit aaab619ccd07a32e5b29aa7e59b20de1dcc7a29e ]
When mlx5e_xdp_xmit is called without the XDP_XMIT_FLUSH set it is
possible that it leaves a mpwqe session open. That is ok during runtime:
the session will be closed on the next call to mlx5e_xdp_xmit. But
having a mpwqe session still open at XDP sq close time is problematic:
the pc counter is not updated before flushing the contents of the
xdpi_fifo. This results in leaking page fragments.
The fix is to always close the mpwqe session at the end of
mlx5e_xdp_xmit, regardless of the XDP_XMIT_FLUSH flag being set or not.
Fixes: 5e0d2eef771e ("net/mlx5e: XDP, Support Enhanced Multi-Packet TX WQE")
Signed-off-by: Dragos Tatulea <dtatulea@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
index 40589cebb7730..4fd4c9febab95 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/xdp.c
@@ -873,11 +873,11 @@ int mlx5e_xdp_xmit(struct net_device *dev, int n, struct xdp_frame **frames,
}
out:
- if (flags & XDP_XMIT_FLUSH) {
- if (sq->mpwqe.wqe)
- mlx5e_xdp_mpwqe_complete(sq);
+ if (sq->mpwqe.wqe)
+ mlx5e_xdp_mpwqe_complete(sq);
+
+ if (flags & XDP_XMIT_FLUSH)
mlx5e_xmit_xdp_doorbell(sq);
- }
return nxmit;
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 154/241] net/mlx5e: Take RTNL lock before triggering netdev notifiers
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (152 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 153/241] net/mlx5e: XDP, Fix XDP_REDIRECT mpwqe page fragment leaks on shutdown Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 155/241] net/mlx5e: Dont offload internal port if filter device is out device Greg Kroah-Hartman
` (96 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Lama Kayal, Tariq Toukan,
Saeed Mahameed, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Lama Kayal <lkayal@nvidia.com>
[ Upstream commit c51c673462a266fb813cf189f8190798a12d3124 ]
Hold RTNL lock when calling xdp_set_features() with a registered netdev,
as the call triggers the netdev notifiers. This could happen when
switching from nic profile to uplink representor for example.
Similar logic which fixed a similar scenario was previously introduced in
the following commit:
commit 72cc65497065 net/mlx5e: Take RTNL lock when needed before calling
xdp_set_features().
This fixes the following assertion and warning call trace:
RTNL: assertion failed at net/core/dev.c (1961)
WARNING: CPU: 13 PID: 2529 at net/core/dev.c:1961
call_netdevice_notifiers_info+0x7c/0x80
Modules linked in: rpcrdma rdma_ucm ib_iser libiscsi
scsi_transport_iscsi ib_umad rdma_cm ib_ipoib iw_cm ib_cm mlx5_ib
ib_uverbs ib_core xt_conntrack xt_MASQUERADE nf_conntrack_netlink
nfnetlink xt_addrtype iptable_nat nf_nat br_netfilter rpcsec_gss_krb5
auth_rpcgss oid_registry overlay mlx5_core zram zsmalloc fuse
CPU: 13 PID: 2529 Comm: devlink Not tainted
6.5.0_for_upstream_min_debug_2023_09_07_20_04 #1
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS
rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
RIP: 0010:call_netdevice_notifiers_info+0x7c/0x80
Code: 8f ff 80 3d 77 0d 16 01 00 75 c5 ba a9 07 00 00 48
c7 c6 c4 bb 0d 82 48 c7 c7 18 c8 06 82 c6 05 5b 0d 16 01 01 e8 44 f6 8c
ff <0f> 0b eb a2 0f 1f 44 00 00 55 48 89 e5 41 54 48 83 e4 f0 48 83 ec
RSP: 0018:ffff88819930f7f0 EFLAGS: 00010282
RAX: 0000000000000000 RBX: ffffffff8309f740 RCX: 0000000000000027
RDX: ffff88885fb5b5c8 RSI: 0000000000000001 RDI: ffff88885fb5b5c0
RBP: 0000000000000028 R08: ffff88887ffabaa8 R09: 0000000000000003
R10: ffff88887fecbac0 R11: ffff88887ff7bac0 R12: ffff88819930f810
R13: ffff88810b7fea40 R14: ffff8881154e8fd8 R15: ffff888107e881a0
FS: 00007f3ad248f800(0000) GS:ffff88885fb40000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000563b85f164e0 CR3: 0000000113b5c006 CR4: 0000000000370ea0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
? __warn+0x79/0x120
? call_netdevice_notifiers_info+0x7c/0x80
? report_bug+0x17c/0x190
? handle_bug+0x3c/0x60
? exc_invalid_op+0x14/0x70
? asm_exc_invalid_op+0x16/0x20
? call_netdevice_notifiers_info+0x7c/0x80
call_netdevice_notifiers+0x2e/0x50
mlx5e_set_xdp_feature+0x21/0x50 [mlx5_core]
mlx5e_build_rep_params+0x97/0x130 [mlx5_core]
mlx5e_init_ul_rep+0x9f/0x100 [mlx5_core]
mlx5e_netdev_init_profile+0x76/0x110 [mlx5_core]
mlx5e_netdev_attach_profile+0x1f/0x90 [mlx5_core]
mlx5e_netdev_change_profile+0x92/0x160 [mlx5_core]
mlx5e_vport_rep_load+0x329/0x4a0 [mlx5_core]
mlx5_esw_offloads_rep_load+0x9e/0xf0 [mlx5_core]
esw_offloads_enable+0x4bc/0xe90 [mlx5_core]
mlx5_eswitch_enable_locked+0x3c8/0x570 [mlx5_core]
? kmalloc_trace+0x25/0x80
mlx5_devlink_eswitch_mode_set+0x224/0x680 [mlx5_core]
? devlink_get_from_attrs_lock+0x9e/0x110
devlink_nl_cmd_eswitch_set_doit+0x60/0xe0
genl_family_rcv_msg_doit+0xd0/0x120
genl_rcv_msg+0x180/0x2b0
? devlink_get_from_attrs_lock+0x110/0x110
? devlink_nl_cmd_eswitch_get_doit+0x290/0x290
? devlink_pernet_pre_exit+0xf0/0xf0
? genl_family_rcv_msg_dumpit+0xf0/0xf0
netlink_rcv_skb+0x54/0x100
genl_rcv+0x24/0x40
netlink_unicast+0x1fc/0x2c0
netlink_sendmsg+0x232/0x4a0
sock_sendmsg+0x38/0x60
? _copy_from_user+0x2a/0x60
__sys_sendto+0x110/0x160
? handle_mm_fault+0x161/0x260
? do_user_addr_fault+0x276/0x620
__x64_sys_sendto+0x20/0x30
do_syscall_64+0x3d/0x90
entry_SYSCALL_64_after_hwframe+0x46/0xb0
RIP: 0033:0x7f3ad231340a
Code: d8 64 89 02 48 c7 c0 ff ff ff ff eb b8 0f 1f 00 f3
0f 1e fa 41 89 ca 64 8b 04 25 18 00 00 00 85 c0 75 15 b8 2c 00 00 00 0f
05 <48> 3d 00 f0 ff ff 77 7e c3 0f 1f 44 00 00 41 54 48 83 ec 30 44 89
RSP: 002b:00007ffd70aad4b8 EFLAGS: 00000246 ORIG_RAX: 000000000000002c
RAX: ffffffffffffffda RBX: 0000000000c36b00 RCX:00007f3ad231340a
RDX: 0000000000000038 RSI: 0000000000c36b00 RDI: 0000000000000003
RBP: 0000000000c36910 R08: 00007f3ad2625200 R09: 000000000000000c
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 0000000000000000 R14: 0000000000000000 R15: 0000000000000001
</TASK>
---[ end trace 0000000000000000 ]---
------------[ cut here ]------------
Fixes: 4d5ab0ad964d ("net/mlx5e: take into account device reconfiguration for xdp_features flag")
Signed-off-by: Lama Kayal <lkayal@nvidia.com>
Reviewed-by: Tariq Toukan <tariqt@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
index 99b3843396f33..5bdd2d09a8d5c 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
@@ -772,6 +772,7 @@ static int mlx5e_rep_max_nch_limit(struct mlx5_core_dev *mdev)
static void mlx5e_build_rep_params(struct net_device *netdev)
{
+ const bool take_rtnl = netdev->reg_state == NETREG_REGISTERED;
struct mlx5e_priv *priv = netdev_priv(netdev);
struct mlx5e_rep_priv *rpriv = priv->ppriv;
struct mlx5_eswitch_rep *rep = rpriv->rep;
@@ -797,8 +798,15 @@ static void mlx5e_build_rep_params(struct net_device *netdev)
/* RQ */
mlx5e_build_rq_params(mdev, params);
+ /* If netdev is already registered (e.g. move from nic profile to uplink,
+ * RTNL lock must be held before triggering netdev notifiers.
+ */
+ if (take_rtnl)
+ rtnl_lock();
/* update XDP supported features */
mlx5e_set_xdp_feature(netdev);
+ if (take_rtnl)
+ rtnl_unlock();
/* CQ moderation params */
params->rx_dim_enabled = MLX5_CAP_GEN(mdev, cq_moderation);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 155/241] net/mlx5e: Dont offload internal port if filter device is out device
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (153 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 154/241] net/mlx5e: Take RTNL lock before triggering netdev notifiers Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 156/241] net/mlx5e: Fix VF representors reporting zero counters to "ip -s" command Greg Kroah-Hartman
` (95 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jianbo Liu, Ariel Levkovich,
Saeed Mahameed, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jianbo Liu <jianbol@nvidia.com>
[ Upstream commit 06b4eac9c4beda520b8a4dbbb8e33dba9d1c8fba ]
In the cited commit, if the routing device is ovs internal port, the
out device is set to uplink, and packets go out after encapsulation.
If filter device is uplink, it can trigger the following syndrome:
mlx5_core 0000:08:00.0: mlx5_cmd_out_err:803:(pid 3966): SET_FLOW_TABLE_ENTRY(0x936) op_mod(0x0) failed, status bad parameter(0x3), syndrome (0xcdb051), err(-22)
Fix this issue by not offloading internal port if filter device is out
device. In this case, packets are not forwarded to the root table to
be processed, the termination table is used instead to forward them
from uplink to uplink.
Fixes: 100ad4e2d758 ("net/mlx5e: Offload internal port as encap route device")
Signed-off-by: Jianbo Liu <jianbol@nvidia.com>
Reviewed-by: Ariel Levkovich <lariel@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
index 1730f6a716eea..b10e40e1a9c14 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en/tc_tun_encap.c
@@ -24,7 +24,8 @@ static int mlx5e_set_int_port_tunnel(struct mlx5e_priv *priv,
route_dev = dev_get_by_index(dev_net(e->out_dev), e->route_dev_ifindex);
- if (!route_dev || !netif_is_ovs_master(route_dev))
+ if (!route_dev || !netif_is_ovs_master(route_dev) ||
+ attr->parse_attr->filter_dev == e->out_dev)
goto out;
err = mlx5e_set_fwd_to_int_port_actions(priv, attr, e->route_dev_ifindex,
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 156/241] net/mlx5e: Fix VF representors reporting zero counters to "ip -s" command
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (154 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 155/241] net/mlx5e: Dont offload internal port if filter device is out device Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 157/241] net/tls: split tls_rx_reader_lock Greg Kroah-Hartman
` (94 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Patrisious Haddad, Amir Tzin,
Saeed Mahameed, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amir Tzin <amirtz@nvidia.com>
[ Upstream commit 80f1241484dd1b1d4eab1a0211d52ec2bd83e2f1 ]
Although vf_vport entry of struct mlx5e_stats is never updated, its
values are mistakenly copied to the caller structure in the VF
representor .ndo_get_stat_64 callback mlx5e_rep_get_stats(). Remove
redundant entry and use the updated one, rep_stats, instead.
Fixes: 64b68e369649 ("net/mlx5: Refactor and expand rep vport stat group")
Reviewed-by: Patrisious Haddad <phaddad@nvidia.com>
Signed-off-by: Amir Tzin <amirtz@nvidia.com>
Signed-off-by: Saeed Mahameed <saeedm@nvidia.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/net/ethernet/mellanox/mlx5/core/en_rep.c | 2 +-
drivers/net/ethernet/mellanox/mlx5/core/en_stats.h | 11 ++++++++++-
drivers/net/ethernet/mellanox/mlx5/core/en_tc.c | 5 +++--
3 files changed, 14 insertions(+), 4 deletions(-)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
index 5bdd2d09a8d5c..0cd44ef190058 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_rep.c
@@ -704,7 +704,7 @@ mlx5e_rep_get_stats(struct net_device *dev, struct rtnl_link_stats64 *stats)
/* update HW stats in background for next time */
mlx5e_queue_update_stats(priv);
- memcpy(stats, &priv->stats.vf_vport, sizeof(*stats));
+ mlx5e_stats_copy_rep_stats(stats, &priv->stats.rep_stats);
}
static int mlx5e_rep_change_mtu(struct net_device *netdev, int new_mtu)
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
index 1ff8a06027dcf..67938b4ea1b90 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_stats.h
@@ -475,11 +475,20 @@ struct mlx5e_stats {
struct mlx5e_vnic_env_stats vnic;
struct mlx5e_vport_stats vport;
struct mlx5e_pport_stats pport;
- struct rtnl_link_stats64 vf_vport;
struct mlx5e_pcie_stats pcie;
struct mlx5e_rep_stats rep_stats;
};
+static inline void mlx5e_stats_copy_rep_stats(struct rtnl_link_stats64 *vf_vport,
+ struct mlx5e_rep_stats *rep_stats)
+{
+ memset(vf_vport, 0, sizeof(*vf_vport));
+ vf_vport->rx_packets = rep_stats->vport_rx_packets;
+ vf_vport->tx_packets = rep_stats->vport_tx_packets;
+ vf_vport->rx_bytes = rep_stats->vport_rx_bytes;
+ vf_vport->tx_bytes = rep_stats->vport_tx_bytes;
+}
+
extern mlx5e_stats_grp_t mlx5e_nic_stats_grps[];
unsigned int mlx5e_nic_stats_grps_num(struct mlx5e_priv *priv);
diff --git a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
index 4b22a91482cec..5797d8607633e 100644
--- a/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
+++ b/drivers/net/ethernet/mellanox/mlx5/core/en_tc.c
@@ -4931,7 +4931,8 @@ static int scan_tc_matchall_fdb_actions(struct mlx5e_priv *priv,
if (err)
return err;
- rpriv->prev_vf_vport_stats = priv->stats.vf_vport;
+ mlx5e_stats_copy_rep_stats(&rpriv->prev_vf_vport_stats,
+ &priv->stats.rep_stats);
break;
default:
NL_SET_ERR_MSG_MOD(extack, "mlx5 supports only police action for matchall");
@@ -4971,7 +4972,7 @@ void mlx5e_tc_stats_matchall(struct mlx5e_priv *priv,
u64 dbytes;
u64 dpkts;
- cur_stats = priv->stats.vf_vport;
+ mlx5e_stats_copy_rep_stats(&cur_stats, &priv->stats.rep_stats);
dpkts = cur_stats.rx_packets - rpriv->prev_vf_vport_stats.rx_packets;
dbytes = cur_stats.rx_bytes - rpriv->prev_vf_vport_stats.rx_bytes;
rpriv->prev_vf_vport_stats = cur_stats;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 157/241] net/tls: split tls_rx_reader_lock
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (155 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 156/241] net/mlx5e: Fix VF representors reporting zero counters to "ip -s" command Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 158/241] tcp: allow again tcp_disconnect() when threads are waiting Greg Kroah-Hartman
` (93 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Sagi Grimberg, Hannes Reinecke,
Jakub Kicinski, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hannes Reinecke <hare@suse.de>
[ Upstream commit f9ae3204fb45d0749befc1cdff50f691c7461e5a ]
Split tls_rx_reader_{lock,unlock} into an 'acquire/release' and
the actual locking part.
With that we can use the tls_rx_reader_lock in situations where
the socket is already locked.
Suggested-by: Sagi Grimberg <sagi@grimberg.me>
Signed-off-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Jakub Kicinski <kuba@kernel.org>
Link: https://lore.kernel.org/r/20230726191556.41714-6-hare@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Stable-dep-of: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/tls/tls_sw.c | 38 ++++++++++++++++++++++----------------
1 file changed, 22 insertions(+), 16 deletions(-)
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index e047abc600893..a83f474933033 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1845,13 +1845,10 @@ tls_read_flush_backlog(struct sock *sk, struct tls_prot_info *prot,
return sk_flush_backlog(sk);
}
-static int tls_rx_reader_lock(struct sock *sk, struct tls_sw_context_rx *ctx,
- bool nonblock)
+static int tls_rx_reader_acquire(struct sock *sk, struct tls_sw_context_rx *ctx,
+ bool nonblock)
{
long timeo;
- int err;
-
- lock_sock(sk);
timeo = sock_rcvtimeo(sk, nonblock);
@@ -1865,26 +1862,30 @@ static int tls_rx_reader_lock(struct sock *sk, struct tls_sw_context_rx *ctx,
!READ_ONCE(ctx->reader_present), &wait);
remove_wait_queue(&ctx->wq, &wait);
- if (timeo <= 0) {
- err = -EAGAIN;
- goto err_unlock;
- }
- if (signal_pending(current)) {
- err = sock_intr_errno(timeo);
- goto err_unlock;
- }
+ if (timeo <= 0)
+ return -EAGAIN;
+ if (signal_pending(current))
+ return sock_intr_errno(timeo);
}
WRITE_ONCE(ctx->reader_present, 1);
return 0;
+}
-err_unlock:
- release_sock(sk);
+static int tls_rx_reader_lock(struct sock *sk, struct tls_sw_context_rx *ctx,
+ bool nonblock)
+{
+ int err;
+
+ lock_sock(sk);
+ err = tls_rx_reader_acquire(sk, ctx, nonblock);
+ if (err)
+ release_sock(sk);
return err;
}
-static void tls_rx_reader_unlock(struct sock *sk, struct tls_sw_context_rx *ctx)
+static void tls_rx_reader_release(struct sock *sk, struct tls_sw_context_rx *ctx)
{
if (unlikely(ctx->reader_contended)) {
if (wq_has_sleeper(&ctx->wq))
@@ -1896,6 +1897,11 @@ static void tls_rx_reader_unlock(struct sock *sk, struct tls_sw_context_rx *ctx)
}
WRITE_ONCE(ctx->reader_present, 0);
+}
+
+static void tls_rx_reader_unlock(struct sock *sk, struct tls_sw_context_rx *ctx)
+{
+ tls_rx_reader_release(sk, ctx);
release_sock(sk);
}
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 158/241] tcp: allow again tcp_disconnect() when threads are waiting
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (156 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 157/241] net/tls: split tls_rx_reader_lock Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 159/241] net/smc: support smc release version negotiation in clc handshake Greg Kroah-Hartman
` (92 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Tom Deseyn, Eric Dumazet,
Paolo Abeni, Jakub Kicinski, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 419ce133ab928ab5efd7b50b2ef36ddfd4eadbd2 ]
As reported by Tom, .NET and applications build on top of it rely
on connect(AF_UNSPEC) to async cancel pending I/O operations on TCP
socket.
The blamed commit below caused a regression, as such cancellation
can now fail.
As suggested by Eric, this change addresses the problem explicitly
causing blocking I/O operation to terminate immediately (with an error)
when a concurrent disconnect() is executed.
Instead of tracking the number of threads blocked on a given socket,
track the number of disconnect() issued on such socket. If such counter
changes after a blocking operation releasing and re-acquiring the socket
lock, error out the current operation.
Fixes: 4faeee0cf8a5 ("tcp: deny tcp_disconnect() when threads are waiting")
Reported-by: Tom Deseyn <tdeseyn@redhat.com>
Closes: https://bugzilla.redhat.com/show_bug.cgi?id=1886305
Suggested-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/f3b95e47e3dbed840960548aebaa8d954372db41.1697008693.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
.../chelsio/inline_crypto/chtls/chtls_io.c | 36 +++++++++++++++----
include/net/sock.h | 10 +++---
net/core/stream.c | 12 ++++---
net/ipv4/af_inet.c | 10 ++++--
net/ipv4/inet_connection_sock.c | 1 -
net/ipv4/tcp.c | 16 ++++-----
net/ipv4/tcp_bpf.c | 4 +++
net/mptcp/protocol.c | 7 ----
net/tls/tls_main.c | 10 ++++--
net/tls/tls_sw.c | 19 ++++++----
10 files changed, 80 insertions(+), 45 deletions(-)
diff --git a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c
index 5fc64e47568a9..d567e42e17601 100644
--- a/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c
+++ b/drivers/net/ethernet/chelsio/inline_crypto/chtls/chtls_io.c
@@ -911,7 +911,7 @@ static int csk_wait_memory(struct chtls_dev *cdev,
struct sock *sk, long *timeo_p)
{
DEFINE_WAIT_FUNC(wait, woken_wake_function);
- int err = 0;
+ int ret, err = 0;
long current_timeo;
long vm_wait = 0;
bool noblock;
@@ -942,10 +942,13 @@ static int csk_wait_memory(struct chtls_dev *cdev,
set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
sk->sk_write_pending++;
- sk_wait_event(sk, ¤t_timeo, sk->sk_err ||
- (sk->sk_shutdown & SEND_SHUTDOWN) ||
- (csk_mem_free(cdev, sk) && !vm_wait), &wait);
+ ret = sk_wait_event(sk, ¤t_timeo, sk->sk_err ||
+ (sk->sk_shutdown & SEND_SHUTDOWN) ||
+ (csk_mem_free(cdev, sk) && !vm_wait),
+ &wait);
sk->sk_write_pending--;
+ if (ret < 0)
+ goto do_error;
if (vm_wait) {
vm_wait -= current_timeo;
@@ -1348,6 +1351,7 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
int copied = 0;
int target;
long timeo;
+ int ret;
buffers_freed = 0;
@@ -1423,7 +1427,11 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
if (copied >= target)
break;
chtls_cleanup_rbuf(sk, copied);
- sk_wait_data(sk, &timeo, NULL);
+ ret = sk_wait_data(sk, &timeo, NULL);
+ if (ret < 0) {
+ copied = copied ? : ret;
+ goto unlock;
+ }
continue;
found_ok_skb:
if (!skb->len) {
@@ -1518,6 +1526,8 @@ static int chtls_pt_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
if (buffers_freed)
chtls_cleanup_rbuf(sk, copied);
+
+unlock:
release_sock(sk);
return copied;
}
@@ -1534,6 +1544,7 @@ static int peekmsg(struct sock *sk, struct msghdr *msg,
int copied = 0;
size_t avail; /* amount of available data in current skb */
long timeo;
+ int ret;
lock_sock(sk);
timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
@@ -1585,7 +1596,12 @@ static int peekmsg(struct sock *sk, struct msghdr *msg,
release_sock(sk);
lock_sock(sk);
} else {
- sk_wait_data(sk, &timeo, NULL);
+ ret = sk_wait_data(sk, &timeo, NULL);
+ if (ret < 0) {
+ /* here 'copied' is 0 due to previous checks */
+ copied = ret;
+ break;
+ }
}
if (unlikely(peek_seq != tp->copied_seq)) {
@@ -1656,6 +1672,7 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
int copied = 0;
long timeo;
int target; /* Read at least this many bytes */
+ int ret;
buffers_freed = 0;
@@ -1747,7 +1764,11 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
if (copied >= target)
break;
chtls_cleanup_rbuf(sk, copied);
- sk_wait_data(sk, &timeo, NULL);
+ ret = sk_wait_data(sk, &timeo, NULL);
+ if (ret < 0) {
+ copied = copied ? : ret;
+ goto unlock;
+ }
continue;
found_ok_skb:
@@ -1816,6 +1837,7 @@ int chtls_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
if (buffers_freed)
chtls_cleanup_rbuf(sk, copied);
+unlock:
release_sock(sk);
return copied;
}
diff --git a/include/net/sock.h b/include/net/sock.h
index 4e787285fc66b..fc189910e63fc 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -336,7 +336,7 @@ struct sk_filter;
* @sk_cgrp_data: cgroup data for this cgroup
* @sk_memcg: this socket's memory cgroup association
* @sk_write_pending: a write to stream socket waits to start
- * @sk_wait_pending: number of threads blocked on this socket
+ * @sk_disconnects: number of disconnect operations performed on this sock
* @sk_state_change: callback to indicate change in the state of the sock
* @sk_data_ready: callback to indicate there is data to be processed
* @sk_write_space: callback to indicate there is bf sending space available
@@ -429,7 +429,7 @@ struct sock {
unsigned int sk_napi_id;
#endif
int sk_rcvbuf;
- int sk_wait_pending;
+ int sk_disconnects;
struct sk_filter __rcu *sk_filter;
union {
@@ -1189,8 +1189,7 @@ static inline void sock_rps_reset_rxhash(struct sock *sk)
}
#define sk_wait_event(__sk, __timeo, __condition, __wait) \
- ({ int __rc; \
- __sk->sk_wait_pending++; \
+ ({ int __rc, __dis = __sk->sk_disconnects; \
release_sock(__sk); \
__rc = __condition; \
if (!__rc) { \
@@ -1200,8 +1199,7 @@ static inline void sock_rps_reset_rxhash(struct sock *sk)
} \
sched_annotate_sleep(); \
lock_sock(__sk); \
- __sk->sk_wait_pending--; \
- __rc = __condition; \
+ __rc = __dis == __sk->sk_disconnects ? __condition : -EPIPE; \
__rc; \
})
diff --git a/net/core/stream.c b/net/core/stream.c
index f5c4e47df1650..96fbcb9bbb30a 100644
--- a/net/core/stream.c
+++ b/net/core/stream.c
@@ -117,7 +117,7 @@ EXPORT_SYMBOL(sk_stream_wait_close);
*/
int sk_stream_wait_memory(struct sock *sk, long *timeo_p)
{
- int err = 0;
+ int ret, err = 0;
long vm_wait = 0;
long current_timeo = *timeo_p;
DEFINE_WAIT_FUNC(wait, woken_wake_function);
@@ -142,11 +142,13 @@ int sk_stream_wait_memory(struct sock *sk, long *timeo_p)
set_bit(SOCK_NOSPACE, &sk->sk_socket->flags);
sk->sk_write_pending++;
- sk_wait_event(sk, ¤t_timeo, READ_ONCE(sk->sk_err) ||
- (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) ||
- (sk_stream_memory_free(sk) &&
- !vm_wait), &wait);
+ ret = sk_wait_event(sk, ¤t_timeo, READ_ONCE(sk->sk_err) ||
+ (READ_ONCE(sk->sk_shutdown) & SEND_SHUTDOWN) ||
+ (sk_stream_memory_free(sk) && !vm_wait),
+ &wait);
sk->sk_write_pending--;
+ if (ret < 0)
+ goto do_error;
if (vm_wait) {
vm_wait -= current_timeo;
diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 02736b83c3032..0c0ae021b7ff5 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -587,7 +587,6 @@ static long inet_wait_for_connect(struct sock *sk, long timeo, int writebias)
add_wait_queue(sk_sleep(sk), &wait);
sk->sk_write_pending += writebias;
- sk->sk_wait_pending++;
/* Basic assumption: if someone sets sk->sk_err, he _must_
* change state of the socket from TCP_SYN_*.
@@ -603,7 +602,6 @@ static long inet_wait_for_connect(struct sock *sk, long timeo, int writebias)
}
remove_wait_queue(sk_sleep(sk), &wait);
sk->sk_write_pending -= writebias;
- sk->sk_wait_pending--;
return timeo;
}
@@ -632,6 +630,7 @@ int __inet_stream_connect(struct socket *sock, struct sockaddr *uaddr,
return -EINVAL;
if (uaddr->sa_family == AF_UNSPEC) {
+ sk->sk_disconnects++;
err = sk->sk_prot->disconnect(sk, flags);
sock->state = err ? SS_DISCONNECTING : SS_UNCONNECTED;
goto out;
@@ -686,6 +685,7 @@ int __inet_stream_connect(struct socket *sock, struct sockaddr *uaddr,
int writebias = (sk->sk_protocol == IPPROTO_TCP) &&
tcp_sk(sk)->fastopen_req &&
tcp_sk(sk)->fastopen_req->data ? 1 : 0;
+ int dis = sk->sk_disconnects;
/* Error code is set above */
if (!timeo || !inet_wait_for_connect(sk, timeo, writebias))
@@ -694,6 +694,11 @@ int __inet_stream_connect(struct socket *sock, struct sockaddr *uaddr,
err = sock_intr_errno(timeo);
if (signal_pending(current))
goto out;
+
+ if (dis != sk->sk_disconnects) {
+ err = -EPIPE;
+ goto out;
+ }
}
/* Connection was closed by RST, timeout, ICMP error
@@ -715,6 +720,7 @@ int __inet_stream_connect(struct socket *sock, struct sockaddr *uaddr,
sock_error:
err = sock_error(sk) ? : -ECONNABORTED;
sock->state = SS_UNCONNECTED;
+ sk->sk_disconnects++;
if (sk->sk_prot->disconnect(sk, flags))
sock->state = SS_DISCONNECTING;
goto out;
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index aeebe88166899..394a498c28232 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -1145,7 +1145,6 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
if (newsk) {
struct inet_connection_sock *newicsk = inet_csk(newsk);
- newsk->sk_wait_pending = 0;
inet_sk_set_state(newsk, TCP_SYN_RECV);
newicsk->icsk_bind_hash = NULL;
newicsk->icsk_bind2_hash = NULL;
diff --git a/net/ipv4/tcp.c b/net/ipv4/tcp.c
index 9cfc07d1e4252..9bdc1b2eaf734 100644
--- a/net/ipv4/tcp.c
+++ b/net/ipv4/tcp.c
@@ -829,7 +829,9 @@ ssize_t tcp_splice_read(struct socket *sock, loff_t *ppos,
*/
if (!skb_queue_empty(&sk->sk_receive_queue))
break;
- sk_wait_data(sk, &timeo, NULL);
+ ret = sk_wait_data(sk, &timeo, NULL);
+ if (ret < 0)
+ break;
if (signal_pending(current)) {
ret = sock_intr_errno(timeo);
break;
@@ -2442,7 +2444,11 @@ static int tcp_recvmsg_locked(struct sock *sk, struct msghdr *msg, size_t len,
__sk_flush_backlog(sk);
} else {
tcp_cleanup_rbuf(sk, copied);
- sk_wait_data(sk, &timeo, last);
+ err = sk_wait_data(sk, &timeo, last);
+ if (err < 0) {
+ err = copied ? : err;
+ goto out;
+ }
}
if ((flags & MSG_PEEK) &&
@@ -2966,12 +2972,6 @@ int tcp_disconnect(struct sock *sk, int flags)
int old_state = sk->sk_state;
u32 seq;
- /* Deny disconnect if other threads are blocked in sk_wait_event()
- * or inet_wait_for_connect().
- */
- if (sk->sk_wait_pending)
- return -EBUSY;
-
if (old_state != TCP_CLOSE)
tcp_set_state(sk, TCP_CLOSE);
diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index 3272682030015..ba2e921881248 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -307,6 +307,8 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
}
data = tcp_msg_wait_data(sk, psock, timeo);
+ if (data < 0)
+ return data;
if (data && !sk_psock_queue_empty(psock))
goto msg_bytes_ready;
copied = -EAGAIN;
@@ -351,6 +353,8 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
data = tcp_msg_wait_data(sk, psock, timeo);
+ if (data < 0)
+ return data;
if (data) {
if (!sk_psock_queue_empty(psock))
goto msg_bytes_ready;
diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index d2a47c6f9655b..0850d6a43049c 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -3063,12 +3063,6 @@ static int mptcp_disconnect(struct sock *sk, int flags)
{
struct mptcp_sock *msk = mptcp_sk(sk);
- /* Deny disconnect if other threads are blocked in sk_wait_event()
- * or inet_wait_for_connect().
- */
- if (sk->sk_wait_pending)
- return -EBUSY;
-
/* We are on the fastopen error path. We can't call straight into the
* subflows cleanup code due to lock nesting (we are already under
* msk->firstsocket lock).
@@ -3139,7 +3133,6 @@ struct sock *mptcp_sk_clone_init(const struct sock *sk,
inet_sk(nsk)->pinet6 = mptcp_inet6_sk(nsk);
#endif
- nsk->sk_wait_pending = 0;
__mptcp_init_sock(nsk);
msk = mptcp_sk(nsk);
diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c
index 4a8ee2f6badb9..f3d3fc1c32676 100644
--- a/net/tls/tls_main.c
+++ b/net/tls/tls_main.c
@@ -96,8 +96,8 @@ void update_sk_prot(struct sock *sk, struct tls_context *ctx)
int wait_on_pending_writer(struct sock *sk, long *timeo)
{
- int rc = 0;
DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int ret, rc = 0;
add_wait_queue(sk_sleep(sk), &wait);
while (1) {
@@ -111,9 +111,13 @@ int wait_on_pending_writer(struct sock *sk, long *timeo)
break;
}
- if (sk_wait_event(sk, timeo,
- !READ_ONCE(sk->sk_write_pending), &wait))
+ ret = sk_wait_event(sk, timeo,
+ !READ_ONCE(sk->sk_write_pending), &wait);
+ if (ret) {
+ if (ret < 0)
+ rc = ret;
break;
+ }
}
remove_wait_queue(sk_sleep(sk), &wait);
return rc;
diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index a83f474933033..ce925f3a52492 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -1288,6 +1288,7 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock,
struct tls_context *tls_ctx = tls_get_ctx(sk);
struct tls_sw_context_rx *ctx = tls_sw_ctx_rx(tls_ctx);
DEFINE_WAIT_FUNC(wait, woken_wake_function);
+ int ret = 0;
long timeo;
timeo = sock_rcvtimeo(sk, nonblock);
@@ -1299,6 +1300,9 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock,
if (sk->sk_err)
return sock_error(sk);
+ if (ret < 0)
+ return ret;
+
if (!skb_queue_empty(&sk->sk_receive_queue)) {
tls_strp_check_rcv(&ctx->strp);
if (tls_strp_msg_ready(ctx))
@@ -1317,10 +1321,10 @@ tls_rx_rec_wait(struct sock *sk, struct sk_psock *psock, bool nonblock,
released = true;
add_wait_queue(sk_sleep(sk), &wait);
sk_set_bit(SOCKWQ_ASYNC_WAITDATA, sk);
- sk_wait_event(sk, &timeo,
- tls_strp_msg_ready(ctx) ||
- !sk_psock_queue_empty(psock),
- &wait);
+ ret = sk_wait_event(sk, &timeo,
+ tls_strp_msg_ready(ctx) ||
+ !sk_psock_queue_empty(psock),
+ &wait);
sk_clear_bit(SOCKWQ_ASYNC_WAITDATA, sk);
remove_wait_queue(sk_sleep(sk), &wait);
@@ -1849,6 +1853,7 @@ static int tls_rx_reader_acquire(struct sock *sk, struct tls_sw_context_rx *ctx,
bool nonblock)
{
long timeo;
+ int ret;
timeo = sock_rcvtimeo(sk, nonblock);
@@ -1858,14 +1863,16 @@ static int tls_rx_reader_acquire(struct sock *sk, struct tls_sw_context_rx *ctx,
ctx->reader_contended = 1;
add_wait_queue(&ctx->wq, &wait);
- sk_wait_event(sk, &timeo,
- !READ_ONCE(ctx->reader_present), &wait);
+ ret = sk_wait_event(sk, &timeo,
+ !READ_ONCE(ctx->reader_present), &wait);
remove_wait_queue(&ctx->wq, &wait);
if (timeo <= 0)
return -EAGAIN;
if (signal_pending(current))
return sock_intr_errno(timeo);
+ if (ret < 0)
+ return ret;
}
WRITE_ONCE(ctx->reader_present, 1);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 159/241] net/smc: support smc release version negotiation in clc handshake
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (157 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 158/241] tcp: allow again tcp_disconnect() when threads are waiting Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 12:05 ` Guangguan Wang
2023-10-23 10:55 ` [PATCH 6.5 160/241] net/smc: support smc v2.x features validate Greg Kroah-Hartman
` (91 subsequent siblings)
250 siblings, 1 reply; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guangguan Wang, Tony Lu,
Jan Karcher, David S. Miller, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
[ Upstream commit 1e700948c9db0d09f691f715e8f4b947e51e35b5 ]
Support smc release version negotiation in clc handshake based on
SMC v2, where no negotiation process for different releases, but
for different versions. The latest smc release version was updated
to v2.1. And currently there are two release versions of SMCv2, v2.0
and v2.1. In the release version negotiation, client sends the preferred
release version by CLC Proposal Message, server makes decision for which
release version to use based on the client preferred release version and
self-supported release version (here choose the minimum release version
of the client preferred and server latest supported), then the decision
returns to client by CLC Accept Message. Client confirms the decision by
CLC Confirm Message.
Client Server
Proposal(preferred release version)
------------------------------------>
Accept(accpeted release version)
min(client preferred, server latest supported)
<------------------------------------
Confirm(accpeted release version)
------------------------------------>
Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
Reviewed-by: Jan Karcher <jaka@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: c68681ae46ea ("net/smc: fix smc clc failed issue when netdevice not in init_net")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/smc/af_smc.c | 21 +++++++++++++++++----
net/smc/smc.h | 5 ++++-
net/smc/smc_clc.c | 14 +++++++-------
net/smc/smc_clc.h | 23 ++++++++++++++++++++++-
net/smc/smc_core.h | 1 +
5 files changed, 51 insertions(+), 13 deletions(-)
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index c0e4e587b4994..077e5864fc441 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1198,8 +1198,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
struct smc_clc_msg_accept_confirm_v2 *clc_v2 =
(struct smc_clc_msg_accept_confirm_v2 *)aclc;
struct smc_clc_first_contact_ext *fce =
- (struct smc_clc_first_contact_ext *)
- (((u8 *)clc_v2) + sizeof(*clc_v2));
+ smc_get_clc_first_contact_ext(clc_v2, false);
if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1)
return 0;
@@ -1218,6 +1217,9 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
return SMC_CLC_DECL_NOINDIRECT;
}
}
+
+ ini->release_nr = fce->release;
+
return 0;
}
@@ -1386,6 +1388,13 @@ static int smc_connect_ism(struct smc_sock *smc,
struct smc_clc_msg_accept_confirm_v2 *aclc_v2 =
(struct smc_clc_msg_accept_confirm_v2 *)aclc;
+ if (ini->first_contact_peer) {
+ struct smc_clc_first_contact_ext *fce =
+ smc_get_clc_first_contact_ext(aclc_v2, true);
+
+ ini->release_nr = fce->release;
+ }
+
rc = smc_v2_determine_accepted_chid(aclc_v2, ini);
if (rc)
return rc;
@@ -1420,7 +1429,7 @@ static int smc_connect_ism(struct smc_sock *smc,
}
rc = smc_clc_send_confirm(smc, ini->first_contact_local,
- aclc->hdr.version, eid, NULL);
+ aclc->hdr.version, eid, ini);
if (rc)
goto connect_abort;
mutex_unlock(&smc_server_lgr_pending);
@@ -1996,6 +2005,10 @@ static int smc_listen_v2_check(struct smc_sock *new_smc,
}
}
+ ini->release_nr = pclc_v2_ext->hdr.flag.release;
+ if (pclc_v2_ext->hdr.flag.release > SMC_RELEASE)
+ ini->release_nr = SMC_RELEASE;
+
out:
if (!ini->smcd_version && !ini->smcr_version)
return rc;
@@ -2443,7 +2456,7 @@ static void smc_listen_work(struct work_struct *work)
/* send SMC Accept CLC message */
accept_version = ini->is_smcd ? ini->smcd_version : ini->smcr_version;
rc = smc_clc_send_accept(new_smc, ini->first_contact_local,
- accept_version, ini->negotiated_eid);
+ accept_version, ini->negotiated_eid, ini);
if (rc)
goto out_unlock;
diff --git a/net/smc/smc.h b/net/smc/smc.h
index 1f2b912c43d10..24745fde4ac26 100644
--- a/net/smc/smc.h
+++ b/net/smc/smc.h
@@ -21,7 +21,10 @@
#define SMC_V1 1 /* SMC version V1 */
#define SMC_V2 2 /* SMC version V2 */
-#define SMC_RELEASE 0
+
+#define SMC_RELEASE_0 0
+#define SMC_RELEASE_1 1
+#define SMC_RELEASE SMC_RELEASE_1 /* the latest release version */
#define SMCPROTO_SMC 0 /* SMC protocol, IPv4 */
#define SMCPROTO_SMC6 1 /* SMC protocol, IPv6 */
diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index c90d9e5dda540..fb0be0817e8a5 100644
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -420,11 +420,11 @@ smc_clc_msg_decl_valid(struct smc_clc_msg_decline *dclc)
return true;
}
-static void smc_clc_fill_fce(struct smc_clc_first_contact_ext *fce, int *len)
+static void smc_clc_fill_fce(struct smc_clc_first_contact_ext *fce, int *len, int release_nr)
{
memset(fce, 0, sizeof(*fce));
fce->os_type = SMC_CLC_OS_LINUX;
- fce->release = SMC_RELEASE;
+ fce->release = release_nr;
memcpy(fce->hostname, smc_hostname, sizeof(smc_hostname));
(*len) += sizeof(*fce);
}
@@ -1019,7 +1019,7 @@ static int smc_clc_send_confirm_accept(struct smc_sock *smc,
memcpy(clc_v2->d1.eid, eid, SMC_MAX_EID_LEN);
len = SMCD_CLC_ACCEPT_CONFIRM_LEN_V2;
if (first_contact)
- smc_clc_fill_fce(&fce, &len);
+ smc_clc_fill_fce(&fce, &len, ini->release_nr);
clc_v2->hdr.length = htons(len);
}
memcpy(trl.eyecatcher, SMCD_EYECATCHER,
@@ -1063,10 +1063,10 @@ static int smc_clc_send_confirm_accept(struct smc_sock *smc,
memcpy(clc_v2->r1.eid, eid, SMC_MAX_EID_LEN);
len = SMCR_CLC_ACCEPT_CONFIRM_LEN_V2;
if (first_contact) {
- smc_clc_fill_fce(&fce, &len);
+ smc_clc_fill_fce(&fce, &len, ini->release_nr);
fce.v2_direct = !link->lgr->uses_gateway;
memset(&gle, 0, sizeof(gle));
- if (ini && clc->hdr.type == SMC_CLC_CONFIRM) {
+ if (clc->hdr.type == SMC_CLC_CONFIRM) {
gle.gid_cnt = ini->smcrv2.gidlist.len;
len += sizeof(gle);
len += gle.gid_cnt * sizeof(gle.gid[0]);
@@ -1141,7 +1141,7 @@ int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact,
/* send CLC ACCEPT message across internal TCP socket */
int smc_clc_send_accept(struct smc_sock *new_smc, bool srv_first_contact,
- u8 version, u8 *negotiated_eid)
+ u8 version, u8 *negotiated_eid, struct smc_init_info *ini)
{
struct smc_clc_msg_accept_confirm_v2 aclc_v2;
int len;
@@ -1149,7 +1149,7 @@ int smc_clc_send_accept(struct smc_sock *new_smc, bool srv_first_contact,
memset(&aclc_v2, 0, sizeof(aclc_v2));
aclc_v2.hdr.type = SMC_CLC_ACCEPT;
len = smc_clc_send_confirm_accept(new_smc, &aclc_v2, srv_first_contact,
- version, negotiated_eid, NULL);
+ version, negotiated_eid, ini);
if (len < ntohs(aclc_v2.hdr.length))
len = len >= 0 ? -EPROTO : -new_smc->clcsock->sk->sk_err;
diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
index 5fee545c9a109..b923e89acafb0 100644
--- a/net/smc/smc_clc.h
+++ b/net/smc/smc_clc.h
@@ -370,6 +370,27 @@ smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext)
ntohs(prop_v2ext->hdr.smcd_v2_ext_offset));
}
+static inline struct smc_clc_first_contact_ext *
+smc_get_clc_first_contact_ext(struct smc_clc_msg_accept_confirm_v2 *clc_v2,
+ bool is_smcd)
+{
+ int clc_v2_len;
+
+ if (clc_v2->hdr.version == SMC_V1 ||
+ !(clc_v2->hdr.typev2 & SMC_FIRST_CONTACT_MASK))
+ return NULL;
+
+ if (is_smcd)
+ clc_v2_len =
+ offsetofend(struct smc_clc_msg_accept_confirm_v2, d1);
+ else
+ clc_v2_len =
+ offsetofend(struct smc_clc_msg_accept_confirm_v2, r1);
+
+ return (struct smc_clc_first_contact_ext *)(((u8 *)clc_v2) +
+ clc_v2_len);
+}
+
struct smcd_dev;
struct smc_init_info;
@@ -382,7 +403,7 @@ int smc_clc_send_proposal(struct smc_sock *smc, struct smc_init_info *ini);
int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact,
u8 version, u8 *eid, struct smc_init_info *ini);
int smc_clc_send_accept(struct smc_sock *smc, bool srv_first_contact,
- u8 version, u8 *negotiated_eid);
+ u8 version, u8 *negotiated_eid, struct smc_init_info *ini);
void smc_clc_init(void) __init;
void smc_clc_exit(void);
void smc_clc_get_hostname(u8 **host);
diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h
index 1645fba0d2d38..5bbc16f851e05 100644
--- a/net/smc/smc_core.h
+++ b/net/smc/smc_core.h
@@ -374,6 +374,7 @@ struct smc_init_info {
u8 is_smcd;
u8 smc_type_v1;
u8 smc_type_v2;
+ u8 release_nr;
u8 first_contact_peer;
u8 first_contact_local;
unsigned short vlan_id;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 160/241] net/smc: support smc v2.x features validate
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (158 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 159/241] net/smc: support smc release version negotiation in clc handshake Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 161/241] net/smc: fix smc clc failed issue when netdevice not in init_net Greg Kroah-Hartman
` (90 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Guangguan Wang, Tony Lu,
Jan Karcher, David S. Miller, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
[ Upstream commit 6ac1e6563f5915cd38b6bc6a8b26964b2252f751 ]
Support SMC v2.x features validate for SMC v2.1. This is the frame
code for SMC v2.x features validate, and will take effects only when
the negotiated release version is v2.1 or later.
For Server, v2.x features' validation should be done in smc_clc_srv_
v2x_features_validate when receiving v2.1 or later CLC Proposal Message,
such as max conns, max links negotiation, the decision of the final
value of max conns and max links should be made in this function.
And final check for server when receiving v2.1 or later CLC Confirm
Message should be done in smc_clc_v2x_features_confirm_check.
For client, v2.x features' validation should be done in smc_clc_clnt_
v2x_features_validate when receiving v2.1 or later CLC Accept Message,
for example, the decision to accpt the accepted value or to decline
should be made in this function.
Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
Reviewed-by: Jan Karcher <jaka@linux.ibm.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Stable-dep-of: c68681ae46ea ("net/smc: fix smc clc failed issue when netdevice not in init_net")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/smc/af_smc.c | 18 ++++++++++++++++++
net/smc/smc_clc.c | 46 ++++++++++++++++++++++++++++++++++++++++++++++
net/smc/smc_clc.h | 7 +++++++
3 files changed, 71 insertions(+)
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index 077e5864fc441..fa7b8015cd7bb 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1199,6 +1199,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
(struct smc_clc_msg_accept_confirm_v2 *)aclc;
struct smc_clc_first_contact_ext *fce =
smc_get_clc_first_contact_ext(clc_v2, false);
+ int rc;
if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1)
return 0;
@@ -1219,6 +1220,9 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
}
ini->release_nr = fce->release;
+ rc = smc_clc_clnt_v2x_features_validate(fce, ini);
+ if (rc)
+ return rc;
return 0;
}
@@ -1393,6 +1397,9 @@ static int smc_connect_ism(struct smc_sock *smc,
smc_get_clc_first_contact_ext(aclc_v2, true);
ini->release_nr = fce->release;
+ rc = smc_clc_clnt_v2x_features_validate(fce, ini);
+ if (rc)
+ return rc;
}
rc = smc_v2_determine_accepted_chid(aclc_v2, ini);
@@ -2443,6 +2450,10 @@ static void smc_listen_work(struct work_struct *work)
if (rc)
goto out_decl;
+ rc = smc_clc_srv_v2x_features_validate(pclc, ini);
+ if (rc)
+ goto out_decl;
+
mutex_lock(&smc_server_lgr_pending);
smc_close_init(new_smc);
smc_rx_init(new_smc);
@@ -2475,6 +2486,13 @@ static void smc_listen_work(struct work_struct *work)
goto out_decl;
}
+ rc = smc_clc_v2x_features_confirm_check(cclc, ini);
+ if (rc) {
+ if (!ini->is_smcd)
+ goto out_unlock;
+ goto out_decl;
+ }
+
/* finish worker */
if (!ini->is_smcd) {
rc = smc_listen_rdma_finish(new_smc, cclc,
diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
index fb0be0817e8a5..f50d1b019a80f 100644
--- a/net/smc/smc_clc.c
+++ b/net/smc/smc_clc.c
@@ -1156,6 +1156,52 @@ int smc_clc_send_accept(struct smc_sock *new_smc, bool srv_first_contact,
return len > 0 ? 0 : len;
}
+int smc_clc_srv_v2x_features_validate(struct smc_clc_msg_proposal *pclc,
+ struct smc_init_info *ini)
+{
+ struct smc_clc_v2_extension *pclc_v2_ext;
+
+ if ((!(ini->smcd_version & SMC_V2) && !(ini->smcr_version & SMC_V2)) ||
+ ini->release_nr < SMC_RELEASE_1)
+ return 0;
+
+ pclc_v2_ext = smc_get_clc_v2_ext(pclc);
+ if (!pclc_v2_ext)
+ return SMC_CLC_DECL_NOV2EXT;
+
+ return 0;
+}
+
+int smc_clc_clnt_v2x_features_validate(struct smc_clc_first_contact_ext *fce,
+ struct smc_init_info *ini)
+{
+ if (ini->release_nr < SMC_RELEASE_1)
+ return 0;
+
+ return 0;
+}
+
+int smc_clc_v2x_features_confirm_check(struct smc_clc_msg_accept_confirm *cclc,
+ struct smc_init_info *ini)
+{
+ struct smc_clc_msg_accept_confirm_v2 *clc_v2 =
+ (struct smc_clc_msg_accept_confirm_v2 *)cclc;
+ struct smc_clc_first_contact_ext *fce =
+ smc_get_clc_first_contact_ext(clc_v2, ini->is_smcd);
+
+ if (cclc->hdr.version == SMC_V1 ||
+ !(cclc->hdr.typev2 & SMC_FIRST_CONTACT_MASK))
+ return 0;
+
+ if (ini->release_nr != fce->release)
+ return SMC_CLC_DECL_RELEASEERR;
+
+ if (fce->release < SMC_RELEASE_1)
+ return 0;
+
+ return 0;
+}
+
void smc_clc_get_hostname(u8 **host)
{
*host = &smc_hostname[0];
diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
index b923e89acafb0..32fa56bfa06d5 100644
--- a/net/smc/smc_clc.h
+++ b/net/smc/smc_clc.h
@@ -45,6 +45,7 @@
#define SMC_CLC_DECL_NOSEID 0x03030006 /* peer sent no SEID */
#define SMC_CLC_DECL_NOSMCD2DEV 0x03030007 /* no SMC-Dv2 device found */
#define SMC_CLC_DECL_NOUEID 0x03030008 /* peer sent no UEID */
+#define SMC_CLC_DECL_RELEASEERR 0x03030009 /* release version negotiate failed */
#define SMC_CLC_DECL_MODEUNSUPP 0x03040000 /* smc modes do not match (R or D)*/
#define SMC_CLC_DECL_RMBE_EC 0x03050000 /* peer has eyecatcher in RMBE */
#define SMC_CLC_DECL_OPTUNSUPP 0x03060000 /* fastopen sockopt not supported */
@@ -404,6 +405,12 @@ int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact,
u8 version, u8 *eid, struct smc_init_info *ini);
int smc_clc_send_accept(struct smc_sock *smc, bool srv_first_contact,
u8 version, u8 *negotiated_eid, struct smc_init_info *ini);
+int smc_clc_srv_v2x_features_validate(struct smc_clc_msg_proposal *pclc,
+ struct smc_init_info *ini);
+int smc_clc_clnt_v2x_features_validate(struct smc_clc_first_contact_ext *fce,
+ struct smc_init_info *ini);
+int smc_clc_v2x_features_confirm_check(struct smc_clc_msg_accept_confirm *cclc,
+ struct smc_init_info *ini);
void smc_clc_init(void) __init;
void smc_clc_exit(void);
void smc_clc_get_hostname(u8 **host);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 161/241] net/smc: fix smc clc failed issue when netdevice not in init_net
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (159 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 160/241] net/smc: support smc v2.x features validate Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 162/241] Bluetooth: hci_event: Fix using memcmp when comparing keys Greg Kroah-Hartman
` (89 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Albert Huang, Dust Li, Wenjia Zhang,
Jakub Kicinski, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Albert Huang <huangjie.albert@bytedance.com>
[ Upstream commit c68681ae46eaaa1640b52fe366d21a93b2185df5 ]
If the netdevice is within a container and communicates externally
through network technologies such as VxLAN, we won't be able to find
routing information in the init_net namespace. To address this issue,
we need to add a struct net parameter to the smc_ib_find_route function.
This allow us to locate the routing information within the corresponding
net namespace, ensuring the correct completion of the SMC CLC interaction.
Fixes: e5c4744cfb59 ("net/smc: add SMC-Rv2 connection establishment")
Signed-off-by: Albert Huang <huangjie.albert@bytedance.com>
Reviewed-by: Dust Li <dust.li@linux.alibaba.com>
Reviewed-by: Wenjia Zhang <wenjia@linux.ibm.com>
Link: https://lore.kernel.org/r/20231011074851.95280-1-huangjie.albert@bytedance.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/smc/af_smc.c | 3 ++-
net/smc/smc_ib.c | 7 ++++---
net/smc/smc_ib.h | 2 +-
3 files changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
index fa7b8015cd7bb..01bd576ffa5e1 100644
--- a/net/smc/af_smc.c
+++ b/net/smc/af_smc.c
@@ -1199,6 +1199,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
(struct smc_clc_msg_accept_confirm_v2 *)aclc;
struct smc_clc_first_contact_ext *fce =
smc_get_clc_first_contact_ext(clc_v2, false);
+ struct net *net = sock_net(&smc->sk);
int rc;
if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1)
@@ -1208,7 +1209,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
memcpy(ini->smcrv2.nexthop_mac, &aclc->r0.lcl.mac, ETH_ALEN);
ini->smcrv2.uses_gateway = false;
} else {
- if (smc_ib_find_route(smc->clcsock->sk->sk_rcv_saddr,
+ if (smc_ib_find_route(net, smc->clcsock->sk->sk_rcv_saddr,
smc_ib_gid_to_ipv4(aclc->r0.lcl.gid),
ini->smcrv2.nexthop_mac,
&ini->smcrv2.uses_gateway))
diff --git a/net/smc/smc_ib.c b/net/smc/smc_ib.c
index 9b66d6aeeb1ae..89981dbe46c94 100644
--- a/net/smc/smc_ib.c
+++ b/net/smc/smc_ib.c
@@ -193,7 +193,7 @@ bool smc_ib_port_active(struct smc_ib_device *smcibdev, u8 ibport)
return smcibdev->pattr[ibport - 1].state == IB_PORT_ACTIVE;
}
-int smc_ib_find_route(__be32 saddr, __be32 daddr,
+int smc_ib_find_route(struct net *net, __be32 saddr, __be32 daddr,
u8 nexthop_mac[], u8 *uses_gateway)
{
struct neighbour *neigh = NULL;
@@ -205,7 +205,7 @@ int smc_ib_find_route(__be32 saddr, __be32 daddr,
if (daddr == cpu_to_be32(INADDR_NONE))
goto out;
- rt = ip_route_output_flow(&init_net, &fl4, NULL);
+ rt = ip_route_output_flow(net, &fl4, NULL);
if (IS_ERR(rt))
goto out;
if (rt->rt_uses_gateway && rt->rt_gw_family != AF_INET)
@@ -235,6 +235,7 @@ static int smc_ib_determine_gid_rcu(const struct net_device *ndev,
if (smcrv2 && attr->gid_type == IB_GID_TYPE_ROCE_UDP_ENCAP &&
smc_ib_gid_to_ipv4((u8 *)&attr->gid) != cpu_to_be32(INADDR_NONE)) {
struct in_device *in_dev = __in_dev_get_rcu(ndev);
+ struct net *net = dev_net(ndev);
const struct in_ifaddr *ifa;
bool subnet_match = false;
@@ -248,7 +249,7 @@ static int smc_ib_determine_gid_rcu(const struct net_device *ndev,
}
if (!subnet_match)
goto out;
- if (smcrv2->daddr && smc_ib_find_route(smcrv2->saddr,
+ if (smcrv2->daddr && smc_ib_find_route(net, smcrv2->saddr,
smcrv2->daddr,
smcrv2->nexthop_mac,
&smcrv2->uses_gateway))
diff --git a/net/smc/smc_ib.h b/net/smc/smc_ib.h
index 034295676e881..ebcb05ede7f55 100644
--- a/net/smc/smc_ib.h
+++ b/net/smc/smc_ib.h
@@ -113,7 +113,7 @@ void smc_ib_sync_sg_for_device(struct smc_link *lnk,
int smc_ib_determine_gid(struct smc_ib_device *smcibdev, u8 ibport,
unsigned short vlan_id, u8 gid[], u8 *sgid_index,
struct smc_init_info_smcrv2 *smcrv2);
-int smc_ib_find_route(__be32 saddr, __be32 daddr,
+int smc_ib_find_route(struct net *net, __be32 saddr, __be32 daddr,
u8 nexthop_mac[], u8 *uses_gateway);
bool smc_ib_is_valid_local_systemid(void);
int smcr_nl_get_device(struct sk_buff *skb, struct netlink_callback *cb);
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 162/241] Bluetooth: hci_event: Fix using memcmp when comparing keys
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (160 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 161/241] net/smc: fix smc clc failed issue when netdevice not in init_net Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 163/241] tcp_bpf: properly release resources on error paths Greg Kroah-Hartman
` (88 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
[ Upstream commit b541260615f601ae1b5d6d0cc54e790de706303b ]
memcmp is not consider safe to use with cryptographic secrets:
'Do not use memcmp() to compare security critical data, such as
cryptographic secrets, because the required CPU time depends on the
number of equal bytes.'
While usage of memcmp for ZERO_KEY may not be considered a security
critical data, it can lead to more usage of memcmp with pairing keys
which could introduce more security problems.
Fixes: 455c2ff0a558 ("Bluetooth: Fix BR/EDR out-of-band pairing with only initiator data")
Fixes: 33155c4aae52 ("Bluetooth: hci_event: Ignore NULL link key")
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/bluetooth/hci_event.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/net/bluetooth/hci_event.c b/net/bluetooth/hci_event.c
index 9d8aa6ad23dc2..dd70fd5313840 100644
--- a/net/bluetooth/hci_event.c
+++ b/net/bluetooth/hci_event.c
@@ -26,6 +26,8 @@
/* Bluetooth HCI event handling. */
#include <asm/unaligned.h>
+#include <linux/crypto.h>
+#include <crypto/algapi.h>
#include <net/bluetooth/bluetooth.h>
#include <net/bluetooth/hci_core.h>
@@ -4730,7 +4732,7 @@ static void hci_link_key_notify_evt(struct hci_dev *hdev, void *data,
goto unlock;
/* Ignore NULL link key against CVE-2020-26555 */
- if (!memcmp(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
+ if (!crypto_memneq(ev->link_key, ZERO_KEY, HCI_LINK_KEY_SIZE)) {
bt_dev_dbg(hdev, "Ignore NULL link key (ZERO KEY) for %pMR",
&ev->bdaddr);
hci_disconnect(conn, HCI_ERROR_AUTH_FAILURE);
@@ -5270,8 +5272,8 @@ static u8 bredr_oob_data_present(struct hci_conn *conn)
* available, then do not declare that OOB data is
* present.
*/
- if (!memcmp(data->rand256, ZERO_KEY, 16) ||
- !memcmp(data->hash256, ZERO_KEY, 16))
+ if (!crypto_memneq(data->rand256, ZERO_KEY, 16) ||
+ !crypto_memneq(data->hash256, ZERO_KEY, 16))
return 0x00;
return 0x02;
@@ -5281,8 +5283,8 @@ static u8 bredr_oob_data_present(struct hci_conn *conn)
* not supported by the hardware, then check that if
* P-192 data values are present.
*/
- if (!memcmp(data->rand192, ZERO_KEY, 16) ||
- !memcmp(data->hash192, ZERO_KEY, 16))
+ if (!crypto_memneq(data->rand192, ZERO_KEY, 16) ||
+ !crypto_memneq(data->hash192, ZERO_KEY, 16))
return 0x00;
return 0x01;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 163/241] tcp_bpf: properly release resources on error paths
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (161 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 162/241] Bluetooth: hci_event: Fix using memcmp when comparing keys Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 164/241] mtd: rawnand: qcom: Unmap the right resource upon probe failure Greg Kroah-Hartman
` (87 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Paolo Abeni,
Jakub Sitnicki, Eric Dumazet, John Fastabend, Jakub Kicinski,
Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Paolo Abeni <pabeni@redhat.com>
[ Upstream commit 68b54aeff804acceb02f228ea2e28419272c1fb9 ]
In the blamed commit below, I completely forgot to release the acquired
resources before erroring out in the TCP BPF code, as reported by Dan.
Address the issues by replacing the bogus return with a jump to the
relevant cleanup code.
Fixes: 419ce133ab92 ("tcp: allow again tcp_disconnect() when threads are waiting")
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Acked-by: Jakub Sitnicki <jakub@cloudflare.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/r/8f99194c698bcef12666f0a9a999c58f8b1cb52c.1697557782.git.pabeni@redhat.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
net/ipv4/tcp_bpf.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index ba2e921881248..53b0d62fd2c2d 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -307,8 +307,10 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
}
data = tcp_msg_wait_data(sk, psock, timeo);
- if (data < 0)
- return data;
+ if (data < 0) {
+ copied = data;
+ goto unlock;
+ }
if (data && !sk_psock_queue_empty(psock))
goto msg_bytes_ready;
copied = -EAGAIN;
@@ -319,6 +321,8 @@ static int tcp_bpf_recvmsg_parser(struct sock *sk,
tcp_rcv_space_adjust(sk);
if (copied > 0)
__tcp_cleanup_rbuf(sk, copied);
+
+unlock:
release_sock(sk);
sk_psock_put(sk, psock);
return copied;
@@ -353,8 +357,10 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
timeo = sock_rcvtimeo(sk, flags & MSG_DONTWAIT);
data = tcp_msg_wait_data(sk, psock, timeo);
- if (data < 0)
- return data;
+ if (data < 0) {
+ ret = data;
+ goto unlock;
+ }
if (data) {
if (!sk_psock_queue_empty(psock))
goto msg_bytes_ready;
@@ -365,6 +371,8 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len,
copied = -EAGAIN;
}
ret = copied;
+
+unlock:
release_sock(sk);
sk_psock_put(sk, psock);
return ret;
--
2.40.1
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 164/241] mtd: rawnand: qcom: Unmap the right resource upon probe failure
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (162 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 163/241] tcp_bpf: properly release resources on error paths Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 165/241] mtd: rawnand: pl353: Ensure program page operations are successful Greg Kroah-Hartman
` (86 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Manivannan Sadhasivam,
Bibek Kumar Patro, Miquel Raynal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Bibek Kumar Patro <quic_bibekkum@quicinc.com>
commit 5279f4a9eed3ee7d222b76511ea7a22c89e7eefd upstream.
We currently provide the physical address of the DMA region
rather than the output of dma_map_resource() which is obviously wrong.
Fixes: 7330fc505af4 ("mtd: rawnand: qcom: stop using phys_to_dma()")
Cc: stable@vger.kernel.org
Reviewed-by: Manivannan Sadhasivam <mani@kernel.org>
Signed-off-by: Bibek Kumar Patro <quic_bibekkum@quicinc.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230913070702.12707-1-quic_bibekkum@quicinc.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/qcom_nandc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mtd/nand/raw/qcom_nandc.c
+++ b/drivers/mtd/nand/raw/qcom_nandc.c
@@ -3309,7 +3309,7 @@ err_nandc_alloc:
err_aon_clk:
clk_disable_unprepare(nandc->core_clk);
err_core_clk:
- dma_unmap_resource(dev, res->start, resource_size(res),
+ dma_unmap_resource(dev, nandc->base_dma, resource_size(res),
DMA_BIDIRECTIONAL, 0);
return ret;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 165/241] mtd: rawnand: pl353: Ensure program page operations are successful
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (163 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 164/241] mtd: rawnand: qcom: Unmap the right resource upon probe failure Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 166/241] mtd: rawnand: marvell: " Greg Kroah-Hartman
` (85 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michal Simek, Miquel Raynal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit 9777cc13fd2c3212618904636354be60835e10bb upstream.
The NAND core complies with the ONFI specification, which itself
mentions that after any program or erase operation, a status check
should be performed to see whether the operation was finished *and*
successful.
The NAND core offers helpers to finish a page write (sending the
"PAGE PROG" command, waiting for the NAND chip to be ready again, and
checking the operation status). But in some cases, advanced controller
drivers might want to optimize this and craft their own page write
helper to leverage additional hardware capabilities, thus not always
using the core facilities.
Some drivers, like this one, do not use the core helper to finish a page
write because the final cycles are automatically managed by the
hardware. In this case, the additional care must be taken to manually
perform the final status check.
Let's read the NAND chip status at the end of the page write helper and
return -EIO upon error.
Cc: Michal Simek <michal.simek@amd.com>
Cc: stable@vger.kernel.org
Fixes: 08d8c62164a3 ("mtd: rawnand: pl353: Add support for the ARM PL353 SMC NAND controller")
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Michal Simek <michal.simek@amd.com>
Link: https://lore.kernel.org/linux-mtd/20230717194221.229778-3-miquel.raynal@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/pl35x-nand-controller.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- a/drivers/mtd/nand/raw/pl35x-nand-controller.c
+++ b/drivers/mtd/nand/raw/pl35x-nand-controller.c
@@ -513,6 +513,7 @@ static int pl35x_nand_write_page_hwecc(s
u32 addr1 = 0, addr2 = 0, row;
u32 cmd_addr;
int i, ret;
+ u8 status;
ret = pl35x_smc_set_ecc_mode(nfc, chip, PL35X_SMC_ECC_CFG_MODE_APB);
if (ret)
@@ -565,6 +566,14 @@ static int pl35x_nand_write_page_hwecc(s
if (ret)
goto disable_ecc_engine;
+ /* Check write status on the chip side */
+ ret = nand_status_op(chip, &status);
+ if (ret)
+ goto disable_ecc_engine;
+
+ if (status & NAND_STATUS_FAIL)
+ ret = -EIO;
+
disable_ecc_engine:
pl35x_smc_set_ecc_mode(nfc, chip, PL35X_SMC_ECC_CFG_MODE_BYPASS);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 166/241] mtd: rawnand: marvell: Ensure program page operations are successful
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (164 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 165/241] mtd: rawnand: pl353: Ensure program page operations are successful Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 167/241] mtd: rawnand: arasan: " Greg Kroah-Hartman
` (84 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aviram Dali, Miquel Raynal,
Ravi Chandra Minnikanti
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit 3e01d5254698ea3d18e09d96b974c762328352cd upstream.
The NAND core complies with the ONFI specification, which itself
mentions that after any program or erase operation, a status check
should be performed to see whether the operation was finished *and*
successful.
The NAND core offers helpers to finish a page write (sending the
"PAGE PROG" command, waiting for the NAND chip to be ready again, and
checking the operation status). But in some cases, advanced controller
drivers might want to optimize this and craft their own page write
helper to leverage additional hardware capabilities, thus not always
using the core facilities.
Some drivers, like this one, do not use the core helper to finish a page
write because the final cycles are automatically managed by the
hardware. In this case, the additional care must be taken to manually
perform the final status check.
Let's read the NAND chip status at the end of the page write helper and
return -EIO upon error.
Cc: stable@vger.kernel.org
Fixes: 02f26ecf8c77 ("mtd: nand: add reworked Marvell NAND controller driver")
Reported-by: Aviram Dali <aviramd@marvell.com>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Tested-by: Ravi Chandra Minnikanti <rminnikanti@marvell.com>
Link: https://lore.kernel.org/linux-mtd/20230717194221.229778-1-miquel.raynal@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/marvell_nand.c | 23 ++++++++++++++++++++++-
1 file changed, 22 insertions(+), 1 deletion(-)
--- a/drivers/mtd/nand/raw/marvell_nand.c
+++ b/drivers/mtd/nand/raw/marvell_nand.c
@@ -1162,6 +1162,7 @@ static int marvell_nfc_hw_ecc_hmg_do_wri
.ndcb[2] = NDCB2_ADDR5_PAGE(page),
};
unsigned int oob_bytes = lt->spare_bytes + (raw ? lt->ecc_bytes : 0);
+ u8 status;
int ret;
/* NFCv2 needs more information about the operation being executed */
@@ -1195,7 +1196,18 @@ static int marvell_nfc_hw_ecc_hmg_do_wri
ret = marvell_nfc_wait_op(chip,
PSEC_TO_MSEC(sdr->tPROG_max));
- return ret;
+ if (ret)
+ return ret;
+
+ /* Check write status on the chip side */
+ ret = nand_status_op(chip, &status);
+ if (ret)
+ return ret;
+
+ if (status & NAND_STATUS_FAIL)
+ return -EIO;
+
+ return 0;
}
static int marvell_nfc_hw_ecc_hmg_write_page_raw(struct nand_chip *chip,
@@ -1624,6 +1636,7 @@ static int marvell_nfc_hw_ecc_bch_write_
int data_len = lt->data_bytes;
int spare_len = lt->spare_bytes;
int chunk, ret;
+ u8 status;
marvell_nfc_select_target(chip, chip->cur_cs);
@@ -1660,6 +1673,14 @@ static int marvell_nfc_hw_ecc_bch_write_
if (ret)
return ret;
+ /* Check write status on the chip side */
+ ret = nand_status_op(chip, &status);
+ if (ret)
+ return ret;
+
+ if (status & NAND_STATUS_FAIL)
+ return -EIO;
+
return 0;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 167/241] mtd: rawnand: arasan: Ensure program page operations are successful
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (165 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 166/241] mtd: rawnand: marvell: " Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 168/241] mtd: rawnand: Ensure the nand chip supports cached reads Greg Kroah-Hartman
` (83 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Michal Simek, Miquel Raynal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miquel Raynal <miquel.raynal@bootlin.com>
commit 3a4a893dbb19e229db3b753f0462520b561dee98 upstream.
The NAND core complies with the ONFI specification, which itself
mentions that after any program or erase operation, a status check
should be performed to see whether the operation was finished *and*
successful.
The NAND core offers helpers to finish a page write (sending the
"PAGE PROG" command, waiting for the NAND chip to be ready again, and
checking the operation status). But in some cases, advanced controller
drivers might want to optimize this and craft their own page write
helper to leverage additional hardware capabilities, thus not always
using the core facilities.
Some drivers, like this one, do not use the core helper to finish a page
write because the final cycles are automatically managed by the
hardware. In this case, the additional care must be taken to manually
perform the final status check.
Let's read the NAND chip status at the end of the page write helper and
return -EIO upon error.
Cc: Michal Simek <michal.simek@amd.com>
Cc: stable@vger.kernel.org
Fixes: 88ffef1b65cf ("mtd: rawnand: arasan: Support the hardware BCH ECC engine")
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Acked-by: Michal Simek <michal.simek@amd.com>
Link: https://lore.kernel.org/linux-mtd/20230717194221.229778-2-miquel.raynal@bootlin.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/arasan-nand-controller.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- a/drivers/mtd/nand/raw/arasan-nand-controller.c
+++ b/drivers/mtd/nand/raw/arasan-nand-controller.c
@@ -515,6 +515,7 @@ static int anfc_write_page_hw_ecc(struct
struct mtd_info *mtd = nand_to_mtd(chip);
unsigned int len = mtd->writesize + (oob_required ? mtd->oobsize : 0);
dma_addr_t dma_addr;
+ u8 status;
int ret;
struct anfc_op nfc_op = {
.pkt_reg =
@@ -561,10 +562,21 @@ static int anfc_write_page_hw_ecc(struct
}
/* Spare data is not protected */
- if (oob_required)
+ if (oob_required) {
ret = nand_write_oob_std(chip, page);
+ if (ret)
+ return ret;
+ }
+
+ /* Check write status on the chip side */
+ ret = nand_status_op(chip, &status);
+ if (ret)
+ return ret;
+
+ if (status & NAND_STATUS_FAIL)
+ return -EIO;
- return ret;
+ return 0;
}
static int anfc_sel_write_page_hw_ecc(struct nand_chip *chip, const u8 *buf,
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 168/241] mtd: rawnand: Ensure the nand chip supports cached reads
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (166 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 167/241] mtd: rawnand: arasan: " Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 169/241] mtd: spinand: micron: correct bitmask for ecc status Greg Kroah-Hartman
` (82 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Rouven Czerwinski, Miquel Raynal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Rouven Czerwinski <r.czerwinski@pengutronix.de>
commit f6ca3fb6978f94d95ee79f95085fc22e71ca17cc upstream.
Both the JEDEC and ONFI specification say that read cache sequential
support is an optional command. This means that we not only need to
check whether the individual controller supports the command, we also
need to check the parameter pages for both ONFI and JEDEC NAND flashes
before enabling sequential cache reads.
This fixes support for NAND flashes which don't support enabling cache
reads, i.e. Samsung K9F4G08U0F or Toshiba TC58NVG0S3HTA00.
Sequential cache reads are now only available for ONFI and JEDEC
devices, if individual vendors implement this, it needs to be enabled
per vendor.
Tested on i.MX6Q with a Samsung NAND flash chip that doesn't support
sequential reads.
Fixes: 003fe4b9545b ("mtd: rawnand: Support for sequential cache reads")
Cc: stable@vger.kernel.org
Signed-off-by: Rouven Czerwinski <r.czerwinski@pengutronix.de>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230922141717.35977-1-r.czerwinski@pengutronix.de
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/raw/nand_base.c | 3 +++
drivers/mtd/nand/raw/nand_jedec.c | 3 +++
drivers/mtd/nand/raw/nand_onfi.c | 3 +++
include/linux/mtd/jedec.h | 3 +++
include/linux/mtd/onfi.h | 1 +
include/linux/mtd/rawnand.h | 2 ++
6 files changed, 15 insertions(+)
--- a/drivers/mtd/nand/raw/nand_base.c
+++ b/drivers/mtd/nand/raw/nand_base.c
@@ -5109,6 +5109,9 @@ static void rawnand_check_cont_read_supp
{
struct mtd_info *mtd = nand_to_mtd(chip);
+ if (!chip->parameters.supports_read_cache)
+ return;
+
if (chip->read_retries)
return;
--- a/drivers/mtd/nand/raw/nand_jedec.c
+++ b/drivers/mtd/nand/raw/nand_jedec.c
@@ -94,6 +94,9 @@ int nand_jedec_detect(struct nand_chip *
goto free_jedec_param_page;
}
+ if (p->opt_cmd[0] & JEDEC_OPT_CMD_READ_CACHE)
+ chip->parameters.supports_read_cache = true;
+
memorg->pagesize = le32_to_cpu(p->byte_per_page);
mtd->writesize = memorg->pagesize;
--- a/drivers/mtd/nand/raw/nand_onfi.c
+++ b/drivers/mtd/nand/raw/nand_onfi.c
@@ -303,6 +303,9 @@ int nand_onfi_detect(struct nand_chip *c
ONFI_FEATURE_ADDR_TIMING_MODE, 1);
}
+ if (le16_to_cpu(p->opt_cmd) & ONFI_OPT_CMD_READ_CACHE)
+ chip->parameters.supports_read_cache = true;
+
onfi = kzalloc(sizeof(*onfi), GFP_KERNEL);
if (!onfi) {
ret = -ENOMEM;
--- a/include/linux/mtd/jedec.h
+++ b/include/linux/mtd/jedec.h
@@ -21,6 +21,9 @@ struct jedec_ecc_info {
/* JEDEC features */
#define JEDEC_FEATURE_16_BIT_BUS (1 << 0)
+/* JEDEC Optional Commands */
+#define JEDEC_OPT_CMD_READ_CACHE BIT(1)
+
struct nand_jedec_params {
/* rev info and features block */
/* 'J' 'E' 'S' 'D' */
--- a/include/linux/mtd/onfi.h
+++ b/include/linux/mtd/onfi.h
@@ -55,6 +55,7 @@
#define ONFI_SUBFEATURE_PARAM_LEN 4
/* ONFI optional commands SET/GET FEATURES supported? */
+#define ONFI_OPT_CMD_READ_CACHE BIT(1)
#define ONFI_OPT_CMD_SET_GET_FEATURES BIT(2)
struct nand_onfi_params {
--- a/include/linux/mtd/rawnand.h
+++ b/include/linux/mtd/rawnand.h
@@ -225,6 +225,7 @@ struct gpio_desc;
* struct nand_parameters - NAND generic parameters from the parameter page
* @model: Model name
* @supports_set_get_features: The NAND chip supports setting/getting features
+ * @supports_read_cache: The NAND chip supports read cache operations
* @set_feature_list: Bitmap of features that can be set
* @get_feature_list: Bitmap of features that can be get
* @onfi: ONFI specific parameters
@@ -233,6 +234,7 @@ struct nand_parameters {
/* Generic parameters */
const char *model;
bool supports_set_get_features;
+ bool supports_read_cache;
DECLARE_BITMAP(set_feature_list, ONFI_FEATURE_NUMBER);
DECLARE_BITMAP(get_feature_list, ONFI_FEATURE_NUMBER);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 169/241] mtd: spinand: micron: correct bitmask for ecc status
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (167 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 168/241] mtd: rawnand: Ensure the nand chip supports cached reads Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 170/241] mtd: physmap-core: Restore map_rom fallback Greg Kroah-Hartman
` (81 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Kurbanov, Frieder Schrempf,
Miquel Raynal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Kurbanov <mmkurbanov@sberdevices.ru>
commit 9836a987860e33943945d4b257729a4f94eae576 upstream.
Valid bitmask is 0x70 in the status register.
Fixes: a508e8875e13 ("mtd: spinand: Add initial support for Micron MT29F2G01ABAGD")
Signed-off-by: Martin Kurbanov <mmkurbanov@sberdevices.ru>
Reviewed-by: Frieder Schrempf <frieder.schrempf@kontron.de>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/20230905145637.139068-1-mmkurbanov@sberdevices.ru
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/nand/spi/micron.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mtd/nand/spi/micron.c
+++ b/drivers/mtd/nand/spi/micron.c
@@ -12,7 +12,7 @@
#define SPINAND_MFR_MICRON 0x2c
-#define MICRON_STATUS_ECC_MASK GENMASK(7, 4)
+#define MICRON_STATUS_ECC_MASK GENMASK(6, 4)
#define MICRON_STATUS_ECC_NO_BITFLIPS (0 << 4)
#define MICRON_STATUS_ECC_1TO3_BITFLIPS (1 << 4)
#define MICRON_STATUS_ECC_4TO6_BITFLIPS (3 << 4)
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 170/241] mtd: physmap-core: Restore map_rom fallback
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (168 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 169/241] mtd: spinand: micron: correct bitmask for ecc status Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 171/241] dt-bindings: mmc: sdhci-msm: correct minimum number of clocks Greg Kroah-Hartman
` (80 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Geert Uytterhoeven, Miquel Raynal
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geert Uytterhoeven <geert+renesas@glider.be>
commit 6792b7fce610bcd1cf3e07af3607fe7e2c38c1d8 upstream.
When the exact mapping type driver was not available, the old
physmap_of_core driver fell back to mapping the region as ROM.
Unfortunately this feature was lost when the DT and pdata cases were
merged. Revive this useful feature.
Fixes: 642b1e8dbed7bbbf ("mtd: maps: Merge physmap_of.c into physmap-core.c")
Signed-off-by: Geert Uytterhoeven <geert+renesas@glider.be>
Signed-off-by: Miquel Raynal <miquel.raynal@bootlin.com>
Link: https://lore.kernel.org/linux-mtd/550e8c8c1da4c4baeb3d71ff79b14a18d4194f9e.1693407371.git.geert+renesas@glider.be
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/maps/physmap-core.c | 11 +++++++++++
1 file changed, 11 insertions(+)
--- a/drivers/mtd/maps/physmap-core.c
+++ b/drivers/mtd/maps/physmap-core.c
@@ -552,6 +552,17 @@ static int physmap_flash_probe(struct pl
if (info->probe_type) {
info->mtds[i] = do_map_probe(info->probe_type,
&info->maps[i]);
+
+ /* Fall back to mapping region as ROM */
+ if (!info->mtds[i] && IS_ENABLED(CONFIG_MTD_ROM) &&
+ strcmp(info->probe_type, "map_rom")) {
+ dev_warn(&dev->dev,
+ "map_probe() failed for type %s\n",
+ info->probe_type);
+
+ info->mtds[i] = do_map_probe("map_rom",
+ &info->maps[i]);
+ }
} else {
int j;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 171/241] dt-bindings: mmc: sdhci-msm: correct minimum number of clocks
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (169 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 170/241] mtd: physmap-core: Restore map_rom fallback Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 172/241] mmc: sdhci-pci-gli: fix LPM negotiation so x86/S0ix SoCs can suspend Greg Kroah-Hartman
` (79 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Krzysztof Kozlowski, Conor Dooley,
Ulf Hansson
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit 1bbac8d6af085408885675c1e29b2581250be124 upstream.
In the TXT binding before conversion, the "xo" clock was listed as
optional. Conversion kept it optional in "clock-names", but not in
"clocks". This fixes dbts_check warnings like:
qcom-sdx65-mtp.dtb: mmc@8804000: clocks: [[13, 59], [13, 58]] is too short
Cc: <stable@vger.kernel.org>
Fixes: a45537723f4b ("dt-bindings: mmc: sdhci-msm: Convert bindings to yaml")
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Acked-by: Conor Dooley <conor.dooley@microchip.com>
Link: https://lore.kernel.org/r/20230825135503.282135-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/devicetree/bindings/mmc/sdhci-msm.yaml | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/devicetree/bindings/mmc/sdhci-msm.yaml
+++ b/Documentation/devicetree/bindings/mmc/sdhci-msm.yaml
@@ -69,7 +69,7 @@ properties:
maxItems: 4
clocks:
- minItems: 3
+ minItems: 2
items:
- description: Main peripheral bus clock, PCLK/HCLK - AHB Bus clock
- description: SDC MMC clock, MCLK
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 172/241] mmc: sdhci-pci-gli: fix LPM negotiation so x86/S0ix SoCs can suspend
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (170 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 171/241] dt-bindings: mmc: sdhci-msm: correct minimum number of clocks Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 173/241] mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw Greg Kroah-Hartman
` (78 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Stanislaw Kardach,
Sven van Ashbrook, Adrian Hunter, Ulf Hansson
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sven van Ashbrook <svenva@chromium.org>
commit 1202d617e3d04c8d27a14ef30784a698c48170b3 upstream.
To improve the r/w performance of GL9763E, the current driver inhibits LPM
negotiation while the device is active.
This prevents a large number of SoCs from suspending, notably x86 systems
which commonly use S0ix as the suspend mechanism - for example, Intel
Alder Lake and Raptor Lake processors.
Failure description:
1. Userspace initiates s2idle suspend (e.g. via writing to
/sys/power/state)
2. This switches the runtime_pm device state to active, which disables
LPM negotiation, then calls the "regular" suspend callback
3. With LPM negotiation disabled, the bus cannot enter low-power state
4. On a large number of SoCs, if the bus not in a low-power state, S0ix
cannot be entered, which in turn prevents the SoC from entering
suspend.
Fix by re-enabling LPM negotiation in the device's suspend callback.
Suggested-by: Stanislaw Kardach <skardach@google.com>
Fixes: f9e5b33934ce ("mmc: host: Improve I/O read/write performance for GL9763E")
Cc: stable@vger.kernel.org
Signed-off-by: Sven van Ashbrook <svenva@chromium.org>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Link: https://lore.kernel.org/r/20230831160055.v3.1.I7ed1ca09797be2dd76ca914c57d88b32d24dac88@changeid
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/sdhci-pci-gli.c | 104 ++++++++++++++++++++++++---------------
1 file changed, 66 insertions(+), 38 deletions(-)
--- a/drivers/mmc/host/sdhci-pci-gli.c
+++ b/drivers/mmc/host/sdhci-pci-gli.c
@@ -1144,42 +1144,6 @@ static u32 sdhci_gl9750_readl(struct sdh
return value;
}
-#ifdef CONFIG_PM_SLEEP
-static int sdhci_pci_gli_resume(struct sdhci_pci_chip *chip)
-{
- struct sdhci_pci_slot *slot = chip->slots[0];
-
- pci_free_irq_vectors(slot->chip->pdev);
- gli_pcie_enable_msi(slot);
-
- return sdhci_pci_resume_host(chip);
-}
-
-static int sdhci_cqhci_gli_resume(struct sdhci_pci_chip *chip)
-{
- struct sdhci_pci_slot *slot = chip->slots[0];
- int ret;
-
- ret = sdhci_pci_gli_resume(chip);
- if (ret)
- return ret;
-
- return cqhci_resume(slot->host->mmc);
-}
-
-static int sdhci_cqhci_gli_suspend(struct sdhci_pci_chip *chip)
-{
- struct sdhci_pci_slot *slot = chip->slots[0];
- int ret;
-
- ret = cqhci_suspend(slot->host->mmc);
- if (ret)
- return ret;
-
- return sdhci_suspend_host(slot->host);
-}
-#endif
-
static void gl9763e_hs400_enhanced_strobe(struct mmc_host *mmc,
struct mmc_ios *ios)
{
@@ -1420,6 +1384,70 @@ static int gl9763e_runtime_resume(struct
}
#endif
+#ifdef CONFIG_PM_SLEEP
+static int sdhci_pci_gli_resume(struct sdhci_pci_chip *chip)
+{
+ struct sdhci_pci_slot *slot = chip->slots[0];
+
+ pci_free_irq_vectors(slot->chip->pdev);
+ gli_pcie_enable_msi(slot);
+
+ return sdhci_pci_resume_host(chip);
+}
+
+static int gl9763e_resume(struct sdhci_pci_chip *chip)
+{
+ struct sdhci_pci_slot *slot = chip->slots[0];
+ int ret;
+
+ ret = sdhci_pci_gli_resume(chip);
+ if (ret)
+ return ret;
+
+ ret = cqhci_resume(slot->host->mmc);
+ if (ret)
+ return ret;
+
+ /*
+ * Disable LPM negotiation to bring device back in sync
+ * with its runtime_pm state.
+ */
+ gl9763e_set_low_power_negotiation(slot, false);
+
+ return 0;
+}
+
+static int gl9763e_suspend(struct sdhci_pci_chip *chip)
+{
+ struct sdhci_pci_slot *slot = chip->slots[0];
+ int ret;
+
+ /*
+ * Certain SoCs can suspend only with the bus in low-
+ * power state, notably x86 SoCs when using S0ix.
+ * Re-enable LPM negotiation to allow entering L1 state
+ * and entering system suspend.
+ */
+ gl9763e_set_low_power_negotiation(slot, true);
+
+ ret = cqhci_suspend(slot->host->mmc);
+ if (ret)
+ goto err_suspend;
+
+ ret = sdhci_suspend_host(slot->host);
+ if (ret)
+ goto err_suspend_host;
+
+ return 0;
+
+err_suspend_host:
+ cqhci_resume(slot->host->mmc);
+err_suspend:
+ gl9763e_set_low_power_negotiation(slot, false);
+ return ret;
+}
+#endif
+
static int gli_probe_slot_gl9763e(struct sdhci_pci_slot *slot)
{
struct pci_dev *pdev = slot->chip->pdev;
@@ -1527,8 +1555,8 @@ const struct sdhci_pci_fixes sdhci_gl976
.probe_slot = gli_probe_slot_gl9763e,
.ops = &sdhci_gl9763e_ops,
#ifdef CONFIG_PM_SLEEP
- .resume = sdhci_cqhci_gli_resume,
- .suspend = sdhci_cqhci_gli_suspend,
+ .resume = gl9763e_resume,
+ .suspend = gl9763e_suspend,
#endif
#ifdef CONFIG_PM
.runtime_suspend = gl9763e_runtime_suspend,
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 173/241] mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (171 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 172/241] mmc: sdhci-pci-gli: fix LPM negotiation so x86/S0ix SoCs can suspend Greg Kroah-Hartman
@ 2023-10-23 10:55 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 174/241] mmc: core: Fix error propagation for some ioctl commands Greg Kroah-Hartman
` (77 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:55 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Pablo Sun, Chen-Yu Tsai,
AngeloGioacchino Del Regno, Ulf Hansson
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Pablo Sun <pablo.sun@mediatek.com>
commit c7bb120c1c66672b657e95d0942c989b8275aeb3 upstream.
Use atomic readl_poll_timeout_atomic, because msdc_reset_hw
may be invoked in IRQ handler in the following context:
msdc_irq() -> msdc_cmd_done() -> msdc_reset_hw()
The following kernel BUG stack trace can be observed on
Genio 1200 EVK after initializing MSDC1 hardware during kernel boot:
[ 1.187441] BUG: scheduling while atomic: swapper/0/0/0x00010002
[ 1.189157] Modules linked in:
[ 1.204633] CPU: 0 PID: 0 Comm: swapper/0 Tainted: G W 5.15.42-mtk+modified #1
[ 1.205713] Hardware name: MediaTek Genio 1200 EVK-P1V2-EMMC (DT)
[ 1.206484] Call trace:
[ 1.206796] dump_backtrace+0x0/0x1ac
[ 1.207266] show_stack+0x24/0x30
[ 1.207692] dump_stack_lvl+0x68/0x84
[ 1.208162] dump_stack+0x1c/0x38
[ 1.208587] __schedule_bug+0x68/0x80
[ 1.209056] __schedule+0x6ec/0x7c0
[ 1.209502] schedule+0x7c/0x110
[ 1.209915] schedule_hrtimeout_range_clock+0xc4/0x1f0
[ 1.210569] schedule_hrtimeout_range+0x20/0x30
[ 1.211148] usleep_range_state+0x84/0xc0
[ 1.211661] msdc_reset_hw+0xc8/0x1b0
[ 1.212134] msdc_cmd_done.isra.0+0x4ac/0x5f0
[ 1.212693] msdc_irq+0x104/0x2d4
[ 1.213121] __handle_irq_event_percpu+0x68/0x280
[ 1.213725] handle_irq_event+0x70/0x15c
[ 1.214230] handle_fasteoi_irq+0xb0/0x1a4
[ 1.214755] handle_domain_irq+0x6c/0x9c
[ 1.215260] gic_handle_irq+0xc4/0x180
[ 1.215741] call_on_irq_stack+0x2c/0x54
[ 1.216245] do_interrupt_handler+0x5c/0x70
[ 1.216782] el1_interrupt+0x30/0x80
[ 1.217242] el1h_64_irq_handler+0x1c/0x2c
[ 1.217769] el1h_64_irq+0x78/0x7c
[ 1.218206] cpuidle_enter_state+0xc8/0x600
[ 1.218744] cpuidle_enter+0x44/0x5c
[ 1.219205] do_idle+0x224/0x2d0
[ 1.219624] cpu_startup_entry+0x30/0x80
[ 1.220129] rest_init+0x108/0x134
[ 1.220568] arch_call_rest_init+0x1c/0x28
[ 1.221094] start_kernel+0x6c0/0x700
[ 1.221564] __primary_switched+0xc0/0xc8
Fixes: ffaea6ebfe9c ("mmc: mtk-sd: Use readl_poll_timeout instead of open-coded polling")
Signed-off-by: Pablo Sun <pablo.sun@mediatek.com>
Reviewed-by: Chen-Yu Tsai <wenst@chromium.org>
Reviewed-by: AngeloGioacchino Del Regno <angelogioachino.delregno@collabora.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20230922095348.22182-1-pablo.sun@mediatek.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/host/mtk-sd.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- a/drivers/mmc/host/mtk-sd.c
+++ b/drivers/mmc/host/mtk-sd.c
@@ -671,11 +671,11 @@ static void msdc_reset_hw(struct msdc_ho
u32 val;
sdr_set_bits(host->base + MSDC_CFG, MSDC_CFG_RST);
- readl_poll_timeout(host->base + MSDC_CFG, val, !(val & MSDC_CFG_RST), 0, 0);
+ readl_poll_timeout_atomic(host->base + MSDC_CFG, val, !(val & MSDC_CFG_RST), 0, 0);
sdr_set_bits(host->base + MSDC_FIFOCS, MSDC_FIFOCS_CLR);
- readl_poll_timeout(host->base + MSDC_FIFOCS, val,
- !(val & MSDC_FIFOCS_CLR), 0, 0);
+ readl_poll_timeout_atomic(host->base + MSDC_FIFOCS, val,
+ !(val & MSDC_FIFOCS_CLR), 0, 0);
val = readl(host->base + MSDC_INT);
writel(val, host->base + MSDC_INT);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 174/241] mmc: core: Fix error propagation for some ioctl commands
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (172 preceding siblings ...)
2023-10-23 10:55 ` [PATCH 6.5 173/241] mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 175/241] mmc: core: sdio: hold retuning if sdio in 1-bit mode Greg Kroah-Hartman
` (76 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Avri Altman, Christian Loehle, Ulf Hansson
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ulf Hansson <ulf.hansson@linaro.org>
commit f19c5a73e6f78d69efce66cfdce31148c76a61a6 upstream.
Userspace has currently no way of checking the internal R1 response error
bits for some commands. This is a problem for some commands, like RPMB for
example. Typically, we may detect that the busy completion has successfully
ended, while in fact the card did not complete the requested operation.
To fix the problem, let's always poll with CMD13 for these commands and
during the polling, let's also aggregate the R1 response bits. Before
completing the ioctl request, let's propagate the R1 response bits too.
Reviewed-by: Avri Altman <avri.altman@wdc.com>
Co-developed-by: Christian Loehle <christian.loehle@arm.com>
Signed-off-by: Christian Loehle <christian.loehle@arm.com>
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20230913112921.553019-1-ulf.hansson@linaro.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/core/block.c | 31 ++++++++++++++++++++-----------
1 file changed, 20 insertions(+), 11 deletions(-)
--- a/drivers/mmc/core/block.c
+++ b/drivers/mmc/core/block.c
@@ -179,6 +179,7 @@ static void mmc_blk_rw_rq_prep(struct mm
struct mmc_queue *mq);
static void mmc_blk_hsq_req_done(struct mmc_request *mrq);
static int mmc_spi_err_check(struct mmc_card *card);
+static int mmc_blk_busy_cb(void *cb_data, bool *busy);
static struct mmc_blk_data *mmc_blk_get(struct gendisk *disk)
{
@@ -470,7 +471,7 @@ static int __mmc_blk_ioctl_cmd(struct mm
struct mmc_data data = {};
struct mmc_request mrq = {};
struct scatterlist sg;
- bool r1b_resp, use_r1b_resp = false;
+ bool r1b_resp;
unsigned int busy_timeout_ms;
int err;
unsigned int target_part;
@@ -551,8 +552,7 @@ static int __mmc_blk_ioctl_cmd(struct mm
busy_timeout_ms = idata->ic.cmd_timeout_ms ? : MMC_BLK_TIMEOUT_MS;
r1b_resp = (cmd.flags & MMC_RSP_R1B) == MMC_RSP_R1B;
if (r1b_resp)
- use_r1b_resp = mmc_prepare_busy_cmd(card->host, &cmd,
- busy_timeout_ms);
+ mmc_prepare_busy_cmd(card->host, &cmd, busy_timeout_ms);
mmc_wait_for_req(card->host, &mrq);
memcpy(&idata->ic.response, cmd.resp, sizeof(cmd.resp));
@@ -605,19 +605,28 @@ static int __mmc_blk_ioctl_cmd(struct mm
if (idata->ic.postsleep_min_us)
usleep_range(idata->ic.postsleep_min_us, idata->ic.postsleep_max_us);
- /* No need to poll when using HW busy detection. */
- if ((card->host->caps & MMC_CAP_WAIT_WHILE_BUSY) && use_r1b_resp)
- return 0;
-
if (mmc_host_is_spi(card->host)) {
if (idata->ic.write_flag || r1b_resp || cmd.flags & MMC_RSP_SPI_BUSY)
return mmc_spi_err_check(card);
return err;
}
- /* Ensure RPMB/R1B command has completed by polling with CMD13. */
- if (idata->rpmb || r1b_resp)
- err = mmc_poll_for_busy(card, busy_timeout_ms, false,
- MMC_BUSY_IO);
+
+ /*
+ * Ensure RPMB, writes and R1B responses are completed by polling with
+ * CMD13. Note that, usually we don't need to poll when using HW busy
+ * detection, but here it's needed since some commands may indicate the
+ * error through the R1 status bits.
+ */
+ if (idata->rpmb || idata->ic.write_flag || r1b_resp) {
+ struct mmc_blk_busy_data cb_data = {
+ .card = card,
+ };
+
+ err = __mmc_poll_for_busy(card->host, 0, busy_timeout_ms,
+ &mmc_blk_busy_cb, &cb_data);
+
+ idata->ic.response[0] = cb_data.status;
+ }
return err;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 175/241] mmc: core: sdio: hold retuning if sdio in 1-bit mode
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (173 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 174/241] mmc: core: Fix error propagation for some ioctl commands Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 176/241] mmc: core: Capture correct oemid-bits for eMMC cards Greg Kroah-Hartman
` (75 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Haibo Chen, Adrian Hunter, Ulf Hansson
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
commit 32a9cdb8869dc111a0c96cf8e1762be9684af15b upstream.
tuning only support in 4-bit mode or 8 bit mode, so in 1-bit mode,
need to hold retuning.
Find this issue when use manual tuning method on imx93. When system
resume back, SDIO WIFI try to switch back to 4 bit mode, first will
trigger retuning, and all tuning command failed.
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Acked-by: Adrian Hunter <adrian.hunter@intel.com>
Fixes: dfa13ebbe334 ("mmc: host: Add facility to support re-tuning")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20230830093922.3095850-1-haibo.chen@nxp.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/core/sdio.c | 8 +++++++-
1 file changed, 7 insertions(+), 1 deletion(-)
--- a/drivers/mmc/core/sdio.c
+++ b/drivers/mmc/core/sdio.c
@@ -1089,8 +1089,14 @@ static int mmc_sdio_resume(struct mmc_ho
}
err = mmc_sdio_reinit_card(host);
} else if (mmc_card_wake_sdio_irq(host)) {
- /* We may have switched to 1-bit mode during suspend */
+ /*
+ * We may have switched to 1-bit mode during suspend,
+ * need to hold retuning, because tuning only supprt
+ * 4-bit mode or 8 bit mode.
+ */
+ mmc_retune_hold_now(host);
err = sdio_enable_4bit_bus(host->card);
+ mmc_retune_release(host);
}
if (err)
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 176/241] mmc: core: Capture correct oemid-bits for eMMC cards
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (174 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 175/241] mmc: core: sdio: hold retuning if sdio in 1-bit mode Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 177/241] pinctrl: qcom: lpass-lpi: fix concurrent register updates Greg Kroah-Hartman
` (74 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Avri Altman, Ulf Hansson
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Avri Altman <avri.altman@wdc.com>
commit 84ee19bffc9306128cd0f1c650e89767079efeff upstream.
The OEMID is an 8-bit binary number rather than 16-bit as the current code
parses for. The OEMID occupies bits [111:104] in the CID register, see the
eMMC spec JESD84-B51 paragraph 7.2.3. It seems that the 16-bit comes from
the legacy MMC specs (v3.31 and before).
Let's fix the parsing by simply move to use 8-bit instead of 16-bit. This
means we ignore the impact on some of those old MMC cards that may be out
there, but on the other hand this shouldn't be a problem as the OEMID seems
not be an important feature for these cards.
Signed-off-by: Avri Altman <avri.altman@wdc.com>
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20230927071500.1791882-1-avri.altman@wdc.com
Signed-off-by: Ulf Hansson <ulf.hansson@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mmc/core/mmc.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/mmc/core/mmc.c
+++ b/drivers/mmc/core/mmc.c
@@ -104,7 +104,7 @@ static int mmc_decode_cid(struct mmc_car
case 3: /* MMC v3.1 - v3.3 */
case 4: /* MMC v4 */
card->cid.manfid = UNSTUFF_BITS(resp, 120, 8);
- card->cid.oemid = UNSTUFF_BITS(resp, 104, 16);
+ card->cid.oemid = UNSTUFF_BITS(resp, 104, 8);
card->cid.prod_name[0] = UNSTUFF_BITS(resp, 96, 8);
card->cid.prod_name[1] = UNSTUFF_BITS(resp, 88, 8);
card->cid.prod_name[2] = UNSTUFF_BITS(resp, 80, 8);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 177/241] pinctrl: qcom: lpass-lpi: fix concurrent register updates
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (175 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 176/241] mmc: core: Capture correct oemid-bits for eMMC cards Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 178/241] Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()" Greg Kroah-Hartman
` (73 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Linus Walleij, Krzysztof Kozlowski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
commit c8befdc411e5fd1bf95a13e8744c8ca79b412bee upstream.
The Qualcomm LPASS LPI pin controller driver uses one lock for guarding
Read-Modify-Write code for slew rate registers. However the pin
configuration and muxing registers have exactly the same RMW code but
are not protected.
Pin controller framework does not provide locking here, thus it is
possible to trigger simultaneous change of pin configuration registers
resulting in non-atomic changes.
Protect from concurrent access by re-using the same lock used to cover
the slew rate register. Using the same lock instead of adding second
one will make more sense, once we add support for newer Qualcomm SoC,
where slew rate is configured in the same register as pin
configuration/muxing.
Fixes: 6e261d1090d6 ("pinctrl: qcom: Add sm8250 lpass lpi pinctrl driver")
Cc: stable@vger.kernel.org
Reviewed-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Krzysztof Kozlowski <krzysztof.kozlowski@linaro.org>
Link: https://lore.kernel.org/r/20231013145705.219954-1-krzysztof.kozlowski@linaro.org
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/qcom/pinctrl-lpass-lpi.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
--- a/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c
+++ b/drivers/pinctrl/qcom/pinctrl-lpass-lpi.c
@@ -31,7 +31,8 @@ struct lpi_pinctrl {
char __iomem *tlmm_base;
char __iomem *slew_base;
struct clk_bulk_data clks[MAX_LPI_NUM_CLKS];
- struct mutex slew_access_lock;
+ /* Protects from concurrent register updates */
+ struct mutex lock;
DECLARE_BITMAP(ever_gpio, MAX_NR_GPIO);
const struct lpi_pinctrl_variant_data *data;
};
@@ -102,6 +103,7 @@ static int lpi_gpio_set_mux(struct pinct
if (WARN_ON(i == g->nfuncs))
return -EINVAL;
+ mutex_lock(&pctrl->lock);
val = lpi_gpio_read(pctrl, pin, LPI_GPIO_CFG_REG);
/*
@@ -127,6 +129,7 @@ static int lpi_gpio_set_mux(struct pinct
u32p_replace_bits(&val, i, LPI_GPIO_FUNCTION_MASK);
lpi_gpio_write(pctrl, pin, LPI_GPIO_CFG_REG, val);
+ mutex_unlock(&pctrl->lock);
return 0;
}
@@ -232,14 +235,14 @@ static int lpi_config_set(struct pinctrl
if (slew_offset == LPI_NO_SLEW)
break;
- mutex_lock(&pctrl->slew_access_lock);
+ mutex_lock(&pctrl->lock);
sval = ioread32(pctrl->slew_base + LPI_SLEW_RATE_CTL_REG);
sval &= ~(LPI_SLEW_RATE_MASK << slew_offset);
sval |= arg << slew_offset;
iowrite32(sval, pctrl->slew_base + LPI_SLEW_RATE_CTL_REG);
- mutex_unlock(&pctrl->slew_access_lock);
+ mutex_unlock(&pctrl->lock);
break;
default:
return -EINVAL;
@@ -255,6 +258,7 @@ static int lpi_config_set(struct pinctrl
lpi_gpio_write(pctrl, group, LPI_GPIO_VALUE_REG, val);
}
+ mutex_lock(&pctrl->lock);
val = lpi_gpio_read(pctrl, group, LPI_GPIO_CFG_REG);
u32p_replace_bits(&val, pullup, LPI_GPIO_PULL_MASK);
@@ -263,6 +267,7 @@ static int lpi_config_set(struct pinctrl
u32p_replace_bits(&val, output_enabled, LPI_GPIO_OE_MASK);
lpi_gpio_write(pctrl, group, LPI_GPIO_CFG_REG, val);
+ mutex_unlock(&pctrl->lock);
return 0;
}
@@ -464,7 +469,7 @@ int lpi_pinctrl_probe(struct platform_de
pctrl->chip.label = dev_name(dev);
pctrl->chip.can_sleep = false;
- mutex_init(&pctrl->slew_access_lock);
+ mutex_init(&pctrl->lock);
pctrl->ctrl = devm_pinctrl_register(dev, &pctrl->desc, pctrl);
if (IS_ERR(pctrl->ctrl)) {
@@ -486,7 +491,7 @@ int lpi_pinctrl_probe(struct platform_de
return 0;
err_pinctrl:
- mutex_destroy(&pctrl->slew_access_lock);
+ mutex_destroy(&pctrl->lock);
clk_bulk_disable_unprepare(MAX_LPI_NUM_CLKS, pctrl->clks);
return ret;
@@ -498,7 +503,7 @@ int lpi_pinctrl_remove(struct platform_d
struct lpi_pinctrl *pctrl = platform_get_drvdata(pdev);
int i;
- mutex_destroy(&pctrl->slew_access_lock);
+ mutex_destroy(&pctrl->lock);
clk_bulk_disable_unprepare(MAX_LPI_NUM_CLKS, pctrl->clks);
for (i = 0; i < pctrl->data->npins; i++)
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 178/241] Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()"
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (176 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 177/241] pinctrl: qcom: lpass-lpi: fix concurrent register updates Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 179/241] pNFS: Fix a hang in nfs4_evict_inode() Greg Kroah-Hartman
` (72 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Andy Shevchenko, Linus Walleij
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit 62140a1e4dec4594d5d1e1d353747bf2ef434e8b upstream.
The commit breaks MMC enumeration on the Intel Merrifield
plaform.
Before:
[ 36.439057] mmc0: SDHCI controller on PCI [0000:00:01.0] using ADMA
[ 36.450924] mmc2: SDHCI controller on PCI [0000:00:01.3] using ADMA
[ 36.459355] mmc1: SDHCI controller on PCI [0000:00:01.2] using ADMA
[ 36.706399] mmc0: new DDR MMC card at address 0001
[ 37.058972] mmc2: new ultra high speed DDR50 SDIO card at address 0001
[ 37.278977] mmcblk0: mmc0:0001 H4G1d 3.64 GiB
[ 37.297300] mmcblk0: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10
After:
[ 36.436704] mmc2: SDHCI controller on PCI [0000:00:01.3] using ADMA
[ 36.436720] mmc1: SDHCI controller on PCI [0000:00:01.0] using ADMA
[ 36.463685] mmc0: SDHCI controller on PCI [0000:00:01.2] using ADMA
[ 36.720627] mmc1: new DDR MMC card at address 0001
[ 37.068181] mmc2: new ultra high speed DDR50 SDIO card at address 0001
[ 37.279998] mmcblk1: mmc1:0001 H4G1d 3.64 GiB
[ 37.302670] mmcblk1: p1 p2 p3 p4 p5 p6 p7 p8 p9 p10
This reverts commit c153a4edff6ab01370fcac8e46f9c89cca1060c2.
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Link: https://lore.kernel.org/r/20231017141806.535191-1-andriy.shevchenko@linux.intel.com
Signed-off-by: Linus Walleij <linus.walleij@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/pinctrl/core.c | 16 +++++++---------
1 file changed, 7 insertions(+), 9 deletions(-)
--- a/drivers/pinctrl/core.c
+++ b/drivers/pinctrl/core.c
@@ -1012,20 +1012,17 @@ static int add_setting(struct pinctrl *p
static struct pinctrl *find_pinctrl(struct device *dev)
{
- struct pinctrl *entry, *p = NULL;
+ struct pinctrl *p;
mutex_lock(&pinctrl_list_mutex);
-
- list_for_each_entry(entry, &pinctrl_list, node) {
- if (entry->dev == dev) {
- p = entry;
- kref_get(&p->users);
- break;
+ list_for_each_entry(p, &pinctrl_list, node)
+ if (p->dev == dev) {
+ mutex_unlock(&pinctrl_list_mutex);
+ return p;
}
- }
mutex_unlock(&pinctrl_list_mutex);
- return p;
+ return NULL;
}
static void pinctrl_free(struct pinctrl *p, bool inlist);
@@ -1133,6 +1130,7 @@ struct pinctrl *pinctrl_get(struct devic
p = find_pinctrl(dev);
if (p) {
dev_dbg(dev, "obtain a copy of previously claimed pinctrl\n");
+ kref_get(&p->users);
return p;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 179/241] pNFS: Fix a hang in nfs4_evict_inode()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (177 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 178/241] Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()" Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 180/241] pNFS/flexfiles: Check the layout validity in ff_layout_mirror_prepare_stats Greg Kroah-Hartman
` (71 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Anna Schumaker
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
commit f63955721a8020e979b99cc417dcb6da3106aa24 upstream.
We are not allowed to call pnfs_mark_matching_lsegs_return() without
also holding a reference to the layout header, since doing so could lead
to the reference count going to zero when we call
pnfs_layout_remove_lseg(). This again can lead to a hang when we get to
nfs4_evict_inode() and are unable to clear the layout pointer.
pnfs_layout_return_unused_byserver() is guilty of this behaviour, and
has been seen to trigger the refcount warning prior to a hang.
Fixes: b6d49ecd1081 ("NFSv4: Fix a pNFS layout related use-after-free race when freeing the inode")
Cc: stable@vger.kernel.org
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/pnfs.c | 33 +++++++++++++++++++++++----------
1 file changed, 23 insertions(+), 10 deletions(-)
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -2634,31 +2634,44 @@ pnfs_should_return_unused_layout(struct
return mode == 0;
}
-static int
-pnfs_layout_return_unused_byserver(struct nfs_server *server, void *data)
+static int pnfs_layout_return_unused_byserver(struct nfs_server *server,
+ void *data)
{
const struct pnfs_layout_range *range = data;
+ const struct cred *cred;
struct pnfs_layout_hdr *lo;
struct inode *inode;
+ nfs4_stateid stateid;
+ enum pnfs_iomode iomode;
+
restart:
rcu_read_lock();
list_for_each_entry_rcu(lo, &server->layouts, plh_layouts) {
- if (!pnfs_layout_can_be_returned(lo) ||
+ inode = lo->plh_inode;
+ if (!inode || !pnfs_layout_can_be_returned(lo) ||
test_bit(NFS_LAYOUT_RETURN_REQUESTED, &lo->plh_flags))
continue;
- inode = lo->plh_inode;
spin_lock(&inode->i_lock);
- if (!pnfs_should_return_unused_layout(lo, range)) {
+ if (!lo->plh_inode ||
+ !pnfs_should_return_unused_layout(lo, range)) {
spin_unlock(&inode->i_lock);
continue;
}
+ pnfs_get_layout_hdr(lo);
+ pnfs_set_plh_return_info(lo, range->iomode, 0);
+ if (pnfs_mark_matching_lsegs_return(lo, &lo->plh_return_segs,
+ range, 0) != 0 ||
+ !pnfs_prepare_layoutreturn(lo, &stateid, &cred, &iomode)) {
+ spin_unlock(&inode->i_lock);
+ rcu_read_unlock();
+ pnfs_put_layout_hdr(lo);
+ cond_resched();
+ goto restart;
+ }
spin_unlock(&inode->i_lock);
- inode = pnfs_grab_inode_layout_hdr(lo);
- if (!inode)
- continue;
rcu_read_unlock();
- pnfs_mark_layout_for_return(inode, range);
- iput(inode);
+ pnfs_send_layoutreturn(lo, &stateid, &cred, iomode, false);
+ pnfs_put_layout_hdr(lo);
cond_resched();
goto restart;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 180/241] pNFS/flexfiles: Check the layout validity in ff_layout_mirror_prepare_stats
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (178 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 179/241] pNFS: Fix a hang in nfs4_evict_inode() Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 181/241] NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server Greg Kroah-Hartman
` (70 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Anna Schumaker
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Trond Myklebust <trond.myklebust@hammerspace.com>
commit e1c6cfbb3bd1377e2ddcbe06cf8fb1ec323ea7d3 upstream.
Ensure that we check the layout pointer and validity after dereferencing
it in ff_layout_mirror_prepare_stats.
Fixes: 08e2e5bc6c9a ("pNFS/flexfiles: Clean up layoutstats")
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/flexfilelayout/flexfilelayout.c | 17 ++++++++++-------
1 file changed, 10 insertions(+), 7 deletions(-)
--- a/fs/nfs/flexfilelayout/flexfilelayout.c
+++ b/fs/nfs/flexfilelayout/flexfilelayout.c
@@ -2520,9 +2520,9 @@ ff_layout_mirror_prepare_stats(struct pn
return i;
}
-static int
-ff_layout_prepare_layoutstats(struct nfs42_layoutstat_args *args)
+static int ff_layout_prepare_layoutstats(struct nfs42_layoutstat_args *args)
{
+ struct pnfs_layout_hdr *lo;
struct nfs4_flexfile_layout *ff_layout;
const int dev_count = PNFS_LAYOUTSTATS_MAXDEV;
@@ -2533,11 +2533,14 @@ ff_layout_prepare_layoutstats(struct nfs
return -ENOMEM;
spin_lock(&args->inode->i_lock);
- ff_layout = FF_LAYOUT_FROM_HDR(NFS_I(args->inode)->layout);
- args->num_dev = ff_layout_mirror_prepare_stats(&ff_layout->generic_hdr,
- &args->devinfo[0],
- dev_count,
- NFS4_FF_OP_LAYOUTSTATS);
+ lo = NFS_I(args->inode)->layout;
+ if (lo && pnfs_layout_is_valid(lo)) {
+ ff_layout = FF_LAYOUT_FROM_HDR(lo);
+ args->num_dev = ff_layout_mirror_prepare_stats(
+ &ff_layout->generic_hdr, &args->devinfo[0], dev_count,
+ NFS4_FF_OP_LAYOUTSTATS);
+ } else
+ args->num_dev = 0;
spin_unlock(&args->inode->i_lock);
if (!args->num_dev) {
kfree(args->devinfo);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 181/241] NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (179 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 180/241] pNFS/flexfiles: Check the layout validity in ff_layout_mirror_prepare_stats Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 182/241] ACPI: irq: Fix incorrect return value in acpi_register_gsi() Greg Kroah-Hartman
` (69 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Olga Kornievskaia, Anna Schumaker
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Olga Kornievskaia <kolga@netapp.com>
commit 379e4adfddd6a2f95a4f2029b8ddcbacf92b21f9 upstream.
This patches fixes commit 51d674a5e488 "NFSv4.1: use
EXCHGID4_FLAG_USE_PNFS_DS for DS server", purpose of that
commit was to mark EXCHANGE_ID to the DS with the appropriate
flag.
However, connection to MDS can return both EXCHGID4_FLAG_USE_PNFS_DS
and EXCHGID4_FLAG_USE_PNFS_MDS set but previous patch would only
remember the USE_PNFS_DS and for the 2nd EXCHANGE_ID send that
to the MDS.
Instead, just mark the pnfs path exclusively.
Fixes: 51d674a5e488 ("NFSv4.1: use EXCHGID4_FLAG_USE_PNFS_DS for DS server")
Signed-off-by: Olga Kornievskaia <kolga@netapp.com>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/nfs4proc.c | 2 --
1 file changed, 2 deletions(-)
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -8870,8 +8870,6 @@ static int _nfs4_proc_exchange_id(struct
/* Save the EXCHANGE_ID verifier session trunk tests */
memcpy(clp->cl_confirm.data, argp->verifier.data,
sizeof(clp->cl_confirm.data));
- if (resp->flags & EXCHGID4_FLAG_USE_PNFS_DS)
- set_bit(NFS_CS_DS, &clp->cl_flags);
out:
trace_nfs4_exchange_id(clp, status);
rpc_put_task(task);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 182/241] ACPI: irq: Fix incorrect return value in acpi_register_gsi()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (180 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 181/241] NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 183/241] ACPI: bus: Move acpi_arm_init() to the place of after acpi_ghes_init() Greg Kroah-Hartman
` (68 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Sunil V L, Rafael J. Wysocki
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Sunil V L <sunilvl@ventanamicro.com>
commit 0c21a18d5d6c6a73d098fb9b4701572370942df9 upstream.
acpi_register_gsi() should return a negative value in case of failure.
Currently, it returns the return value from irq_create_fwspec_mapping().
However, irq_create_fwspec_mapping() returns 0 for failure. Fix the
issue by returning -EINVAL if irq_create_fwspec_mapping() returns zero.
Fixes: d44fa3d46079 ("ACPI: Add support for ResourceSource/IRQ domain mapping")
Cc: 4.11+ <stable@vger.kernel.org> # 4.11+
Signed-off-by: Sunil V L <sunilvl@ventanamicro.com>
[ rjw: Rename a new local variable ]
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/irq.c | 7 ++++++-
1 file changed, 6 insertions(+), 1 deletion(-)
--- a/drivers/acpi/irq.c
+++ b/drivers/acpi/irq.c
@@ -57,6 +57,7 @@ int acpi_register_gsi(struct device *dev
int polarity)
{
struct irq_fwspec fwspec;
+ unsigned int irq;
fwspec.fwnode = acpi_get_gsi_domain_id(gsi);
if (WARN_ON(!fwspec.fwnode)) {
@@ -68,7 +69,11 @@ int acpi_register_gsi(struct device *dev
fwspec.param[1] = acpi_dev_get_irq_type(trigger, polarity);
fwspec.param_count = 2;
- return irq_create_fwspec_mapping(&fwspec);
+ irq = irq_create_fwspec_mapping(&fwspec);
+ if (!irq)
+ return -EINVAL;
+
+ return irq;
}
EXPORT_SYMBOL_GPL(acpi_register_gsi);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 183/241] ACPI: bus: Move acpi_arm_init() to the place of after acpi_ghes_init()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (181 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 182/241] ACPI: irq: Fix incorrect return value in acpi_register_gsi() Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 184/241] perf dlfilter: Fix use of addr_location__exit() in dlfilter__object_code() Greg Kroah-Hartman
` (67 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, D Scott Phillips, Hanjun Guo,
Sudeep Holla, Rafael J. Wysocki
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hanjun Guo <guohanjun@huawei.com>
commit d5921c460e543228d100daf67dac7a03dfaaa40a upstream.
acpi_agdi_init() in acpi_arm_init() will register a SDEI event, so
it needs the SDEI subsystem to be initialized (which is done in
acpi_ghes_init()) before the AGDI driver probing.
In commit fcea0ccf4fd7 ("ACPI: bus: Consolidate all arm specific
initialisation into acpi_arm_init()"), the acpi_agdi_init() was
called before acpi_ghes_init() and it causes following failure:
| [ 0.515864] sdei: Failed to create event 1073741825: -5
| [ 0.515866] agdi agdi.0: Failed to register for SDEI event 1073741825
| [ 0.515867] agdi: probe of agdi.0 failed with error -5
| ...
| [ 0.516022] sdei: SDEIv1.0 (0x0) detected in firmware.
Fix it by moving acpi_arm_init() to the place of after
acpi_ghes_init().
Fixes: fcea0ccf4fd7 ("ACPI: bus: Consolidate all arm specific initialisation into acpi_arm_init()")
Reported-by: D Scott Phillips <scott@os.amperecomputing.com>
Signed-off-by: Hanjun Guo <guohanjun@huawei.com>
Reviewed-by: Sudeep Holla <sudeep.holla@arm.com>
Tested-by: D Scott Phillips <scott@os.amperecomputing.com>
Cc: 6.5+ <stable@vger.kernel.org> # 6.5+
Signed-off-by: Rafael J. Wysocki <rafael.j.wysocki@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/acpi/bus.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/acpi/bus.c
+++ b/drivers/acpi/bus.c
@@ -1387,10 +1387,10 @@ static int __init acpi_init(void)
acpi_init_ffh();
pci_mmcfg_late_init();
- acpi_arm_init();
acpi_viot_early_init();
acpi_hest_init();
acpi_ghes_init();
+ acpi_arm_init();
acpi_scan_init();
acpi_ec_init();
acpi_debugfs_init();
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 184/241] perf dlfilter: Fix use of addr_location__exit() in dlfilter__object_code()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (182 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 183/241] ACPI: bus: Move acpi_arm_init() to the place of after acpi_ghes_init() Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 185/241] Revert "accel/ivpu: Use cached buffers for FW loading" Greg Kroah-Hartman
` (66 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Adrian Hunter, Namhyung Kim
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrian Hunter <adrian.hunter@intel.com>
commit 7a48b58eb5ff3798f0480d2da16bf27df9654fc7 upstream.
Stop calling addr_location__exit() when addr_location__init() was not
called.
Fixes: 0dd5041c9a0e ("perf addr_location: Add init/exit/copy functions")
Cc: stable@vger.kernel.org
Signed-off-by: Adrian Hunter <adrian.hunter@intel.com>
Acked-by: Namhyung Kim <namhyung@kernel.org>
Link: https://lore.kernel.org/r/20230928071605.17624-1-adrian.hunter@intel.com
Signed-off-by: Namhyung Kim <namhyung@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/perf/util/dlfilter.c | 34 ++++++++++++++++------------------
1 file changed, 16 insertions(+), 18 deletions(-)
--- a/tools/perf/util/dlfilter.c
+++ b/tools/perf/util/dlfilter.c
@@ -280,13 +280,21 @@ static struct perf_event_attr *dlfilter_
return &d->evsel->core.attr;
}
+static __s32 code_read(__u64 ip, struct map *map, struct machine *machine, void *buf, __u32 len)
+{
+ u64 offset = map__map_ip(map, ip);
+
+ if (ip + len >= map__end(map))
+ len = map__end(map) - ip;
+
+ return dso__data_read_offset(map__dso(map), machine, offset, buf, len);
+}
+
static __s32 dlfilter__object_code(void *ctx, __u64 ip, void *buf, __u32 len)
{
struct dlfilter *d = (struct dlfilter *)ctx;
struct addr_location *al;
struct addr_location a;
- struct map *map;
- u64 offset;
__s32 ret;
if (!d->ctx_valid)
@@ -296,27 +304,17 @@ static __s32 dlfilter__object_code(void
if (!al)
return -1;
- map = al->map;
-
- if (map && ip >= map__start(map) && ip < map__end(map) &&
+ if (al->map && ip >= map__start(al->map) && ip < map__end(al->map) &&
machine__kernel_ip(d->machine, ip) == machine__kernel_ip(d->machine, d->sample->ip))
- goto have_map;
+ return code_read(ip, al->map, d->machine, buf, len);
addr_location__init(&a);
+
thread__find_map_fb(al->thread, d->sample->cpumode, ip, &a);
- if (!a.map) {
- ret = -1;
- goto out;
- }
-
- map = a.map;
-have_map:
- offset = map__map_ip(map, ip);
- if (ip + len >= map__end(map))
- len = map__end(map) - ip;
- ret = dso__data_read_offset(map__dso(map), d->machine, offset, buf, len);
-out:
+ ret = a.map ? code_read(ip, a.map, d->machine, buf, len) : -1;
+
addr_location__exit(&a);
+
return ret;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 185/241] Revert "accel/ivpu: Use cached buffers for FW loading"
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (183 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 184/241] perf dlfilter: Fix use of addr_location__exit() in dlfilter__object_code() Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 186/241] fanotify: limit reporting of event with non-decodeable file handles Greg Kroah-Hartman
` (65 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Karol Wachowski, Stanislaw Gruszka
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
commit 610b5d219d1ccac8064556310cc0e62e3c202389 upstream.
This reverts commit 645d694559cab36fe6a57c717efcfa27d9321396.
The commit cause issues with memory access from the device side.
Switch back to write-combined memory mappings until the issues
will be properly addressed.
Add extra wmb() needed when boot_params->save_restore_ret_address() is
modified.
Reviewed-by: Karol Wachowski <karol.wachowski@linux.intel.com>
Signed-off-by: Stanislaw Gruszka <stanislaw.gruszka@linux.intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231017121353.532466-1-stanislaw.gruszka@linux.intel.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/accel/ivpu/ivpu_fw.c | 9 ++++-----
drivers/accel/ivpu/ivpu_gem.h | 5 -----
2 files changed, 4 insertions(+), 10 deletions(-)
--- a/drivers/accel/ivpu/ivpu_fw.c
+++ b/drivers/accel/ivpu/ivpu_fw.c
@@ -195,8 +195,7 @@ static int ivpu_fw_mem_init(struct ivpu_
if (ret)
return ret;
- fw->mem = ivpu_bo_alloc_internal(vdev, fw->runtime_addr, fw->runtime_size,
- DRM_IVPU_BO_CACHED | DRM_IVPU_BO_NOSNOOP);
+ fw->mem = ivpu_bo_alloc_internal(vdev, fw->runtime_addr, fw->runtime_size, DRM_IVPU_BO_WC);
if (!fw->mem) {
ivpu_err(vdev, "Failed to allocate firmware runtime memory\n");
return -ENOMEM;
@@ -273,7 +272,7 @@ int ivpu_fw_load(struct ivpu_device *vde
memset(start, 0, size);
}
- clflush_cache_range(fw->mem->kvaddr, fw->mem->base.size);
+ wmb(); /* Flush WC buffers after writing fw->mem */
return 0;
}
@@ -375,7 +374,7 @@ void ivpu_fw_boot_params_setup(struct iv
if (!ivpu_fw_is_cold_boot(vdev)) {
boot_params->save_restore_ret_address = 0;
vdev->pm->is_warmboot = true;
- clflush_cache_range(vdev->fw->mem->kvaddr, SZ_4K);
+ wmb(); /* Flush WC buffers after writing save_restore_ret_address */
return;
}
@@ -430,7 +429,7 @@ void ivpu_fw_boot_params_setup(struct iv
boot_params->punit_telemetry_sram_size = ivpu_hw_reg_telemetry_size_get(vdev);
boot_params->vpu_telemetry_enable = ivpu_hw_reg_telemetry_enable_get(vdev);
- clflush_cache_range(vdev->fw->mem->kvaddr, SZ_4K);
+ wmb(); /* Flush WC buffers after writing bootparams */
ivpu_fw_boot_params_print(vdev, boot_params);
}
--- a/drivers/accel/ivpu/ivpu_gem.h
+++ b/drivers/accel/ivpu/ivpu_gem.h
@@ -8,8 +8,6 @@
#include <drm/drm_gem.h>
#include <drm/drm_mm.h>
-#define DRM_IVPU_BO_NOSNOOP 0x10000000
-
struct dma_buf;
struct ivpu_bo_ops;
struct ivpu_file_priv;
@@ -85,9 +83,6 @@ static inline u32 ivpu_bo_cache_mode(str
static inline bool ivpu_bo_is_snooped(struct ivpu_bo *bo)
{
- if (bo->flags & DRM_IVPU_BO_NOSNOOP)
- return false;
-
return ivpu_bo_cache_mode(bo) == DRM_IVPU_BO_CACHED;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 186/241] fanotify: limit reporting of event with non-decodeable file handles
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (184 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 185/241] Revert "accel/ivpu: Use cached buffers for FW loading" Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 187/241] NFS: Fix potential oops in nfs_inode_remove_request() Greg Kroah-Hartman
` (64 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Amir Goldstein, Jan Kara
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Amir Goldstein <amir73il@gmail.com>
commit 97ac489775f26acfd46a8a60c2f84ce7cc79fa4b upstream.
Commit a95aef69a740 ("fanotify: support reporting non-decodeable file
handles") merged in v6.5-rc1, added the ability to use an fanotify group
with FAN_REPORT_FID mode to watch filesystems that do not support nfs
export, but do know how to encode non-decodeable file handles, with the
newly introduced AT_HANDLE_FID flag.
At the time that this commit was merged, there were no filesystems
in-tree with those traits.
Commit 16aac5ad1fa9 ("ovl: support encoding non-decodable file handles"),
merged in v6.6-rc1, added this trait to overlayfs, thus allowing fanotify
watching of overlayfs with FAN_REPORT_FID mode.
In retrospect, allowing an fanotify filesystem/mount mark on such
filesystem in FAN_REPORT_FID mode will result in getting events with
file handles, without the ability to resolve the filesystem objects from
those file handles (i.e. no open_by_handle_at() support).
For v6.6, the safer option would be to allow this mode for inode marks
only, where the caller has the opportunity to use name_to_handle_at() at
the time of setting the mark. In the future we can revise this decision.
Fixes: a95aef69a740 ("fanotify: support reporting non-decodeable file handles")
Signed-off-by: Amir Goldstein <amir73il@gmail.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Message-Id: <20231018100000.2453965-2-amir73il@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/notify/fanotify/fanotify_user.c | 25 +++++++++++++++++--------
1 file changed, 17 insertions(+), 8 deletions(-)
diff --git a/fs/notify/fanotify/fanotify_user.c b/fs/notify/fanotify/fanotify_user.c
index f69c451018e3..62fe0b679e58 100644
--- a/fs/notify/fanotify/fanotify_user.c
+++ b/fs/notify/fanotify/fanotify_user.c
@@ -1585,16 +1585,25 @@ static int fanotify_test_fsid(struct dentry *dentry, __kernel_fsid_t *fsid)
}
/* Check if filesystem can encode a unique fid */
-static int fanotify_test_fid(struct dentry *dentry)
+static int fanotify_test_fid(struct dentry *dentry, unsigned int flags)
{
+ unsigned int mark_type = flags & FANOTIFY_MARK_TYPE_BITS;
+ const struct export_operations *nop = dentry->d_sb->s_export_op;
+
+ /*
+ * We need to make sure that the filesystem supports encoding of
+ * file handles so user can use name_to_handle_at() to compare fids
+ * reported with events to the file handle of watched objects.
+ */
+ if (!nop)
+ return -EOPNOTSUPP;
+
/*
- * We need to make sure that the file system supports at least
- * encoding a file handle so user can use name_to_handle_at() to
- * compare fid returned with event to the file handle of watched
- * objects. However, even the relaxed AT_HANDLE_FID flag requires
- * at least empty export_operations for ecoding unique file ids.
+ * For sb/mount mark, we also need to make sure that the filesystem
+ * supports decoding file handles, so user has a way to map back the
+ * reported fids to filesystem objects.
*/
- if (!dentry->d_sb->s_export_op)
+ if (mark_type != FAN_MARK_INODE && !nop->fh_to_dentry)
return -EOPNOTSUPP;
return 0;
@@ -1812,7 +1821,7 @@ static int do_fanotify_mark(int fanotify_fd, unsigned int flags, __u64 mask,
if (ret)
goto path_put_and_out;
- ret = fanotify_test_fid(path.dentry);
+ ret = fanotify_test_fid(path.dentry, flags);
if (ret)
goto path_put_and_out;
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 187/241] NFS: Fix potential oops in nfs_inode_remove_request()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (185 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 186/241] fanotify: limit reporting of event with non-decodeable file handles Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 188/241] nfs42: client needs to strip file modes suid/sgid bit after ALLOCATE op Greg Kroah-Hartman
` (63 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Scott Mayhew, Benjamin Coddington,
Jeff Layton, Anna Schumaker
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Scott Mayhew <smayhew@redhat.com>
commit 6a6d4644ce935ddec4f76223ac0ca68da56bd2d3 upstream.
Once a folio's private data has been cleared, it's possible for another
process to clear the folio->mapping (e.g. via invalidate_complete_folio2
or evict_mapping_folio), so it wouldn't be safe to call
nfs_page_to_inode() after that.
Fixes: 0c493b5cf16e ("NFS: Convert buffered writes to use folios")
Signed-off-by: Scott Mayhew <smayhew@redhat.com>
Reviewed-by: Benjamin Coddington <bcodding@redhat.com>
Tested-by: Benjamin Coddington <bcodding@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/write.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/fs/nfs/write.c b/fs/nfs/write.c
index 7720b5e43014..9d82d50ce0b1 100644
--- a/fs/nfs/write.c
+++ b/fs/nfs/write.c
@@ -788,6 +788,8 @@ static void nfs_inode_add_request(struct nfs_page *req)
*/
static void nfs_inode_remove_request(struct nfs_page *req)
{
+ struct nfs_inode *nfsi = NFS_I(nfs_page_to_inode(req));
+
if (nfs_page_group_sync_on_bit(req, PG_REMOVE)) {
struct folio *folio = nfs_page_to_folio(req->wb_head);
struct address_space *mapping = folio_file_mapping(folio);
@@ -802,7 +804,7 @@ static void nfs_inode_remove_request(struct nfs_page *req)
}
if (test_and_clear_bit(PG_INODE_REF, &req->wb_flags)) {
- atomic_long_dec(&NFS_I(nfs_page_to_inode(req))->nrequests);
+ atomic_long_dec(&nfsi->nrequests);
nfs_release_request(req);
}
}
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 188/241] nfs42: client needs to strip file modes suid/sgid bit after ALLOCATE op
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (186 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 187/241] NFS: Fix potential oops in nfs_inode_remove_request() Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 189/241] nvme: sanitize metadata bounce buffer for reads Greg Kroah-Hartman
` (62 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Trond Myklebust, Dai Ngo,
Jeff Layton, Anna Schumaker
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dai Ngo <dai.ngo@oracle.com>
commit f588d72bd95f748849685412b1f0c7959ca228cf upstream.
The Linux NFS server strips the SUID and SGID from the file mode
on ALLOCATE op.
Modify _nfs42_proc_fallocate to add NFS_INO_REVAL_FORCED to
nfs_set_cache_invalid's argument to force update of the file
mode suid/sgid bit.
Suggested-by: Trond Myklebust <trondmy@hammerspace.com>
Signed-off-by: Dai Ngo <dai.ngo@oracle.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Tested-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Anna Schumaker <Anna.Schumaker@Netapp.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nfs/nfs42proc.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/fs/nfs/nfs42proc.c
+++ b/fs/nfs/nfs42proc.c
@@ -81,7 +81,8 @@ static int _nfs42_proc_fallocate(struct
if (status == 0) {
if (nfs_should_remove_suid(inode)) {
spin_lock(&inode->i_lock);
- nfs_set_cache_invalid(inode, NFS_INO_INVALID_MODE);
+ nfs_set_cache_invalid(inode,
+ NFS_INO_REVAL_FORCED | NFS_INO_INVALID_MODE);
spin_unlock(&inode->i_lock);
}
status = nfs_post_op_update_inode_force_wcc(inode,
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 189/241] nvme: sanitize metadata bounce buffer for reads
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (187 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 188/241] nfs42: client needs to strip file modes suid/sgid bit after ALLOCATE op Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 190/241] nvme-pci: add BOGUS_NID for Intel 0a54 device Greg Kroah-Hartman
` (61 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jens Axboe, Christoph Hellwig,
Kanchan Joshi, Chaitanya Kulkarni, Keith Busch
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
commit 2b32c76e2b0154b98b9322ae7546b8156cd703e6 upstream.
User can request more metadata bytes than the device will write. Ensure
kernel buffer is initialized so we're not leaking unsanitized memory on
the copy-out.
Fixes: 0b7f1f26f95a51a ("nvme: use the block layer for userspace passthrough metadata")
Reviewed-by: Jens Axboe <axboe@kernel.dk>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Kanchan Joshi <joshi.k@samsung.com>
Reviewed-by: Chaitanya Kulkarni <kch@nvidia.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/ioctl.c | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
--- a/drivers/nvme/host/ioctl.c
+++ b/drivers/nvme/host/ioctl.c
@@ -108,9 +108,13 @@ static void *nvme_add_user_metadata(stru
if (!buf)
goto out;
- ret = -EFAULT;
- if ((req_op(req) == REQ_OP_DRV_OUT) && copy_from_user(buf, ubuf, len))
- goto out_free_meta;
+ if (req_op(req) == REQ_OP_DRV_OUT) {
+ ret = -EFAULT;
+ if (copy_from_user(buf, ubuf, len))
+ goto out_free_meta;
+ } else {
+ memset(buf, 0, len);
+ }
bip = bio_integrity_alloc(bio, GFP_KERNEL, 1);
if (IS_ERR(bip)) {
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 190/241] nvme-pci: add BOGUS_NID for Intel 0a54 device
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (188 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 189/241] nvme: sanitize metadata bounce buffer for reads Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 191/241] nvme-auth: use chap->s2 to indicate bidirectional authentication Greg Kroah-Hartman
` (60 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, welsh, Keith Busch
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Keith Busch <kbusch@kernel.org>
commit 5c3f4066462a5f6cac04d3dd81c9f551fabbc6c7 upstream.
These ones claim cmic and nmic capable, so need special consideration to ignore
their duplicate identifiers.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=217981
Reported-by: welsh@cassens.com
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/pci.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/nvme/host/pci.c
+++ b/drivers/nvme/host/pci.c
@@ -3329,7 +3329,8 @@ static const struct pci_device_id nvme_i
{ PCI_VDEVICE(INTEL, 0x0a54), /* Intel P4500/P4600 */
.driver_data = NVME_QUIRK_STRIPE_SIZE |
NVME_QUIRK_DEALLOCATE_ZEROES |
- NVME_QUIRK_IGNORE_DEV_SUBNQN, },
+ NVME_QUIRK_IGNORE_DEV_SUBNQN |
+ NVME_QUIRK_BOGUS_NID, },
{ PCI_VDEVICE(INTEL, 0x0a55), /* Dell Express Flash P4600 */
.driver_data = NVME_QUIRK_STRIPE_SIZE |
NVME_QUIRK_DEALLOCATE_ZEROES, },
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 191/241] nvme-auth: use chap->s2 to indicate bidirectional authentication
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (189 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 190/241] nvme-pci: add BOGUS_NID for Intel 0a54 device Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 192/241] nvmet-auth: complete a request only after freeing the dhchap pointers Greg Kroah-Hartman
` (59 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Martin Wilck, Daniel Wagner,
Sagi Grimberg, Hannes Reinecke, Christoph Hellwig, Keith Busch
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Martin Wilck <mwilck@suse.com>
commit 4ae55a7dce04989f289d5c5c8c8e5c37adc36c71 upstream.
Commit 546dea18c999 ("nvme-auth: check chap ctrl_key once constructed")
replaced the condition "if (ctrl->ctrl_key)" (indicating bidirectional
auth) by "if (chap->ctrl_key)", because ctrl->ctrl_key is a resource shared
with sysfs. But chap->ctrl_key is set in
nvme_auth_process_dhchap_challenge() depending on the DHVLEN in the
DH-HMAC-CHAP Challenge message received from the controller, and will thus
be non-NULL for every DH-HMAC-CHAP exchange, even if unidirectional auth
was requested. This will lead to a protocol violation by sending a Success2
message in the unidirectional case (per NVMe base spec 2.0, the
authentication transaction ends after the Success1 message for
unidirectional auth). Use chap->s2 instead, which is non-zero if and only
if the host requested bi-directional authentication from the controller.
Fixes: 546dea18c999 ("nvme-auth: check chap ctrl_key once constructed")
Signed-off-by: Martin Wilck <mwilck@suse.com>
Reviewed-by: Daniel Wagner <dwagner@suse.de>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Reviewed-by: Hannes Reinecke <hare@suse.de>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/auth.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/drivers/nvme/host/auth.c b/drivers/nvme/host/auth.c
index daf5d144a8ea..064592a5d546 100644
--- a/drivers/nvme/host/auth.c
+++ b/drivers/nvme/host/auth.c
@@ -341,7 +341,7 @@ static int nvme_auth_process_dhchap_success1(struct nvme_ctrl *ctrl,
struct nvmf_auth_dhchap_success1_data *data = chap->buf;
size_t size = sizeof(*data);
- if (chap->ctrl_key)
+ if (chap->s2)
size += chap->hash_len;
if (size > CHAP_BUF_SIZE) {
@@ -825,7 +825,7 @@ static void nvme_queue_auth_work(struct work_struct *work)
goto fail2;
}
- if (chap->ctrl_key) {
+ if (chap->s2) {
/* DH-HMAC-CHAP Step 5: send success2 */
dev_dbg(ctrl->device, "%s: qid %d send success2\n",
__func__, chap->qid);
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 192/241] nvmet-auth: complete a request only after freeing the dhchap pointers
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (190 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 191/241] nvme-auth: use chap->s2 to indicate bidirectional authentication Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 193/241] nvme-rdma: do not try to stop unallocated queues Greg Kroah-Hartman
` (58 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maurizio Lombardi,
Christoph Hellwig, Keith Busch
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maurizio Lombardi <mlombard@redhat.com>
commit f965b281fd872b2e18bd82dd97730db9834d0750 upstream.
It may happen that the work to destroy a queue
(for example nvmet_tcp_release_queue_work()) is started while
an auth-send or auth-receive command is still completing.
nvmet_sq_destroy() will block, waiting for all the references
to the sq to be dropped, the last reference is then
dropped when nvmet_req_complete() is called.
When this happens, both nvmet_sq_destroy() and
nvmet_execute_auth_send()/_receive() will free the dhchap pointers by
calling nvmet_auth_sq_free().
Since there isn't any lock, the two threads may race against each other,
causing double frees and memory corruptions, as reported by KASAN.
Reproduced by stress blktests nvme/041 nvme/042 nvme/043
nvme nvme2: qid 0: authenticated with hash hmac(sha512) dhgroup ffdhe4096
==================================================================
BUG: KASAN: double-free in kfree+0xec/0x4b0
Call Trace:
<TASK>
kfree+0xec/0x4b0
nvmet_auth_sq_free+0xe1/0x160 [nvmet]
nvmet_execute_auth_send+0x482/0x16d0 [nvmet]
process_one_work+0x8e5/0x1510
Allocated by task 191846:
__kasan_kmalloc+0x81/0xa0
nvmet_auth_ctrl_sesskey+0xf6/0x380 [nvmet]
nvmet_auth_reply+0x119/0x990 [nvmet]
Freed by task 143270:
kfree+0xec/0x4b0
nvmet_auth_sq_free+0xe1/0x160 [nvmet]
process_one_work+0x8e5/0x1510
Fix this bug by calling nvmet_req_complete() only after freeing the
pointers, so we will prevent the race by holding the sq reference.
V2: remove redundant code
Fixes: db1312dd9548 ("nvmet: implement basic In-Band Authentication")
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/target/fabrics-cmd-auth.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/drivers/nvme/target/fabrics-cmd-auth.c
+++ b/drivers/nvme/target/fabrics-cmd-auth.c
@@ -333,19 +333,21 @@ done:
__func__, ctrl->cntlid, req->sq->qid,
status, req->error_loc);
req->cqe->result.u64 = 0;
- nvmet_req_complete(req, status);
if (req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_SUCCESS2 &&
req->sq->dhchap_step != NVME_AUTH_DHCHAP_MESSAGE_FAILURE2) {
unsigned long auth_expire_secs = ctrl->kato ? ctrl->kato : 120;
mod_delayed_work(system_wq, &req->sq->auth_expired_work,
auth_expire_secs * HZ);
- return;
+ goto complete;
}
/* Final states, clear up variables */
nvmet_auth_sq_free(req->sq);
if (req->sq->dhchap_step == NVME_AUTH_DHCHAP_MESSAGE_FAILURE2)
nvmet_ctrl_fatal_error(ctrl);
+
+complete:
+ nvmet_req_complete(req, status);
}
static int nvmet_auth_challenge(struct nvmet_req *req, void *d, int al)
@@ -514,11 +516,12 @@ void nvmet_execute_auth_receive(struct n
kfree(d);
done:
req->cqe->result.u64 = 0;
- nvmet_req_complete(req, status);
+
if (req->sq->dhchap_step == NVME_AUTH_DHCHAP_MESSAGE_SUCCESS2)
nvmet_auth_sq_free(req->sq);
else if (req->sq->dhchap_step == NVME_AUTH_DHCHAP_MESSAGE_FAILURE1) {
nvmet_auth_sq_free(req->sq);
nvmet_ctrl_fatal_error(ctrl);
}
+ nvmet_req_complete(req, status);
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 193/241] nvme-rdma: do not try to stop unallocated queues
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (191 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 192/241] nvmet-auth: complete a request only after freeing the dhchap pointers Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 194/241] USB: serial: option: add Telit LE910C4-WWX 0x1035 composition Greg Kroah-Hartman
` (57 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Maurizio Lombardi, Sagi Grimberg,
Yi Zhang, Keith Busch
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Maurizio Lombardi <mlombard@redhat.com>
commit 3820c4fdc247b6f0a4162733bdb8ddf8f2e8a1e4 upstream.
Trying to stop a queue which hasn't been allocated will result
in a warning due to calling mutex_lock() against an uninitialized mutex.
DEBUG_LOCKS_WARN_ON(lock->magic != lock)
WARNING: CPU: 4 PID: 104150 at kernel/locking/mutex.c:579
Call trace:
RIP: 0010:__mutex_lock+0x1173/0x14a0
nvme_rdma_stop_queue+0x1b/0xa0 [nvme_rdma]
nvme_rdma_teardown_io_queues.part.0+0xb0/0x1d0 [nvme_rdma]
nvme_rdma_delete_ctrl+0x50/0x100 [nvme_rdma]
nvme_do_delete_ctrl+0x149/0x158 [nvme_core]
Signed-off-by: Maurizio Lombardi <mlombard@redhat.com>
Reviewed-by: Sagi Grimberg <sagi@grimberg.me>
Tested-by: Yi Zhang <yi.zhang@redhat.com>
Signed-off-by: Keith Busch <kbusch@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/nvme/host/rdma.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/nvme/host/rdma.c
+++ b/drivers/nvme/host/rdma.c
@@ -638,6 +638,9 @@ static void __nvme_rdma_stop_queue(struc
static void nvme_rdma_stop_queue(struct nvme_rdma_queue *queue)
{
+ if (!test_bit(NVME_RDMA_Q_ALLOCATED, &queue->flags))
+ return;
+
mutex_lock(&queue->queue_lock);
if (test_and_clear_bit(NVME_RDMA_Q_LIVE, &queue->flags))
__nvme_rdma_stop_queue(queue);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 194/241] USB: serial: option: add Telit LE910C4-WWX 0x1035 composition
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (192 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 193/241] nvme-rdma: do not try to stop unallocated queues Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 195/241] USB: serial: option: add entry for Sierra EM9191 with new firmware Greg Kroah-Hartman
` (56 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Fabio Porcedda, Daniele Palmas,
Johan Hovold
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Fabio Porcedda <fabio.porcedda@gmail.com>
commit 6a7be48e9bd18d309ba25c223a27790ad1bf0fa3 upstream.
Add support for the following Telit LE910C4-WWX composition:
0x1035: TTY, TTY, ECM
T: Bus=01 Lev=01 Prnt=01 Port=00 Cnt=01 Dev#= 5 Spd=480 MxCh= 0
D: Ver= 2.00 Cls=ef(misc ) Sub=02 Prot=01 MxPS=64 #Cfgs= 1
P: Vendor=1bc7 ProdID=1035 Rev=00.00
S: Manufacturer=Telit
S: Product=LE910C4-WWX
S: SerialNumber=e1b117c7
C: #Ifs= 4 Cfg#= 1 Atr=e0 MxPwr=500mA
I: If#= 0 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=ff Driver=option
E: Ad=01(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=2ms
E: Ad=82(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 1 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=fe Prot=ff Driver=option
E: Ad=02(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=83(I) Atr=03(Int.) MxPS= 64 Ivl=2ms
E: Ad=84(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
I: If#= 2 Alt= 0 #EPs= 1 Cls=02(commc) Sub=06 Prot=00 Driver=cdc_ether
E: Ad=85(I) Atr=03(Int.) MxPS= 64 Ivl=2ms
I: If#= 3 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=00 Driver=cdc_ether
E: Ad=03(O) Atr=02(Bulk) MxPS= 512 Ivl=0ms
E: Ad=86(I) Atr=02(Bulk) MxPS= 512 Ivl=0ms
Signed-off-by: Fabio Porcedda <fabio.porcedda@gmail.com>
Cc: stable@vger.kernel.org
Reviewed-by: Daniele Palmas <dnlplm@gmail.com>
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -1290,6 +1290,7 @@ static const struct usb_device_id option
.driver_info = NCTRL(0) | RSVD(3) },
{ USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1033, 0xff), /* Telit LE910C1-EUX (ECM) */
.driver_info = NCTRL(0) },
+ { USB_DEVICE_INTERFACE_CLASS(TELIT_VENDOR_ID, 0x1035, 0xff) }, /* Telit LE910C4-WWX (ECM) */
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG0),
.driver_info = RSVD(0) | RSVD(1) | NCTRL(2) | RSVD(3) },
{ USB_DEVICE(TELIT_VENDOR_ID, TELIT_PRODUCT_LE922_USBCFG1),
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 195/241] USB: serial: option: add entry for Sierra EM9191 with new firmware
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (193 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 194/241] USB: serial: option: add Telit LE910C4-WWX 0x1035 composition Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 196/241] USB: serial: option: add Fibocom to DELL custom modem FM101R-GL Greg Kroah-Hartman
` (55 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Benoît Monin, Johan Hovold
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Benoît Monin <benoit.monin@gmx.fr>
commit 064f6e2ba9eb59b2c87b866e1e968e79ccedf9dd upstream.
Following a firmware update of the modem, the interface for the AT
command port changed, so add it back.
T: Bus=08 Lev=01 Prnt=01 Port=01 Cnt=02 Dev#= 2 Spd=5000 MxCh= 0
D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
P: Vendor=1199 ProdID=90d3 Rev=00.06
S: Manufacturer=Sierra Wireless, Incorporated
S: Product=Sierra Wireless EM9191
S: SerialNumber=xxxxxxxxxxxxxxxx
C: #Ifs= 4 Cfg#= 1 Atr=a0 MxPwr=896mA
I: If#=0x0 Alt= 0 #EPs= 1 Cls=02(commc) Sub=0e Prot=00 Driver=cdc_mbim
I: If#=0x1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I: If#=0x3 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=ff Prot=40 Driver=(none)
I: If#=0x4 Alt= 0 #EPs= 2 Cls=ff(vend.) Sub=ff Prot=30 Driver=option
Signed-off-by: Benoît Monin <benoit.monin@gmx.fr>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 1 +
1 file changed, 1 insertion(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -2263,6 +2263,7 @@ static const struct usb_device_id option
{ USB_DEVICE_INTERFACE_CLASS(0x305a, 0x1406, 0xff) }, /* GosunCn GM500 ECM/NCM */
{ USB_DEVICE_AND_INTERFACE_INFO(OPPO_VENDOR_ID, OPPO_PRODUCT_R11, 0xff, 0xff, 0x30) },
{ USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x30) },
+ { USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0xff, 0x40) },
{ USB_DEVICE_AND_INTERFACE_INFO(SIERRA_VENDOR_ID, SIERRA_PRODUCT_EM9191, 0xff, 0, 0) },
{ USB_DEVICE_AND_INTERFACE_INFO(UNISOC_VENDOR_ID, TOZED_PRODUCT_LT70C, 0xff, 0, 0) },
{ } /* Terminating entry */
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 196/241] USB: serial: option: add Fibocom to DELL custom modem FM101R-GL
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (194 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 195/241] USB: serial: option: add entry for Sierra EM9191 with new firmware Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 197/241] thunderbolt: Call tb_switch_put() once DisplayPort bandwidth request is finished Greg Kroah-Hartman
` (54 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Puliang Lu, Johan Hovold
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Puliang Lu <puliang.lu@fibocom.com>
commit 52480e1f1a259c93d749ba3961af0bffedfe7a7a upstream.
Update the USB serial option driver support for the Fibocom
FM101R-GL LTE modules as there are actually several different variants.
- VID:PID 413C:8213, FM101R-GL are laptop M.2 cards (with
MBIM interfaces for Linux)
- VID:PID 413C:8215, FM101R-GL ESIM are laptop M.2 cards (with
MBIM interface for Linux)
0x8213: mbim, tty
0x8215: mbim, tty
T: Bus=04 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 2 Spd=5000 MxCh= 0
D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
P: Vendor=413c ProdID=8213 Rev= 5.04
S: Manufacturer=Fibocom Wireless Inc.
S: Product=Fibocom FM101-GL Module
S: SerialNumber=a3b7cbf0
C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA
A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=(none)
E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
T: Bus=04 Lev=01 Prnt=01 Port=01 Cnt=01 Dev#= 3 Spd=5000 MxCh= 0
D: Ver= 3.20 Cls=00(>ifc ) Sub=00 Prot=00 MxPS= 9 #Cfgs= 1
P: Vendor=413c ProdID=8215 Rev= 5.04
S: Manufacturer=Fibocom Wireless Inc.
S: Product=Fibocom FM101-GL Module
S: SerialNumber=a3b7cbf0
C:* #Ifs= 3 Cfg#= 1 Atr=a0 MxPwr=896mA
A: FirstIf#= 0 IfCount= 2 Cls=02(comm.) Sub=0e Prot=00
I:* If#= 0 Alt= 0 #EPs= 1 Cls=02(comm.) Sub=0e Prot=00 Driver=cdc_mbim
E: Ad=81(I) Atr=03(Int.) MxPS= 64 Ivl=32ms
I: If#= 1 Alt= 0 #EPs= 0 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
I:* If#= 1 Alt= 1 #EPs= 2 Cls=0a(data ) Sub=00 Prot=02 Driver=cdc_mbim
E: Ad=8e(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=0f(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
I:* If#= 2 Alt= 0 #EPs= 3 Cls=ff(vend.) Sub=00 Prot=40 Driver=(none)
E: Ad=83(I) Atr=03(Int.) MxPS= 10 Ivl=32ms
E: Ad=82(I) Atr=02(Bulk) MxPS=1024 Ivl=0ms
E: Ad=01(O) Atr=02(Bulk) MxPS=1024 Ivl=0ms
Signed-off-by: Puliang Lu <puliang.lu@fibocom.com>
Cc: stable@vger.kernel.org
Signed-off-by: Johan Hovold <johan@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/usb/serial/option.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/usb/serial/option.c
+++ b/drivers/usb/serial/option.c
@@ -203,6 +203,9 @@ static void option_instat_callback(struc
#define DELL_PRODUCT_5829E_ESIM 0x81e4
#define DELL_PRODUCT_5829E 0x81e6
+#define DELL_PRODUCT_FM101R 0x8213
+#define DELL_PRODUCT_FM101R_ESIM 0x8215
+
#define KYOCERA_VENDOR_ID 0x0c88
#define KYOCERA_PRODUCT_KPC650 0x17da
#define KYOCERA_PRODUCT_KPC680 0x180a
@@ -1108,6 +1111,8 @@ static const struct usb_device_id option
.driver_info = RSVD(0) | RSVD(6) },
{ USB_DEVICE(DELL_VENDOR_ID, DELL_PRODUCT_5829E_ESIM),
.driver_info = RSVD(0) | RSVD(6) },
+ { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R, 0xff) },
+ { USB_DEVICE_INTERFACE_CLASS(DELL_VENDOR_ID, DELL_PRODUCT_FM101R_ESIM, 0xff) },
{ USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_E100A) }, /* ADU-E100, ADU-310 */
{ USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_500A) },
{ USB_DEVICE(ANYDATA_VENDOR_ID, ANYDATA_PRODUCT_ADU_620UW) },
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 197/241] thunderbolt: Call tb_switch_put() once DisplayPort bandwidth request is finished
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (195 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 196/241] USB: serial: option: add Fibocom to DELL custom modem FM101R-GL Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 198/241] perf: Disallow mis-matched inherited group reads Greg Kroah-Hartman
` (53 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Gil Fine, Mika Westerberg
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gil Fine <gil.fine@linux.intel.com>
commit ec4405ed92036f5bb487b5c2f9a28f9e36a3e3d5 upstream.
When handling DisplayPort bandwidth request tb_switch_find_by_route() is
called and it returns a router structure with reference count increased.
In order to avoid resource leak call tb_switch_put() when finished.
Fixes: 6ce3563520be ("thunderbolt: Add support for DisplayPort bandwidth allocation mode")
Cc: stable@vger.kernel.org
Signed-off-by: Gil Fine <gil.fine@linux.intel.com>
Signed-off-by: Mika Westerberg <mika.westerberg@linux.intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/thunderbolt/tb.c | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/drivers/thunderbolt/tb.c b/drivers/thunderbolt/tb.c
index dd0a1ef8cf12..27bd6ca6f99e 100644
--- a/drivers/thunderbolt/tb.c
+++ b/drivers/thunderbolt/tb.c
@@ -1907,14 +1907,14 @@ static void tb_handle_dp_bandwidth_request(struct work_struct *work)
in = &sw->ports[ev->port];
if (!tb_port_is_dpin(in)) {
tb_port_warn(in, "bandwidth request to non-DP IN adapter\n");
- goto unlock;
+ goto put_sw;
}
tb_port_dbg(in, "handling bandwidth allocation request\n");
if (!usb4_dp_port_bandwidth_mode_enabled(in)) {
tb_port_warn(in, "bandwidth allocation mode not enabled\n");
- goto unlock;
+ goto put_sw;
}
ret = usb4_dp_port_requested_bandwidth(in);
@@ -1923,7 +1923,7 @@ static void tb_handle_dp_bandwidth_request(struct work_struct *work)
tb_port_dbg(in, "no bandwidth request active\n");
else
tb_port_warn(in, "failed to read requested bandwidth\n");
- goto unlock;
+ goto put_sw;
}
requested_bw = ret;
@@ -1932,7 +1932,7 @@ static void tb_handle_dp_bandwidth_request(struct work_struct *work)
tunnel = tb_find_tunnel(tb, TB_TUNNEL_DP, in, NULL);
if (!tunnel) {
tb_port_warn(in, "failed to find tunnel\n");
- goto unlock;
+ goto put_sw;
}
out = tunnel->dst_port;
@@ -1959,6 +1959,8 @@ static void tb_handle_dp_bandwidth_request(struct work_struct *work)
tb_recalc_estimated_bandwidth(tb);
}
+put_sw:
+ tb_switch_put(sw);
unlock:
mutex_unlock(&tb->lock);
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 198/241] perf: Disallow mis-matched inherited group reads
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (196 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 197/241] thunderbolt: Call tb_switch_put() once DisplayPort bandwidth request is finished Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 199/241] s390/pci: fix iommu bitmap allocation Greg Kroah-Hartman
` (52 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Budimir Markovic, Peter Zijlstra (Intel)
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Peter Zijlstra <peterz@infradead.org>
commit 32671e3799ca2e4590773fd0e63aaa4229e50c06 upstream.
Because group consistency is non-atomic between parent (filedesc) and children
(inherited) events, it is possible for PERF_FORMAT_GROUP read() to try and sum
non-matching counter groups -- with non-sensical results.
Add group_generation to distinguish the case where a parent group removes and
adds an event and thus has the same number, but a different configuration of
events as inherited groups.
This became a problem when commit fa8c269353d5 ("perf/core: Invert
perf_read_group() loops") flipped the order of child_list and sibling_list.
Previously it would iterate the group (sibling_list) first, and for each
sibling traverse the child_list. In this order, only the group composition of
the parent is relevant. By flipping the order the group composition of the
child (inherited) events becomes an issue and the mis-match in group
composition becomes evident.
That said; even prior to this commit, while reading of a group that is not
equally inherited was not broken, it still made no sense.
(Ab)use ECHILD as error return to indicate issues with child process group
composition.
Fixes: fa8c269353d5 ("perf/core: Invert perf_read_group() loops")
Reported-by: Budimir Markovic <markovicbudimir@gmail.com>
Signed-off-by: Peter Zijlstra (Intel) <peterz@infradead.org>
Link: https://lkml.kernel.org/r/20231018115654.GK33217@noisy.programming.kicks-ass.net
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/linux/perf_event.h | 1 +
kernel/events/core.c | 39 +++++++++++++++++++++++++++++++++------
2 files changed, 34 insertions(+), 6 deletions(-)
--- a/include/linux/perf_event.h
+++ b/include/linux/perf_event.h
@@ -704,6 +704,7 @@ struct perf_event {
/* The cumulative AND of all event_caps for events in this group. */
int group_caps;
+ unsigned int group_generation;
struct perf_event *group_leader;
/*
* event->pmu will always point to pmu in which this event belongs.
--- a/kernel/events/core.c
+++ b/kernel/events/core.c
@@ -1954,6 +1954,7 @@ static void perf_group_attach(struct per
list_add_tail(&event->sibling_list, &group_leader->sibling_list);
group_leader->nr_siblings++;
+ group_leader->group_generation++;
perf_event__header_size(group_leader);
@@ -2144,6 +2145,7 @@ static void perf_group_detach(struct per
if (leader != event) {
list_del_init(&event->sibling_list);
event->group_leader->nr_siblings--;
+ event->group_leader->group_generation++;
goto out;
}
@@ -5440,7 +5442,7 @@ static int __perf_read_group_add(struct
u64 read_format, u64 *values)
{
struct perf_event_context *ctx = leader->ctx;
- struct perf_event *sub;
+ struct perf_event *sub, *parent;
unsigned long flags;
int n = 1; /* skip @nr */
int ret;
@@ -5450,6 +5452,33 @@ static int __perf_read_group_add(struct
return ret;
raw_spin_lock_irqsave(&ctx->lock, flags);
+ /*
+ * Verify the grouping between the parent and child (inherited)
+ * events is still in tact.
+ *
+ * Specifically:
+ * - leader->ctx->lock pins leader->sibling_list
+ * - parent->child_mutex pins parent->child_list
+ * - parent->ctx->mutex pins parent->sibling_list
+ *
+ * Because parent->ctx != leader->ctx (and child_list nests inside
+ * ctx->mutex), group destruction is not atomic between children, also
+ * see perf_event_release_kernel(). Additionally, parent can grow the
+ * group.
+ *
+ * Therefore it is possible to have parent and child groups in a
+ * different configuration and summing over such a beast makes no sense
+ * what so ever.
+ *
+ * Reject this.
+ */
+ parent = leader->parent;
+ if (parent &&
+ (parent->group_generation != leader->group_generation ||
+ parent->nr_siblings != leader->nr_siblings)) {
+ ret = -ECHILD;
+ goto unlock;
+ }
/*
* Since we co-schedule groups, {enabled,running} times of siblings
@@ -5483,8 +5512,9 @@ static int __perf_read_group_add(struct
values[n++] = atomic64_read(&sub->lost_samples);
}
+unlock:
raw_spin_unlock_irqrestore(&ctx->lock, flags);
- return 0;
+ return ret;
}
static int perf_read_group(struct perf_event *event,
@@ -5503,10 +5533,6 @@ static int perf_read_group(struct perf_e
values[0] = 1 + leader->nr_siblings;
- /*
- * By locking the child_mutex of the leader we effectively
- * lock the child list of all siblings.. XXX explain how.
- */
mutex_lock(&leader->child_mutex);
ret = __perf_read_group_add(leader, read_format, values);
@@ -13357,6 +13383,7 @@ static int inherit_group(struct perf_eve
!perf_get_aux_event(child_ctr, leader))
return -EINVAL;
}
+ leader->group_generation = parent_event->group_generation;
return 0;
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 199/241] s390/pci: fix iommu bitmap allocation
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (197 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 198/241] perf: Disallow mis-matched inherited group reads Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 200/241] tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols Greg Kroah-Hartman
` (51 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthew Rosato, Niklas Schnelle,
Vasily Gorbik
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Niklas Schnelle <schnelle@linux.ibm.com>
commit c1ae1c59c8c6e0b66a718308c623e0cb394dab6b upstream.
Since the fixed commits both zdev->iommu_bitmap and zdev->lazy_bitmap
are allocated as vzalloc(zdev->iommu_pages / 8). The problem is that
zdev->iommu_bitmap is a pointer to unsigned long but the above only
yields an allocation that is a multiple of sizeof(unsigned long) which
is 8 on s390x if the number of IOMMU pages is a multiple of 64.
This in turn is the case only if the effective IOMMU aperture is
a multiple of 64 * 4K = 256K. This is usually the case and so didn't
cause visible issues since both the virt_to_phys(high_memory) reduced
limit and hardware limits use nice numbers.
Under KVM, and in particular with QEMU limiting the IOMMU aperture to
the vfio DMA limit (default 65535), it is possible for the reported
aperture not to be a multiple of 256K however. In this case we end up
with an iommu_bitmap whose allocation is not a multiple of
8 causing bitmap operations to access it out of bounds.
Sadly we can't just fix this in the obvious way and use bitmap_zalloc()
because for large RAM systems (tested on 8 TiB) the zdev->iommu_bitmap
grows too large for kmalloc(). So add our own bitmap_vzalloc() wrapper.
This might be a candidate for common code, but this area of code will
be replaced by the upcoming conversion to use the common code DMA API on
s390 so just add a local routine.
Fixes: 224593215525 ("s390/pci: use virtual memory for iommu bitmap")
Fixes: 13954fd6913a ("s390/pci_dma: improve lazy flush for unmap")
Cc: stable@vger.kernel.org
Reviewed-by: Matthew Rosato <mjrosato@linux.ibm.com>
Signed-off-by: Niklas Schnelle <schnelle@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/s390/pci/pci_dma.c | 15 +++++++++++++--
1 file changed, 13 insertions(+), 2 deletions(-)
--- a/arch/s390/pci/pci_dma.c
+++ b/arch/s390/pci/pci_dma.c
@@ -564,6 +564,17 @@ static void s390_dma_unmap_sg(struct dev
s->dma_length = 0;
}
}
+
+static unsigned long *bitmap_vzalloc(size_t bits, gfp_t flags)
+{
+ size_t n = BITS_TO_LONGS(bits);
+ size_t bytes;
+
+ if (unlikely(check_mul_overflow(n, sizeof(unsigned long), &bytes)))
+ return NULL;
+
+ return vzalloc(bytes);
+}
int zpci_dma_init_device(struct zpci_dev *zdev)
{
@@ -604,13 +615,13 @@ int zpci_dma_init_device(struct zpci_dev
zdev->end_dma - zdev->start_dma + 1);
zdev->end_dma = zdev->start_dma + zdev->iommu_size - 1;
zdev->iommu_pages = zdev->iommu_size >> PAGE_SHIFT;
- zdev->iommu_bitmap = vzalloc(zdev->iommu_pages / 8);
+ zdev->iommu_bitmap = bitmap_vzalloc(zdev->iommu_pages, GFP_KERNEL);
if (!zdev->iommu_bitmap) {
rc = -ENOMEM;
goto free_dma_table;
}
if (!s390_iommu_strict) {
- zdev->lazy_bitmap = vzalloc(zdev->iommu_pages / 8);
+ zdev->lazy_bitmap = bitmap_vzalloc(zdev->iommu_pages, GFP_KERNEL);
if (!zdev->lazy_bitmap) {
rc = -ENOMEM;
goto free_bitmap;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 200/241] tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (198 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 199/241] s390/pci: fix iommu bitmap allocation Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 201/241] selftests/ftrace: Add new test case which checks non unique symbol Greg Kroah-Hartman
` (50 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Masami Hiramatsu, Francis Laniel
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francis Laniel <flaniel@linux.microsoft.com>
commit b022f0c7e404887a7c5229788fc99eff9f9a80d5 upstream.
When a kprobe is attached to a function that's name is not unique (is
static and shares the name with other functions in the kernel), the
kprobe is attached to the first function it finds. This is a bug as the
function that it is attaching to is not necessarily the one that the
user wants to attach to.
Instead of blindly picking a function to attach to what is ambiguous,
error with EADDRNOTAVAIL to let the user know that this function is not
unique, and that the user must use another unique function with an
address offset to get to the function they want to attach to.
Link: https://lore.kernel.org/all/20231020104250.9537-2-flaniel@linux.microsoft.com/
Cc: stable@vger.kernel.org
Fixes: 413d37d1eb69 ("tracing: Add kprobe-based event tracer")
Suggested-by: Masami Hiramatsu <mhiramat@kernel.org>
Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
Link: https://lore.kernel.org/lkml/20230819101105.b0c104ae4494a7d1f2eea742@kernel.org/
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
kernel/trace/trace_kprobe.c | 63 ++++++++++++++++++++++++++++++++++++++++++++
kernel/trace/trace_probe.h | 1
2 files changed, 64 insertions(+)
--- a/kernel/trace/trace_kprobe.c
+++ b/kernel/trace/trace_kprobe.c
@@ -705,6 +705,25 @@ static struct notifier_block trace_kprob
.priority = 1 /* Invoked after kprobe module callback */
};
+static int count_symbols(void *data, unsigned long unused)
+{
+ unsigned int *count = data;
+
+ (*count)++;
+
+ return 0;
+}
+
+static unsigned int number_of_same_symbols(char *func_name)
+{
+ unsigned int count;
+
+ count = 0;
+ kallsyms_on_each_match_symbol(count_symbols, func_name, &count);
+
+ return count;
+}
+
static int __trace_kprobe_create(int argc, const char *argv[])
{
/*
@@ -836,6 +855,31 @@ static int __trace_kprobe_create(int arg
}
}
+ if (symbol && !strchr(symbol, ':')) {
+ unsigned int count;
+
+ count = number_of_same_symbols(symbol);
+ if (count > 1) {
+ /*
+ * Users should use ADDR to remove the ambiguity of
+ * using KSYM only.
+ */
+ trace_probe_log_err(0, NON_UNIQ_SYMBOL);
+ ret = -EADDRNOTAVAIL;
+
+ goto error;
+ } else if (count == 0) {
+ /*
+ * We can return ENOENT earlier than when register the
+ * kprobe.
+ */
+ trace_probe_log_err(0, BAD_PROBE_ADDR);
+ ret = -ENOENT;
+
+ goto error;
+ }
+ }
+
trace_probe_log_set_index(0);
if (event) {
ret = traceprobe_parse_event_name(&event, &group, gbuf,
@@ -1699,6 +1743,7 @@ static int unregister_kprobe_event(struc
}
#ifdef CONFIG_PERF_EVENTS
+
/* create a trace_kprobe, but don't add it to global lists */
struct trace_event_call *
create_local_trace_kprobe(char *func, void *addr, unsigned long offs,
@@ -1709,6 +1754,24 @@ create_local_trace_kprobe(char *func, vo
int ret;
char *event;
+ if (func) {
+ unsigned int count;
+
+ count = number_of_same_symbols(func);
+ if (count > 1)
+ /*
+ * Users should use addr to remove the ambiguity of
+ * using func only.
+ */
+ return ERR_PTR(-EADDRNOTAVAIL);
+ else if (count == 0)
+ /*
+ * We can return ENOENT earlier than when register the
+ * kprobe.
+ */
+ return ERR_PTR(-ENOENT);
+ }
+
/*
* local trace_kprobes are not added to dyn_event, so they are never
* searched in find_trace_kprobe(). Therefore, there is no concern of
--- a/kernel/trace/trace_probe.h
+++ b/kernel/trace/trace_probe.h
@@ -438,6 +438,7 @@ extern int traceprobe_define_arg_fields(
C(BAD_MAXACT, "Invalid maxactive number"), \
C(MAXACT_TOO_BIG, "Maxactive is too big"), \
C(BAD_PROBE_ADDR, "Invalid probed address or symbol"), \
+ C(NON_UNIQ_SYMBOL, "The symbol is not unique"), \
C(BAD_RETPROBE, "Retprobe address must be an function entry"), \
C(NO_TRACEPOINT, "Tracepoint is not found"), \
C(BAD_ADDR_SUFFIX, "Invalid probed address suffix"), \
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 201/241] selftests/ftrace: Add new test case which checks non unique symbol
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (199 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 200/241] tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 202/241] KEYS: asymmetric: Fix sign/verify on pkcs1pad without a hash Greg Kroah-Hartman
` (49 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Francis Laniel, Masami Hiramatsu (Google)
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Francis Laniel <flaniel@linux.microsoft.com>
commit 03b80ff8023adae6780e491f66e932df8165e3a0 upstream.
If name_show() is non unique, this test will try to install a kprobe on this
function which should fail returning EADDRNOTAVAIL.
On kernel where name_show() is not unique, this test is skipped.
Link: https://lore.kernel.org/all/20231020104250.9537-3-flaniel@linux.microsoft.com/
Cc: stable@vger.kernel.org
Signed-off-by: Francis Laniel <flaniel@linux.microsoft.com>
Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/ftrace/test.d/kprobe/kprobe_non_uniq_symbol.tc | 13 ++++++++++
1 file changed, 13 insertions(+)
create mode 100644 tools/testing/selftests/ftrace/test.d/kprobe/kprobe_non_uniq_symbol.tc
--- /dev/null
+++ b/tools/testing/selftests/ftrace/test.d/kprobe/kprobe_non_uniq_symbol.tc
@@ -0,0 +1,13 @@
+#!/bin/sh
+# SPDX-License-Identifier: GPL-2.0
+# description: Test failure of registering kprobe on non unique symbol
+# requires: kprobe_events
+
+SYMBOL='name_show'
+
+# We skip this test on kernel where SYMBOL is unique or does not exist.
+if [ "$(grep -c -E "[[:alnum:]]+ t ${SYMBOL}" /proc/kallsyms)" -le '1' ]; then
+ exit_unsupported
+fi
+
+! echo "p:test_non_unique ${SYMBOL}" > kprobe_events
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 202/241] KEYS: asymmetric: Fix sign/verify on pkcs1pad without a hash
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (200 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 201/241] selftests/ftrace: Add new test case which checks non unique symbol Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 203/241] apple-gmux: Hard Code max brightness for MMIO gmux Greg Kroah-Hartman
` (48 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Denis Kenzior, Herbert Xu
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Herbert Xu <herbert@gondor.apana.org.au>
commit b11950356c4b416d2e87941f3aa7a8bf089db72b upstream.
The new sign/verify code broke the case of pkcs1pad without a
hash algorithm. Fix it by setting issig correctly for this case.
Fixes: 63ba4d67594a ("KEYS: asymmetric: Use new crypto interface without scatterlists")
Cc: stable@vger.kernel.org # v6.5
Reported-by: Denis Kenzior <denkenz@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Tested-by: Denis Kenzior <denkenz@gmail.com>
Signed-off-by: Herbert Xu <herbert@gondor.apana.org.au>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
crypto/asymmetric_keys/public_key.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
diff --git a/crypto/asymmetric_keys/public_key.c b/crypto/asymmetric_keys/public_key.c
index abeecb8329b3..1dcab27986a6 100644
--- a/crypto/asymmetric_keys/public_key.c
+++ b/crypto/asymmetric_keys/public_key.c
@@ -81,14 +81,13 @@ software_key_determine_akcipher(const struct public_key *pkey,
* RSA signatures usually use EMSA-PKCS1-1_5 [RFC3447 sec 8.2].
*/
if (strcmp(encoding, "pkcs1") == 0) {
+ *sig = op == kernel_pkey_sign ||
+ op == kernel_pkey_verify;
if (!hash_algo) {
- *sig = false;
n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
"pkcs1pad(%s)",
pkey->pkey_algo);
} else {
- *sig = op == kernel_pkey_sign ||
- op == kernel_pkey_verify;
n = snprintf(alg_name, CRYPTO_MAX_ALG_NAME,
"pkcs1pad(%s,%s)",
pkey->pkey_algo, hash_algo);
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 203/241] apple-gmux: Hard Code max brightness for MMIO gmux
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (201 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 202/241] KEYS: asymmetric: Fix sign/verify on pkcs1pad without a hash Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 204/241] s390/cio: fix a memleak in css_alloc_subchannel Greg Kroah-Hartman
` (47 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Karsten Leipold,
Orlando Chamberlain, Hans de Goede
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Orlando Chamberlain <orlandoch.dev@gmail.com>
commit 0e51cb42438b8754d8f4cee4c802a8c5bb2cd5e0 upstream.
The data in the max brightness port for iMacs with MMIO gmux incorrectly
reports 0x03ff, but it should be 0xffff. As all other MMIO gmux models
have 0xffff, hard code this for all MMIO gmux's so they all have the
proper brightness range accessible.
Fixes: 0c18184de990 ("platform/x86: apple-gmux: support MMIO gmux on T2 Macs")
Reported-by: Karsten Leipold <poldi@dfn.de>
Signed-off-by: Orlando Chamberlain <orlandoch.dev@gmail.com>
Link: https://lore.kernel.org/r/20231017111444.19304-2-orlandoch.dev@gmail.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/apple-gmux.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
--- a/drivers/platform/x86/apple-gmux.c
+++ b/drivers/platform/x86/apple-gmux.c
@@ -105,6 +105,8 @@ struct apple_gmux_config {
#define GMUX_BRIGHTNESS_MASK 0x00ffffff
#define GMUX_MAX_BRIGHTNESS GMUX_BRIGHTNESS_MASK
+# define MMIO_GMUX_MAX_BRIGHTNESS 0xffff
+
static u8 gmux_pio_read8(struct apple_gmux_data *gmux_data, int port)
{
return inb(gmux_data->iostart + port);
@@ -857,7 +859,17 @@ get_version:
memset(&props, 0, sizeof(props));
props.type = BACKLIGHT_PLATFORM;
- props.max_brightness = gmux_read32(gmux_data, GMUX_PORT_MAX_BRIGHTNESS);
+
+ /*
+ * All MMIO gmux's have 0xffff as max brightness, but some iMacs incorrectly
+ * report 0x03ff, despite the firmware being happy to set 0xffff as the brightness
+ * at boot. Force 0xffff for all MMIO gmux's so they all have the correct brightness
+ * range.
+ */
+ if (type == APPLE_GMUX_TYPE_MMIO)
+ props.max_brightness = MMIO_GMUX_MAX_BRIGHTNESS;
+ else
+ props.max_brightness = gmux_read32(gmux_data, GMUX_PORT_MAX_BRIGHTNESS);
#if IS_REACHABLE(CONFIG_ACPI_VIDEO)
register_bdev = acpi_video_get_backlight_type() == acpi_backlight_apple_gmux;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 204/241] s390/cio: fix a memleak in css_alloc_subchannel
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (202 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 203/241] apple-gmux: Hard Code max brightness for MMIO gmux Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 205/241] platform/surface: platform_profile: Propagate error if profile registration fails Greg Kroah-Hartman
` (46 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dinghao Liu, Halil Pasic,
Peter Oberparleiter, Vasily Gorbik
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dinghao Liu <dinghao.liu@zju.edu.cn>
commit 63e8b94ad1840f02462633abdb363397f56bc642 upstream.
When dma_set_coherent_mask() fails, sch->lock has not been
freed, which is allocated in css_sch_create_locks(), leading
to a memleak.
Fixes: 4520a91a976e ("s390/cio: use dma helpers for setting masks")
Signed-off-by: Dinghao Liu <dinghao.liu@zju.edu.cn>
Message-Id: <20230921071412.13806-1-dinghao.liu@zju.edu.cn>
Link: https://lore.kernel.org/linux-s390/bd38baa8-7b9d-4d89-9422-7e943d626d6e@linux.ibm.com/
Reviewed-by: Halil Pasic <pasic@linux.ibm.com>
Reviewed-by: Peter Oberparleiter <oberpar@linux.ibm.com>
Signed-off-by: Vasily Gorbik <gor@linux.ibm.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/s390/cio/css.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
--- a/drivers/s390/cio/css.c
+++ b/drivers/s390/cio/css.c
@@ -233,17 +233,19 @@ struct subchannel *css_alloc_subchannel(
*/
ret = dma_set_coherent_mask(&sch->dev, DMA_BIT_MASK(31));
if (ret)
- goto err;
+ goto err_lock;
/*
* But we don't have such restrictions imposed on the stuff that
* is handled by the streaming API.
*/
ret = dma_set_mask(&sch->dev, DMA_BIT_MASK(64));
if (ret)
- goto err;
+ goto err_lock;
return sch;
+err_lock:
+ kfree(sch->lock);
err:
kfree(sch);
return ERR_PTR(ret);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 205/241] platform/surface: platform_profile: Propagate error if profile registration fails
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (203 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 204/241] s390/cio: fix a memleak in css_alloc_subchannel Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 206/241] platform/x86: intel-uncore-freq: Conditionally create attribute for read frequency Greg Kroah-Hartman
` (45 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Armin Wolf, Maximilian Luz, Hans de Goede
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Armin Wolf <W_Armin@gmx.de>
commit fe0e04cf66a12ffe6d1b43725ddaabd5599d024f upstream.
If platform_profile_register() fails, the driver does not propagate
the error, but instead probes successfully. This means when the driver
unbinds, the a warning might be issued by platform_profile_remove().
Fix this by propagating the error back to the caller of
surface_platform_profile_probe().
Compile-tested only.
Fixes: b78b4982d763 ("platform/surface: Add platform profile driver")
Signed-off-by: Armin Wolf <W_Armin@gmx.de>
Reviewed-by: Maximilian Luz <luzmaximilian@gmail.com>
Tested-by: Maximilian Luz <luzmaximilian@gmail.com>
Link: https://lore.kernel.org/r/20231014235449.288702-1-W_Armin@gmx.de
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/surface/surface_platform_profile.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/platform/surface/surface_platform_profile.c
+++ b/drivers/platform/surface/surface_platform_profile.c
@@ -159,8 +159,7 @@ static int surface_platform_profile_prob
set_bit(PLATFORM_PROFILE_BALANCED_PERFORMANCE, tpd->handler.choices);
set_bit(PLATFORM_PROFILE_PERFORMANCE, tpd->handler.choices);
- platform_profile_register(&tpd->handler);
- return 0;
+ return platform_profile_register(&tpd->handler);
}
static void surface_platform_profile_remove(struct ssam_device *sdev)
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 206/241] platform/x86: intel-uncore-freq: Conditionally create attribute for read frequency
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (204 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 205/241] platform/surface: platform_profile: Propagate error if profile registration fails Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 207/241] platform/x86: msi-ec: Fix the 3rd config Greg Kroah-Hartman
` (44 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srinivas Pandruvada,
Ilpo Järvinen, Hans de Goede
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
commit 4d73c6772ab771cbbe7e46a73e7c78ba490350fa upstream.
When the current uncore frequency can't be read, don't create attribute
"current_freq_khz" as any read will fail later. Some user space
applications like turbostat fail to continue with the failure. So, check
error during attribute creation.
Fixes: 414eef27283a ("platform/x86/intel/uncore-freq: Display uncore current frequency")
Signed-off-by: Srinivas Pandruvada <srinivas.pandruvada@linux.intel.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20231004181915.1887913-1-srinivas.pandruvada@linux.intel.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.c | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.c
+++ b/drivers/platform/x86/intel/uncore-frequency/uncore-frequency-common.c
@@ -176,7 +176,7 @@ show_uncore_data(initial_max_freq_khz);
static int create_attr_group(struct uncore_data *data, char *name)
{
- int ret, index = 0;
+ int ret, freq, index = 0;
init_attribute_rw(max_freq_khz);
init_attribute_rw(min_freq_khz);
@@ -197,7 +197,11 @@ static int create_attr_group(struct unco
data->uncore_attrs[index++] = &data->min_freq_khz_dev_attr.attr;
data->uncore_attrs[index++] = &data->initial_min_freq_khz_dev_attr.attr;
data->uncore_attrs[index++] = &data->initial_max_freq_khz_dev_attr.attr;
- data->uncore_attrs[index++] = &data->current_freq_khz_dev_attr.attr;
+
+ ret = uncore_read_freq(data, &freq);
+ if (!ret)
+ data->uncore_attrs[index++] = &data->current_freq_khz_dev_attr.attr;
+
data->uncore_attrs[index] = NULL;
data->uncore_attr_group.name = name;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 207/241] platform/x86: msi-ec: Fix the 3rd config
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (205 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 206/241] platform/x86: intel-uncore-freq: Conditionally create attribute for read frequency Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 208/241] platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e Greg Kroah-Hartman
` (43 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Aakash Singh, Jose Angel Pastrana,
Nikita Kravets, Ilpo Järvinen, Hans de Goede
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nikita Kravets <teackot@gmail.com>
commit 6284e67aa6cb3af870ed11dfcfafd80fd927777b upstream.
Fix the charge control address of CONF3 and remove an incorrect firmware
version which turned out to be a BIOS firmware and not an EC firmware.
Fixes: 392cacf2aa10 ("platform/x86: Add new msi-ec driver")
Cc: Aakash Singh <mail@singhaakash.dev>
Cc: Jose Angel Pastrana <japp0005@red.ujaen.es>
Signed-off-by: Nikita Kravets <teackot@gmail.com>
Reviewed-by: Ilpo Järvinen <ilpo.jarvinen@linux.intel.com>
Link: https://lore.kernel.org/r/20231006175352.1753017-5-teackot@gmail.com
Reviewed-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/msi-ec.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/drivers/platform/x86/msi-ec.c
+++ b/drivers/platform/x86/msi-ec.c
@@ -276,14 +276,13 @@ static struct msi_ec_conf CONF2 __initda
static const char * const ALLOWED_FW_3[] __initconst = {
"1592EMS1.111",
- "E1592IMS.10C",
NULL
};
static struct msi_ec_conf CONF3 __initdata = {
.allowed_fw = ALLOWED_FW_3,
.charge_control = {
- .address = 0xef,
+ .address = 0xd7,
.offset_start = 0x8a,
.offset_end = 0x80,
.range_min = 0x8a,
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 208/241] platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (206 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 207/241] platform/x86: msi-ec: Fix the 3rd config Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 209/241] platform/x86: asus-wmi: Only map brightness codes when using asus-wmi backlight control Greg Kroah-Hartman
` (42 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, James John, Hans de Goede
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit f37cc2fc277b371fc491890afb7d8a26e36bb3a1 upstream.
Older Asus laptops change the backlight level themselves and then send
WMI events with different codes for different backlight levels.
The asus-wmi.c code maps the entire range of codes reported on
brightness down keypresses to an internal ASUS_WMI_BRN_DOWN code:
define NOTIFY_BRNUP_MIN 0x11
define NOTIFY_BRNUP_MAX 0x1f
define NOTIFY_BRNDOWN_MIN 0x20
define NOTIFY_BRNDOWN_MAX 0x2e
if (code >= NOTIFY_BRNUP_MIN && code <= NOTIFY_BRNUP_MAX)
code = ASUS_WMI_BRN_UP;
else if (code >= NOTIFY_BRNDOWN_MIN && code <= NOTIFY_BRNDOWN_MAX)
code = ASUS_WMI_BRN_DOWN;
Before this commit all the NOTIFY_BRNDOWN_MIN - NOTIFY_BRNDOWN_MAX
aka 0x20 - 0x2e events were mapped to 0x20.
This mapping is causing issues on new laptop models which actually
send 0x2b events for printscreen presses and 0x2c events for
capslock presses, which get translated into spurious brightness-down
presses.
The plan is disable the 0x11-0x2e special mapping on laptops
where asus-wmi does not register a backlight-device to avoid
the spurious brightness-down keypresses. New laptops always send
0x2e for brightness-down presses, change the special internal
ASUS_WMI_BRN_DOWN value from 0x20 to 0x2e to match this in
preparation for fixing the spurious brightness-down presses.
This change does not have any functional impact since all
of 0x20 - 0x2e is mapped to ASUS_WMI_BRN_DOWN first and only
then checked against the keymap code and the new 0x2e
value is still in the 0x20 - 0x2e range.
Reported-by: James John <me@donjajo.com>
Closes: https://lore.kernel.org/platform-driver-x86/a2c441fe-457e-44cf-a146-0ecd86b037cf@donjajo.com/
Closes: https://bbs.archlinux.org/viewtopic.php?pid=2123716
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20231017090725.38163-2-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/asus-wmi.h | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/drivers/platform/x86/asus-wmi.h
+++ b/drivers/platform/x86/asus-wmi.h
@@ -18,7 +18,7 @@
#include <linux/i8042.h>
#define ASUS_WMI_KEY_IGNORE (-1)
-#define ASUS_WMI_BRN_DOWN 0x20
+#define ASUS_WMI_BRN_DOWN 0x2e
#define ASUS_WMI_BRN_UP 0x2f
struct module;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 209/241] platform/x86: asus-wmi: Only map brightness codes when using asus-wmi backlight control
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (207 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 208/241] platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 210/241] platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events Greg Kroah-Hartman
` (41 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, James John, Hans de Goede
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit a5b92be2482e5f9ef30be4e4cda12ed484381493 upstream.
Older Asus laptops change the backlight level themselves and then send
WMI events with different codes for different backlight levels.
The asus-wmi.c code maps the entire range of codes reported on
brightness down keypresses to an internal ASUS_WMI_BRN_DOWN code:
define NOTIFY_BRNUP_MIN 0x11
define NOTIFY_BRNUP_MAX 0x1f
define NOTIFY_BRNDOWN_MIN 0x20
define NOTIFY_BRNDOWN_MAX 0x2e
if (code >= NOTIFY_BRNUP_MIN && code <= NOTIFY_BRNUP_MAX)
code = ASUS_WMI_BRN_UP;
else if (code >= NOTIFY_BRNDOWN_MIN && code <= NOTIFY_BRNDOWN_MAX)
code = ASUS_WMI_BRN_DOWN;
This mapping is causing issues on new laptop models which actually
send 0x2b events for printscreen presses and 0x2c events for
capslock presses, which get translated into spurious brightness-down
presses.
This mapping is really only necessary when asus-wmi has registered
a backlight-device for backlight control. In this case the mapping
was used to decide to filter out the keypresss since in this case
the firmware has already modified the brightness itself and instead
of reporting a keypress asus-wmi will just report the new brightness
value to userspace.
OTOH when the firmware does not adjust the brightness itself then
it seems to always report 0x2e for brightness-down presses and
0x2f for brightness up presses independent of the actual brightness
level. So in this case the mapping of the code is not necessary
and this translation actually leads to spurious brightness-down
presses being send to userspace when pressing printscreen or capslock.
Modify asus_wmi_handle_event_code() to only do the mapping
when using asus-wmi backlight control to fix the spurious
brightness-down presses.
Reported-by: James John <me@donjajo.com>
Closes: https://lore.kernel.org/platform-driver-x86/a2c441fe-457e-44cf-a146-0ecd86b037cf@donjajo.com/
Closes: https://bbs.archlinux.org/viewtopic.php?pid=2123716
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20231017090725.38163-3-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/asus-wmi.c | 15 ++++-----------
1 file changed, 4 insertions(+), 11 deletions(-)
--- a/drivers/platform/x86/asus-wmi.c
+++ b/drivers/platform/x86/asus-wmi.c
@@ -3268,7 +3268,6 @@ static void asus_wmi_handle_event_code(i
{
unsigned int key_value = 1;
bool autorelease = 1;
- int orig_code = code;
if (asus->driver->key_filter) {
asus->driver->key_filter(asus->driver, &code, &key_value,
@@ -3277,16 +3276,10 @@ static void asus_wmi_handle_event_code(i
return;
}
- if (code >= NOTIFY_BRNUP_MIN && code <= NOTIFY_BRNUP_MAX)
- code = ASUS_WMI_BRN_UP;
- else if (code >= NOTIFY_BRNDOWN_MIN && code <= NOTIFY_BRNDOWN_MAX)
- code = ASUS_WMI_BRN_DOWN;
-
- if (code == ASUS_WMI_BRN_DOWN || code == ASUS_WMI_BRN_UP) {
- if (acpi_video_get_backlight_type() == acpi_backlight_vendor) {
- asus_wmi_backlight_notify(asus, orig_code);
- return;
- }
+ if (acpi_video_get_backlight_type() == acpi_backlight_vendor &&
+ code >= NOTIFY_BRNUP_MIN && code <= NOTIFY_BRNDOWN_MAX) {
+ asus_wmi_backlight_notify(asus, code);
+ return;
}
if (code == NOTIFY_KBD_BRTUP) {
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 210/241] platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (208 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 209/241] platform/x86: asus-wmi: Only map brightness codes when using asus-wmi backlight control Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 211/241] rust: error: fix the description for `ECHILD` Greg Kroah-Hartman
` (40 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, James John, Hans de Goede
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Hans de Goede <hdegoede@redhat.com>
commit 235985d1763f7aba92c1c64e5f5aaec26c2c9b18 upstream.
Newer Asus laptops send the following new WMI event codes when some
of the F1 - F12 "media" hotkeys are pressed:
0x2a Screen Capture
0x2b PrintScreen
0x2c CapsLock
Map 0x2a to KEY_SELECTIVE_SCREENSHOT mirroring how similar hotkeys
are mapped on other laptops.
PrintScreem and CapsLock are also reported as normal PS/2 keyboard events,
map these event codes to KE_IGNORE to avoid "Unknown key code 0x%x\n" log
messages.
Reported-by: James John <me@donjajo.com>
Closes: https://lore.kernel.org/platform-driver-x86/a2c441fe-457e-44cf-a146-0ecd86b037cf@donjajo.com/
Closes: https://bbs.archlinux.org/viewtopic.php?pid=2123716
Signed-off-by: Hans de Goede <hdegoede@redhat.com>
Link: https://lore.kernel.org/r/20231017090725.38163-4-hdegoede@redhat.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/platform/x86/asus-nb-wmi.c | 3 +++
1 file changed, 3 insertions(+)
--- a/drivers/platform/x86/asus-nb-wmi.c
+++ b/drivers/platform/x86/asus-nb-wmi.c
@@ -531,6 +531,9 @@ static void asus_nb_wmi_quirks(struct as
static const struct key_entry asus_nb_wmi_keymap[] = {
{ KE_KEY, ASUS_WMI_BRN_DOWN, { KEY_BRIGHTNESSDOWN } },
{ KE_KEY, ASUS_WMI_BRN_UP, { KEY_BRIGHTNESSUP } },
+ { KE_KEY, 0x2a, { KEY_SELECTIVE_SCREENSHOT } },
+ { KE_IGNORE, 0x2b, }, /* PrintScreen (also send via PS/2) on newer models */
+ { KE_IGNORE, 0x2c, }, /* CapsLock (also send via PS/2) on newer models */
{ KE_KEY, 0x30, { KEY_VOLUMEUP } },
{ KE_KEY, 0x31, { KEY_VOLUMEDOWN } },
{ KE_KEY, 0x32, { KEY_MUTE } },
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 211/241] rust: error: fix the description for `ECHILD`
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (209 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 210/241] platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 212/241] gpiolib: acpi: Add missing memset(0) to acpi_get_gpiod_from_data() Greg Kroah-Hartman
` (39 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Wedson Almeida Filho,
Martin Rodriguez Reboredo, Trevor Gross, Finn Behrens,
Alice Ryhl, Miguel Ojeda
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Wedson Almeida Filho <walmeida@microsoft.com>
commit 17bfcd6a81535d7d580ddafb6e54806890aaca6c upstream.
A mistake was made and the description of `ECHILD` is wrong (it reuses
the description of `ENOEXEC`). This fixes it to reflect what's in
`errno-base.h`.
Signed-off-by: Wedson Almeida Filho <walmeida@microsoft.com>
Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
Reviewed-by: Trevor Gross <tmgross@umich.edu>
Reviewed-by: Finn Behrens <me@kloenk.dev>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Fixes: 266def2a0f5b ("rust: error: add codes from `errno-base.h`")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/r/20230930144958.46051-1-wedsonaf@gmail.com
[ Use the plural, as noticed by Benno. ]
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
rust/kernel/error.rs | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rust/kernel/error.rs b/rust/kernel/error.rs
index 05fcab6abfe6..0f29e7b2194c 100644
--- a/rust/kernel/error.rs
+++ b/rust/kernel/error.rs
@@ -37,7 +37,7 @@ macro_rules! declare_err {
declare_err!(E2BIG, "Argument list too long.");
declare_err!(ENOEXEC, "Exec format error.");
declare_err!(EBADF, "Bad file number.");
- declare_err!(ECHILD, "Exec format error.");
+ declare_err!(ECHILD, "No child processes.");
declare_err!(EAGAIN, "Try again.");
declare_err!(ENOMEM, "Out of memory.");
declare_err!(EACCES, "Permission denied.");
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 212/241] gpiolib: acpi: Add missing memset(0) to acpi_get_gpiod_from_data()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (210 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 211/241] rust: error: fix the description for `ECHILD` Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 213/241] gpio: vf610: set value before the direction to avoid a glitch Greg Kroah-Hartman
` (38 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ferry Toth, Andy Shevchenko,
Dmitry Torokhov, Bartosz Golaszewski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
commit 479ac419206b5fe4ce4e40de61ac3210a36711aa upstream.
When refactoring the acpi_get_gpiod_from_data() the change missed
cleaning up the variable on stack. Add missing memset().
Reported-by: Ferry Toth <ftoth@exalondelft.nl>
Fixes: 16ba046e86e9 ("gpiolib: acpi: teach acpi_find_gpio() to handle data-only nodes")
Signed-off-by: Andy Shevchenko <andriy.shevchenko@linux.intel.com>
Reviewed-by: Dmitry Torokhov <dmitry.torokhov@gmail.com>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpiolib-acpi.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/gpio/gpiolib-acpi.c b/drivers/gpio/gpiolib-acpi.c
index fbda452fb4d6..51e41676de0b 100644
--- a/drivers/gpio/gpiolib-acpi.c
+++ b/drivers/gpio/gpiolib-acpi.c
@@ -951,6 +951,7 @@ static struct gpio_desc *acpi_get_gpiod_from_data(struct fwnode_handle *fwnode,
if (!propname)
return ERR_PTR(-EINVAL);
+ memset(&lookup, 0, sizeof(lookup));
lookup.index = index;
ret = acpi_gpio_property_lookup(fwnode, propname, index, &lookup);
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 213/241] gpio: vf610: set value before the direction to avoid a glitch
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (211 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 212/241] gpiolib: acpi: Add missing memset(0) to acpi_get_gpiod_from_data() Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 214/241] gpio: vf610: mask the gpio irq in system suspend and support wakeup Greg Kroah-Hartman
` (37 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haibo Chen, Bartosz Golaszewski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
commit fc363413ef8ea842ae7a99e3caf5465dafdd3a49 upstream.
We found a glitch when configuring the pad as output high. To avoid this
glitch, move the data value setting before direction config in the
function vf610_gpio_direction_output().
Fixes: 659d8a62311f ("gpio: vf610: add imx7ulp support")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
[Bartosz: tweak the commit message]
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-vf610.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- a/drivers/gpio/gpio-vf610.c
+++ b/drivers/gpio/gpio-vf610.c
@@ -127,14 +127,14 @@ static int vf610_gpio_direction_output(s
unsigned long mask = BIT(gpio);
u32 val;
+ vf610_gpio_set(chip, gpio, value);
+
if (port->sdata && port->sdata->have_paddr) {
val = vf610_gpio_readl(port->gpio_base + GPIO_PDDR);
val |= mask;
vf610_gpio_writel(val, port->gpio_base + GPIO_PDDR);
}
- vf610_gpio_set(chip, gpio, value);
-
return pinctrl_gpio_direction_output(chip->base + gpio);
}
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 214/241] gpio: vf610: mask the gpio irq in system suspend and support wakeup
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (212 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 213/241] gpio: vf610: set value before the direction to avoid a glitch Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 215/241] ASoC: cs35l56: Fix illegal use of init_completion() Greg Kroah-Hartman
` (36 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable; +Cc: Greg Kroah-Hartman, patches, Haibo Chen, Bartosz Golaszewski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Haibo Chen <haibo.chen@nxp.com>
commit 430232619791e7de95191f2cd8ebaa4c380d17d0 upstream.
Add flag IRQCHIP_MASK_ON_SUSPEND to make sure gpio irq is masked on
suspend, if lack this flag, current irq arctitecture will not mask
the irq, and these unmasked gpio irq will wrongly wakeup the system
even they are not config as wakeup source.
Also add flag IRQCHIP_ENABLE_WAKEUP_ON_SUSPEND to make sure the gpio
irq which is configed as wakeup source can work as expect.
Fixes: 7f2691a19627 ("gpio: vf610: add gpiolib/IRQ chip driver for Vybrid")
Signed-off-by: Haibo Chen <haibo.chen@nxp.com>
Signed-off-by: Bartosz Golaszewski <bartosz.golaszewski@linaro.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/gpio/gpio-vf610.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
--- a/drivers/gpio/gpio-vf610.c
+++ b/drivers/gpio/gpio-vf610.c
@@ -247,7 +247,8 @@ static const struct irq_chip vf610_irqch
.irq_unmask = vf610_gpio_irq_unmask,
.irq_set_type = vf610_gpio_irq_set_type,
.irq_set_wake = vf610_gpio_irq_set_wake,
- .flags = IRQCHIP_IMMUTABLE,
+ .flags = IRQCHIP_IMMUTABLE | IRQCHIP_MASK_ON_SUSPEND
+ | IRQCHIP_ENABLE_WAKEUP_ON_SUSPEND,
GPIOCHIP_IRQ_RESOURCE_HELPERS,
};
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 215/241] ASoC: cs35l56: Fix illegal use of init_completion()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (213 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 214/241] gpio: vf610: mask the gpio irq in system suspend and support wakeup Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 216/241] ASoC: pxa: fix a memory leak in probe() Greg Kroah-Hartman
` (35 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Mark Brown, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Fitzgerald <rf@opensource.cirrus.com>
[ Upstream commit af5fd122d7bd739a2b66405f6e8ab92557279325 ]
Fix cs35l56_patch() to call reinit_completion() to reinitialize
the completion object.
It was incorrectly using init_completion().
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: e49611252900 ("ASoC: cs35l56: Add driver for Cirrus Logic CS35L56")
Link: https://lore.kernel.org/r/20231006164405.253796-1-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/cs35l56.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/codecs/cs35l56.c b/sound/soc/codecs/cs35l56.c
index 7e241908b5f16..4d7ccf682647e 100644
--- a/sound/soc/codecs/cs35l56.c
+++ b/sound/soc/codecs/cs35l56.c
@@ -879,7 +879,7 @@ static void cs35l56_patch(struct cs35l56_private *cs35l56)
mutex_lock(&cs35l56->irq_lock);
- init_completion(&cs35l56->init_completion);
+ reinit_completion(&cs35l56->init_completion);
cs35l56_system_reset(cs35l56);
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 216/241] ASoC: pxa: fix a memory leak in probe()
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (214 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 215/241] ASoC: cs35l56: Fix illegal use of init_completion() Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 217/241] ASoC: cs42l42: Fix missing include of gpio/consumer.h Greg Kroah-Hartman
` (34 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dan Carpenter, Mark Brown, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Dan Carpenter <dan.carpenter@linaro.org>
[ Upstream commit aa6464edbd51af4a2f8db43df866a7642b244b5f ]
Free the "priv" pointer before returning the error code.
Fixes: 90eb6b59d311 ("ASoC: pxa-ssp: add support for an external clock in devicetree")
Signed-off-by: Dan Carpenter <dan.carpenter@linaro.org>
Link: https://lore.kernel.org/r/84ac2313-1420-471a-b2cb-3269a2e12a7c@moroto.mountain
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/pxa/pxa-ssp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/sound/soc/pxa/pxa-ssp.c b/sound/soc/pxa/pxa-ssp.c
index 430dd446321e5..452f0caf415b9 100644
--- a/sound/soc/pxa/pxa-ssp.c
+++ b/sound/soc/pxa/pxa-ssp.c
@@ -779,7 +779,7 @@ static int pxa_ssp_probe(struct snd_soc_dai *dai)
if (IS_ERR(priv->extclk)) {
ret = PTR_ERR(priv->extclk);
if (ret == -EPROBE_DEFER)
- return ret;
+ goto err_priv;
priv->extclk = NULL;
}
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 217/241] ASoC: cs42l42: Fix missing include of gpio/consumer.h
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (215 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 216/241] ASoC: pxa: fix a memory leak in probe() Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 218/241] drm/bridge: ti-sn65dsi86: Associate DSI device lifetime with auxiliary device Greg Kroah-Hartman
` (33 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Richard Fitzgerald, Mark Brown, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Richard Fitzgerald <rf@opensource.cirrus.com>
[ Upstream commit d6cbc6a3a856a7d8047316d81e2e039e44432acb ]
The call to gpiod_set_value_cansleep() in cs42l42_sdw_update_status()
needs the header file gpio/consumer.h to be included.
This was introduced by commit 2d066c6a7865 ("ASoC: cs42l42: Avoid stale
SoundWire ATTACH after hard reset")
and caused error:
sound/soc/codecs/cs42l42-sdw.c:374:4: error: implicit declaration of
function ‘gpiod_set_value_cansleep’;
did you mean gpio_set_value_cansleep’?
Signed-off-by: Richard Fitzgerald <rf@opensource.cirrus.com>
Fixes: 2d066c6a7865 ("ASoC: cs42l42: Avoid stale SoundWire ATTACH after hard reset")
Link: https://lore.kernel.org/r/20231011134853.20059-1-rf@opensource.cirrus.com
Signed-off-by: Mark Brown <broonie@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
sound/soc/codecs/cs42l42-sdw.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/sound/soc/codecs/cs42l42-sdw.c b/sound/soc/codecs/cs42l42-sdw.c
index 974bae4abfad1..94a66a325303b 100644
--- a/sound/soc/codecs/cs42l42-sdw.c
+++ b/sound/soc/codecs/cs42l42-sdw.c
@@ -6,6 +6,7 @@
#include <linux/acpi.h>
#include <linux/device.h>
+#include <linux/gpio/consumer.h>
#include <linux/iopoll.h>
#include <linux/module.h>
#include <linux/mod_devicetable.h>
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 218/241] drm/bridge: ti-sn65dsi86: Associate DSI device lifetime with auxiliary device
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (216 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 217/241] ASoC: cs42l42: Fix missing include of gpio/consumer.h Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 219/241] drm/panel: Move AUX B116XW03 out of panel-edp back to panel-simple Greg Kroah-Hartman
` (32 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Douglas Anderson, Maxime Ripard,
Stephen Boyd, Neil Armstrong, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Stephen Boyd <swboyd@chromium.org>
[ Upstream commit 7b821db95140e2c118567aee22a78bf85f3617e0 ]
The kernel produces a warning splat and the DSI device fails to register
in this driver if the i2c driver probes, populates child auxiliary
devices, and then somewhere in ti_sn_bridge_probe() a function call
returns -EPROBE_DEFER. When the auxiliary driver probe defers, the dsi
device created by devm_mipi_dsi_device_register_full() is left
registered because the devm managed device used to manage the lifetime
of the DSI device is the parent i2c device, not the auxiliary device
that is being probed.
Associate the DSI device created and managed by this driver to the
lifetime of the auxiliary device, not the i2c device, so that the DSI
device is removed when the auxiliary driver unbinds. Similarly change
the device pointer used for dev_err_probe() so the deferred probe errors
are associated with the auxiliary device instead of the parent i2c
device so we can narrow down future problems faster.
Cc: Douglas Anderson <dianders@chromium.org>
Cc: Maxime Ripard <maxime@cerno.tech>
Fixes: c3b75d4734cb ("drm/bridge: sn65dsi86: Register and attach our DSI device at probe")
Signed-off-by: Stephen Boyd <swboyd@chromium.org>
Reviewed-by: Neil Armstrong <neil.armstrong@linaro.org>
Reviewed-by: Douglas Anderson <dianders@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20231002235407.769399-1-swboyd@chromium.org
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/bridge/ti-sn65dsi86.c | 14 +++++++-------
1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/drivers/gpu/drm/bridge/ti-sn65dsi86.c b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
index f448b903e1907..84148a79414b7 100644
--- a/drivers/gpu/drm/bridge/ti-sn65dsi86.c
+++ b/drivers/gpu/drm/bridge/ti-sn65dsi86.c
@@ -692,7 +692,7 @@ static struct ti_sn65dsi86 *bridge_to_ti_sn65dsi86(struct drm_bridge *bridge)
return container_of(bridge, struct ti_sn65dsi86, bridge);
}
-static int ti_sn_attach_host(struct ti_sn65dsi86 *pdata)
+static int ti_sn_attach_host(struct auxiliary_device *adev, struct ti_sn65dsi86 *pdata)
{
int val;
struct mipi_dsi_host *host;
@@ -707,7 +707,7 @@ static int ti_sn_attach_host(struct ti_sn65dsi86 *pdata)
if (!host)
return -EPROBE_DEFER;
- dsi = devm_mipi_dsi_device_register_full(dev, host, &info);
+ dsi = devm_mipi_dsi_device_register_full(&adev->dev, host, &info);
if (IS_ERR(dsi))
return PTR_ERR(dsi);
@@ -725,7 +725,7 @@ static int ti_sn_attach_host(struct ti_sn65dsi86 *pdata)
pdata->dsi = dsi;
- return devm_mipi_dsi_attach(dev, dsi);
+ return devm_mipi_dsi_attach(&adev->dev, dsi);
}
static int ti_sn_bridge_attach(struct drm_bridge *bridge,
@@ -1298,9 +1298,9 @@ static int ti_sn_bridge_probe(struct auxiliary_device *adev,
struct device_node *np = pdata->dev->of_node;
int ret;
- pdata->next_bridge = devm_drm_of_get_bridge(pdata->dev, np, 1, 0);
+ pdata->next_bridge = devm_drm_of_get_bridge(&adev->dev, np, 1, 0);
if (IS_ERR(pdata->next_bridge))
- return dev_err_probe(pdata->dev, PTR_ERR(pdata->next_bridge),
+ return dev_err_probe(&adev->dev, PTR_ERR(pdata->next_bridge),
"failed to create panel bridge\n");
ti_sn_bridge_parse_lanes(pdata, np);
@@ -1319,9 +1319,9 @@ static int ti_sn_bridge_probe(struct auxiliary_device *adev,
drm_bridge_add(&pdata->bridge);
- ret = ti_sn_attach_host(pdata);
+ ret = ti_sn_attach_host(adev, pdata);
if (ret) {
- dev_err_probe(pdata->dev, ret, "failed to attach dsi host\n");
+ dev_err_probe(&adev->dev, ret, "failed to attach dsi host\n");
goto err_remove_bridge;
}
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 219/241] drm/panel: Move AUX B116XW03 out of panel-edp back to panel-simple
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (217 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 218/241] drm/bridge: ti-sn65dsi86: Associate DSI device lifetime with auxiliary device Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 14:35 ` Doug Anderson
2023-10-23 10:56 ` [PATCH 6.5 220/241] drm/i915/cx0: Only clear/set the Pipe Reset bit of the PHY Lanes Owned Greg Kroah-Hartman
` (31 subsequent siblings)
250 siblings, 1 reply; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Anton Bambura, Hsin-Yi Wang,
Douglas Anderson, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Douglas Anderson <dianders@chromium.org>
[ Upstream commit ad3e33fe071dffea07279f96dab4f3773c430fe2 ]
In commit 5f04e7ce392d ("drm/panel-edp: Split eDP panels out of
panel-simple") I moved a pile of panels out of panel-simple driver
into the newly created panel-edp driver. One of those panels, however,
shouldn't have been moved.
As is clear from commit e35e305eff0f ("drm/panel: simple: Add AUO
B116XW03 panel support"), AUX B116XW03 is an LVDS panel. It's used in
exynos5250-snow and exynos5420-peach-pit where it's clear that the
panel is hooked up with LVDS. Furthermore, searching for datasheets I
found one that makes it clear that this panel is LVDS.
As far as I can tell, I got confused because in commit 88d3457ceb82
("drm/panel: auo,b116xw03: fix flash backlight when power on") Jitao
Shi added "DRM_MODE_CONNECTOR_eDP". That seems wrong. Looking at the
downstream ChromeOS trees, it seems like some Mediatek boards are
using a panel that they call "auo,b116xw03" that's an eDP panel. The
best I can guess is that they actually have a different panel that has
similar timing. If so then the proper panel should be used or they
should switch to the generic "edp-panel" compatible.
When moving this back to panel-edp, I wasn't sure what to use for
.bus_flags and .bus_format and whether to add the extra "enable" delay
from commit 88d3457ceb82 ("drm/panel: auo,b116xw03: fix flash
backlight when power on"). I've added formats/flags/delays based on my
(inexpert) analysis of the datasheet. These are untested.
NOTE: if/when this is backported to stable, we might run into some
trouble. Specifically, before 474c162878ba ("arm64: dts: mt8183:
jacuzzi: Move panel under aux-bus") this panel was used by
"mt8183-kukui-jacuzzi", which assumed it was an eDP panel. I don't
know what to suggest for that other than someone making up a bogus
panel for jacuzzi that's just for the stable channel.
Fixes: 88d3457ceb82 ("drm/panel: auo,b116xw03: fix flash backlight when power on")
Fixes: 5f04e7ce392d ("drm/panel-edp: Split eDP panels out of panel-simple")
Tested-by: Anton Bambura <jenneron@postmarketos.org>
Acked-by: Hsin-Yi Wang <hsinyi@chromium.org>
Signed-off-by: Douglas Anderson <dianders@chromium.org>
Link: https://patchwork.freedesktop.org/patch/msgid/20230925150010.1.Iff672233861bcc4cf25a7ad0a81308adc3bda8a4@changeid
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/panel/panel-edp.c | 29 -----------------------
drivers/gpu/drm/panel/panel-simple.c | 35 ++++++++++++++++++++++++++++
2 files changed, 35 insertions(+), 29 deletions(-)
diff --git a/drivers/gpu/drm/panel/panel-edp.c b/drivers/gpu/drm/panel/panel-edp.c
index fbd114b4f0be0..856f73a46ee61 100644
--- a/drivers/gpu/drm/panel/panel-edp.c
+++ b/drivers/gpu/drm/panel/panel-edp.c
@@ -976,32 +976,6 @@ static const struct panel_desc auo_b116xak01 = {
},
};
-static const struct drm_display_mode auo_b116xw03_mode = {
- .clock = 70589,
- .hdisplay = 1366,
- .hsync_start = 1366 + 40,
- .hsync_end = 1366 + 40 + 40,
- .htotal = 1366 + 40 + 40 + 32,
- .vdisplay = 768,
- .vsync_start = 768 + 10,
- .vsync_end = 768 + 10 + 12,
- .vtotal = 768 + 10 + 12 + 6,
- .flags = DRM_MODE_FLAG_NVSYNC | DRM_MODE_FLAG_NHSYNC,
-};
-
-static const struct panel_desc auo_b116xw03 = {
- .modes = &auo_b116xw03_mode,
- .num_modes = 1,
- .bpc = 6,
- .size = {
- .width = 256,
- .height = 144,
- },
- .delay = {
- .enable = 400,
- },
-};
-
static const struct drm_display_mode auo_b133han05_mode = {
.clock = 142600,
.hdisplay = 1920,
@@ -1725,9 +1699,6 @@ static const struct of_device_id platform_of_match[] = {
}, {
.compatible = "auo,b116xa01",
.data = &auo_b116xak01,
- }, {
- .compatible = "auo,b116xw03",
- .data = &auo_b116xw03,
}, {
.compatible = "auo,b133han05",
.data = &auo_b133han05,
diff --git a/drivers/gpu/drm/panel/panel-simple.c b/drivers/gpu/drm/panel/panel-simple.c
index 03196fbfa4d79..e26af5e1299a8 100644
--- a/drivers/gpu/drm/panel/panel-simple.c
+++ b/drivers/gpu/drm/panel/panel-simple.c
@@ -923,6 +923,38 @@ static const struct panel_desc auo_b101xtn01 = {
},
};
+static const struct drm_display_mode auo_b116xw03_mode = {
+ .clock = 70589,
+ .hdisplay = 1366,
+ .hsync_start = 1366 + 40,
+ .hsync_end = 1366 + 40 + 40,
+ .htotal = 1366 + 40 + 40 + 32,
+ .vdisplay = 768,
+ .vsync_start = 768 + 10,
+ .vsync_end = 768 + 10 + 12,
+ .vtotal = 768 + 10 + 12 + 6,
+ .flags = DRM_MODE_FLAG_NVSYNC | DRM_MODE_FLAG_NHSYNC,
+};
+
+static const struct panel_desc auo_b116xw03 = {
+ .modes = &auo_b116xw03_mode,
+ .num_modes = 1,
+ .bpc = 6,
+ .size = {
+ .width = 256,
+ .height = 144,
+ },
+ .delay = {
+ .prepare = 1,
+ .enable = 200,
+ .disable = 200,
+ .unprepare = 500,
+ },
+ .bus_format = MEDIA_BUS_FMT_RGB666_1X7X3_SPWG,
+ .bus_flags = DRM_BUS_FLAG_DE_HIGH,
+ .connector_type = DRM_MODE_CONNECTOR_LVDS,
+};
+
static const struct display_timing auo_g070vvn01_timings = {
.pixelclock = { 33300000, 34209000, 45000000 },
.hactive = { 800, 800, 800 },
@@ -4074,6 +4106,9 @@ static const struct of_device_id platform_of_match[] = {
}, {
.compatible = "auo,b101xtn01",
.data = &auo_b101xtn01,
+ }, {
+ .compatible = "auo,b116xw03",
+ .data = &auo_b116xw03,
}, {
.compatible = "auo,g070vvn01",
.data = &auo_g070vvn01,
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 220/241] drm/i915/cx0: Only clear/set the Pipe Reset bit of the PHY Lanes Owned
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (218 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 219/241] drm/panel: Move AUX B116XW03 out of panel-edp back to panel-simple Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 221/241] drm/amdgpu: Fix possible null pointer dereference Greg Kroah-Hartman
` (30 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mika Kahola, Gustavo Sousa,
Khaled Almahallawy, Radhakrishna Sripada, Rodrigo Vivi,
Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Khaled Almahallawy <khaled.almahallawy@intel.com>
[ Upstream commit 5e4c16fe08c8b894b258f4110349dc9b642669f9 ]
Currently, with MFD/pin assignment D, the driver clears the pipe reset bit
of lane 1 which is not owned by display. This causes the display
to block S0iX.
By not clearing this bit for lane 1 and keeping whatever default, S0ix
started to work. This is already what the driver does at the end
of the phy lane reset sequence (Step#8)
Bspec: 65451
Fixes: 619a06dba6fa ("drm/i915/mtl: Reset only one lane in case of MFD")
Cc: Mika Kahola <mika.kahola@intel.com>
Cc: Gustavo Sousa <gustavo.sousa@intel.com>
Signed-off-by: Khaled Almahallawy <khaled.almahallawy@intel.com>
Reviewed-by: Gustavo Sousa <gustavo.sousa@intel.com>
Signed-off-by: Radhakrishna Sripada <radhakrishna.sripada@intel.com>
Link: https://patchwork.freedesktop.org/patch/msgid/20231005001310.154396-1-khaled.almahallawy@intel.com
(cherry picked from commit 4a07f063d20c46524f00976f4537de72d9f31c4e)
Signed-off-by: Rodrigo Vivi <rodrigo.vivi@intel.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/i915/display/intel_cx0_phy.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/drivers/gpu/drm/i915/display/intel_cx0_phy.c b/drivers/gpu/drm/i915/display/intel_cx0_phy.c
index 719447ce86e70..974dd52e720c1 100644
--- a/drivers/gpu/drm/i915/display/intel_cx0_phy.c
+++ b/drivers/gpu/drm/i915/display/intel_cx0_phy.c
@@ -2554,8 +2554,7 @@ static void intel_cx0_phy_lane_reset(struct drm_i915_private *i915,
drm_warn(&i915->drm, "PHY %c failed to bring out of SOC reset after %dus.\n",
phy_name(phy), XELPDP_PORT_BUF_SOC_READY_TIMEOUT_US);
- intel_de_rmw(i915, XELPDP_PORT_BUF_CTL2(port),
- XELPDP_LANE_PIPE_RESET(0) | XELPDP_LANE_PIPE_RESET(1),
+ intel_de_rmw(i915, XELPDP_PORT_BUF_CTL2(port), lane_pipe_reset,
lane_pipe_reset);
if (__intel_de_wait_for_register(i915, XELPDP_PORT_BUF_CTL2(port),
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 221/241] drm/amdgpu: Fix possible null pointer dereference
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (219 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 220/241] drm/i915/cx0: Only clear/set the Pipe Reset bit of the PHY Lanes Owned Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 222/241] powerpc/mm: Allow ARCH_FORCE_MAX_ORDER up to 12 Greg Kroah-Hartman
` (29 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Felix Kuehling,
Christian König, Alex Deucher, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Felix Kuehling <Felix.Kuehling@amd.com>
[ Upstream commit 51b79f33817544e3b4df838d86e8e8e4388ff684 ]
abo->tbo.resource may be NULL in amdgpu_vm_bo_update.
Fixes: 180253782038 ("drm/ttm: stop allocating dummy resources during BO creation")
Signed-off-by: Felix Kuehling <Felix.Kuehling@amd.com>
Reviewed-by: Christian König <christian.koenig@amd.com>
Signed-off-by: Alex Deucher <alexander.deucher@amd.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
index ec1ec08d40584..7a67bb1490159 100644
--- a/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
+++ b/drivers/gpu/drm/amd/amdgpu/amdgpu_vm.c
@@ -1094,7 +1094,8 @@ int amdgpu_vm_bo_update(struct amdgpu_device *adev, struct amdgpu_bo_va *bo_va,
struct drm_gem_object *gobj = dma_buf->priv;
struct amdgpu_bo *abo = gem_to_amdgpu_bo(gobj);
- if (abo->tbo.resource->mem_type == TTM_PL_VRAM)
+ if (abo->tbo.resource &&
+ abo->tbo.resource->mem_type == TTM_PL_VRAM)
bo = gem_to_amdgpu_bo(gobj);
}
mem = bo->tbo.resource;
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 222/241] powerpc/mm: Allow ARCH_FORCE_MAX_ORDER up to 12
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (220 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 221/241] drm/amdgpu: Fix possible null pointer dereference Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 223/241] powerpc/qspinlock: Fix stale propagated yield_cpu Greg Kroah-Hartman
` (28 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Christophe Leroy, Michael Ellerman,
Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Michael Ellerman <mpe@ellerman.id.au>
[ Upstream commit ff9e8f41513669e290f6e1904e1bc75950584491 ]
Christophe reported that the change to ARCH_FORCE_MAX_ORDER to limit the
range to 10 had broken his ability to configure hugepages:
# echo 1 > /sys/kernel/mm/hugepages/hugepages-8192kB/nr_hugepages
sh: write error: Invalid argument
Several of the powerpc defconfigs previously set the
ARCH_FORCE_MAX_ORDER value to 12, via the definition in
arch/powerpc/configs/fsl-emb-nonhw.config, used by:
mpc85xx_defconfig
mpc85xx_smp_defconfig
corenet32_smp_defconfig
corenet64_smp_defconfig
mpc86xx_defconfig
mpc86xx_smp_defconfig
Fix it by increasing the allowed range to 12 to restore the previous
behaviour.
Fixes: 358e526a1648 ("powerpc/mm: Reinstate ARCH_FORCE_MAX_ORDER ranges")
Reported-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Closes: https://lore.kernel.org/all/8011d806-5b30-bf26-2bfe-a08c39d57e20@csgroup.eu/
Tested-by: Christophe Leroy <christophe.leroy@csgroup.eu>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20230824122849.942072-1-mpe@ellerman.id.au
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
arch/powerpc/Kconfig | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/arch/powerpc/Kconfig b/arch/powerpc/Kconfig
index 0b1172cbeccb3..b3fdb3d268367 100644
--- a/arch/powerpc/Kconfig
+++ b/arch/powerpc/Kconfig
@@ -917,7 +917,7 @@ config ARCH_FORCE_MAX_ORDER
default "6" if PPC32 && PPC_64K_PAGES
range 4 10 if PPC32 && PPC_256K_PAGES
default "4" if PPC32 && PPC_256K_PAGES
- range 10 10
+ range 10 12
default "10"
help
The kernel page allocator limits the size of maximal physically
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 223/241] powerpc/qspinlock: Fix stale propagated yield_cpu
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (221 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 222/241] powerpc/mm: Allow ARCH_FORCE_MAX_ORDER up to 12 Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 224/241] docs: Move rustdoc output, cross-reference it Greg Kroah-Hartman
` (27 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Srikar Dronamraju, Laurent Dufour,
Shrikanth Hegde, Nicholas Piggin, Michael Ellerman,
Nysal Jan K.A
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Piggin <npiggin@gmail.com>
commit f9bc9bbe8afdf83412728f0b464979a72a3b9ec2 upstream.
yield_cpu is a sample of a preempted lock holder that gets propagated
back through the queue. Queued waiters use this to yield to the
preempted lock holder without continually sampling the lock word (which
would defeat the purpose of MCS queueing by bouncing the cache line).
The problem is that yield_cpu can become stale. It can take some time to
be passed down the chain, and if any queued waiter gets preempted then
it will cease to propagate the yield_cpu to later waiters.
This can result in yielding to a CPU that no longer holds the lock,
which is bad, but particularly if it is currently in H_CEDE (idle),
then it appears to be preempted and some hypervisors (PowerVM) can
cause very long H_CONFER latencies waiting for H_CEDE wakeup. This
results in latency spikes and hard lockups on oversubscribed
partitions with lock contention.
This is a minimal fix. Before yielding to yield_cpu, sample the lock
word to confirm yield_cpu is still the owner, and bail out of it is not.
Thanks to a bunch of people who reported this and tracked down the
exact problem using tracepoints and dispatch trace logs.
Fixes: 28db61e207ea ("powerpc/qspinlock: allow propagation of yield CPU down the queue")
Cc: stable@vger.kernel.org # v6.2+
Reported-by: Srikar Dronamraju <srikar@linux.vnet.ibm.com>
Reported-by: Laurent Dufour <ldufour@linux.ibm.com>
Reported-by: Shrikanth Hegde <sshegde@linux.vnet.ibm.com>
Debugged-by: "Nysal Jan K.A" <nysal@linux.ibm.com>
Signed-off-by: Nicholas Piggin <npiggin@gmail.com>
Tested-by: Shrikanth Hegde <sshegde@linux.vnet.ibm.com>
Signed-off-by: Michael Ellerman <mpe@ellerman.id.au>
Link: https://msgid.link/20231016124305.139923-2-npiggin@gmail.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
arch/powerpc/lib/qspinlock.c | 3 +++
1 file changed, 3 insertions(+)
diff --git a/arch/powerpc/lib/qspinlock.c b/arch/powerpc/lib/qspinlock.c
index 253620979d0c..6dd2f46bd3ef 100644
--- a/arch/powerpc/lib/qspinlock.c
+++ b/arch/powerpc/lib/qspinlock.c
@@ -406,6 +406,9 @@ static __always_inline bool yield_to_prev(struct qspinlock *lock, struct qnode *
if ((yield_count & 1) == 0)
goto yield_prev; /* owner vcpu is running */
+ if (get_owner_cpu(READ_ONCE(lock->val)) != yield_cpu)
+ goto yield_prev; /* re-sample lock owner */
+
spin_end();
preempted = true;
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 224/241] docs: Move rustdoc output, cross-reference it
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (222 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 223/241] powerpc/qspinlock: Fix stale propagated yield_cpu Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 225/241] rust: docs: fix logo replacement Greg Kroah-Hartman
` (26 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Akira Yokosawa, Carlos Bilbao,
Martin Rodriguez Reboredo, Jonathan Corbet, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Carlos Bilbao <carlos.bilbao@amd.com>
[ Upstream commit 48fadf44007568e75c7af92857083058d57be403 ]
Generate rustdoc documentation with the rest of subsystem's documentation
in Documentation/output. Add a cross reference to the generated rustdoc in
Documentation/rust/index.rst if Sphinx target rustdoc is set.
Reviewed-by: Akira Yokosawa <akiyks@gmail.com>
Signed-off-by: Carlos Bilbao <carlos.bilbao@amd.com>
Reviewed-by: Martin Rodriguez Reboredo <yakoyoku@gmail.com>
Signed-off-by: Jonathan Corbet <corbet@lwn.net>
Link: https://lore.kernel.org/r/20230718151534.4067460-2-carlos.bilbao@amd.com
Stable-dep-of: cfd96726e611 ("rust: docs: fix logo replacement")
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
Documentation/rust/index.rst | 8 ++++++++
rust/Makefile | 15 +++++++++------
2 files changed, 17 insertions(+), 6 deletions(-)
diff --git a/Documentation/rust/index.rst b/Documentation/rust/index.rst
index 4ae8c66b94faf..e599be2cec9ba 100644
--- a/Documentation/rust/index.rst
+++ b/Documentation/rust/index.rst
@@ -6,6 +6,14 @@ Rust
Documentation related to Rust within the kernel. To start using Rust
in the kernel, please read the quick-start.rst guide.
+.. only:: rustdoc and html
+
+ You can also browse `rustdoc documentation <rustdoc/kernel/index.html>`_.
+
+.. only:: not rustdoc and html
+
+ This documentation does not include rustdoc generated information.
+
.. toctree::
:maxdepth: 1
diff --git a/rust/Makefile b/rust/Makefile
index 4124bfa01798d..b9acbe5a7a5d5 100644
--- a/rust/Makefile
+++ b/rust/Makefile
@@ -1,5 +1,8 @@
# SPDX-License-Identifier: GPL-2.0
+# Where to place rustdoc generated documentation
+rustdoc_output := $(objtree)/Documentation/output/rust/rustdoc
+
obj-$(CONFIG_RUST) += core.o compiler_builtins.o
always-$(CONFIG_RUST) += exports_core_generated.h
@@ -65,7 +68,7 @@ quiet_cmd_rustdoc = RUSTDOC $(if $(rustdoc_host),H, ) $<
OBJTREE=$(abspath $(objtree)) \
$(RUSTDOC) $(if $(rustdoc_host),$(rust_common_flags),$(rust_flags)) \
$(rustc_target_flags) -L$(objtree)/$(obj) \
- --output $(objtree)/$(obj)/doc \
+ --output $(rustdoc_output) \
--crate-name $(subst rustdoc-,,$@) \
@$(objtree)/include/generated/rustc_cfg $<
@@ -82,15 +85,15 @@ quiet_cmd_rustdoc = RUSTDOC $(if $(rustdoc_host),H, ) $<
# and then retouch the generated files.
rustdoc: rustdoc-core rustdoc-macros rustdoc-compiler_builtins \
rustdoc-alloc rustdoc-kernel
- $(Q)cp $(srctree)/Documentation/images/logo.svg $(objtree)/$(obj)/doc
- $(Q)cp $(srctree)/Documentation/images/COPYING-logo $(objtree)/$(obj)/doc
- $(Q)find $(objtree)/$(obj)/doc -name '*.html' -type f -print0 | xargs -0 sed -Ei \
+ $(Q)cp $(srctree)/Documentation/images/logo.svg $(rustdoc_output)
+ $(Q)cp $(srctree)/Documentation/images/COPYING-logo $(rustdoc_output)
+ $(Q)find $(rustdoc_output) -name '*.html' -type f -print0 | xargs -0 sed -Ei \
-e 's:rust-logo\.svg:logo.svg:g' \
-e 's:rust-logo\.png:logo.svg:g' \
-e 's:favicon\.svg:logo.svg:g' \
-e 's:<link rel="alternate icon" type="image/png" href="[./]*favicon-(16x16|32x32)\.png">::g'
$(Q)echo '.logo-container > img { object-fit: contain; }' \
- >> $(objtree)/$(obj)/doc/rustdoc.css
+ >> $(rustdoc_output)/rustdoc.css
rustdoc-macros: private rustdoc_host = yes
rustdoc-macros: private rustc_target_flags = --crate-type proc-macro \
@@ -154,7 +157,7 @@ quiet_cmd_rustdoc_test = RUSTDOC T $<
@$(objtree)/include/generated/rustc_cfg \
$(rustc_target_flags) $(rustdoc_test_target_flags) \
--sysroot $(objtree)/$(obj)/test/sysroot $(rustdoc_test_quiet) \
- -L$(objtree)/$(obj)/test --output $(objtree)/$(obj)/doc \
+ -L$(objtree)/$(obj)/test --output $(rustdoc_output) \
--crate-name $(subst rusttest-,,$@) $<
# We cannot use `-Zpanic-abort-tests` because some tests are dynamic,
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 225/241] rust: docs: fix logo replacement
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (223 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 224/241] docs: Move rustdoc output, cross-reference it Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 226/241] phy: mapphone-mdm6600: Fix runtime disable on probe Greg Kroah-Hartman
` (25 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benno Lossin, Andreas Hindborg,
Miguel Ojeda, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miguel Ojeda <ojeda@kernel.org>
[ Upstream commit cfd96726e61136e68a168813cedc4084f626208b ]
The static files placement by `rustdoc` changed in Rust 1.67.0 [1],
but the custom code we have to replace the logo in the generated
HTML files did not get updated.
Thus update it to have the Linux logo again in the output.
Hopefully `rustdoc` will eventually support a custom logo from
a local file [2], so that we do not need to maintain this hack
on our side.
Link: https://github.com/rust-lang/rust/pull/101702 [1]
Link: https://github.com/rust-lang/rfcs/pull/3226 [2]
Fixes: 3ed03f4da06e ("rust: upgrade to Rust 1.68.2")
Cc: stable@vger.kernel.org
Tested-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Andreas Hindborg <a.hindborg@samsung.com>
Link: https://lore.kernel.org/r/20231018155527.1015059-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
rust/Makefile | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/rust/Makefile b/rust/Makefile
index b9acbe5a7a5d5..467f50a752dbd 100644
--- a/rust/Makefile
+++ b/rust/Makefile
@@ -85,15 +85,14 @@ quiet_cmd_rustdoc = RUSTDOC $(if $(rustdoc_host),H, ) $<
# and then retouch the generated files.
rustdoc: rustdoc-core rustdoc-macros rustdoc-compiler_builtins \
rustdoc-alloc rustdoc-kernel
- $(Q)cp $(srctree)/Documentation/images/logo.svg $(rustdoc_output)
- $(Q)cp $(srctree)/Documentation/images/COPYING-logo $(rustdoc_output)
+ $(Q)cp $(srctree)/Documentation/images/logo.svg $(rustdoc_output)/static.files/
+ $(Q)cp $(srctree)/Documentation/images/COPYING-logo $(rustdoc_output)/static.files/
$(Q)find $(rustdoc_output) -name '*.html' -type f -print0 | xargs -0 sed -Ei \
- -e 's:rust-logo\.svg:logo.svg:g' \
- -e 's:rust-logo\.png:logo.svg:g' \
- -e 's:favicon\.svg:logo.svg:g' \
- -e 's:<link rel="alternate icon" type="image/png" href="[./]*favicon-(16x16|32x32)\.png">::g'
- $(Q)echo '.logo-container > img { object-fit: contain; }' \
- >> $(rustdoc_output)/rustdoc.css
+ -e 's:rust-logo-[0-9a-f]+\.svg:logo.svg:g' \
+ -e 's:favicon-[0-9a-f]+\.svg:logo.svg:g' \
+ -e 's:<link rel="alternate icon" type="image/png" href="[/.]+/static\.files/favicon-(16x16|32x32)-[0-9a-f]+\.png">::g'
+ $(Q)for f in $(rustdoc_output)/static.files/rustdoc-*.css; do \
+ echo ".logo-container > img { object-fit: contain; }" >> $$f; done
rustdoc-macros: private rustdoc_host = yes
rustdoc-macros: private rustc_target_flags = --crate-type proc-macro \
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 226/241] phy: mapphone-mdm6600: Fix runtime disable on probe
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (224 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 225/241] rust: docs: fix logo replacement Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 227/241] phy: mapphone-mdm6600: Fix runtime PM for remove Greg Kroah-Hartman
` (24 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivaylo Dimitrov, Merlijn Wajer,
Miaoqian Lin, Pavel Machek, Sebastian Reichel, Tony Lindgren,
Vinod Koul, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Lindgren <tony@atomide.com>
[ Upstream commit 719606154c7033c068a5d4c1dc5f9163b814b3c8 ]
Commit d644e0d79829 ("phy: mapphone-mdm6600: Fix PM error handling in
phy_mdm6600_probe") caused a regression where we now unconditionally
disable runtime PM at the end of the probe while it is only needed on
errors.
Cc: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
Cc: Merlijn Wajer <merlijn@wizzup.org>
Cc: Miaoqian Lin <linmq006@gmail.com>
Cc: Pavel Machek <pavel@ucw.cz>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Fixes: d644e0d79829 ("phy: mapphone-mdm6600: Fix PM error handling in phy_mdm6600_probe")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Link: https://lore.kernel.org/r/20230913060433.48373-1-tony@atomide.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/motorola/phy-mapphone-mdm6600.c | 8 +++++---
1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/drivers/phy/motorola/phy-mapphone-mdm6600.c b/drivers/phy/motorola/phy-mapphone-mdm6600.c
index 1d567604b650d..0147112f77b17 100644
--- a/drivers/phy/motorola/phy-mapphone-mdm6600.c
+++ b/drivers/phy/motorola/phy-mapphone-mdm6600.c
@@ -627,10 +627,12 @@ static int phy_mdm6600_probe(struct platform_device *pdev)
pm_runtime_put_autosuspend(ddata->dev);
cleanup:
- if (error < 0)
+ if (error < 0) {
phy_mdm6600_device_power_off(ddata);
- pm_runtime_disable(ddata->dev);
- pm_runtime_dont_use_autosuspend(ddata->dev);
+ pm_runtime_disable(ddata->dev);
+ pm_runtime_dont_use_autosuspend(ddata->dev);
+ }
+
return error;
}
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 227/241] phy: mapphone-mdm6600: Fix runtime PM for remove
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (225 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 226/241] phy: mapphone-mdm6600: Fix runtime disable on probe Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 228/241] phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins Greg Kroah-Hartman
` (23 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivaylo Dimitrov, Merlijn Wajer,
Pavel Machek, Sebastian Reichel, Tony Lindgren,
Sebastian Reichel, Vinod Koul, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Lindgren <tony@atomide.com>
[ Upstream commit b99e0ba9633af51638e5ee1668da2e33620c134f ]
Otherwise we will get an underflow on remove.
Cc: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
Cc: Merlijn Wajer <merlijn@wizzup.org>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Sebastian Reichel <sre@kernel.org>
Fixes: f7f50b2a7b05 ("phy: mapphone-mdm6600: Add runtime PM support for n_gsm on USB suspend")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Link: https://lore.kernel.org/r/20230913060433.48373-2-tony@atomide.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/motorola/phy-mapphone-mdm6600.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/drivers/phy/motorola/phy-mapphone-mdm6600.c b/drivers/phy/motorola/phy-mapphone-mdm6600.c
index 0147112f77b17..df48b1becebe6 100644
--- a/drivers/phy/motorola/phy-mapphone-mdm6600.c
+++ b/drivers/phy/motorola/phy-mapphone-mdm6600.c
@@ -641,6 +641,7 @@ static void phy_mdm6600_remove(struct platform_device *pdev)
struct phy_mdm6600 *ddata = platform_get_drvdata(pdev);
struct gpio_desc *reset_gpio = ddata->ctrl_gpios[PHY_MDM6600_RESET];
+ pm_runtime_get_noresume(ddata->dev);
pm_runtime_dont_use_autosuspend(ddata->dev);
pm_runtime_put_sync(ddata->dev);
pm_runtime_disable(ddata->dev);
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 228/241] phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (226 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 227/241] phy: mapphone-mdm6600: Fix runtime PM for remove Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 229/241] phy: qcom-qmp-usb: initialize PCS_USB registers Greg Kroah-Hartman
` (22 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Ivaylo Dimitrov, Merlijn Wajer,
Pavel Machek, Sebastian Reichel, Tony Lindgren,
Sebastian Reichel, Vinod Koul, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Tony Lindgren <tony@atomide.com>
[ Upstream commit 3b384cc74b00b5ac21d18e4c1efc3c1da5300971 ]
Looks like the driver sleep pins configuration is unusable. Adding the
sleep pins causes the usb phy to not respond. We need to use the default
pins in probe, and only set sleep pins at phy_mdm6600_device_power_off().
As the modem can also be booted to a serial port mode for firmware
flashing, let's make the pin changes limited to probe and remove. For
probe, we get the default pins automatically. We only need to set the
sleep pins in phy_mdm6600_device_power_off() to prevent the modem from
waking up because the gpio line glitches.
If it turns out that we need a separate state for phy_mdm6600_power_on()
and phy_mdm6600_power_off(), we can use the pinctrl idle state.
Cc: Ivaylo Dimitrov <ivo.g.dimitrov.75@gmail.com>
Cc: Merlijn Wajer <merlijn@wizzup.org>
Cc: Pavel Machek <pavel@ucw.cz>
Cc: Sebastian Reichel <sre@kernel.org>
Fixes: 2ad2af081622 ("phy: mapphone-mdm6600: Improve phy related runtime PM calls")
Signed-off-by: Tony Lindgren <tony@atomide.com>
Reviewed-by: Sebastian Reichel <sebastian.reichel@collabora.com>
Link: https://lore.kernel.org/r/20230913060433.48373-3-tony@atomide.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/motorola/phy-mapphone-mdm6600.c | 29 +++++++++------------
1 file changed, 12 insertions(+), 17 deletions(-)
diff --git a/drivers/phy/motorola/phy-mapphone-mdm6600.c b/drivers/phy/motorola/phy-mapphone-mdm6600.c
index df48b1becebe6..376d023a0aa90 100644
--- a/drivers/phy/motorola/phy-mapphone-mdm6600.c
+++ b/drivers/phy/motorola/phy-mapphone-mdm6600.c
@@ -122,16 +122,10 @@ static int phy_mdm6600_power_on(struct phy *x)
{
struct phy_mdm6600 *ddata = phy_get_drvdata(x);
struct gpio_desc *enable_gpio = ddata->ctrl_gpios[PHY_MDM6600_ENABLE];
- int error;
if (!ddata->enabled)
return -ENODEV;
- error = pinctrl_pm_select_default_state(ddata->dev);
- if (error)
- dev_warn(ddata->dev, "%s: error with default_state: %i\n",
- __func__, error);
-
gpiod_set_value_cansleep(enable_gpio, 1);
/* Allow aggressive PM for USB, it's only needed for n_gsm port */
@@ -160,11 +154,6 @@ static int phy_mdm6600_power_off(struct phy *x)
gpiod_set_value_cansleep(enable_gpio, 0);
- error = pinctrl_pm_select_sleep_state(ddata->dev);
- if (error)
- dev_warn(ddata->dev, "%s: error with sleep_state: %i\n",
- __func__, error);
-
return 0;
}
@@ -456,6 +445,7 @@ static void phy_mdm6600_device_power_off(struct phy_mdm6600 *ddata)
{
struct gpio_desc *reset_gpio =
ddata->ctrl_gpios[PHY_MDM6600_RESET];
+ int error;
ddata->enabled = false;
phy_mdm6600_cmd(ddata, PHY_MDM6600_CMD_BP_SHUTDOWN_REQ);
@@ -471,6 +461,17 @@ static void phy_mdm6600_device_power_off(struct phy_mdm6600 *ddata)
} else {
dev_err(ddata->dev, "Timed out powering down\n");
}
+
+ /*
+ * Keep reset gpio high with padconf internal pull-up resistor to
+ * prevent modem from waking up during deeper SoC idle states. The
+ * gpio bank lines can have glitches if not in the always-on wkup
+ * domain.
+ */
+ error = pinctrl_pm_select_sleep_state(ddata->dev);
+ if (error)
+ dev_warn(ddata->dev, "%s: error with sleep_state: %i\n",
+ __func__, error);
}
static void phy_mdm6600_deferred_power_on(struct work_struct *work)
@@ -571,12 +572,6 @@ static int phy_mdm6600_probe(struct platform_device *pdev)
ddata->dev = &pdev->dev;
platform_set_drvdata(pdev, ddata);
- /* Active state selected in phy_mdm6600_power_on() */
- error = pinctrl_pm_select_sleep_state(ddata->dev);
- if (error)
- dev_warn(ddata->dev, "%s: error with sleep_state: %i\n",
- __func__, error);
-
error = phy_mdm6600_init_lines(ddata);
if (error)
return error;
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 229/241] phy: qcom-qmp-usb: initialize PCS_USB registers
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (227 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 228/241] phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 230/241] phy: qcom-qmp-usb: split PCS_USB init table for sc8280xp and sa8775p Greg Kroah-Hartman
` (21 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrien Thierry, Dmitry Baryshkov,
Vinod Koul, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrien Thierry <athierry@redhat.com>
[ Upstream commit 2d3465a75c9f83684d17da6807423824bf260524 ]
Currently, PCS_USB registers that have their initialization data in a
pcs_usb_tbl table are never initialized. Fix that.
Fixes: fc64623637da ("phy: qcom-qmp-combo,usb: add support for separate PCS_USB region")
Signed-off-by: Adrien Thierry <athierry@redhat.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Link: https://lore.kernel.org/r/20230828152353.16529-2-athierry@redhat.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
index 466f0a56c82e1..f9cb60f12575b 100644
--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
@@ -2233,6 +2233,7 @@ static int qmp_usb_power_on(struct phy *phy)
void __iomem *tx = qmp->tx;
void __iomem *rx = qmp->rx;
void __iomem *pcs = qmp->pcs;
+ void __iomem *pcs_usb = qmp->pcs_usb;
void __iomem *status;
unsigned int val;
int ret;
@@ -2256,6 +2257,9 @@ static int qmp_usb_power_on(struct phy *phy)
qmp_usb_configure(pcs, cfg->pcs_tbl, cfg->pcs_tbl_num);
+ if (pcs_usb)
+ qmp_usb_configure(pcs_usb, cfg->pcs_usb_tbl, cfg->pcs_usb_tbl_num);
+
if (cfg->has_pwrdn_delay)
usleep_range(10, 20);
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 230/241] phy: qcom-qmp-usb: split PCS_USB init table for sc8280xp and sa8775p
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (228 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 229/241] phy: qcom-qmp-usb: initialize PCS_USB registers Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 231/241] phy: qcom-qmp-combo: Square out 8550 POWER_STATE_CONFIG1 Greg Kroah-Hartman
` (20 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Dmitry Baryshkov, Adrien Thierry,
Vinod Koul, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Adrien Thierry <athierry@redhat.com>
[ Upstream commit c599dc5cca4dd6a5c664e4a8837246e68a96cb4c ]
For sc8280xp and sa8775p, PCS and PCS_USB initialization data is
described in the same table, thus the pcs_usb offset is not being
applied during initialization of PCS_USB registers. Fix this by adding
the appropriate pcs_usb_tbl tables.
Fixes: 8bd2d6e11c99 ("phy: qcom-qmp: Add SA8775P USB3 UNI phy")
Fixes: c0c7769cdae2 ("phy: qcom-qmp: Add SC8280XP USB3 UNI phy")
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Adrien Thierry <athierry@redhat.com>
Link: https://lore.kernel.org/r/20230828152353.16529-3-athierry@redhat.com
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/qualcomm/phy-qcom-qmp-usb.c | 20 +++++++++++++++-----
1 file changed, 15 insertions(+), 5 deletions(-)
diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
index f9cb60f12575b..575329004b901 100644
--- a/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
+++ b/drivers/phy/qualcomm/phy-qcom-qmp-usb.c
@@ -1480,8 +1480,6 @@ static const struct qmp_phy_init_tbl sc8280xp_usb3_uniphy_pcs_tbl[] = {
QMP_PHY_INIT_CFG(QPHY_V5_PCS_RCVR_DTCT_DLY_P1U2_H, 0x03),
QMP_PHY_INIT_CFG(QPHY_V5_PCS_RX_SIGDET_LVL, 0xaa),
QMP_PHY_INIT_CFG(QPHY_V5_PCS_PCS_TX_RX_CONFIG, 0x0c),
- QMP_PHY_INIT_CFG(QPHY_V5_PCS_USB3_RXEQTRAINING_DFE_TIME_S2, 0x07),
- QMP_PHY_INIT_CFG(QPHY_V5_PCS_USB3_LFPS_DET_HIGH_COUNT_VAL, 0xf8),
QMP_PHY_INIT_CFG(QPHY_V5_PCS_CDR_RESET_TIME, 0x0a),
QMP_PHY_INIT_CFG(QPHY_V5_PCS_ALIGN_DETECT_CONFIG1, 0x88),
QMP_PHY_INIT_CFG(QPHY_V5_PCS_ALIGN_DETECT_CONFIG2, 0x13),
@@ -1490,6 +1488,11 @@ static const struct qmp_phy_init_tbl sc8280xp_usb3_uniphy_pcs_tbl[] = {
QMP_PHY_INIT_CFG(QPHY_V5_PCS_REFGEN_REQ_CONFIG1, 0x21),
};
+static const struct qmp_phy_init_tbl sc8280xp_usb3_uniphy_pcs_usb_tbl[] = {
+ QMP_PHY_INIT_CFG(QPHY_V5_PCS_USB3_RXEQTRAINING_DFE_TIME_S2, 0x07),
+ QMP_PHY_INIT_CFG(QPHY_V5_PCS_USB3_LFPS_DET_HIGH_COUNT_VAL, 0xf8),
+};
+
static const struct qmp_phy_init_tbl sa8775p_usb3_uniphy_pcs_tbl[] = {
QMP_PHY_INIT_CFG(QPHY_V5_PCS_LOCK_DETECT_CONFIG1, 0xc4),
QMP_PHY_INIT_CFG(QPHY_V5_PCS_LOCK_DETECT_CONFIG2, 0x89),
@@ -1499,9 +1502,6 @@ static const struct qmp_phy_init_tbl sa8775p_usb3_uniphy_pcs_tbl[] = {
QMP_PHY_INIT_CFG(QPHY_V5_PCS_RCVR_DTCT_DLY_P1U2_H, 0x03),
QMP_PHY_INIT_CFG(QPHY_V5_PCS_RX_SIGDET_LVL, 0xaa),
QMP_PHY_INIT_CFG(QPHY_V5_PCS_PCS_TX_RX_CONFIG, 0x0c),
- QMP_PHY_INIT_CFG(QPHY_V5_PCS_USB3_RXEQTRAINING_DFE_TIME_S2, 0x07),
- QMP_PHY_INIT_CFG(QPHY_V5_PCS_USB3_LFPS_DET_HIGH_COUNT_VAL, 0xf8),
- QMP_PHY_INIT_CFG(QPHY_V5_PCS_USB3_POWER_STATE_CONFIG1, 0x6f),
QMP_PHY_INIT_CFG(QPHY_V5_PCS_CDR_RESET_TIME, 0x0a),
QMP_PHY_INIT_CFG(QPHY_V5_PCS_ALIGN_DETECT_CONFIG1, 0x88),
QMP_PHY_INIT_CFG(QPHY_V5_PCS_ALIGN_DETECT_CONFIG2, 0x13),
@@ -1510,6 +1510,12 @@ static const struct qmp_phy_init_tbl sa8775p_usb3_uniphy_pcs_tbl[] = {
QMP_PHY_INIT_CFG(QPHY_V5_PCS_REFGEN_REQ_CONFIG1, 0x21),
};
+static const struct qmp_phy_init_tbl sa8775p_usb3_uniphy_pcs_usb_tbl[] = {
+ QMP_PHY_INIT_CFG(QPHY_V5_PCS_USB3_RXEQTRAINING_DFE_TIME_S2, 0x07),
+ QMP_PHY_INIT_CFG(QPHY_V5_PCS_USB3_LFPS_DET_HIGH_COUNT_VAL, 0xf8),
+ QMP_PHY_INIT_CFG(QPHY_V5_PCS_USB3_POWER_STATE_CONFIG1, 0x6f),
+};
+
struct qmp_usb_offsets {
u16 serdes;
u16 pcs;
@@ -1788,6 +1794,8 @@ static const struct qmp_phy_cfg sa8775p_usb3_uniphy_cfg = {
.rx_tbl_num = ARRAY_SIZE(sc8280xp_usb3_uniphy_rx_tbl),
.pcs_tbl = sa8775p_usb3_uniphy_pcs_tbl,
.pcs_tbl_num = ARRAY_SIZE(sa8775p_usb3_uniphy_pcs_tbl),
+ .pcs_usb_tbl = sa8775p_usb3_uniphy_pcs_usb_tbl,
+ .pcs_usb_tbl_num = ARRAY_SIZE(sa8775p_usb3_uniphy_pcs_usb_tbl),
.clk_list = qmp_v4_phy_clk_l,
.num_clks = ARRAY_SIZE(qmp_v4_phy_clk_l),
.reset_list = qcm2290_usb3phy_reset_l,
@@ -1833,6 +1841,8 @@ static const struct qmp_phy_cfg sc8280xp_usb3_uniphy_cfg = {
.rx_tbl_num = ARRAY_SIZE(sc8280xp_usb3_uniphy_rx_tbl),
.pcs_tbl = sc8280xp_usb3_uniphy_pcs_tbl,
.pcs_tbl_num = ARRAY_SIZE(sc8280xp_usb3_uniphy_pcs_tbl),
+ .pcs_usb_tbl = sc8280xp_usb3_uniphy_pcs_usb_tbl,
+ .pcs_usb_tbl_num = ARRAY_SIZE(sc8280xp_usb3_uniphy_pcs_usb_tbl),
.clk_list = qmp_v4_phy_clk_l,
.num_clks = ARRAY_SIZE(qmp_v4_phy_clk_l),
.reset_list = qcm2290_usb3phy_reset_l,
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 231/241] phy: qcom-qmp-combo: Square out 8550 POWER_STATE_CONFIG1
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (229 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 230/241] phy: qcom-qmp-usb: split PCS_USB init table for sc8280xp and sa8775p Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 232/241] phy: qcom-qmp-combo: initialize PCS_USB registers Greg Kroah-Hartman
` (19 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Abel Vesa, Dmitry Baryshkov,
Konrad Dybcio, Vinod Koul, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@linaro.org>
[ Upstream commit 112c23705c6dc59a05290c8e3e597e1b4e9c23fc ]
There are two instances of the POWER_STATE_CONFIG1 register: one in
the PCS space and another one in PCS_USB.
The downstream init sequence pokes the latter one while we've been poking
the former one (and misnamed it as the latter one, impostor!). Fix that
up to avoid UB.
Fixes: 49742e9edab3 ("phy: qcom-qmp-combo: Add support for SM8550")
Reviewed-by: Abel Vesa <abel.vesa@linaro.org>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Link: https://lore.kernel.org/r/20230829-topic-8550_usbphy-v3-1-34ec434194c5@linaro.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 2 +-
drivers/phy/qualcomm/phy-qcom-qmp-pcs-usb-v6.h | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
index bebce8c591a30..48639b88a1e28 100644
--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
@@ -772,10 +772,10 @@ static const struct qmp_phy_init_tbl sm8550_usb3_pcs_tbl[] = {
QMP_PHY_INIT_CFG(QPHY_USB_V6_PCS_PCS_TX_RX_CONFIG, 0x0c),
QMP_PHY_INIT_CFG(QPHY_USB_V6_PCS_EQ_CONFIG1, 0x4b),
QMP_PHY_INIT_CFG(QPHY_USB_V6_PCS_EQ_CONFIG5, 0x10),
- QMP_PHY_INIT_CFG(QPHY_USB_V6_PCS_USB3_POWER_STATE_CONFIG1, 0x68),
};
static const struct qmp_phy_init_tbl sm8550_usb3_pcs_usb_tbl[] = {
+ QMP_PHY_INIT_CFG(QPHY_USB_V6_PCS_USB3_POWER_STATE_CONFIG1, 0x68),
QMP_PHY_INIT_CFG(QPHY_USB_V6_PCS_USB3_LFPS_DET_HIGH_COUNT_VAL, 0xf8),
QMP_PHY_INIT_CFG(QPHY_USB_V6_PCS_USB3_RXEQTRAINING_DFE_TIME_S2, 0x07),
QMP_PHY_INIT_CFG(QPHY_USB_V6_PCS_USB3_RCVR_DTCT_DLY_U3_L, 0x40),
diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-pcs-usb-v6.h b/drivers/phy/qualcomm/phy-qcom-qmp-pcs-usb-v6.h
index 9510e63ba9d8a..c38530d6776b4 100644
--- a/drivers/phy/qualcomm/phy-qcom-qmp-pcs-usb-v6.h
+++ b/drivers/phy/qualcomm/phy-qcom-qmp-pcs-usb-v6.h
@@ -12,7 +12,7 @@
#define QPHY_USB_V6_PCS_LOCK_DETECT_CONFIG3 0xcc
#define QPHY_USB_V6_PCS_LOCK_DETECT_CONFIG6 0xd8
#define QPHY_USB_V6_PCS_REFGEN_REQ_CONFIG1 0xdc
-#define QPHY_USB_V6_PCS_USB3_POWER_STATE_CONFIG1 0x90
+#define QPHY_USB_V6_PCS_POWER_STATE_CONFIG1 0x90
#define QPHY_USB_V6_PCS_RX_SIGDET_LVL 0x188
#define QPHY_USB_V6_PCS_RCVR_DTCT_DLY_P1U2_L 0x190
#define QPHY_USB_V6_PCS_RCVR_DTCT_DLY_P1U2_H 0x194
@@ -23,6 +23,7 @@
#define QPHY_USB_V6_PCS_EQ_CONFIG1 0x1dc
#define QPHY_USB_V6_PCS_EQ_CONFIG5 0x1ec
+#define QPHY_USB_V6_PCS_USB3_POWER_STATE_CONFIG1 0x00
#define QPHY_USB_V6_PCS_USB3_LFPS_DET_HIGH_COUNT_VAL 0x18
#define QPHY_USB_V6_PCS_USB3_RXEQTRAINING_DFE_TIME_S2 0x3c
#define QPHY_USB_V6_PCS_USB3_RCVR_DTCT_DLY_U3_L 0x40
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 232/241] phy: qcom-qmp-combo: initialize PCS_USB registers
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (230 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 231/241] phy: qcom-qmp-combo: Square out 8550 POWER_STATE_CONFIG1 Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 233/241] efi/unaccepted: Fix soft lockups caused by parallel memory acceptance Greg Kroah-Hartman
` (18 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Adrien Thierry, Dmitry Baryshkov,
Konrad Dybcio, Vinod Koul, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Konrad Dybcio <konrad.dybcio@linaro.org>
[ Upstream commit 76d20290d0c66a84a7a40c6231e73d1ab25994e5 ]
Currently, PCS_USB registers that have their initialization data in a
pcs_usb_tbl table are never initialized. Fix that.
Fixes: fc64623637da ("phy: qcom-qmp-combo,usb: add support for separate PCS_USB region")
Reported-by: Adrien Thierry <athierry@redhat.com>
Reviewed-by: Dmitry Baryshkov <dmitry.baryshkov@linaro.org>
Signed-off-by: Konrad Dybcio <konrad.dybcio@linaro.org>
Link: https://lore.kernel.org/r/20230829-topic-8550_usbphy-v3-2-34ec434194c5@linaro.org
Signed-off-by: Vinod Koul <vkoul@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/phy/qualcomm/phy-qcom-qmp-combo.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
index 48639b88a1e28..3e6bec4c4d6ce 100644
--- a/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
+++ b/drivers/phy/qualcomm/phy-qcom-qmp-combo.c
@@ -2649,6 +2649,7 @@ static int qmp_combo_usb_power_on(struct phy *phy)
void __iomem *tx2 = qmp->tx2;
void __iomem *rx2 = qmp->rx2;
void __iomem *pcs = qmp->pcs;
+ void __iomem *pcs_usb = qmp->pcs_usb;
void __iomem *status;
unsigned int val;
int ret;
@@ -2670,6 +2671,9 @@ static int qmp_combo_usb_power_on(struct phy *phy)
qmp_combo_configure(pcs, cfg->pcs_tbl, cfg->pcs_tbl_num);
+ if (pcs_usb)
+ qmp_combo_configure(pcs_usb, cfg->pcs_usb_tbl, cfg->pcs_usb_tbl_num);
+
if (cfg->has_pwrdn_delay)
usleep_range(10, 20);
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 233/241] efi/unaccepted: Fix soft lockups caused by parallel memory acceptance
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (231 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 232/241] phy: qcom-qmp-combo: initialize PCS_USB registers Greg Kroah-Hartman
@ 2023-10-23 10:56 ` Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 234/241] net: move altnames together with the netdevice Greg Kroah-Hartman
` (17 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:56 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Kirill A. Shutemov, Nikolay Borisov,
Vlastimil Babka, Michael Roth, Ard Biesheuvel, Sasha Levin
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
[ Upstream commit 50e782a86c980d4f8292ef82ed8139282ca07a98 ]
Michael reported soft lockups on a system that has unaccepted memory.
This occurs when a user attempts to allocate and accept memory on
multiple CPUs simultaneously.
The root cause of the issue is that memory acceptance is serialized with
a spinlock, allowing only one CPU to accept memory at a time. The other
CPUs spin and wait for their turn, leading to starvation and soft lockup
reports.
To address this, the code has been modified to release the spinlock
while accepting memory. This allows for parallel memory acceptance on
multiple CPUs.
A newly introduced "accepting_list" keeps track of which memory is
currently being accepted. This is necessary to prevent parallel
acceptance of the same memory block. If a collision occurs, the lock is
released and the process is retried.
Such collisions should rarely occur. The main path for memory acceptance
is the page allocator, which accepts memory in MAX_ORDER chunks. As long
as MAX_ORDER is equal to or larger than the unit_size, collisions will
never occur because the caller fully owns the memory block being
accepted.
Aside from the page allocator, only memblock and deferered_free_range()
accept memory, but this only happens during boot.
The code has been tested with unit_size == 128MiB to trigger collisions
and validate the retry codepath.
Fixes: 2053bc57f367 ("efi: Add unaccepted memory support")
Signed-off-by: Kirill A. Shutemov <kirill.shutemov@linux.intel.com>
Reported-by: Michael Roth <michael.roth@amd.com
Reviewed-by: Nikolay Borisov <nik.borisov@suse.com>
Reviewed-by: Vlastimil Babka <vbabka@suse.cz>
Tested-by: Michael Roth <michael.roth@amd.com>
[ardb: drop unnecessary cpu_relax() call]
Signed-off-by: Ard Biesheuvel <ardb@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/firmware/efi/unaccepted_memory.c | 64 ++++++++++++++++++++++--
1 file changed, 60 insertions(+), 4 deletions(-)
diff --git a/drivers/firmware/efi/unaccepted_memory.c b/drivers/firmware/efi/unaccepted_memory.c
index 853f7dc3c21d8..135278ddaf627 100644
--- a/drivers/firmware/efi/unaccepted_memory.c
+++ b/drivers/firmware/efi/unaccepted_memory.c
@@ -5,9 +5,17 @@
#include <linux/spinlock.h>
#include <asm/unaccepted_memory.h>
-/* Protects unaccepted memory bitmap */
+/* Protects unaccepted memory bitmap and accepting_list */
static DEFINE_SPINLOCK(unaccepted_memory_lock);
+struct accept_range {
+ struct list_head list;
+ unsigned long start;
+ unsigned long end;
+};
+
+static LIST_HEAD(accepting_list);
+
/*
* accept_memory() -- Consult bitmap and accept the memory if needed.
*
@@ -24,6 +32,7 @@ void accept_memory(phys_addr_t start, phys_addr_t end)
{
struct efi_unaccepted_memory *unaccepted;
unsigned long range_start, range_end;
+ struct accept_range range, *entry;
unsigned long flags;
u64 unit_size;
@@ -78,20 +87,67 @@ void accept_memory(phys_addr_t start, phys_addr_t end)
if (end > unaccepted->size * unit_size * BITS_PER_BYTE)
end = unaccepted->size * unit_size * BITS_PER_BYTE;
- range_start = start / unit_size;
-
+ range.start = start / unit_size;
+ range.end = DIV_ROUND_UP(end, unit_size);
+retry:
spin_lock_irqsave(&unaccepted_memory_lock, flags);
+
+ /*
+ * Check if anybody works on accepting the same range of the memory.
+ *
+ * The check is done with unit_size granularity. It is crucial to catch
+ * all accept requests to the same unit_size block, even if they don't
+ * overlap on physical address level.
+ */
+ list_for_each_entry(entry, &accepting_list, list) {
+ if (entry->end < range.start)
+ continue;
+ if (entry->start >= range.end)
+ continue;
+
+ /*
+ * Somebody else accepting the range. Or at least part of it.
+ *
+ * Drop the lock and retry until it is complete.
+ */
+ spin_unlock_irqrestore(&unaccepted_memory_lock, flags);
+ goto retry;
+ }
+
+ /*
+ * Register that the range is about to be accepted.
+ * Make sure nobody else will accept it.
+ */
+ list_add(&range.list, &accepting_list);
+
+ range_start = range.start;
for_each_set_bitrange_from(range_start, range_end, unaccepted->bitmap,
- DIV_ROUND_UP(end, unit_size)) {
+ range.end) {
unsigned long phys_start, phys_end;
unsigned long len = range_end - range_start;
phys_start = range_start * unit_size + unaccepted->phys_base;
phys_end = range_end * unit_size + unaccepted->phys_base;
+ /*
+ * Keep interrupts disabled until the accept operation is
+ * complete in order to prevent deadlocks.
+ *
+ * Enabling interrupts before calling arch_accept_memory()
+ * creates an opportunity for an interrupt handler to request
+ * acceptance for the same memory. The handler will continuously
+ * spin with interrupts disabled, preventing other task from
+ * making progress with the acceptance process.
+ */
+ spin_unlock(&unaccepted_memory_lock);
+
arch_accept_memory(phys_start, phys_end);
+
+ spin_lock(&unaccepted_memory_lock);
bitmap_clear(unaccepted->bitmap, range_start, len);
}
+
+ list_del(&range.list);
spin_unlock_irqrestore(&unaccepted_memory_lock, flags);
}
--
2.42.0
^ permalink raw reply related [flat|nested] 260+ messages in thread
* [PATCH 6.5 234/241] net: move altnames together with the netdevice
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (232 preceding siblings ...)
2023-10-23 10:56 ` [PATCH 6.5 233/241] efi/unaccepted: Fix soft lockups caused by parallel memory acceptance Greg Kroah-Hartman
@ 2023-10-23 10:57 ` Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 235/241] Bluetooth: hci_sock: fix slab oob read in create_monitor_event Greg Kroah-Hartman
` (16 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Jiri Pirko, Jakub Kicinski, Paolo Abeni
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Jakub Kicinski <kuba@kernel.org>
commit 8e15aee621618a3ee3abecaf1fd8c1428098b7ef upstream.
The altname nodes are currently not moved to the new netns
when netdevice itself moves:
[ ~]# ip netns add test
[ ~]# ip -netns test link add name eth0 type dummy
[ ~]# ip -netns test link property add dev eth0 altname some-name
[ ~]# ip -netns test link show dev some-name
2: eth0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 1e:67:ed:19:3d:24 brd ff:ff:ff:ff:ff:ff
altname some-name
[ ~]# ip -netns test link set dev eth0 netns 1
[ ~]# ip link
...
3: eth0: <BROADCAST,NOARP> mtu 1500 qdisc noop state DOWN mode DEFAULT group default qlen 1000
link/ether 02:40:88:62:ec:b8 brd ff:ff:ff:ff:ff:ff
altname some-name
[ ~]# ip li show dev some-name
Device "some-name" does not exist.
Remove them from the hash table when device is unlisted
and add back when listed again.
Fixes: 36fbf1e52bd3 ("net: rtnetlink: add linkprop commands to add and delete alternative ifnames")
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/core/dev.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- a/net/core/dev.c
+++ b/net/core/dev.c
@@ -379,6 +379,7 @@ static void netdev_name_node_alt_flush(s
/* Device list insertion */
static void list_netdevice(struct net_device *dev)
{
+ struct netdev_name_node *name_node;
struct net *net = dev_net(dev);
ASSERT_RTNL();
@@ -390,6 +391,9 @@ static void list_netdevice(struct net_de
dev_index_hash(net, dev->ifindex));
write_unlock(&dev_base_lock);
+ netdev_for_each_altname(dev, name_node)
+ netdev_name_node_add(net, name_node);
+
dev_base_seq_inc(net);
}
@@ -398,8 +402,13 @@ static void list_netdevice(struct net_de
*/
static void unlist_netdevice(struct net_device *dev, bool lock)
{
+ struct netdev_name_node *name_node;
+
ASSERT_RTNL();
+ netdev_for_each_altname(dev, name_node)
+ netdev_name_node_del(name_node);
+
/* Unlink dev from the device chain */
if (lock)
write_lock(&dev_base_lock);
@@ -10854,7 +10863,6 @@ void unregister_netdevice_many_notify(st
synchronize_net();
list_for_each_entry(dev, head, unreg_list) {
- struct netdev_name_node *name_node;
struct sk_buff *skb = NULL;
/* Shutdown queueing discipline. */
@@ -10882,9 +10890,6 @@ void unregister_netdevice_many_notify(st
dev_uc_flush(dev);
dev_mc_flush(dev);
- netdev_for_each_altname(dev, name_node)
- netdev_name_node_del(name_node);
- synchronize_rcu();
netdev_name_node_alt_flush(dev);
netdev_name_node_free(dev->name_node);
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 235/241] Bluetooth: hci_sock: fix slab oob read in create_monitor_event
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (233 preceding siblings ...)
2023-10-23 10:57 ` [PATCH 6.5 234/241] net: move altnames together with the netdevice Greg Kroah-Hartman
@ 2023-10-23 10:57 ` Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 236/241] net: rfkill: reduce data->mtx scope in rfkill_fop_open Greg Kroah-Hartman
` (15 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+c90849c50ed209d77689,
Edward AD, Luiz Augusto von Dentz
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Edward AD <twuufnxlz@gmail.com>
commit 18f547f3fc074500ab5d419cf482240324e73a7e upstream.
When accessing hdev->name, the actual string length should prevail
Reported-by: syzbot+c90849c50ed209d77689@syzkaller.appspotmail.com
Fixes: dcda165706b9 ("Bluetooth: hci_core: Fix build warnings")
Signed-off-by: Edward AD <twuufnxlz@gmail.com>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/bluetooth/hci_sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -439,7 +439,7 @@ static struct sk_buff *create_monitor_ev
ni->type = hdev->dev_type;
ni->bus = hdev->bus;
bacpy(&ni->bdaddr, &hdev->bdaddr);
- memcpy(ni->name, hdev->name, 8);
+ memcpy(ni->name, hdev->name, strlen(hdev->name));
opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
break;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 236/241] net: rfkill: reduce data->mtx scope in rfkill_fop_open
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (234 preceding siblings ...)
2023-10-23 10:57 ` [PATCH 6.5 235/241] Bluetooth: hci_sock: fix slab oob read in create_monitor_event Greg Kroah-Hartman
@ 2023-10-23 10:57 ` Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 237/241] docs: rust: update Rust docs output path Greg Kroah-Hartman
` (14 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, syzbot+509238e523e032442b80, Johannes Berg
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Johannes Berg <johannes.berg@intel.com>
commit f2ac54ebf85615a6d78f5eb213a8bbeeb17ebe5d upstream.
In syzbot runs, lockdep reports that there's a (potential)
deadlock here of data->mtx being locked recursively. This
isn't really a deadlock since they are different instances,
but lockdep cannot know, and teaching it would be far more
difficult than other fixes.
At the same time we don't even really _need_ the mutex to
be locked in rfkill_fop_open(), since we're modifying only
a completely fresh instance of 'data' (struct rfkill_data)
that's not yet added to the global list.
However, to avoid any reordering etc. within the globally
locked section, and to make the code look more symmetric,
we should still lock the data->events list manipulation,
but also need to lock _only_ that. So do that.
Reported-by: syzbot+509238e523e032442b80@syzkaller.appspotmail.com
Fixes: 2c3dfba4cf84 ("rfkill: sync before userspace visibility/changes")
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/rfkill/core.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/net/rfkill/core.c
+++ b/net/rfkill/core.c
@@ -1180,7 +1180,6 @@ static int rfkill_fop_open(struct inode
init_waitqueue_head(&data->read_wait);
mutex_lock(&rfkill_global_mutex);
- mutex_lock(&data->mtx);
/*
* start getting events from elsewhere but hold mtx to get
* startup events added first
@@ -1192,10 +1191,11 @@ static int rfkill_fop_open(struct inode
goto free;
rfkill_sync(rfkill);
rfkill_fill_event(&ev->ev, rfkill, RFKILL_OP_ADD);
+ mutex_lock(&data->mtx);
list_add_tail(&ev->list, &data->events);
+ mutex_unlock(&data->mtx);
}
list_add(&data->list, &rfkill_fds);
- mutex_unlock(&data->mtx);
mutex_unlock(&rfkill_global_mutex);
file->private_data = data;
@@ -1203,7 +1203,6 @@ static int rfkill_fop_open(struct inode
return stream_open(inode, file);
free:
- mutex_unlock(&data->mtx);
mutex_unlock(&rfkill_global_mutex);
mutex_destroy(&data->mtx);
list_for_each_entry_safe(ev, tmp, &data->events, list)
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 237/241] docs: rust: update Rust docs output path
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (235 preceding siblings ...)
2023-10-23 10:57 ` [PATCH 6.5 236/241] net: rfkill: reduce data->mtx scope in rfkill_fop_open Greg Kroah-Hartman
@ 2023-10-23 10:57 ` Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 238/241] kbuild: remove old " Greg Kroah-Hartman
` (13 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benno Lossin, Alice Ryhl,
Andreas Hindborg, Miguel Ojeda
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miguel Ojeda <ojeda@kernel.org>
commit bd9e54a42ce26026d67963c21b3fdfe8c7e68430 upstream.
The Rust code documentation output path moved from `rust/doc` to
`Documentation/output/rust/rustdoc`, thus update the old reference.
Fixes: 48fadf440075 ("docs: Move rustdoc output, cross-reference it")
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Andreas Hindborg <a.hindborg@samsung.com>
Link: https://lore.kernel.org/r/20231018160145.1017340-1-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Documentation/rust/general-information.rst | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Documentation/rust/general-information.rst
+++ b/Documentation/rust/general-information.rst
@@ -29,7 +29,7 @@ target with the same invocation used for
To read the docs locally in your web browser, run e.g.::
- xdg-open rust/doc/kernel/index.html
+ xdg-open Documentation/output/rust/rustdoc/kernel/index.html
To learn about how to write the documentation, please see coding-guidelines.rst.
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 238/241] kbuild: remove old Rust docs output path
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (236 preceding siblings ...)
2023-10-23 10:57 ` [PATCH 6.5 237/241] docs: rust: update Rust docs output path Greg Kroah-Hartman
@ 2023-10-23 10:57 ` Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 239/241] Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name Greg Kroah-Hartman
` (12 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Benno Lossin, Alice Ryhl,
Andreas Hindborg, Miguel Ojeda
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Miguel Ojeda <ojeda@kernel.org>
commit 1db773da58df20772dcc037a47163ce472d39c4d upstream.
The Rust code documentation output path moved from `rust/doc` to
`Documentation/output/rust/rustdoc`. The `make cleandocs` target
takes care of cleaning it now since it is integrated with the rest
of the documentation.
Thus remove the old reference.
Fixes: 48fadf440075 ("docs: Move rustdoc output, cross-reference it")
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
Reviewed-by: Alice Ryhl <aliceryhl@google.com>
Reviewed-by: Andreas Hindborg <a.hindborg@samsung.com>
Link: https://lore.kernel.org/r/20231018160145.1017340-2-ojeda@kernel.org
Signed-off-by: Miguel Ojeda <ojeda@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
Makefile | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/Makefile
+++ b/Makefile
@@ -1595,7 +1595,7 @@ endif
# Directories & files removed with 'make clean'
CLEAN_FILES += include/ksym vmlinux.symvers modules-only.symvers \
modules.builtin modules.builtin.modinfo modules.nsdeps \
- compile_commands.json .thinlto-cache rust/test rust/doc \
+ compile_commands.json .thinlto-cache rust/test \
rust-project.json .vmlinux.objs .vmlinux.export.c
# Directories & files removed with 'make mrproper'
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 239/241] Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (237 preceding siblings ...)
2023-10-23 10:57 ` [PATCH 6.5 238/241] kbuild: remove old " Greg Kroah-Hartman
@ 2023-10-23 10:57 ` Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 240/241] mptcp: avoid sending RST when closing the initial subflow Greg Kroah-Hartman
` (11 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Luiz Augusto von Dentz, Edward AD,
Marcel Holtmann, Johan Hedberg, David S. Miller, Eric Dumazet,
Jakub Kicinski, Paolo Abeni, linux-bluetooth, netdev, Kees Cook
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Kees Cook <keescook@chromium.org>
commit cb3871b1cd135a6662b732fbc6b3db4afcdb4a64 upstream.
The code pattern of memcpy(dst, src, strlen(src)) is almost always
wrong. In this case it is wrong because it leaves memory uninitialized
if it is less than sizeof(ni->name), and overflows ni->name when longer.
Normally strtomem_pad() could be used here, but since ni->name is a
trailing array in struct hci_mon_new_index, compilers that don't support
-fstrict-flex-arrays=3 can't tell how large this array is via
__builtin_object_size(). Instead, open-code the helper and use sizeof()
since it will work correctly.
Additionally mark ni->name as __nonstring since it appears to not be a
%NUL terminated C string.
Cc: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Cc: Edward AD <twuufnxlz@gmail.com>
Cc: Marcel Holtmann <marcel@holtmann.org>
Cc: Johan Hedberg <johan.hedberg@gmail.com>
Cc: "David S. Miller" <davem@davemloft.net>
Cc: Eric Dumazet <edumazet@google.com>
Cc: Jakub Kicinski <kuba@kernel.org>
Cc: Paolo Abeni <pabeni@redhat.com>
Cc: linux-bluetooth@vger.kernel.org
Cc: netdev@vger.kernel.org
Fixes: 18f547f3fc07 ("Bluetooth: hci_sock: fix slab oob read in create_monitor_event")
Link: https://lore.kernel.org/lkml/202310110908.F2639D3276@keescook/
Signed-off-by: Kees Cook <keescook@chromium.org>
Signed-off-by: Luiz Augusto von Dentz <luiz.von.dentz@intel.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/bluetooth/hci_mon.h | 2 +-
net/bluetooth/hci_sock.c | 3 ++-
2 files changed, 3 insertions(+), 2 deletions(-)
--- a/include/net/bluetooth/hci_mon.h
+++ b/include/net/bluetooth/hci_mon.h
@@ -56,7 +56,7 @@ struct hci_mon_new_index {
__u8 type;
__u8 bus;
bdaddr_t bdaddr;
- char name[8];
+ char name[8] __nonstring;
} __packed;
#define HCI_MON_NEW_INDEX_SIZE 16
--- a/net/bluetooth/hci_sock.c
+++ b/net/bluetooth/hci_sock.c
@@ -439,7 +439,8 @@ static struct sk_buff *create_monitor_ev
ni->type = hdev->dev_type;
ni->bus = hdev->bus;
bacpy(&ni->bdaddr, &hdev->bdaddr);
- memcpy(ni->name, hdev->name, strlen(hdev->name));
+ memcpy_and_pad(ni->name, sizeof(ni->name), hdev->name,
+ strnlen(hdev->name, sizeof(ni->name)), '\0');
opcode = cpu_to_le16(HCI_MON_NEW_INDEX);
break;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 240/241] mptcp: avoid sending RST when closing the initial subflow
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (238 preceding siblings ...)
2023-10-23 10:57 ` [PATCH 6.5 239/241] Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name Greg Kroah-Hartman
@ 2023-10-23 10:57 ` Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 241/241] selftests: mptcp: join: correctly check for no RST Greg Kroah-Hartman
` (10 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Matthieu Baerts, Paolo Abeni,
Geliang Tang, Mat Martineau, Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Geliang Tang <geliang.tang@suse.com>
commit 14c56686a64c65ba716ff48f1f4b19c85f4cb2a9 upstream.
When closing the first subflow, the MPTCP protocol unconditionally
calls tcp_disconnect(), which in turn generates a reset if the subflow
is established.
That is unexpected and different from what MPTCP does with MPJ
subflows, where resets are generated only on FASTCLOSE and other edge
scenarios.
We can't reuse for the first subflow the same code in place for MPJ
subflows, as MPTCP clean them up completely via a tcp_close() call,
while must keep the first subflow socket alive for later re-usage, due
to implementation constraints.
This patch adds a new helper __mptcp_subflow_disconnect() that
encapsulates, a logic similar to tcp_close, issuing a reset only when
the MPTCP_CF_FASTCLOSE flag is set, and performing a clean shutdown
otherwise.
Fixes: c2b2ae3925b6 ("mptcp: handle correctly disconnect() failures")
Cc: stable@vger.kernel.org
Reviewed-by: Matthieu Baerts <matttbe@kernel.org>
Co-developed-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Geliang Tang <geliang.tang@suse.com>
Signed-off-by: Mat Martineau <martineau@kernel.org>
Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-4-17ecb002e41d@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Matthieu Baerts <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/mptcp/protocol.c | 28 ++++++++++++++++++++++------
1 file changed, 22 insertions(+), 6 deletions(-)
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2336,6 +2336,26 @@ bool __mptcp_retransmit_pending_data(str
#define MPTCP_CF_PUSH BIT(1)
#define MPTCP_CF_FASTCLOSE BIT(2)
+/* be sure to send a reset only if the caller asked for it, also
+ * clean completely the subflow status when the subflow reaches
+ * TCP_CLOSE state
+ */
+static void __mptcp_subflow_disconnect(struct sock *ssk,
+ struct mptcp_subflow_context *subflow,
+ unsigned int flags)
+{
+ if (((1 << ssk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) ||
+ (flags & MPTCP_CF_FASTCLOSE)) {
+ /* The MPTCP code never wait on the subflow sockets, TCP-level
+ * disconnect should never fail
+ */
+ WARN_ON_ONCE(tcp_disconnect(ssk, 0));
+ mptcp_subflow_ctx_reset(subflow);
+ } else {
+ tcp_shutdown(ssk, SEND_SHUTDOWN);
+ }
+}
+
/* subflow sockets can be either outgoing (connect) or incoming
* (accept).
*
@@ -2373,7 +2393,7 @@ static void __mptcp_close_ssk(struct soc
lock_sock_nested(ssk, SINGLE_DEPTH_NESTING);
if ((flags & MPTCP_CF_FASTCLOSE) && !__mptcp_check_fallback(msk)) {
- /* be sure to force the tcp_disconnect() path,
+ /* be sure to force the tcp_close path
* to generate the egress reset
*/
ssk->sk_lingertime = 0;
@@ -2383,12 +2403,8 @@ static void __mptcp_close_ssk(struct soc
need_push = (flags & MPTCP_CF_PUSH) && __mptcp_retransmit_pending_data(sk);
if (!dispose_it) {
- /* The MPTCP code never wait on the subflow sockets, TCP-level
- * disconnect should never fail
- */
- WARN_ON_ONCE(tcp_disconnect(ssk, 0));
+ __mptcp_subflow_disconnect(ssk, subflow, flags);
msk->subflow->state = SS_UNCONNECTED;
- mptcp_subflow_ctx_reset(subflow);
release_sock(ssk);
goto out;
^ permalink raw reply [flat|nested] 260+ messages in thread
* [PATCH 6.5 241/241] selftests: mptcp: join: correctly check for no RST
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (239 preceding siblings ...)
2023-10-23 10:57 ` [PATCH 6.5 240/241] mptcp: avoid sending RST when closing the initial subflow Greg Kroah-Hartman
@ 2023-10-23 10:57 ` Greg Kroah-Hartman
2023-10-23 16:26 ` [PATCH 6.5 000/241] 6.5.9-rc1 review SeongJae Park
` (9 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-23 10:57 UTC (permalink / raw)
To: stable
Cc: Greg Kroah-Hartman, patches, Mat Martineau, Matthieu Baerts,
Jakub Kicinski
6.5-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts <matttbe@kernel.org>
commit b134a5805455d1886662a6516c965cdb9df9fbcc upstream.
The commit mentioned below was more tolerant with the number of RST seen
during a test because in some uncontrollable situations, multiple RST
can be generated.
But it was not taking into account the case where no RST are expected:
this validation was then no longer reporting issues for the 0 RST case
because it is not possible to have less than 0 RST in the counter. This
patch fixes the issue by adding a specific condition.
Fixes: 6bf41020b72b ("selftests: mptcp: update and extend fastclose test-cases")
Cc: stable@vger.kernel.org
Reviewed-by: Mat Martineau <martineau@kernel.org>
Signed-off-by: Matthieu Baerts <matttbe@kernel.org>
Signed-off-by: Mat Martineau <martineau@kernel.org>
Link: https://lore.kernel.org/r/20231018-send-net-20231018-v1-1-17ecb002e41d@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Matthieu Baerts <matttbe@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
tools/testing/selftests/net/mptcp/mptcp_join.sh | 8 ++++++--
1 file changed, 6 insertions(+), 2 deletions(-)
--- a/tools/testing/selftests/net/mptcp/mptcp_join.sh
+++ b/tools/testing/selftests/net/mptcp/mptcp_join.sh
@@ -1383,7 +1383,9 @@ chk_rst_nr()
count=$(get_counter ${ns_tx} "MPTcpExtMPRstTx")
if [ -z "$count" ]; then
echo -n "[skip]"
- elif [ $count -lt $rst_tx ]; then
+ # accept more rst than expected except if we don't expect any
+ elif { [ $rst_tx -ne 0 ] && [ $count -lt $rst_tx ]; } ||
+ { [ $rst_tx -eq 0 ] && [ $count -ne 0 ]; }; then
echo "[fail] got $count MP_RST[s] TX expected $rst_tx"
fail_test
else
@@ -1394,7 +1396,9 @@ chk_rst_nr()
count=$(get_counter ${ns_rx} "MPTcpExtMPRstRx")
if [ -z "$count" ]; then
echo -n "[skip]"
- elif [ "$count" -lt "$rst_rx" ]; then
+ # accept more rst than expected except if we don't expect any
+ elif { [ $rst_rx -ne 0 ] && [ $count -lt $rst_rx ]; } ||
+ { [ $rst_rx -eq 0 ] && [ $count -ne 0 ]; }; then
echo "[fail] got $count MP_RST[s] RX expected $rst_rx"
fail_test
else
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 159/241] net/smc: support smc release version negotiation in clc handshake
2023-10-23 10:55 ` [PATCH 6.5 159/241] net/smc: support smc release version negotiation in clc handshake Greg Kroah-Hartman
@ 2023-10-23 12:05 ` Guangguan Wang
2023-10-25 10:08 ` Greg Kroah-Hartman
0 siblings, 1 reply; 260+ messages in thread
From: Guangguan Wang @ 2023-10-23 12:05 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, Tony Lu, Jan Karcher, David S. Miller, Sasha Levin
Hi, Greg.
[PATCH 6.5 159/241] net/smc: support smc release version negotiation in clc handshake
[PATCH 6.5 160/241] net/smc: support smc v2.x features validate
The above two patches should not backport to stable tree 6.5, which may result in unexpected
fallback if communication between 6.6 and 6.5(with these two patch) via SMC-R v2.1. The above
two patches should not exist individually without the patch 7f0620b9(net/smc: support max
connections per lgr negotiation) and the patch 69b888e3(net/smc: support max links per lgr
negotiation in clc handshake).
The patch c68681ae46ea ("net/smc: fix smc clc failed issue when netdevice not in init_net")
does not rely the feature SMC-R v2.1. But I think it may have conflict here when backport
to stable tree 6.5:
@@ -1201,6 +1201,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
(struct smc_clc_msg_accept_confirm_v2 *)aclc;
struct smc_clc_first_contact_ext *fce =
smc_get_clc_first_contact_ext(clc_v2, false); --conflict here
+ struct net *net = sock_net(&smc->sk);
I think it is better to resolve the confilict rather than backport more patches.
The resolution of the conflict should be like:
@@ -1201,6 +1201,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
(struct smc_clc_msg_accept_confirm_v2 *)aclc;
struct smc_clc_first_contact_ext *fce =
(struct smc_clc_first_contact_ext *)
(((u8 *)clc_v2) + sizeof(*clc_v2)); --replace the line smc_get_clc_first_contact_ext(clc_v2, false);
+ struct net *net = sock_net(&smc->sk);
Thanks,
Guangguan Wang
On 2023/10/23 18:55, Greg Kroah-Hartman wrote:
> 6.5-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Guangguan Wang <guangguan.wang@linux.alibaba.com>
>
> [ Upstream commit 1e700948c9db0d09f691f715e8f4b947e51e35b5 ]
>
> Support smc release version negotiation in clc handshake based on
> SMC v2, where no negotiation process for different releases, but
> for different versions. The latest smc release version was updated
> to v2.1. And currently there are two release versions of SMCv2, v2.0
> and v2.1. In the release version negotiation, client sends the preferred
> release version by CLC Proposal Message, server makes decision for which
> release version to use based on the client preferred release version and
> self-supported release version (here choose the minimum release version
> of the client preferred and server latest supported), then the decision
> returns to client by CLC Accept Message. Client confirms the decision by
> CLC Confirm Message.
>
> Client Server
> Proposal(preferred release version)
> ------------------------------------>
>
> Accept(accpeted release version)
> min(client preferred, server latest supported)
> <------------------------------------
>
> Confirm(accpeted release version)
> ------------------------------------>
>
> Signed-off-by: Guangguan Wang <guangguan.wang@linux.alibaba.com>
> Reviewed-by: Tony Lu <tonylu@linux.alibaba.com>
> Reviewed-by: Jan Karcher <jaka@linux.ibm.com>
> Signed-off-by: David S. Miller <davem@davemloft.net>
> Stable-dep-of: c68681ae46ea ("net/smc: fix smc clc failed issue when netdevice not in init_net")
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> net/smc/af_smc.c | 21 +++++++++++++++++----
> net/smc/smc.h | 5 ++++-
> net/smc/smc_clc.c | 14 +++++++-------
> net/smc/smc_clc.h | 23 ++++++++++++++++++++++-
> net/smc/smc_core.h | 1 +
> 5 files changed, 51 insertions(+), 13 deletions(-)
>
> diff --git a/net/smc/af_smc.c b/net/smc/af_smc.c
> index c0e4e587b4994..077e5864fc441 100644
> --- a/net/smc/af_smc.c
> +++ b/net/smc/af_smc.c
> @@ -1198,8 +1198,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
> struct smc_clc_msg_accept_confirm_v2 *clc_v2 =
> (struct smc_clc_msg_accept_confirm_v2 *)aclc;
> struct smc_clc_first_contact_ext *fce =
> - (struct smc_clc_first_contact_ext *)
> - (((u8 *)clc_v2) + sizeof(*clc_v2));
> + smc_get_clc_first_contact_ext(clc_v2, false);
>
> if (!ini->first_contact_peer || aclc->hdr.version == SMC_V1)
> return 0;
> @@ -1218,6 +1217,9 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
> return SMC_CLC_DECL_NOINDIRECT;
> }
> }
> +
> + ini->release_nr = fce->release;
> +
> return 0;
> }
>
> @@ -1386,6 +1388,13 @@ static int smc_connect_ism(struct smc_sock *smc,
> struct smc_clc_msg_accept_confirm_v2 *aclc_v2 =
> (struct smc_clc_msg_accept_confirm_v2 *)aclc;
>
> + if (ini->first_contact_peer) {
> + struct smc_clc_first_contact_ext *fce =
> + smc_get_clc_first_contact_ext(aclc_v2, true);
> +
> + ini->release_nr = fce->release;
> + }
> +
> rc = smc_v2_determine_accepted_chid(aclc_v2, ini);
> if (rc)
> return rc;
> @@ -1420,7 +1429,7 @@ static int smc_connect_ism(struct smc_sock *smc,
> }
>
> rc = smc_clc_send_confirm(smc, ini->first_contact_local,
> - aclc->hdr.version, eid, NULL);
> + aclc->hdr.version, eid, ini);
> if (rc)
> goto connect_abort;
> mutex_unlock(&smc_server_lgr_pending);
> @@ -1996,6 +2005,10 @@ static int smc_listen_v2_check(struct smc_sock *new_smc,
> }
> }
>
> + ini->release_nr = pclc_v2_ext->hdr.flag.release;
> + if (pclc_v2_ext->hdr.flag.release > SMC_RELEASE)
> + ini->release_nr = SMC_RELEASE;
> +
> out:
> if (!ini->smcd_version && !ini->smcr_version)
> return rc;
> @@ -2443,7 +2456,7 @@ static void smc_listen_work(struct work_struct *work)
> /* send SMC Accept CLC message */
> accept_version = ini->is_smcd ? ini->smcd_version : ini->smcr_version;
> rc = smc_clc_send_accept(new_smc, ini->first_contact_local,
> - accept_version, ini->negotiated_eid);
> + accept_version, ini->negotiated_eid, ini);
> if (rc)
> goto out_unlock;
>
> diff --git a/net/smc/smc.h b/net/smc/smc.h
> index 1f2b912c43d10..24745fde4ac26 100644
> --- a/net/smc/smc.h
> +++ b/net/smc/smc.h
> @@ -21,7 +21,10 @@
>
> #define SMC_V1 1 /* SMC version V1 */
> #define SMC_V2 2 /* SMC version V2 */
> -#define SMC_RELEASE 0
> +
> +#define SMC_RELEASE_0 0
> +#define SMC_RELEASE_1 1
> +#define SMC_RELEASE SMC_RELEASE_1 /* the latest release version */
>
> #define SMCPROTO_SMC 0 /* SMC protocol, IPv4 */
> #define SMCPROTO_SMC6 1 /* SMC protocol, IPv6 */
> diff --git a/net/smc/smc_clc.c b/net/smc/smc_clc.c
> index c90d9e5dda540..fb0be0817e8a5 100644
> --- a/net/smc/smc_clc.c
> +++ b/net/smc/smc_clc.c
> @@ -420,11 +420,11 @@ smc_clc_msg_decl_valid(struct smc_clc_msg_decline *dclc)
> return true;
> }
>
> -static void smc_clc_fill_fce(struct smc_clc_first_contact_ext *fce, int *len)
> +static void smc_clc_fill_fce(struct smc_clc_first_contact_ext *fce, int *len, int release_nr)
> {
> memset(fce, 0, sizeof(*fce));
> fce->os_type = SMC_CLC_OS_LINUX;
> - fce->release = SMC_RELEASE;
> + fce->release = release_nr;
> memcpy(fce->hostname, smc_hostname, sizeof(smc_hostname));
> (*len) += sizeof(*fce);
> }
> @@ -1019,7 +1019,7 @@ static int smc_clc_send_confirm_accept(struct smc_sock *smc,
> memcpy(clc_v2->d1.eid, eid, SMC_MAX_EID_LEN);
> len = SMCD_CLC_ACCEPT_CONFIRM_LEN_V2;
> if (first_contact)
> - smc_clc_fill_fce(&fce, &len);
> + smc_clc_fill_fce(&fce, &len, ini->release_nr);
> clc_v2->hdr.length = htons(len);
> }
> memcpy(trl.eyecatcher, SMCD_EYECATCHER,
> @@ -1063,10 +1063,10 @@ static int smc_clc_send_confirm_accept(struct smc_sock *smc,
> memcpy(clc_v2->r1.eid, eid, SMC_MAX_EID_LEN);
> len = SMCR_CLC_ACCEPT_CONFIRM_LEN_V2;
> if (first_contact) {
> - smc_clc_fill_fce(&fce, &len);
> + smc_clc_fill_fce(&fce, &len, ini->release_nr);
> fce.v2_direct = !link->lgr->uses_gateway;
> memset(&gle, 0, sizeof(gle));
> - if (ini && clc->hdr.type == SMC_CLC_CONFIRM) {
> + if (clc->hdr.type == SMC_CLC_CONFIRM) {
> gle.gid_cnt = ini->smcrv2.gidlist.len;
> len += sizeof(gle);
> len += gle.gid_cnt * sizeof(gle.gid[0]);
> @@ -1141,7 +1141,7 @@ int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact,
>
> /* send CLC ACCEPT message across internal TCP socket */
> int smc_clc_send_accept(struct smc_sock *new_smc, bool srv_first_contact,
> - u8 version, u8 *negotiated_eid)
> + u8 version, u8 *negotiated_eid, struct smc_init_info *ini)
> {
> struct smc_clc_msg_accept_confirm_v2 aclc_v2;
> int len;
> @@ -1149,7 +1149,7 @@ int smc_clc_send_accept(struct smc_sock *new_smc, bool srv_first_contact,
> memset(&aclc_v2, 0, sizeof(aclc_v2));
> aclc_v2.hdr.type = SMC_CLC_ACCEPT;
> len = smc_clc_send_confirm_accept(new_smc, &aclc_v2, srv_first_contact,
> - version, negotiated_eid, NULL);
> + version, negotiated_eid, ini);
> if (len < ntohs(aclc_v2.hdr.length))
> len = len >= 0 ? -EPROTO : -new_smc->clcsock->sk->sk_err;
>
> diff --git a/net/smc/smc_clc.h b/net/smc/smc_clc.h
> index 5fee545c9a109..b923e89acafb0 100644
> --- a/net/smc/smc_clc.h
> +++ b/net/smc/smc_clc.h
> @@ -370,6 +370,27 @@ smc_get_clc_smcd_v2_ext(struct smc_clc_v2_extension *prop_v2ext)
> ntohs(prop_v2ext->hdr.smcd_v2_ext_offset));
> }
>
> +static inline struct smc_clc_first_contact_ext *
> +smc_get_clc_first_contact_ext(struct smc_clc_msg_accept_confirm_v2 *clc_v2,
> + bool is_smcd)
> +{
> + int clc_v2_len;
> +
> + if (clc_v2->hdr.version == SMC_V1 ||
> + !(clc_v2->hdr.typev2 & SMC_FIRST_CONTACT_MASK))
> + return NULL;
> +
> + if (is_smcd)
> + clc_v2_len =
> + offsetofend(struct smc_clc_msg_accept_confirm_v2, d1);
> + else
> + clc_v2_len =
> + offsetofend(struct smc_clc_msg_accept_confirm_v2, r1);
> +
> + return (struct smc_clc_first_contact_ext *)(((u8 *)clc_v2) +
> + clc_v2_len);
> +}
> +
> struct smcd_dev;
> struct smc_init_info;
>
> @@ -382,7 +403,7 @@ int smc_clc_send_proposal(struct smc_sock *smc, struct smc_init_info *ini);
> int smc_clc_send_confirm(struct smc_sock *smc, bool clnt_first_contact,
> u8 version, u8 *eid, struct smc_init_info *ini);
> int smc_clc_send_accept(struct smc_sock *smc, bool srv_first_contact,
> - u8 version, u8 *negotiated_eid);
> + u8 version, u8 *negotiated_eid, struct smc_init_info *ini);
> void smc_clc_init(void) __init;
> void smc_clc_exit(void);
> void smc_clc_get_hostname(u8 **host);
> diff --git a/net/smc/smc_core.h b/net/smc/smc_core.h
> index 1645fba0d2d38..5bbc16f851e05 100644
> --- a/net/smc/smc_core.h
> +++ b/net/smc/smc_core.h
> @@ -374,6 +374,7 @@ struct smc_init_info {
> u8 is_smcd;
> u8 smc_type_v1;
> u8 smc_type_v2;
> + u8 release_nr;
> u8 first_contact_peer;
> u8 first_contact_local;
> unsigned short vlan_id;
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 219/241] drm/panel: Move AUX B116XW03 out of panel-edp back to panel-simple
2023-10-23 10:56 ` [PATCH 6.5 219/241] drm/panel: Move AUX B116XW03 out of panel-edp back to panel-simple Greg Kroah-Hartman
@ 2023-10-23 14:35 ` Doug Anderson
2023-10-24 7:48 ` Greg Kroah-Hartman
0 siblings, 1 reply; 260+ messages in thread
From: Doug Anderson @ 2023-10-23 14:35 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, Anton Bambura, Hsin-Yi Wang, Sasha Levin
Hi,
On Mon, Oct 23, 2023 at 4:12 AM Greg Kroah-Hartman
<gregkh@linuxfoundation.org> wrote:
>
> 6.5-stable review patch. If anyone has any objections, please let me know.
>
> ------------------
>
> From: Douglas Anderson <dianders@chromium.org>
>
> [ Upstream commit ad3e33fe071dffea07279f96dab4f3773c430fe2 ]
>
> In commit 5f04e7ce392d ("drm/panel-edp: Split eDP panels out of
> panel-simple") I moved a pile of panels out of panel-simple driver
> into the newly created panel-edp driver. One of those panels, however,
> shouldn't have been moved.
>
> As is clear from commit e35e305eff0f ("drm/panel: simple: Add AUO
> B116XW03 panel support"), AUX B116XW03 is an LVDS panel. It's used in
> exynos5250-snow and exynos5420-peach-pit where it's clear that the
> panel is hooked up with LVDS. Furthermore, searching for datasheets I
> found one that makes it clear that this panel is LVDS.
>
> As far as I can tell, I got confused because in commit 88d3457ceb82
> ("drm/panel: auo,b116xw03: fix flash backlight when power on") Jitao
> Shi added "DRM_MODE_CONNECTOR_eDP". That seems wrong. Looking at the
> downstream ChromeOS trees, it seems like some Mediatek boards are
> using a panel that they call "auo,b116xw03" that's an eDP panel. The
> best I can guess is that they actually have a different panel that has
> similar timing. If so then the proper panel should be used or they
> should switch to the generic "edp-panel" compatible.
>
> When moving this back to panel-edp, I wasn't sure what to use for
> .bus_flags and .bus_format and whether to add the extra "enable" delay
> from commit 88d3457ceb82 ("drm/panel: auo,b116xw03: fix flash
> backlight when power on"). I've added formats/flags/delays based on my
> (inexpert) analysis of the datasheet. These are untested.
>
> NOTE: if/when this is backported to stable, we might run into some
> trouble. Specifically, before 474c162878ba ("arm64: dts: mt8183:
> jacuzzi: Move panel under aux-bus") this panel was used by
> "mt8183-kukui-jacuzzi", which assumed it was an eDP panel. I don't
> know what to suggest for that other than someone making up a bogus
> panel for jacuzzi that's just for the stable channel.
>
> Fixes: 88d3457ceb82 ("drm/panel: auo,b116xw03: fix flash backlight when power on")
> Fixes: 5f04e7ce392d ("drm/panel-edp: Split eDP panels out of panel-simple")
> Tested-by: Anton Bambura <jenneron@postmarketos.org>
> Acked-by: Hsin-Yi Wang <hsinyi@chromium.org>
> Signed-off-by: Douglas Anderson <dianders@chromium.org>
> Link: https://patchwork.freedesktop.org/patch/msgid/20230925150010.1.Iff672233861bcc4cf25a7ad0a81308adc3bda8a4@changeid
> Signed-off-by: Sasha Levin <sashal@kernel.org>
> ---
> drivers/gpu/drm/panel/panel-edp.c | 29 -----------------------
> drivers/gpu/drm/panel/panel-simple.c | 35 ++++++++++++++++++++++++++++
> 2 files changed, 35 insertions(+), 29 deletions(-)
I responded to Sasha but managed to miss CCing stable@. My
apologies... Copying what I wrote there:
---
I feel that this should not be added to any stable trees. Please
remove it from the 6.1 and 6.5 stable trees and, if possible, mark it
so it won't get auto-selected in the future.
The issue here is that several mediatek boards ended up (incorrectly)
claiming that they included this panel and this change has the
possibility to break those boards. In the latest upstream kernel
mediatek boards that were using it have switched to the generic
"edp-panel" compatible string, but if this is backported someplace
before that change it has the potential to break folks.
It should be noted that it was confirmed that the "snow" and
"peach-pit" boards appeared to be working even without this patch, so
there is no burning need (even for those boards) to get this patch
backported.
For discussion on the topic, please see the link pointed to by the patch, AKA:
https://patchwork.freedesktop.org/patch/msgid/20230925150010.1.Iff672233861bcc4cf25a7ad0a81308adc3bda8a4@changeid
---
Sasha has already said he'd remove it from the queue, but responding
here just in case it's important. Thanks!
-Doug
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 000/241] 6.5.9-rc1 review
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (240 preceding siblings ...)
2023-10-23 10:57 ` [PATCH 6.5 241/241] selftests: mptcp: join: correctly check for no RST Greg Kroah-Hartman
@ 2023-10-23 16:26 ` SeongJae Park
2023-10-23 17:59 ` Ricardo B. Marliere
` (8 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: SeongJae Park @ 2023-10-23 16:26 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor, damon, SeongJae Park
Hello,
On Mon, 23 Oct 2023 12:53:06 +0200 Greg Kroah-Hartman <gregkh@linuxfoundation.org> wrote:
> This is the start of the stable review cycle for the 6.5.9 release.
> There are 241 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 Oct 2023 10:47:57 +0000.
> Anything received after that time might be too late.
This rc kernel passes DAMON functionality test[1] on my test machine.
Attaching the test results summary below. Please note that I retrieved the
kernel from linux-stable-rc tree[2].
Also, please note that the automated run of the test was failed kunit test due
to a buggy commit. Attaching test results summary is that of the failed one.
I made a fix and pushed[3]. With the fix, I manually confirmed this rc kernel
passes the kunit test with the fix.
Tested-by: SeongJae Park <sj@kernel.org>
[1] https://github.com/awslabs/damon-tests/tree/next/corr
[2] b83aad774cc8 ("Linux 6.5.9-rc1")
[3] https://github.com/awslabs/damon-tests/commit/6182d52940e83623376ceceb6c0b90e661abba3b
Thanks,
SJ
[...]
---
ok 1 selftests: damon: debugfs_attrs.sh
ok 2 selftests: damon: debugfs_schemes.sh
ok 3 selftests: damon: debugfs_target_ids.sh
ok 4 selftests: damon: debugfs_empty_targets.sh
ok 5 selftests: damon: debugfs_huge_count_read_write.sh
ok 6 selftests: damon: debugfs_duplicate_context_creation.sh
ok 7 selftests: damon: debugfs_rm_non_contexts.sh
ok 8 selftests: damon: sysfs.sh
ok 9 selftests: damon: sysfs_update_removed_scheme_dir.sh
ok 10 selftests: damon: reclaim.sh
ok 11 selftests: damon: lru_sort.sh
ok 2 selftests: damon-tests: huge_count_read_write.sh
ok 3 selftests: damon-tests: buffer_overflow.sh
ok 4 selftests: damon-tests: rm_contexts.sh
ok 5 selftests: damon-tests: record_null_deref.sh
ok 6 selftests: damon-tests: dbgfs_target_ids_read_before_terminate_race.sh
ok 7 selftests: damon-tests: dbgfs_target_ids_pid_leak.sh
ok 8 selftests: damon-tests: damo_tests.sh
ok 9 selftests: damon-tests: masim-record.sh
ok 10 selftests: damon-tests: build_i386.sh
ok 11 selftests: damon-tests: build_arm64.sh
ok 12 selftests: damon-tests: build_i386_idle_flag.sh
ok 13 selftests: damon-tests: build_i386_highpte.sh
ok 14 selftests: damon-tests: build_nomemcg.sh
[33m
not ok 1 selftests: damon-tests: kunit.sh # exit=1
[91mFAIL [39m
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 000/241] 6.5.9-rc1 review
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (241 preceding siblings ...)
2023-10-23 16:26 ` [PATCH 6.5 000/241] 6.5.9-rc1 review SeongJae Park
@ 2023-10-23 17:59 ` Ricardo B. Marliere
2023-10-23 19:10 ` Justin Forbes
` (7 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Ricardo B. Marliere @ 2023-10-23 17:59 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor
On 23/10/23 12:53PM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.5.9 release.
> There are 241 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 Oct 2023 10:47:57 +0000.
> Anything received after that time might be too late.
No build and dmesg warnings, my system runs fine:
[ 0.000000] Linux version 6.5.9-rc1+ (rbmarliere@debian) (gcc (Debian 13.2.0-4) 13.2.0, GNU ld (GNU Binutils for Debian) 2.41) #9 SMP PREEMPT_DYNAMIC Mon Oct 23 11:50:20 -03 2023
Tested-by: Ricardo B. Marliere <ricardo@marliere.net>
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 000/241] 6.5.9-rc1 review
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (242 preceding siblings ...)
2023-10-23 17:59 ` Ricardo B. Marliere
@ 2023-10-23 19:10 ` Justin Forbes
2023-10-23 21:01 ` Florian Fainelli
` (6 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Justin Forbes @ 2023-10-23 19:10 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli,
sudipm.mukherjee, srw, rwarsow, conor
On Mon, Oct 23, 2023 at 12:53:06PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.5.9 release.
> There are 241 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 Oct 2023 10:47:57 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.5.9-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.5.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Tested rc1 against the Fedora build system (aarch64, ppc64le, s390x,
x86_64), and boot tested x86_64. No regressions noted.
Tested-by: Justin M. Forbes <jforbes@fedoraproject.org>
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 000/241] 6.5.9-rc1 review
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (243 preceding siblings ...)
2023-10-23 19:10 ` Justin Forbes
@ 2023-10-23 21:01 ` Florian Fainelli
2023-10-23 22:59 ` Ron Economos
` (5 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Florian Fainelli @ 2023-10-23 21:01 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, sudipm.mukherjee, srw, rwarsow,
conor
On 10/23/23 03:53, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.5.9 release.
> There are 241 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 Oct 2023 10:47:57 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.5.9-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.5.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
On ARCH_BRCMSTB using 32-bit and 64-bit ARM kernels, build tested on
BMIPS_GENERIC:
Tested-by: Florian Fainelli <florian.fainelli@broadcom.com>
--
Florian
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 000/241] 6.5.9-rc1 review
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (244 preceding siblings ...)
2023-10-23 21:01 ` Florian Fainelli
@ 2023-10-23 22:59 ` Ron Economos
2023-10-24 2:49 ` Bagas Sanjaya
` (4 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Ron Economos @ 2023-10-23 22:59 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor
On 10/23/23 3:53 AM, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.5.9 release.
> There are 241 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 Oct 2023 10:47:57 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.5.9-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.5.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Built and booted successfully on RISC-V RV64 (HiFive Unmatched).
Tested-by: Ron Economos <re@w6rz.net>
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 000/241] 6.5.9-rc1 review
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (245 preceding siblings ...)
2023-10-23 22:59 ` Ron Economos
@ 2023-10-24 2:49 ` Bagas Sanjaya
2023-10-24 8:27 ` Daniel Díaz
` (3 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Bagas Sanjaya @ 2023-10-24 2:49 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor
[-- Attachment #1: Type: text/plain, Size: 558 bytes --]
On Mon, Oct 23, 2023 at 12:53:06PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.5.9 release.
> There are 241 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
Successfully compiled and installed bindeb-pkgs on my computer (Acer
Aspire E15, Intel Core i3 Haswell). No noticeable regressions.
Tested-by: Bagas Sanjaya <bagasdotme@gmail.com>
--
An old man doll... just what I always wanted! - Clara
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 228 bytes --]
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 219/241] drm/panel: Move AUX B116XW03 out of panel-edp back to panel-simple
2023-10-23 14:35 ` Doug Anderson
@ 2023-10-24 7:48 ` Greg Kroah-Hartman
0 siblings, 0 replies; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-24 7:48 UTC (permalink / raw)
To: Doug Anderson; +Cc: stable, patches, Anton Bambura, Hsin-Yi Wang, Sasha Levin
On Mon, Oct 23, 2023 at 07:35:36AM -0700, Doug Anderson wrote:
> Hi,
>
> On Mon, Oct 23, 2023 at 4:12 AM Greg Kroah-Hartman
> <gregkh@linuxfoundation.org> wrote:
> >
> > 6.5-stable review patch. If anyone has any objections, please let me know.
> >
> > ------------------
> >
> > From: Douglas Anderson <dianders@chromium.org>
> >
> > [ Upstream commit ad3e33fe071dffea07279f96dab4f3773c430fe2 ]
> >
> > In commit 5f04e7ce392d ("drm/panel-edp: Split eDP panels out of
> > panel-simple") I moved a pile of panels out of panel-simple driver
> > into the newly created panel-edp driver. One of those panels, however,
> > shouldn't have been moved.
> >
> > As is clear from commit e35e305eff0f ("drm/panel: simple: Add AUO
> > B116XW03 panel support"), AUX B116XW03 is an LVDS panel. It's used in
> > exynos5250-snow and exynos5420-peach-pit where it's clear that the
> > panel is hooked up with LVDS. Furthermore, searching for datasheets I
> > found one that makes it clear that this panel is LVDS.
> >
> > As far as I can tell, I got confused because in commit 88d3457ceb82
> > ("drm/panel: auo,b116xw03: fix flash backlight when power on") Jitao
> > Shi added "DRM_MODE_CONNECTOR_eDP". That seems wrong. Looking at the
> > downstream ChromeOS trees, it seems like some Mediatek boards are
> > using a panel that they call "auo,b116xw03" that's an eDP panel. The
> > best I can guess is that they actually have a different panel that has
> > similar timing. If so then the proper panel should be used or they
> > should switch to the generic "edp-panel" compatible.
> >
> > When moving this back to panel-edp, I wasn't sure what to use for
> > .bus_flags and .bus_format and whether to add the extra "enable" delay
> > from commit 88d3457ceb82 ("drm/panel: auo,b116xw03: fix flash
> > backlight when power on"). I've added formats/flags/delays based on my
> > (inexpert) analysis of the datasheet. These are untested.
> >
> > NOTE: if/when this is backported to stable, we might run into some
> > trouble. Specifically, before 474c162878ba ("arm64: dts: mt8183:
> > jacuzzi: Move panel under aux-bus") this panel was used by
> > "mt8183-kukui-jacuzzi", which assumed it was an eDP panel. I don't
> > know what to suggest for that other than someone making up a bogus
> > panel for jacuzzi that's just for the stable channel.
> >
> > Fixes: 88d3457ceb82 ("drm/panel: auo,b116xw03: fix flash backlight when power on")
> > Fixes: 5f04e7ce392d ("drm/panel-edp: Split eDP panels out of panel-simple")
> > Tested-by: Anton Bambura <jenneron@postmarketos.org>
> > Acked-by: Hsin-Yi Wang <hsinyi@chromium.org>
> > Signed-off-by: Douglas Anderson <dianders@chromium.org>
> > Link: https://patchwork.freedesktop.org/patch/msgid/20230925150010.1.Iff672233861bcc4cf25a7ad0a81308adc3bda8a4@changeid
> > Signed-off-by: Sasha Levin <sashal@kernel.org>
> > ---
> > drivers/gpu/drm/panel/panel-edp.c | 29 -----------------------
> > drivers/gpu/drm/panel/panel-simple.c | 35 ++++++++++++++++++++++++++++
> > 2 files changed, 35 insertions(+), 29 deletions(-)
>
> I responded to Sasha but managed to miss CCing stable@. My
> apologies... Copying what I wrote there:
>
> ---
>
> I feel that this should not be added to any stable trees. Please
> remove it from the 6.1 and 6.5 stable trees and, if possible, mark it
> so it won't get auto-selected in the future.
>
> The issue here is that several mediatek boards ended up (incorrectly)
> claiming that they included this panel and this change has the
> possibility to break those boards. In the latest upstream kernel
> mediatek boards that were using it have switched to the generic
> "edp-panel" compatible string, but if this is backported someplace
> before that change it has the potential to break folks.
>
> It should be noted that it was confirmed that the "snow" and
> "peach-pit" boards appeared to be working even without this patch, so
> there is no burning need (even for those boards) to get this patch
> backported.
>
> For discussion on the topic, please see the link pointed to by the patch, AKA:
>
> https://patchwork.freedesktop.org/patch/msgid/20230925150010.1.Iff672233861bcc4cf25a7ad0a81308adc3bda8a4@changeid
>
> ---
>
> Sasha has already said he'd remove it from the queue, but responding
> here just in case it's important. Thanks!
He's dropped them now, thanks!
greg k-h
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 000/241] 6.5.9-rc1 review
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (246 preceding siblings ...)
2023-10-24 2:49 ` Bagas Sanjaya
@ 2023-10-24 8:27 ` Daniel Díaz
2023-10-24 8:48 ` Sudip Mukherjee (Codethink)
` (2 subsequent siblings)
250 siblings, 0 replies; 260+ messages in thread
From: Daniel Díaz @ 2023-10-24 8:27 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable
Cc: patches, linux-kernel, torvalds, akpm, linux, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee,
rwarsow, conor
Hello!
On 23/10/23 4:53 a. m., Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.5.9 release.
> There are 241 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 Oct 2023 10:47:57 +0000.
> Anything received after that time might be too late.
>
> The whole patch series can be found in one patch at:
> https://www.kernel.org/pub/linux/kernel/v6.x/stable-review/patch-6.5.9-rc1.gz
> or in the git tree and branch at:
> git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git linux-6.5.y
> and the diffstat can be found below.
>
> thanks,
>
> greg k-h
Results from Linaro's test farm.
No regressions on arm64, arm, x86_64, and i386.
Tested-by: Linux Kernel Functional Testing <lkft@linaro.org>
## Build
* kernel: 6.5.9-rc1
* git: https://gitlab.com/Linaro/lkft/mirrors/stable/linux-stable-rc
* git branch: linux-6.5.y
* git commit: b83aad774cc81f19bac02dd06d3d3c907ea44893
* git describe: v6.5.7-432-gb83aad774cc8
* test details: https://qa-reports.linaro.org/lkft/linux-stable-rc-linux-6.5.y/build/v6.5.7-432-gb83aad774cc8
## No test regressions (compared to v6.5.7-191-gbe4ec7370801)
## No metric regressions (compared to v6.5.7-191-gbe4ec7370801)
## No test fixes (compared to v6.5.7-191-gbe4ec7370801)
## No metric fixes (compared to v6.5.7-191-gbe4ec7370801)
## Test result summary
total: 142426, pass: 122802, fail: 2262, skip: 17248, xfail: 114
## Build Summary
* arc: 10 total, 10 passed, 0 failed
* arm: 270 total, 270 passed, 0 failed
* arm64: 86 total, 86 passed, 0 failed
* i386: 64 total, 64 passed, 0 failed
* mips: 52 total, 52 passed, 0 failed
* parisc: 6 total, 6 passed, 0 failed
* powerpc: 67 total, 67 passed, 0 failed
* riscv: 43 total, 43 passed, 0 failed
* s390: 24 total, 24 passed, 0 failed
* sh: 24 total, 24 passed, 0 failed
* sparc: 12 total, 12 passed, 0 failed
* x86_64: 73 total, 73 passed, 0 failed
## Test suites summary
* boot
* kselftest-android
* kselftest-arm64
* kselftest-breakpoints
* kselftest-capabilities
* kselftest-cgroup
* kselftest-clone3
* kselftest-core
* kselftest-cpu-hotplug
* kselftest-cpufreq
* kselftest-drivers-dma-buf
* kselftest-efivarfs
* kselftest-exec
* kselftest-filesystems
* kselftest-filesystems-binderfs
* kselftest-filesystems-epoll
* kselftest-firmware
* kselftest-fpu
* kselftest-ftrace
* kselftest-futex
* kselftest-gpio
* kselftest-intel_pstate
* kselftest-ipc
* kselftest-ir
* kselftest-kcmp
* kselftest-kexec
* kselftest-kvm
* kselftest-lib
* kselftest-livepatch
* kselftest-membarrier
* kselftest-memfd
* kselftest-memory-hotplug
* kselftest-mincore
* kselftest-mount
* kselftest-mqueue
* kselftest-net
* kselftest-net-forwarding
* kselftest-net-mptcp
* kselftest-netfilter
* kselftest-nsfs
* kselftest-openat2
* kselftest-pid_namespace
* kselftest-pidfd
* kselftest-proc
* kselftest-pstore
* kselftest-ptrace
* kselftest-rseq
* kselftest-rtc
* kselftest-seccomp
* kselftest-sigaltstack
* kselftest-size
* kselftest-splice
* kselftest-static_keys
* kselftest-sync
* kselftest-sysctl
* kselftest-tc-testing
* kselftest-timens
* kselftest-timers
* kselftest-tmpfs
* kselftest-tpm2
* kselftest-user
* kselftest-user_events
* kselftest-vDSO
* kselftest-vm
* kselftest-watchdog
* kselftest-x86
* kselftest-zram
* kunit
* kvm-unit-tests
* libgpiod
* libhugetlbfs
* log-parser-boot
* log-parser-test
* ltp-cap_bounds
* ltp-commands
* ltp-containers
* ltp-controllers
* ltp-cpuhotplug
* ltp-crypto
* ltp-cve
* ltp-dio
* ltp-fcntl-locktests
* ltp-filecaps
* ltp-fs
* ltp-fs_bind
* ltp-fs_perms_simple
* ltp-fsx
* ltp-hugetlb
* ltp-io
* ltp-ipc
* ltp-math
* ltp-mm
* ltp-nptl
* ltp-pty
* ltp-sched
* ltp-securebits
* ltp-smoke
* ltp-syscalls
* ltp-tracing
* network-basic-tests
* perf
* rcutorture
* v4l2-compliance
Greetings!
Daniel Díaz
daniel.diaz@linaro.org
--
Linaro LKFT
https://lkft.linaro.org
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 000/241] 6.5.9-rc1 review
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (247 preceding siblings ...)
2023-10-24 8:27 ` Daniel Díaz
@ 2023-10-24 8:48 ` Sudip Mukherjee (Codethink)
2023-10-24 18:12 ` Guenter Roeck
2023-10-25 0:12 ` Miguel Ojeda
250 siblings, 0 replies; 260+ messages in thread
From: Sudip Mukherjee (Codethink) @ 2023-10-24 8:48 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, linux, shuah,
patches, lkft-triage, pavel, jonathanh, f.fainelli, srw, rwarsow,
conor
Hi Greg,
On Mon, Oct 23, 2023 at 12:53:06PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.5.9 release.
> There are 241 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 Oct 2023 10:47:57 +0000.
> Anything received after that time might be too late.
Build test (gcc version 13.2.1 20230827):
mips: 52 configs -> no failure
arm: 70 configs -> no failure
arm64: 3 configs -> no failure
x86_64: 4 configs -> no failure
alpha allmodconfig -> no failure
csky allmodconfig -> no failure
powerpc allmodconfig -> no failure
riscv allmodconfig -> no failure
s390 allmodconfig -> no failure
xtensa allmodconfig -> no failure
Boot test:
x86_64: Booted on my test laptop. No regression.
x86_64: Booted on qemu. No regression. [1]
arm64: Booted on rpi4b (4GB model). No regression. [2]
mips: Booted on ci20 board. No regression. [3]
[1]. https://openqa.qa.codethink.co.uk/tests/5364
[2]. https://openqa.qa.codethink.co.uk/tests/5365
[3]. https://openqa.qa.codethink.co.uk/tests/5371
Tested-by: Sudip Mukherjee <sudip.mukherjee@codethink.co.uk>
--
Regards
Sudip
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 000/241] 6.5.9-rc1 review
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (248 preceding siblings ...)
2023-10-24 8:48 ` Sudip Mukherjee (Codethink)
@ 2023-10-24 18:12 ` Guenter Roeck
2023-10-25 0:12 ` Miguel Ojeda
250 siblings, 0 replies; 260+ messages in thread
From: Guenter Roeck @ 2023-10-24 18:12 UTC (permalink / raw)
To: Greg Kroah-Hartman
Cc: stable, patches, linux-kernel, torvalds, akpm, shuah, patches,
lkft-triage, pavel, jonathanh, f.fainelli, sudipm.mukherjee, srw,
rwarsow, conor
On Mon, Oct 23, 2023 at 12:53:06PM +0200, Greg Kroah-Hartman wrote:
> This is the start of the stable review cycle for the 6.5.9 release.
> There are 241 patches in this series, all will be posted as a response
> to this one. If anyone has any issues with these being applied, please
> let me know.
>
> Responses should be made by Wed, 25 Oct 2023 10:47:57 +0000.
> Anything received after that time might be too late.
>
Build results:
total: 157 pass: 157 fail: 0
Qemu test results:
total: 530 pass: 530 fail: 0
Tested-by: Guenter Roeck <linux@roeck-us.net>
Guenter
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 000/241] 6.5.9-rc1 review
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
` (249 preceding siblings ...)
2023-10-24 18:12 ` Guenter Roeck
@ 2023-10-25 0:12 ` Miguel Ojeda
250 siblings, 0 replies; 260+ messages in thread
From: Miguel Ojeda @ 2023-10-25 0:12 UTC (permalink / raw)
To: gregkh
Cc: akpm, conor, f.fainelli, jonathanh, linux-kernel, linux,
lkft-triage, patches, patches, pavel, rwarsow, shuah, srw,
stable, sudipm.mukherjee, torvalds, Miguel Ojeda
For Rust, build tested and booted to see the minimal and printing Rust
samples output in the kernel log. Also checked that `rustdoc`'s docs
rendered as expected given the patches included in this set:
Tested-by: Miguel Ojeda <ojeda@kernel.org> # Rust
Cheers,
Miguel
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 159/241] net/smc: support smc release version negotiation in clc handshake
2023-10-23 12:05 ` Guangguan Wang
@ 2023-10-25 10:08 ` Greg Kroah-Hartman
2023-10-25 13:00 ` Guangguan Wang
0 siblings, 1 reply; 260+ messages in thread
From: Greg Kroah-Hartman @ 2023-10-25 10:08 UTC (permalink / raw)
To: Guangguan Wang
Cc: stable, patches, Tony Lu, Jan Karcher, David S. Miller, Sasha Levin
On Mon, Oct 23, 2023 at 08:05:01PM +0800, Guangguan Wang wrote:
> Hi, Greg.
>
> [PATCH 6.5 159/241] net/smc: support smc release version negotiation in clc handshake
> [PATCH 6.5 160/241] net/smc: support smc v2.x features validate
>
> The above two patches should not backport to stable tree 6.5, which may result in unexpected
> fallback if communication between 6.6 and 6.5(with these two patch) via SMC-R v2.1. The above
> two patches should not exist individually without the patch 7f0620b9(net/smc: support max
> connections per lgr negotiation) and the patch 69b888e3(net/smc: support max links per lgr
> negotiation in clc handshake).
>
> The patch c68681ae46ea ("net/smc: fix smc clc failed issue when netdevice not in init_net")
> does not rely the feature SMC-R v2.1. But I think it may have conflict here when backport
> to stable tree 6.5:
>
> @@ -1201,6 +1201,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
> (struct smc_clc_msg_accept_confirm_v2 *)aclc;
> struct smc_clc_first_contact_ext *fce =
> smc_get_clc_first_contact_ext(clc_v2, false); --conflict here
> + struct net *net = sock_net(&smc->sk);
>
>
> I think it is better to resolve the confilict rather than backport more patches.
> The resolution of the conflict should be like:
>
> @@ -1201,6 +1201,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
> (struct smc_clc_msg_accept_confirm_v2 *)aclc;
> struct smc_clc_first_contact_ext *fce =
> (struct smc_clc_first_contact_ext *)
> (((u8 *)clc_v2) + sizeof(*clc_v2)); --replace the line smc_get_clc_first_contact_ext(clc_v2, false);
> + struct net *net = sock_net(&smc->sk);
Thanks for letting me know.
I've dropped this patch entirely from the 6.5.y queue now (and the
follow-on ones.) Can you send a backported, and tested, set of patches
to us for inclusion if you want this fixed up in the 6.5.y tree? That
way we make sure to get this done properly.
thanks,
greg k-h
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 159/241] net/smc: support smc release version negotiation in clc handshake
2023-10-25 10:08 ` Greg Kroah-Hartman
@ 2023-10-25 13:00 ` Guangguan Wang
0 siblings, 0 replies; 260+ messages in thread
From: Guangguan Wang @ 2023-10-25 13:00 UTC (permalink / raw)
To: Greg Kroah-Hartman, huangjie.albert
Cc: stable, patches, Tony Lu, Jan Karcher, David S. Miller, Sasha Levin
On 2023/10/25 18:08, Greg Kroah-Hartman wrote:
> On Mon, Oct 23, 2023 at 08:05:01PM +0800, Guangguan Wang wrote:
>> Hi, Greg.
>>
>> [PATCH 6.5 159/241] net/smc: support smc release version negotiation in clc handshake
>> [PATCH 6.5 160/241] net/smc: support smc v2.x features validate
>>
>> The above two patches should not backport to stable tree 6.5, which may result in unexpected
>> fallback if communication between 6.6 and 6.5(with these two patch) via SMC-R v2.1. The above
>> two patches should not exist individually without the patch 7f0620b9(net/smc: support max
>> connections per lgr negotiation) and the patch 69b888e3(net/smc: support max links per lgr
>> negotiation in clc handshake).
>>
>> The patch c68681ae46ea ("net/smc: fix smc clc failed issue when netdevice not in init_net")
>> does not rely the feature SMC-R v2.1. But I think it may have conflict here when backport
>> to stable tree 6.5:
>>
>> @@ -1201,6 +1201,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
>> (struct smc_clc_msg_accept_confirm_v2 *)aclc;
>> struct smc_clc_first_contact_ext *fce =
>> smc_get_clc_first_contact_ext(clc_v2, false); --conflict here
>> + struct net *net = sock_net(&smc->sk);
>>
>>
>> I think it is better to resolve the confilict rather than backport more patches.
>> The resolution of the conflict should be like:
>>
>> @@ -1201,6 +1201,7 @@ static int smc_connect_rdma_v2_prepare(struct smc_sock *smc,
>> (struct smc_clc_msg_accept_confirm_v2 *)aclc;
>> struct smc_clc_first_contact_ext *fce =
>> (struct smc_clc_first_contact_ext *)
>> (((u8 *)clc_v2) + sizeof(*clc_v2)); --replace the line smc_get_clc_first_contact_ext(clc_v2, false);
>> + struct net *net = sock_net(&smc->sk);
>
> Thanks for letting me know.
>
> I've dropped this patch entirely from the 6.5.y queue now (and the
> follow-on ones.) Can you send a backported, and tested, set of patches
> to us for inclusion if you want this fixed up in the 6.5.y tree? That
> way we make sure to get this done properly.
>
> thanks,
>
> greg k-h
I think it is more appropriate for Albert Huang, who is the author of the patch("net/smc: fix smc clc failed issue when
netdevice not in init_net"), to do this because he knows the background of the fix and how to test it.
Thanks,
Guangguan Wang
^ permalink raw reply [flat|nested] 260+ messages in thread
* Re: [PATCH 6.5 000/241] 6.5.9-rc1 review
@ 2023-10-23 19:08 Ronald Warsow
0 siblings, 0 replies; 260+ messages in thread
From: Ronald Warsow @ 2023-10-23 19:08 UTC (permalink / raw)
To: Greg Kroah-Hartman, stable; +Cc: linux-kernel
Hi Greg
6.5.9-rc1
compiles, boots and runs here on x86_64
(Intel Rocket Lake, i5-11400)
Thanks
Tested-by: Ronald Warsow <rwarsow@gmx.de>
^ permalink raw reply [flat|nested] 260+ messages in thread
end of thread, other threads:[~2023-10-25 13:00 UTC | newest]
Thread overview: 260+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2023-10-23 10:53 [PATCH 6.5 000/241] 6.5.9-rc1 review Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 001/241] Bluetooth: hci_event: Ignore NULL link key Greg Kroah-Hartman
2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 002/241] Bluetooth: Reject connection with the device which has same BD_ADDR Greg Kroah-Hartman
2023-10-23 10:53 ` Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 003/241] Bluetooth: Fix a refcnt underflow problem for hci_conn Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 004/241] Bluetooth: vhci: Fix race when opening vhci device Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 005/241] Bluetooth: hci_event: Fix coding style Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 006/241] Bluetooth: avoid memcmp() out of bounds warning Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 007/241] Bluetooth: hci_conn: Fix modifying handle while aborting Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 008/241] ice: fix over-shifted variable Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 009/241] ice: Fix safe mode when DDP is missing Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 010/241] ice: reset first in crash dump kernels Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 011/241] net/smc: return the right falback reason when prefix checks fail Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 012/241] btrfs: fix stripe length calculation for non-zoned data chunk allocation Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 013/241] nfc: nci: fix possible NULL pointer dereference in send_acknowledge() Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 014/241] regmap: fix NULL deref on lookup Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 015/241] KVM: x86: Mask LVTPC when handling a PMI Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 016/241] x86/sev: Disable MMIO emulation from user mode Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 017/241] x86/sev: Check IOBM for IOIO exceptions from user-space Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 018/241] x86/sev: Check for user-space IOIO pointing to kernel space Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 019/241] x86/fpu: Allow caller to constrain xfeatures when copying to uabi buffer Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 020/241] KVM: x86/pmu: Truncate counter value to allowed width on write Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 021/241] KVM: x86: Constrain guest-supported xfeatures only at KVM_GET_XSAVE{2} Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 022/241] x86: KVM: SVM: always update the x2avic msr interception Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 023/241] x86: KVM: SVM: add support for Invalid IPI Vector interception Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 024/241] x86: KVM: SVM: refresh AVIC inhibition in svm_leave_nested() Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 025/241] audit,io_uring: io_uring openat triggers audit reference count underflow Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 026/241] tcp: check mptcp-level constraints for backlog coalescing Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 027/241] mptcp: more conservative check for zero probes Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 028/241] selftests: mptcp: join: no RST when rm subflow/addr Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 029/241] mm: slab: Do not create kmalloc caches smaller than arch_slab_minalign() Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 030/241] fs/ntfs3: Fix OOB read in ntfs_init_from_boot Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 031/241] fs/ntfs3: Fix possible null-pointer dereference in hdr_find_e() Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 032/241] fs/ntfs3: fix panic about slab-out-of-bounds caused by ntfs_list_ea() Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 033/241] fs/ntfs3: Fix shift-out-of-bounds in ntfs_fill_super Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 034/241] fs/ntfs3: fix deadlock in mark_as_free_ex Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 035/241] Revert "net: wwan: iosm: enable runtime pm support for 7560" Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 036/241] netfilter: nft_payload: fix wrong mac header matching Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 037/241] io_uring: fix crash with IORING_SETUP_NO_MMAP and invalid SQ ring address Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 038/241] nvmet-tcp: Fix a possible UAF in queue intialization setup Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 039/241] drm/i915: Retry gtt fault when out of fence registers Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 040/241] drm/mediatek: Correctly free sg_table in gem prime vmap Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 041/241] drm/nouveau/disp: fix DP capable DSM connectors Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 042/241] drm/edid: add 8 bpc quirk to the BenQ GW2765 Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 043/241] ALSA: hda/realtek - Fixed ASUS platform headset Mic issue Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 044/241] ALSA: hda/realtek: Add quirk for ASUS ROG GU603ZV Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 045/241] ALSA: hda/relatek: Enable Mute LED on HP Laptop 15s-fq5xxx Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 046/241] ASoC: codecs: wcd938x-sdw: fix use after free on driver unbind Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 047/241] ASoC: codecs: wcd938x-sdw: fix runtime PM imbalance on probe errors Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 048/241] ASoC: codecs: wcd938x: drop bogus bind error handling Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 049/241] ASoC: codecs: wcd938x: fix unbind tear down order Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 050/241] ASoC: codecs: wcd938x: fix resource leaks on bind errors Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 051/241] ASoC: codecs: wcd938x: fix regulator leaks on probe errors Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 052/241] ASoC: codecs: wcd938x: fix runtime PM imbalance on remove Greg Kroah-Hartman
2023-10-23 10:53 ` [PATCH 6.5 053/241] qed: fix LL2 RX buffer allocation Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 054/241] xfrm: fix a data-race in xfrm_lookup_with_ifid() Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 055/241] xfrm6: fix inet6_dev refcount underflow problem Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 056/241] xfrm: fix a data-race in xfrm_gen_index() Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 057/241] xfrm: interface: use DEV_STATS_INC() Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 058/241] net: xfrm: skip policies marked as dead while reinserting policies Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 059/241] fprobe: Fix to ensure the number of active retprobes is not zero Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 060/241] wifi: cfg80211: use system_unbound_wq for wiphy work Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 061/241] net: ipv4: fix return value check in esp_remove_trailer Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 062/241] net: ipv6: " Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 063/241] net: rfkill: gpio: prevent value glitch during probe Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 064/241] tcp: fix excessive TLP and RACK timeouts from HZ rounding Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 065/241] tcp: tsq: relax tcp_small_queue_check() when rtx queue contains a single skb Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 066/241] tcp: Fix listen() warning with v4-mapped-v6 address Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 067/241] docs: fix info about representor identification Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 068/241] tun: prevent negative ifindex Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 069/241] gve: Do not fully free QPL pages on prefill errors Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 070/241] ipv4: fib: annotate races around nh->nh_saddr_genid and nh->nh_saddr Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 071/241] net: usb: smsc95xx: Fix an error code in smsc95xx_reset() Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 072/241] octeon_ep: update BQL sent bytes before ringing doorbell Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 073/241] i40e: prevent crash on probe if hw registers have invalid values Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 074/241] net: dsa: bcm_sf2: Fix possible memory leak in bcm_sf2_mdio_register() Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 075/241] bonding: Return pointer to data after pull on skb Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 076/241] net/sched: sch_hfsc: upgrade rt to sc when it becomes a inner curve Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 077/241] neighbor: tracing: Move pin6 inside CONFIG_IPV6=y section Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 078/241] selftests: openvswitch: Catch cases where the tests are killed Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 079/241] selftests: openvswitch: Fix the ct_tuple for v4 Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 080/241] selftests: netfilter: Run nft_audit.sh in its own netns Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 081/241] netfilter: nft_set_rbtree: .deactivate fails if element has expired Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 082/241] netlink: Correct offload_xstats size Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 083/241] netfilter: nf_tables: do not refresh timeout when resetting element Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 084/241] nf_tables: fix NULL pointer dereference in nft_expr_inner_parse() Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 085/241] nf_tables: fix NULL pointer dereference in nft_inner_init() Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 086/241] netfilter: nf_tables: do not remove elements if set backend implements .abort Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 087/241] netfilter: nf_tables: revert " Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 088/241] selftests: openvswitch: Add version check for pyroute2 Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 089/241] net: phy: bcm7xxx: Add missing 16nm EPHY statistics Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 090/241] net: pktgen: Fix interface flags printing Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 091/241] net: more strict VIRTIO_NET_HDR_GSO_UDP_L4 validation Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 092/241] net: mdio-mux: fix C45 access returning -EIO after API change Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 093/241] net: avoid UAF on deleted altname Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 094/241] net: fix ifname in netlink ntf during netns move Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 095/241] net: check for altname conflicts when changing netdevs netns Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 096/241] iio: light: vcnl4000: Dont power on/off chip in config Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 097/241] pwr-mlxbf: extend Kconfig to include gpio-mlxbf3 dependency Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 098/241] ARM: dts: ti: omap: Fix noisy serial with overrun-throttle-ms for mapphone Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 099/241] arm64: dts: mediatek: Fix "mediatek,merge-mute" and "mediatek,merge-fifo-en" types Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 100/241] fs-writeback: do not requeue a clean inode having skipped pages Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 101/241] btrfs: fix race when refilling delayed refs block reserve Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 102/241] btrfs: prevent transaction block reserve underflow when starting transaction Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 103/241] btrfs: return -EUCLEAN for delayed tree ref with a ref count not equals to 1 Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 104/241] btrfs: initialize start_slot in btrfs_log_prealloc_extents Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 105/241] i2c: mux: Avoid potential false error message in i2c_mux_add_adapter Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 106/241] overlayfs: set ctime when setting mtime and atime Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 107/241] accel/ivpu: Dont flood dmesg with VPU ready message Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 108/241] gpio: timberdale: Fix potential deadlock on &tgpio->lock Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 109/241] ata: libata-core: Fix compilation warning in ata_dev_config_ncq() Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 110/241] ata: libata-eh: Fix compilation warning in ata_eh_link_report() Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 111/241] tracing: relax trace_event_eval_update() execution with cond_resched() Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 112/241] wifi: mwifiex: Sanity check tlv_len and tlv_bitmap_len Greg Kroah-Hartman
2023-10-23 10:54 ` [PATCH 6.5 113/241] wifi: cfg80211: validate AP phy operation before starting it Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 114/241] wifi: iwlwifi: Ensure ack flag is properly cleared Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 115/241] rfkill: sync before userspace visibility/changes Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 116/241] HID: logitech-hidpp: Add Bluetooth ID for the Logitech M720 Triathlon mouse Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 117/241] HID: holtek: fix slab-out-of-bounds Write in holtek_kbd_input_event Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 118/241] Bluetooth: btusb: add shutdown function for QCA6174 Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 119/241] Bluetooth: Avoid redundant authentication Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 120/241] Bluetooth: hci_core: Fix build warnings Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 121/241] wifi: cfg80211: Fix 6GHz scan configuration Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 122/241] wifi: mac80211: work around Cisco AP 9115 VHT MPDU length Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 123/241] wifi: mac80211: allow transmitting EAPOL frames with tainted key Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 124/241] wifi: cfg80211: avoid leaking stack data into trace Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 125/241] regulator/core: Revert "fix kobject release warning and memory leak in regulator_register()" Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 126/241] SUNRPC: Fail quickly when server does not recognize TLS Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 127/241] SUNRPC/TLS: Lock the lower_xprt during the tls handshake Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 128/241] nfs: decrement nrequests counter before releasing the req Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 129/241] sky2: Make sure there is at least one frag_addr available Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 130/241] ipv4/fib: send notify when delete source address routes Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 131/241] drm: panel-orientation-quirks: Add quirk for One Mix 2S Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 132/241] btrfs: fix some -Wmaybe-uninitialized warnings in ioctl.c Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 133/241] btrfs: error out when COWing block using a stale transaction Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 134/241] btrfs: error when COWing block from a root that is being deleted Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 135/241] btrfs: error out when reallocating block for defrag using a stale transaction Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 136/241] platform/x86: touchscreen_dmi: Add info for the BUSH Bush Windows tablet Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 137/241] drm/amd/pm: add unique_id for gc 11.0.3 Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 138/241] HID: multitouch: Add required quirk for Synaptics 0xcd7e device Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 139/241] HID: nintendo: reinitialize USB Pro Controller after resuming from suspend Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 140/241] HID: Add quirk to ignore the touchscreen battery on HP ENVY 15-eu0556ng Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 141/241] platform/x86: touchscreen_dmi: Add info for the Positivo C4128B Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 142/241] cpufreq: schedutil: Update next_freq when cpufreq_limits change Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 143/241] io-wq: fully initialize wqe before calling cpuhp_state_add_instance_nocalls() Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 144/241] Bluetooth: hci_sync: Fix not handling ISO_LINK in hci_abort_conn_sync Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 145/241] Bluetooth: hci_sync: Introduce PTR_UINT/UINT_PTR macros Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 146/241] Bluetooth: ISO: Fix invalid context error Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 147/241] Bluetooth: hci_sync: delete CIS in BT_OPEN/CONNECT/BOUND when aborting Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 148/241] Bluetooth: hci_sync: always check if connection is alive before deleting Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 149/241] net/mlx5: E-switch, register event handler before arming the event Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 150/241] net/mlx5: Handle fw tracer change ownership event based on MTRC Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 151/241] net/mlx5e: RX, Fix page_pool allocation failure recovery for striding rq Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 152/241] net/mlx5e: RX, Fix page_pool allocation failure recovery for legacy rq Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 153/241] net/mlx5e: XDP, Fix XDP_REDIRECT mpwqe page fragment leaks on shutdown Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 154/241] net/mlx5e: Take RTNL lock before triggering netdev notifiers Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 155/241] net/mlx5e: Dont offload internal port if filter device is out device Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 156/241] net/mlx5e: Fix VF representors reporting zero counters to "ip -s" command Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 157/241] net/tls: split tls_rx_reader_lock Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 158/241] tcp: allow again tcp_disconnect() when threads are waiting Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 159/241] net/smc: support smc release version negotiation in clc handshake Greg Kroah-Hartman
2023-10-23 12:05 ` Guangguan Wang
2023-10-25 10:08 ` Greg Kroah-Hartman
2023-10-25 13:00 ` Guangguan Wang
2023-10-23 10:55 ` [PATCH 6.5 160/241] net/smc: support smc v2.x features validate Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 161/241] net/smc: fix smc clc failed issue when netdevice not in init_net Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 162/241] Bluetooth: hci_event: Fix using memcmp when comparing keys Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 163/241] tcp_bpf: properly release resources on error paths Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 164/241] mtd: rawnand: qcom: Unmap the right resource upon probe failure Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 165/241] mtd: rawnand: pl353: Ensure program page operations are successful Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 166/241] mtd: rawnand: marvell: " Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 167/241] mtd: rawnand: arasan: " Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 168/241] mtd: rawnand: Ensure the nand chip supports cached reads Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 169/241] mtd: spinand: micron: correct bitmask for ecc status Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 170/241] mtd: physmap-core: Restore map_rom fallback Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 171/241] dt-bindings: mmc: sdhci-msm: correct minimum number of clocks Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 172/241] mmc: sdhci-pci-gli: fix LPM negotiation so x86/S0ix SoCs can suspend Greg Kroah-Hartman
2023-10-23 10:55 ` [PATCH 6.5 173/241] mmc: mtk-sd: Use readl_poll_timeout_atomic in msdc_reset_hw Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 174/241] mmc: core: Fix error propagation for some ioctl commands Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 175/241] mmc: core: sdio: hold retuning if sdio in 1-bit mode Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 176/241] mmc: core: Capture correct oemid-bits for eMMC cards Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 177/241] pinctrl: qcom: lpass-lpi: fix concurrent register updates Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 178/241] Revert "pinctrl: avoid unsafe code pattern in find_pinctrl()" Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 179/241] pNFS: Fix a hang in nfs4_evict_inode() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 180/241] pNFS/flexfiles: Check the layout validity in ff_layout_mirror_prepare_stats Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 181/241] NFSv4.1: fixup use EXCHGID4_FLAG_USE_PNFS_DS for DS server Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 182/241] ACPI: irq: Fix incorrect return value in acpi_register_gsi() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 183/241] ACPI: bus: Move acpi_arm_init() to the place of after acpi_ghes_init() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 184/241] perf dlfilter: Fix use of addr_location__exit() in dlfilter__object_code() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 185/241] Revert "accel/ivpu: Use cached buffers for FW loading" Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 186/241] fanotify: limit reporting of event with non-decodeable file handles Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 187/241] NFS: Fix potential oops in nfs_inode_remove_request() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 188/241] nfs42: client needs to strip file modes suid/sgid bit after ALLOCATE op Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 189/241] nvme: sanitize metadata bounce buffer for reads Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 190/241] nvme-pci: add BOGUS_NID for Intel 0a54 device Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 191/241] nvme-auth: use chap->s2 to indicate bidirectional authentication Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 192/241] nvmet-auth: complete a request only after freeing the dhchap pointers Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 193/241] nvme-rdma: do not try to stop unallocated queues Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 194/241] USB: serial: option: add Telit LE910C4-WWX 0x1035 composition Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 195/241] USB: serial: option: add entry for Sierra EM9191 with new firmware Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 196/241] USB: serial: option: add Fibocom to DELL custom modem FM101R-GL Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 197/241] thunderbolt: Call tb_switch_put() once DisplayPort bandwidth request is finished Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 198/241] perf: Disallow mis-matched inherited group reads Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 199/241] s390/pci: fix iommu bitmap allocation Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 200/241] tracing/kprobes: Return EADDRNOTAVAIL when func matches several symbols Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 201/241] selftests/ftrace: Add new test case which checks non unique symbol Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 202/241] KEYS: asymmetric: Fix sign/verify on pkcs1pad without a hash Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 203/241] apple-gmux: Hard Code max brightness for MMIO gmux Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 204/241] s390/cio: fix a memleak in css_alloc_subchannel Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 205/241] platform/surface: platform_profile: Propagate error if profile registration fails Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 206/241] platform/x86: intel-uncore-freq: Conditionally create attribute for read frequency Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 207/241] platform/x86: msi-ec: Fix the 3rd config Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 208/241] platform/x86: asus-wmi: Change ASUS_WMI_BRN_DOWN code from 0x20 to 0x2e Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 209/241] platform/x86: asus-wmi: Only map brightness codes when using asus-wmi backlight control Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 210/241] platform/x86: asus-wmi: Map 0x2a code, Ignore 0x2b and 0x2c events Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 211/241] rust: error: fix the description for `ECHILD` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 212/241] gpiolib: acpi: Add missing memset(0) to acpi_get_gpiod_from_data() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 213/241] gpio: vf610: set value before the direction to avoid a glitch Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 214/241] gpio: vf610: mask the gpio irq in system suspend and support wakeup Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 215/241] ASoC: cs35l56: Fix illegal use of init_completion() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 216/241] ASoC: pxa: fix a memory leak in probe() Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 217/241] ASoC: cs42l42: Fix missing include of gpio/consumer.h Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 218/241] drm/bridge: ti-sn65dsi86: Associate DSI device lifetime with auxiliary device Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 219/241] drm/panel: Move AUX B116XW03 out of panel-edp back to panel-simple Greg Kroah-Hartman
2023-10-23 14:35 ` Doug Anderson
2023-10-24 7:48 ` Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 220/241] drm/i915/cx0: Only clear/set the Pipe Reset bit of the PHY Lanes Owned Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 221/241] drm/amdgpu: Fix possible null pointer dereference Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 222/241] powerpc/mm: Allow ARCH_FORCE_MAX_ORDER up to 12 Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 223/241] powerpc/qspinlock: Fix stale propagated yield_cpu Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 224/241] docs: Move rustdoc output, cross-reference it Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 225/241] rust: docs: fix logo replacement Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 226/241] phy: mapphone-mdm6600: Fix runtime disable on probe Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 227/241] phy: mapphone-mdm6600: Fix runtime PM for remove Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 228/241] phy: mapphone-mdm6600: Fix pinctrl_pm handling for sleep pins Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 229/241] phy: qcom-qmp-usb: initialize PCS_USB registers Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 230/241] phy: qcom-qmp-usb: split PCS_USB init table for sc8280xp and sa8775p Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 231/241] phy: qcom-qmp-combo: Square out 8550 POWER_STATE_CONFIG1 Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 232/241] phy: qcom-qmp-combo: initialize PCS_USB registers Greg Kroah-Hartman
2023-10-23 10:56 ` [PATCH 6.5 233/241] efi/unaccepted: Fix soft lockups caused by parallel memory acceptance Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 234/241] net: move altnames together with the netdevice Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 235/241] Bluetooth: hci_sock: fix slab oob read in create_monitor_event Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 236/241] net: rfkill: reduce data->mtx scope in rfkill_fop_open Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 237/241] docs: rust: update Rust docs output path Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 238/241] kbuild: remove old " Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 239/241] Bluetooth: hci_sock: Correctly bounds check and pad HCI_MON_NEW_INDEX name Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 240/241] mptcp: avoid sending RST when closing the initial subflow Greg Kroah-Hartman
2023-10-23 10:57 ` [PATCH 6.5 241/241] selftests: mptcp: join: correctly check for no RST Greg Kroah-Hartman
2023-10-23 16:26 ` [PATCH 6.5 000/241] 6.5.9-rc1 review SeongJae Park
2023-10-23 17:59 ` Ricardo B. Marliere
2023-10-23 19:10 ` Justin Forbes
2023-10-23 21:01 ` Florian Fainelli
2023-10-23 22:59 ` Ron Economos
2023-10-24 2:49 ` Bagas Sanjaya
2023-10-24 8:27 ` Daniel Díaz
2023-10-24 8:48 ` Sudip Mukherjee (Codethink)
2023-10-24 18:12 ` Guenter Roeck
2023-10-25 0:12 ` Miguel Ojeda
2023-10-23 19:08 Ronald Warsow
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.